Can switching to Linux protect your online identity?

Summary: My ZDNet blogging colleague Jason Perlow has switched his systems over to Linux after his Facebook account was compromised. Can plucky "Tux the Penguin" protect Perlow's digital kingdom? Sadly, I don't think so ...


My ZDNet blogging colleague Jason Perlow has switched his systems over to Linux after his Facebook account was compromised. Can plucky "Tux the Penguin" protect Perlow's digital kingdom? Sadly, I don't think so ...

Now, if someone feels that switching to Linux makes them feel safer, then that's as good a starting point as any. When it comes to operating systems I'm an agnostic, and see the OS as a platform or a tool, as opposed to a religion or a sports team I have to get behind. With more and more people making the shift to the cloud, the OS that you use no longer matters, it's the browser that matters.

But the question here is whether Mr Perlow is protected from future breaches of his digital fortress now that he's switched to Linux. Based on the information he's provided so far, I don't think that he is.

Let's take a look at the evidence to support my case.

First, even after a thorough examination, there's no sign of malware on any of his systems. This might seem like a trivial point, but whenever someone blames malware for anything (and it's common for people to blame malware for anything and everything that goes wrong with their computers), if you can't find a shred of evidence to support the claim, then you might as well blame leprechauns, fairies or Santa for your troubles. Throwing out the notion that it was a "bizarre Facebook virus" just doesn't make sense.

Without evidence, blaming "malware" is a total cop-out.

Was Perlow's password compromised? Well, he claims to have "used a strong mixed alphanumeric password," but this doesn't tell us much. Brute-forcing even relatively strong passwords, while not trivial, is not a tough thing to engage in when you have a botnet at your disposal. Even with a strong password, the hacker has the twin advantage of time and luck on their side. This is precisely why we use strong passwords, but still use different passwords for different places.

But it doesn't end there. Even with the best passwords in the world, there are still vulnerabilities that you can do very little about. XSS, XSRF and SQL injection are three possibilities. These are attacks that originate online and leave no local trace. All you need to do is visit a compromised Facebook account (it doesn't have to be a Facebook account, but if you're targeting Facebook users, it's a good place to start), and the flaws in the website itself do the rest. This sort of thing is damn hard to defend against - you have to be vigilant, and change your password at the first sign of trouble.

There's the other nagging issue of why other online accounts belonging to Perlow weren't compromised. I'm thinking of things like Twitter and so on. If he suspects a malware breach, then I hope he's changed every single password he's ever used on those systems.

Oh, and as Columbo would say ... "One more thing ..."

Something else Perlow said caught my attention:

It’s certainly possible that the compromise occurred on another system that I had used to log into Facebook, such as on a friend’s or a family member’s computer that got infected which had my login credentials cached.

Well there's your (likely) problem! He then goes on to say:

It’s unlikely since I always run something like CCleaner to wipe out all traces before leaving a PC that I had used, but I won’t rule it out.

The problem here is that "using something like CCleaner" might wipe all traces of your browsing off the PC, but if that system was already compromised, then all that prevention is for nothing.

Also, you can have all the security measures in place, but if you then go off and trust a third-party system with your credentials, then that side-steps all the measures you've put in place to protect yourself.

I don't think there's anything wrong with the steps that Perlow's taken to protect his digital kingdom, but personally I think that he's missed the real issue here. What's he going to do if his account is compromised again ... switch to an abacus? After all, Secunia doesn't list any vulnerabilities for that platform ...

Note: Back in the Fall of 2009 I wrote a piece called "Time to ditch Windows for online banking and shopping." Some of you seem to be wondering if my position has changed since then. The answer is "no." What I'm saying here is that if you are making a shift then the reasons need to be clear. In this case, I don't think that switching to Linux is the answer since I don't believe that the OS has played any factor in the leakage of the information. Without discovering malware on the systems in question, my money is on another system being compromised. The moral of the story is be careful what third-party system you use - and if you do need to use an untrusted system, using a Linux bootable ISO might help ;)

Maybe Perlow would be better switching his friends and family to Linux?

  • Jason Perlow is wise beyond his years

    Adrian, let's not pretend there aren't problems with Windows security, OK? (W7 32-bit BSoD/rootkit). It's become so bad that it's like 'shooting fish in a barrel'.

    Making this choice and showing the way is good.
    Jason is making 'security' a top priority over any other interests, unlike yourself.


    It's not funny any more. 1.5M FB accounts owned by a Russian criminal network? This is very serious.

    There's a road side billboard for you if there ever was one.

    Take note of what Jason has done.

    Also take note that very recently a CIO for a Florida bank has opted to provide its customers an Ubuntu CD for doing their on-line Internet banking transactions.

    You can keep your Windows core apps in a VirtualBox, or KVM where you can get to them on demand, but make Lucid Lynx your base system for connecting to the Internet.

    If you haven't already done so, don't forget to enable your Linux Security Module AppArmor Firefox profile which puts your Internet session in a protected sandbox with:

    [b]$sudo aa-enforce /etc/apparmor.d/usr.bin.firefox[/b]

    And, be sure to install the FF NoScript plugin.

    Ubuntu Linux: The safe choice

    I stake my reputation on it.

    Dietrich T. Schmitz
    Linux Advocate
    Dietrich T. Schmitz, Your Linux Advocate
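A status check, added here as an example and not part of Dietrich's post or of AppArmor's own tooling: it parses `aa-status` output to report whether the Firefox profile is enforcing, complaining, or not loaded at all, since aa-enforce only helps if the profile really is in enforce mode after the next boot. The sample output below is constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example: verify the mode of an AppArmor profile from `aa-status`.
# Not part of the original post; the sample output is constructed.

# Constructed sample of `aa-status` output for offline use. Live output
# comes from running `aa-status` as root.
SAMPLE_STATUS='apparmor module is loaded.
4 profiles are loaded.
3 profiles are in enforce mode.
   /sbin/dhclient
   /usr/lib/cups/backend/cups-pdf
   /usr/sbin/cupsd
1 profiles are in complain mode.
   /usr/bin/firefox
2 processes have profiles defined.
1 processes are in enforce mode.
   /usr/sbin/cupsd (1234)
1 processes are in complain mode.
   /usr/bin/firefox (2345)
0 processes are unconfined but have a profile defined.'

# profile_mode NAME [TEXT]
# Prints "enforce", "complain" or "absent" for profile NAME. TEXT defaults
# to live `aa-status` output (empty when aa-status is missing or not root).
profile_mode() {
    name=$1
    text=${2:-$(aa-status 2>/dev/null || true)}
    printf '%s\n' "$text" | awk -v p="$name" '
        # Section headers set the mode that applies to the indented lines
        # that follow; the "processes" sections are ignored.
        /profiles are in enforce mode/  { mode = "enforce";  next }
        /profiles are in complain mode/ { mode = "complain"; next }
        /processes/                     { mode = "" }
        mode != "" && $1 == p           { print mode; found = 1; exit }
        END { if (!found) print "absent" }'
}

# Usage against the constructed sample: the Firefox profile is loaded but
# only in complain mode, so violations are logged rather than blocked.
mode=$(profile_mode /usr/bin/firefox "$SAMPLE_STATUS")
echo "firefox profile mode (sample): $mode"
case $mode in
    enforce)  echo "OK: Firefox is confined." ;;
    complain) echo "WARN: profile loaded but not enforcing; run: sudo aa-enforce /etc/apparmor.d/usr.bin.firefox" ;;
    absent)   echo "WARN: no Firefox profile is loaded." ;;
esac
```

Drop the second argument (`profile_mode /usr/bin/firefox`) to query the live `aa-status` output on a real Ubuntu host.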
    • The dangers of over-confidence

      Ubuntu Linux - The safe choice (for now).

      Just because you use Linux and Firefox does not make you invincible. Safe practice (such as strong passwords and being careful what you click on) still applies.

      I agree that currently the Linux platform is safer than the Windows platform and that Firefox has some strong protection, but social engineering and unpatched vulnerabilities are still an issue to contend with no matter what platform you use.

      How many people are still running Firefox 3.0 or, god forbid, Firefox 2.0 in the mistaken assumption that just because it's Firefox they are safe? And I bet there are quite a few unpatched Gutsy Gibbons in the wild as well.
      • The point of AppArmor: protection against unpatched vulnerabilities

        AppArmor Firefox profile is designed to stop any privilege escalation from occurring.

        That's its purpose and that's why it's in every copy of Ubuntu.

        It's not a matter of being overconfident--it's a matter of security 'best practices' and having Linux Security Module AppArmor running is proactive and ensures that any Zero-Day exploit will be stopped.

        Windows sysadmins, stop chasing windmills.
        Dietrich T. Schmitz, Your Linux Advocate
        • Still missing the point....

          After following three separate sets of threads on this subject, I tend to agree that switching to LINUX is not going to fix the problem. Here's my reasoning: (1) While the Linux OS may have fewer active vulnerabilities, every time I read up on how users protect their system they neither bother to run any kind of protective services (antivirus, etc) nor know how to "sandbox" their apps. The average user is not tech-savvy. If it's not in the box at boot time it won't be there when the attack occurs. (2) Even if a user were to "exclusively" Linux-fy himself and adhere to all the software tricks to protect themselves (i.e. antivirus, hacks, etc), the minute they step out of their own Linux domain they become vulnerable - a fact that appears to have been promoted by the original user of these threads: Apparently he used someone else's system which may (or may not) have been compromised. Does it really matter if it was a Windows system, Apple, Commodore 64, or Linux? Not really - as soon as you step out of your own "firewall" you are vulnerable. And how many times do we do that every day? Every time you turn on your smart cell phone - is there some kind of antivirus on your cell (!?) - every time you peek over your colleague's shoulder and help him/her out with a problem, every time your cell phone interacts with your car's OnStar (or someone in the passing lane), every time you turn on your laptop during a flight, or visit a website in your work cubicle.... That's the price we pay for having an open internet that everyone can access. Hiding behind this OS and that OS won't matter in the long run - it's the OS between your ears that makes the difference.
          • On Ubuntu AppArmor comes pre-configured for common apps like Firefox.

            No tweaking required.
        • AppArmor isn't meant for securing communications from one computer to..

      • Actually, I think it's safe to say it really IS the safer platform.

        And will remain so. Some people like to make the argument of "but if more people start using it, more people will start attacking it".. but they forget that it will also result in more people [i]fixing[/i] it.
    • Disagree

      "It's become so bad that it's like 'shooting fish in a barrel'."

      You're just re-iterating the crap that this author's article warns against - that this is a malware issue, and can be fixed at the OS level. [b]We don't know that.[/b]
      • Modes of infection on Windows vs Linux differ

        Aside from phishing, XSS cookie stealing, social engineering, the attack vector for compromising a Windows PC is NOT THE SAME as with Linux.

        That alone makes writing exploits that work on Linux 'a challenge'.

        One recalls the April 1 Conficker fiasco only to be reminded of just how easy it can be to become infected on Windows by having made an innocent 'drive-by'.

        Millions of machines are still infected by it.

        The point?

        No one questions that there are serious issues with respect to Windows security.

        Jason made a determined, reasoned decision to put Windows on 'probation' indefinitely.

        By doing so, he does not sacrifice use of W7 Apps as Virtual Box installation makes those apps 'on demand' and transparent.

        What he is doing is making a switch to how his base operating system interfaces the Internet.

        Linux is sufficiently different (not invulnerable) and protected by AA from Zero-Day exploits that it will be a safe choice for venturing on the Internet FOR A LONG TIME TO COME.

        Stay in bounds of the repo system and pick the sites you go to carefully--that goes for all O/S platforms.
        Dietrich T. Schmitz, Your Linux Advocate
        • False sense of security

          While I agree that Linux can be made a safe OS, I would warn against having a false sense of security because of it.

          "One recalls the April 1 Conficker fiasco only to be reminded of just how easy it can be to become infected on Windows by having made an innocent 'drive-by'."

          By using a hole in Windows that was patched a long time before it was on everybody's radar - the issue was that people weren't updating. Not only that, but this is in an OS that runs updates automatically, so they had to be disabling the service or ignoring the updates.

          "No one questions that there are serious issues with respect to Windows security."

          I'd question that there are serious issues with Windows 7 security. The default settings are far better than they used to be, and the OS updates automatically, like any OS should.

          The evidence of what really happened is still sketchy. As far as I can tell, he wasn't compromised on his own system. So I still stand by the idea that Windows (especially Vista or 7) can be made secure.
          • so they had to be disabling the service or ignoring the updates

            Not necessarily. Windows Update can fail sometimes for various reasons. If an update fails to install it will not try again but will be listed as a failure in the log file. This is available to view but only if you drill down within Control Panel, something non-techies will not do.

            Keeping your Windows PC up to date still requires a fair amount of manual intervention and needs technical knowledge. That's the problem.
            The Star King
          • This occurs VERY VERY infrequently

            Most stalled updates apply fine soon after a machine is rebooted because the process that was using the resource that required updating was shut down, releasing the affected resource.

            Most users need to do nothing to automatically receive the latest patches and updates direct from Microsoft.

            The sad fact of the matter is that the VAST majority of PCs infected with Conficker had, in FACT, turned off automatic updates, and Vista machines that had been infected had usually ALSO turned off UAC - usually on the advice of so-called "Experts" who should know better.
          • False on Windows 7.

            "If an update fails to install it will not try again but will be listed as a failure in the log file. This is available to view but only if you drill down within control panel, something non-techies will not do."

            In my experience, Windows 7 will keep failed updates available for install in the same place they were available before they failed. I have not experienced Windows 7 hiding a failed

            Besides, failed updates are rare, and usually minor - the failed updates I've seen are not the big security updates.
          • my example

            is installing SP1 in Vista. This update failed (don't know why) but Windows said nothing and it's only when I asked myself "why haven't I got SP1, it's been available for 6 months" that I looked deep into Windows Update. I then found a screen showing an attempt had been made to install SP1 six months ago. Win Update was making no attempts to reinstall it, and did not warn me. Also, there is no "try again" option in windows update to retry a failed update. I called technical support and they said the only way is to go to the MS website and install manually. This involves downloading a much larger file than would be needed in the automatic update program.

            So in this example, it needed technical knowledge and manual intervention, including help from technical support to keep my machine up to date. Hardly automatic!

            But perhaps this is all better in Win 7...
            The Star King
    • $sudo aa-enforce

      Non-techies will have no idea what this means or how to do this. Even if they do manage to run the command once (and assuming the files are all where you say), will this setting operate every time they boot up their computer? Or does this command need to be run each time or put in a boot-up configuration file?

      All these tasks are well beyond the skill of an average user. I'm afraid it's an example of how Linux remains inaccessible to ordinary people.
      The Star King
      • No worse or more confusing than a UAC prompt. And it's a one-time change

        Dietrich T. Schmitz, Your Linux Advocate
        • Nonsense

          Sorry DTS, but you're WRONG on this one. The UAC prompt explains using plain English why the user is being prompted. Expecting my Mum to open a console and AppArmor her apps, one by one, is just not going to happen.
          • That wasn't my message. FF profile is present. It is simple to enable.

            We can agree to disagree on that point.
            Dietrich T. Schmitz, Your Linux Advocate
          • you are talking nonsense

            [i]"The UAC prompt explains using plain english why the user is being prompted"[/i]

            So does gksu. What is your point? AppArmor and UAC are two different things. UAC's equivalent is gksu on the GUI and sudo on the CLI.
      • Non-Techi

        If you want to know what it means, then here's the documentation:

        Copy and pasting a command to a terminal is not beyond the average user's skills.