Internet Privacy: Do You Google?

This article is going to be seen as “political” by some, and as such will be controversial. So, if you, dear reader, do not like reading “political” articles, move on along, there is nothing to see here. But if you are a person who can peer past the veil of “politics” to the heart of a matter, you may want to keep reading.

First off, I am a USA National with a long form, hard copy birth certificate to prove it if needed. I believe strongly in personal freedom, personal privacy, personal responsibility, and small, limited government. Very much like the founders of my country (1,2,3). I have been dismayed at the growth of government in my country and the resulting erosion of personal freedom and personal privacy for a long time now. I could not care less which “political party” is in power as long as they share the ideals of the founders of the USA, and thus my ideals.

Sadly, or tragically, or disgustingly, or perhaps happily, depending on one’s perspective, neither of the two major parties here share the ideals of the founders of this nation. They have proven so over and over by continuing to grow the power and reach of government after each election cycle is completed. The slide toward despotism and tyranny in a country always begins with the growth of government and the erosion of personal freedom. An honest look at history will prove that.

What does this have to do with Internet privacy and Google? If you use Google for anything, the US government, and likely other governments, can potentially see what you are doing. Google has servers all over the world and keeps records of your activity, and Google can therefore be coerced into handing those records to a government agency. Further, at the time of writing Google does not force HTTPS on every service for every user, so a connection that runs over plain HTTP can be read by the network monitoring programs used by government agencies, such as the US NSA, with no need to go to Google at all. This does not just affect Google users, it also affects users of Yahoo!, Bing and any other on-line service that keeps records of activity and/or does not encrypt connections by default.

The recent revelations that the US government has massive data gathering programs to obtain data on Internet and phone users is no surprise to those of us who suspected this all along. But it has been a big, unpleasant surprise to many folk who do not usually think about these issues. Inevitably we have seen the tired argument raised, “I don’t care! I have nothing to hide! Only people who want to hide criminal activity would be concerned about this!” Yes, the exclamation points must be used. From a freedom and privacy perspective this argument is egregiously incorrect. Allow me to quote a wise man, “They who can give up essential liberty to obtain a little temporary safety, deserve neither liberty nor safety.” – Benjamin Franklin 1775.

Some others have addressed this argument as well:

Why Privacy Matters Even if You Have ‘Nothing to Hide’
By Daniel J. Solove
The Chronicle Review – May 15, 2011

Plenty to Hide
By Jay Stanley
lifehacker – June 14, 2012

Why ‘I Have Nothing to Hide’ Is the Wrong Way to Think About Surveillance
By Moxie Marlinspike – June 13, 2013

If you are concerned about your privacy on-line what can you do about protecting your privacy from snooping? Here are some means to assist you with that.

Use HTTPS for as much of your browsing on-line as possible. This encrypts the traffic between your browser and the host it connects to, so an observer on the wire (an ISP, or a tap feeding a monitoring program) cannot read the pages you request or the search terms you submit. It does not hide everything. The observer still sees that you connected, when, roughly how much data moved, and usually which host you connected to, because the DNS lookup and the server name sent at the start of the TLS handshake are not encrypted. HTTPS also does nothing about the records the host itself keeps. Treat it as protection for the content of the conversation, not for the fact of it.
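As an added illustration (not part of the original post), the following Python script shows that difference concretely. It builds the first message of a TLS handshake for a constructed hostname and parses it the way a passive sniffer would, then parses the same search sent as a plaintext HTTP request. The hostname, the search term and the fixed "random" bytes are invented for the demonstration; the byte layout follows the TLS 1.2 record format (RFC 5246) and the SNI extension (RFC 6066).

```python
"""
Added example, not code from the original post: what a passive observer on the
wire still reads from an HTTPS connection versus a plain HTTP one.  TLS encrypts
the HTTP request, but the first handshake message (the ClientHello) goes out in
the clear and normally carries the server name (SNI).  Hostname, query and the
fixed random bytes are constructed for the demonstration.
"""
import struct
from typing import Optional
from urllib.parse import urlsplit, parse_qs


def build_client_hello(hostname: str) -> bytes:
    """Build a minimal TLS 1.2 ClientHello record that carries an SNI extension."""
    name = hostname.encode("ascii")
    server_name = b"\x00" + struct.pack("!H", len(name)) + name          # type host_name(0), length, name
    server_name_list = struct.pack("!H", len(server_name)) + server_name
    sni_ext = b"\x00\x00" + struct.pack("!H", len(server_name_list)) + server_name_list  # ext type 0
    extensions = struct.pack("!H", len(sni_ext)) + sni_ext
    body = (
        b"\x03\x03"            # client_version: TLS 1.2
        + b"\x11" * 32         # random: constructed constant; real clients send 32 random bytes
        + b"\x00"              # session_id: empty
        + b"\x00\x02\xc0\x2f"  # cipher_suites: one suite (TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256)
        + b"\x01\x00"          # compression_methods: null only
        + extensions
    )
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body   # HandshakeType client_hello(1), 24-bit length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # ContentType handshake(22)


def sniff_sni(record: bytes) -> Optional[str]:
    """Parse a TLS record the way a passive sniffer would; return the SNI hostname or None."""
    if len(record) < 5 or record[0] != 0x16:
        return None                                   # not a Handshake record
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        return None                                   # not a ClientHello
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                      # skip client_version and random
    pos += 1 + body[pos]                              # session_id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
    pos += 1 + body[pos]                              # compression_methods
    if pos + 2 > len(body):
        return None                                   # no extensions at all
    end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
        data = body[pos + 4:pos + 4 + ext_len]
        pos += 4 + ext_len
        if ext_type == 0x0000 and len(data) >= 5 and data[2] == 0:   # server_name, entry type host_name
            name_len = struct.unpack("!H", data[3:5])[0]
            return data[5:5 + name_len].decode("ascii")
    return None


def sniff_http_request(request: bytes):
    """For plaintext HTTP everything is visible: return (host, path, query parameters)."""
    head = request.split(b"\r\n\r\n", 1)[0].decode("ascii", "replace")
    lines = head.split("\r\n")
    _method, target, _version = lines[0].split(" ", 2)
    host = None
    for line in lines[1:]:
        if line.lower().startswith("host:"):
            host = line.split(":", 1)[1].strip()
    parts = urlsplit(target)
    return host, parts.path, parse_qs(parts.query)


if __name__ == "__main__":
    # Constructed traffic: the same search, once over HTTP and once as the start of an HTTPS session.
    plain = b"GET /search?q=private+matter HTTP/1.1\r\nHost: search.example.net\r\n\r\n"
    print("HTTP observer sees :", sniff_http_request(plain))
    print("HTTPS observer sees:", sniff_sni(build_client_hello("search.example.net")))
```

Run it and the HTTPS observer gets only the hostname, while the HTTP observer gets the host, the path and the query string, which for a search engine is the search itself. The hostname leaks through the DNS lookup as well, so treat it as visible regardless.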

Limit your searches to search engines that do not track you and do not store information about your searches. Two of these are run by the same group, and both protect your privacy by first using HTTPS encrypted connections and second by not storing any information about your searches. By using encryption you are protected from in-line scanning of your searches. By not having information stored about your searches you are protected from government coercion of your search provider to reveal your search data. Note that the encryption is something you can check for yourself in the browser (the padlock and the certificate), while "we store nothing" is a policy promise you have to take on trust. Even better for USA users, the servers for these services are in The Netherlands. This means it would require the US government to rely on treaties and negotiations with the host country before it could even approach the owners of the servers.

Caveat: occasionally these search engines return a message about being overloaded and request you wait for a few minutes and try again. While this may be annoying and frustrating, it surely is a small price to pay for your privacy.

When practical, use a proxy to view web sites. Both of the search engines mentioned above provide a relatively secure proxy feature. A proxy connects to the web host with its own IP address and acts as a bridge between your browser and the host system, so the sites you open from a search result see the proxy, not you. This helps mitigate your exposure when using sites for which you have searched. Certain features of content rich web sites will not work through a proxy and require a direct connection, so you have to decide whether or not to continue using such sites. For example, browser plugins such as Java can open their own network connections that ignore the browser's proxy settings; a page that loads such content sees your real IP address, and no amount of proxy routing can hide you at that point.

What about e-mail privacy? Once again, avoid the major players like Google, Yahoo!, Microsoft, et al. It may be worth a few dollars to secure your e-mail by using a paid, privacy e-mail service located in a country other than your own. Bear in mind that any message you exchange with someone on Google or Yahoo! still lands on their servers, so a message is only as private as the least private mailbox it passes through. This web search may offer you some ideas: secure private e-mail.

Ultimately we all need to decide what the term “privacy” entails and how much privacy means to us. For me, my “stuff” is mine and no one has a right to know about my “stuff” unless I choose to share it. If this means I have a little less “safety” from terrorists, so be it. I am not willing to compromise my freedoms for some amorphous amount of perceived safety.

Open Source: Homeschool Computing

Proverbs 22:6 – Teach a youth about the way he should go; even when he is old he will not depart from it.
Holman Christian Standard Bible (HCSB)

Many parents in recent years have chosen to homeschool their children. The reasons for this vary, but most include some measure of the understanding that to truly pass on one’s values to one’s children one needs to be the primary source of information for that child. To place one’s child in a school, public or private, is to give up at least part of one’s responsibility to and for that child. There is usually also a desire to have more control over what that immature mind is experiencing as it grows. Some life events should be shielded from a growing mind until that mind is mature enough to handle such events in the context of the desired values imparted by the parents.

One of the facets of homeschooling has to do with computing systems, networking and the Internet. As a homeschool parent once told me, she would never allow her children on the Internet without her or her husband present. This meant the parents could not take time out and let the child have unmonitored free time on the computer unless it was unplugged from the network. I have had that conversation tickling the back of my mind ever since. I think I might have an answer for that homeschool mother and other homeschooling parents in a similar situation. The answer, of course, involves Linux and FOSS.

I recently quoted a dual Opteron CPU (8-cores), 16 GB RAM, dual 500 GB drives, small business Linux server build to a local client. After looking over the quote, which is under $1500, I came to the realization that this server could also serve as the heart of a FOSS homeschool Linux Terminal Server system. The server could have FOSS parental controls, such as DansGuardian, with the parents having complete control of the server. Then the children could have access to the internet only through the controlled connection that goes through the home server. A diskless workstation that boots from the home server could be built for each child for a very low cost. Or, if the parents want to spend the money, each child could have a laptop or netbook loaded with Linux that connects to and through the server. The only costs to the parents are the hardware and the time to become educated about running a Linux based homeschool server.
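As an added illustration (not code from the original post and not DansGuardian's own configuration or code), here is the kind of decision logic the filter on such a home server has to make, together with the two bypasses a plain hostname list misses: raw IP addresses and lookalike domains. The allow-list, phrase list and URLs are constructed for the demonstration.

```python
"""
Added example, not from the original post: a small URL filter policy of the kind a
forced web proxy on the home server would apply.  The domains, phrases and URLs are
constructed; this is an illustration, not DansGuardian's configuration format.
"""
import ipaddress
from urllib.parse import urlsplit

ALLOWED_DOMAINS = {"khanacademy.org", "example.edu"}   # constructed allow-list
BLOCKED_WORDS = {"gambling", "casino"}                 # constructed phrase list


def host_allowed(host: str) -> bool:
    """Exact match or a true subdomain of an allowed domain.

    The check uses a leading dot so a lookalike such as evilkhanacademy.org
    does not match khanacademy.org by suffix.
    """
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in ALLOWED_DOMAINS)


def decide(url: str) -> str:
    """Return 'allow' or 'deny:<reason>' for a requested URL."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    # Bypass 1: a raw IP literal (IPv4 or IPv6) sidesteps any hostname list; deny outright.
    try:
        ipaddress.ip_address(host)
        return "deny:ip-literal"
    except ValueError:
        pass
    # Bypass 2: only http/https pass through the filter; other protocols must be
    # blocked at the server's firewall, so the filter refuses them as well.
    if parts.scheme not in ("http", "https"):
        return "deny:scheme"
    if not host_allowed(host):
        return "deny:not-allowlisted"
    # Phrase filtering on the path and query, the cheap part of what content filters do.
    text = (parts.path + "?" + parts.query).lower()
    if any(word in text for word in BLOCKED_WORDS):
        return "deny:phrase"
    return "allow"


if __name__ == "__main__":
    for u in ("https://www.khanacademy.org/math",
              "http://evilkhanacademy.org/",
              "http://93.184.216.34/",
              "http://[2001:db8::1]/",
              "ftp://example.edu/",
              "https://example.edu/casino-night"):
        print(f"{decide(u):24s} {u}")
```

The logic only helps if the children's workstations have no route to the Internet other than through the server, and the server's firewall drops anything that does not go through the proxy. A filter that can be walked around is decoration.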

A homeschool system built with FOSS gets one all the tools one needs to teach a child about general computing and/or programming. Plus there is the benefit of “free” office suites such as LibreOffice, dozens of “free” games, “free” educational software like GCompris (ages 2 – 10), as well as hundreds of other “free” applications. These are almost all “free” in the truest sense of the word “free”. Meaning they are unencumbered with restrictive licenses that forbid one to install an application on more than one system without paying money. They can be given away and even modified at the source code level and redistributed by one’s budding, homeschooled programmer without having to worry about Federal Marshals showing up at one’s door. An added benefit is that one does not have to worry about Microsoft Windows or Apple OS X viruses, worms, Trojan horses, spyware and adware on a Linux system. A properly secured Linux home server can be set up very easily to also avoid the very few malware that may attack services on Linux.

In conclusion, I believe my homeschooling friends I mention above could have benefited from such a system. Their children are now grown and out, so the point is moot for them. But there are hundreds of other homeschooling parents who might want to consider a Linux based homeschool system for their children. The idea is worth examining, in my not so humble opinion.

Security: Linux, OS X, Unix and Malware (Viruses)

I recently had the opportunity to look into the anti-malware world of Apple OS X. One of our clients moved to a new office in late October 2011. As part of this move they also moved from Microsoft operating systems and software to Apple OS X systems and software, making a clean break from all things Microsoft. While researching their question about anti-malware for OS X I found that the world of anti-malware for OS X is just as fraught with information and disinformation from Apple fans, Apple opponents and anti-malware vendors as the world of Linux seems to be at times with its fans and detractors. I came to the following conclusion which is paraphrased and expanded from the e-mail I sent our client.

After a lot of research over the past month I have come to the conclusion that costly Unix, OS X and Linux anti-malware programs, such as Norton anti-virus on OS X, are a waste of money. It is not that unix-like systems are invulnerable to attack, but that the types of attacks I have seen mentioned over this month will get right through most anti-malware software on systems that are vulnerable. All these anti-malware solutions seem able to do is protect your Microsoft using friends and clients to whom you might forward an infected e-mail sent to you from someone else using an infected Microsoft Windows system.

The fact that Microsoft software has the largest installed base on the desktop does mean there are many more attacks against Microsoft systems in the desktop space. But, just because a system is highly targeted does not mean it can be successfully targeted. The flawed core design of all Microsoft operating systems, desktop and server, means more successful attacks. The "designed with security in mind" unix-like systems are much less likely to experience a successful attack on the desktop or the server. This is not to say they will never be targeted, they will. Just that the incidence of successful attacks is likely to be much lower than that of Microsoft's systems. Of course, any desktop system that has a user interacting with it can be successfully attacked through social engineering. User education is the main defence against social engineering attacks, backed up by working day-to-day as an ordinary user so that installing software takes a deliberate step and an administrator password.

Unix-like systems are typically not susceptible to traditional viruses such as those found on Microsoft Windows. However, they can be susceptible to social engineering, worm and Trojan Horse attacks. Here are some basic definitions:

Virus – Self-replicating malware that attaches itself to executable files. The infected program has to be run for the virus to spread. Typically viruses seek out system programs that start when the system starts, or specific software that is ubiquitous on the platform the virus is designed to attack.

Worm – Self-spreading malware that attacks network "services" (print servers, name servers, web servers, file servers and the like) that are unpatched or misconfigured. A worm needs no user action: it exploits the vulnerable service, installs itself on the newly infected system, often together with a "rootkit" to hide itself, and starts scanning the network for more vulnerable systems it can attack from there. All modern desktop operating systems are likely to be running a service of some sort. Server systems will definitely be running some services. Worms only succeed against a service that is vulnerable, usually because it has not been patched or has been left with a default or weak password.

Trojan Horse – Malware that the end-user installs because it pretends to be something it is not. This is the most prevalent attack these days, and it relies on social engineering rather than on a flaw in the software. Fake anti-virus pop-up messages from compromised web sites are the most common infection vector; deliberately trojaned installers and source archives from "strange" web sites are the other. A Trojan Horse may carry a virus, a worm or both as its payload.

For more detail see this: The Difference Between a Computer Virus, Worm and Trojan Horse

Anti-virus software is largely retroactive. In other words, for all of these, the anti-virus software has to already "know" about specific malware, by signature or by a behaviour pattern it has seen before, to be able to prevent it. In the event of web site pop-up malware, most, if not all, anti-virus software will happily let one install the software that is masquerading as anti-virus software. In some cases the end-user might get a warning that the software is malicious. But often no warning is given, even with web scanning enabled in the anti-virus software. Then the uneducated, gullible user clicks on the dialog and essentially, but unknowingly, agrees to infect the system.
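As an added demonstration of that point (not code from the original post), the following Python script implements a toy scanner with two signature types, a whole-file hash and a byte pattern, as a vendor might ship them after analysts have seen a sample. The "malware" is a harmless constructed byte string and the detection names are invented; the point is how little a malware author has to change to get past each signature.

```python
"""
Added example, not from the original post: why signature-based anti-virus is
reactive.  A scanner that knows a sample only by hash, or by a fixed byte
pattern, catches that exact sample and misses a trivially modified copy.
The sample and signatures are constructed for the demonstration.
"""
import hashlib
import re
from typing import Dict, Optional

# Constructed "known sample": pretend this is a downloaded fake-AV installer.
KNOWN_SAMPLE = (
    b"MZ\x90\x00"
    + b"FAKE-AV-INSTALLER v1.0; pay $49.99 to clean your Mac"
    + b"\x00" * 16
)

# Signature database as it might look once analysts have seen KNOWN_SAMPLE.
HASH_SIGNATURES = {hashlib.sha256(KNOWN_SAMPLE).hexdigest(): "Trojan.FakeAV.Example"}
PATTERN_SIGNATURES = {re.compile(rb"FAKE-AV-INSTALLER v1\.0"): "Trojan.FakeAV.Example.gen"}


def scan(data: bytes) -> Optional[str]:
    """Return the detection name for data, or None if no signature matches."""
    digest = hashlib.sha256(data).hexdigest()
    if digest in HASH_SIGNATURES:           # exact-file signature: any byte change defeats it
        return HASH_SIGNATURES[digest]
    for pattern, name in PATTERN_SIGNATURES.items():
        if pattern.search(data):            # pattern signature: survives changes elsewhere in the file
            return name
    return None


def repack(sample: bytes, version: bytes) -> bytes:
    """Simulate what a malware author does between campaigns: change a string and rebuild."""
    return sample.replace(b"v1.0", version)


def demo() -> Dict[str, Optional[str]]:
    """Scan the known sample and two cheap variants of it."""
    return {
        "original": scan(KNOWN_SAMPLE),
        "one byte changed": scan(KNOWN_SAMPLE[:-1] + b"\x01"),   # hash misses, pattern still hits
        "repacked v1.1": scan(repack(KNOWN_SAMPLE, b"v1.1")),    # both signatures miss
    }


if __name__ == "__main__":
    for variant, verdict in demo().items():
        print(f"{variant:18s} -> {verdict or 'clean (missed)'}")
```

The first variant is what a scanner sees the day after a signature ships; the second is what it sees when the next campaign starts, and the user who clicks [Install] on that one gets no warning at all.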

Here is one example of a successful Trojan Horse web based attack on OS X systems:

Mac OS X Viruses: How to Remove and Prevent the Mac Protector Malware

If you are new to unix-like systems and have not yet purchased anti-malware for your Linux, Unix or OS X, here is what I recommend. Do not buy anti-malware for unix-like systems as you will likely just be wasting your money. Instead, use a “free” anti-malware package if you feel you must have one. Keep your unix-like systems up to date. Then educate yourself, your friends, your acquaintances and your employees about these web based Trojan Horse attacks. Think long and hard before you download and install any “strange” software from “strange” web sites. Ultimately the human mind considering the pop-up message on the screen or the program download from a “strange” site is the last line of defense against these attacks. An educated, cautious mind is the best defense against a social engineering malware attack.

Finally, we all know there are some people for whom no amount of training will suffice. Not all brains are equal in their ability to process and store information. These folk may listen politely to explanations about malware, nod that they understand, then go ahead and click the [Install] button on a malicious pop-up dialog and follow the instructions to completion. There are also people who refuse to learn anything they perceive to be “inconvenient”. They remain willfully ignorant of malware threats as a result. These people will always be the weak link in the chain when attempting to protect personal and business systems from malware. The malware clean-up businesses will still have a strong future with these people using computers, no matter what operating system they use.


Microsoft Windows – Promoting Mediocrity Since 1985

What do I mean “… Since 1985”? Go here for a timeline of Microsoft Windows: A history of Windows – Microsoft Windows

I am a Unix / Linux guy writing this article out of sheer frustration, so if one does not like pointed, accurate ranting about that Not A Unix OS to which one may be partial, stop here.

Our company web log, web site, shopping site and forum get hit by varying degrees with SPAM bots, or in some cases possibly paid SPAM shills, signing up for accounts, posting “comments” and sending “track-backs” that aren’t. Constant administration oversight is needed to keep these cleaned up, which is one reason why all comments and track-backs here at The ERACC Web Log are moderated. We see the SPAM so you don’t have to. I also see the occasional SPAM in my e-mail. Even though I have measures in place to mitigate the problem in all these locations, nothing completely stops these annoying SPAM-ing jerks. Invariably, when I trace back the IP addresses of these SPAM attempts with nmap and check the running OS I see something like this:

Running: Microsoft Windows 2003
OS details: Microsoft Windows Server 2003 SP2, Microsoft Windows XP SP2

It seems another technically ignorant Microsoft user, or dare I say “administrator”, has zero clue how to secure an internet facing operating system. (By the way, saying these folk are ignorant is not a slur on their character, because ignorance can be cured.) You see, when a company designs an operating system so mediocre and so “easy” an ignorant person can use it to connect a computer to the internet, you get ignorant people connecting computers to the internet. This in and of itself is not necessarily a Bad Thing™. Unless the operating system in question has flawed design decisions from its inception that leave the OS open to attack when connected to the internet by ignorant users. (Psst, meaning Microsoft Windows from 1985 to now.) Yes, all the Microsoft “guru” types out there are gnashing teeth and insisting Microsoft operating systems can be secured. Yup, I agree. But not by the technically clueless who are coddled by intellect smothering GUI love, which means the majority of Microsoft users.

Too many Microsoft users have been taught the attitude, “I don’t want to have to learn something ‘hard’, I just want this thing to work.” when talking about computer systems. This brings to mind one of my favorite paragraphs from a book I have read more than once:

“Would you fight so with a sword? No? I thought not! You would try to cut your enemy even as his blade split your heart. That is the Angrezi vice; you would rather die than go to the effort of thinking. You are not stupid, but you are lazy —” He touched the side of his head to show what he meant. “You will toil like bullocks with your bodies rather than make your brains sweat.”

David bar-Elias to Athelstane King after King “gives up” during a chess match with Elias in The Peshawar Lancers by S. M. Stirling.

Unfortunately, since Microsoft systems always use a brain atrophying GUI for Every Freaking Thing, the ignorant users are usually not taught how to think for themselves. So these people rarely know the hows and whys of network security or how to parse and solve network problems with their own brain. The GUI keeps these poor people ignorant. If “it” is not in a GUI, “it” is not possible or even knowable as far as many of these folks are concerned. Substitute some network security task for “it” in the previous sentence. (Hey, you. Yeah, you over there using that Microsoft OS. That is a multifunction tool called a computer, not a microwave oven or a toaster or a television set. Get an OS that can teach you that.)

Further, when basic design decisions are made that start off without any thought of security for this same operating system you get an operating system that is easy to suborn, regardless of the endless Microsoft Patch Tuesdays. Anti-malware is a bandage at best, because anti-malware is primarily retroactive. Anyone who is honest will admit that there are attacks that get through anti-malware on Microsoft systems all the time. Not every Microsoft system, because eventually the anti-malware vendors catch up. But if one is the first to get a new “infection”, one’s “heuristic” anti-malware has a fair chance of not catching a new malicious package introduced through that “Excellent FaceBook Page!!!11!!” one just visited with Internet Explorer. (For the record, it is not a “PC Virus”, sweetie, it is a “Microsoft Windows Virus”.)

Add to this heinous equation all the clueless Microsoft users and Microsoft "administrators" clicking their way to GUI Nirvana to realize a world-wide network nightmare called Microsoft Bot-nets, Microsoft SPAM relays and other Microsoft related malware spewing sewers. Here have some Microsoft based SPAM, or a Microsoft based DoS attack. Isn't mediocrity just Totally Sweet?

When a company promotes ease of use mediocrity over security for its operating systems, perhaps its operating systems should not be allowed on the internet. I’m just saying …

Notice: All comments here are approved by a moderator before they will show up. Depending on the time of day this can take several hours. Please be patient and only post comments once. Thank you.

Open Source: FOSS Security Updates vs Microsoft Patch Day

It is almost that time again. The ritual of installing Microsoft patches released on the second Tuesday of each month to fix security problems with its operating systems and software. My company will be monitoring and installing these updates again for some of our local clients this week.

It is an ironic coincidence that I have received update notices from Mandriva for software installed on my Linux PC systems as well this weekend. These updates come regularly from the upstream developers through Mandriva to Mandriva end-users. These updates may be simple code fixes for bugs, upgrades to get new versions of software or security fixes to patch possible security problems. While looking at these today I thought it would be interesting to compare, vulnerability-wise, what I am getting from Mandriva today with what Microsoft customers will be getting on Tuesday 14 September 2010.

First, to understand Microsoft's vulnerability code words one must know the terminology Microsoft uses and what it means. This is found in this table borrowed from Microsoft:

Rating      Definition
Critical    A vulnerability whose exploitation could allow the propagation of an Internet worm without user action.
Important   A vulnerability whose exploitation could result in compromise of the confidentiality, integrity, or availability of users data, or of the integrity or availability of processing resources.
Moderate    Exploitability is mitigated to a significant degree by factors such as default configuration, auditing, or difficulty of exploitation.
Low         A vulnerability whose exploitation is extremely difficult, or whose impact is minimal.

Then one needs to see the Microsoft Security Bulletin Advance Notification for September 2010. If that URL is broken or does not work for one I created a PDF document from that page. What we see are nine "bulletins". The word bulletin is Microsoft-speak for "a problem with our code" or "a vulnerability in our code". The euphemistic term bulletin sounds urgent, no?

Then we see the various software that is afflicted with the problems requiring patches. For our purposes today I am going to ignore all but those that affect Windows 7. Why? Because I am using the latest Mandriva release and anyone using Linux on the desktop is more than likely using a recent release. Or at least a release that is newer than XP SP3 or Vista SP1. So the only fair comparison is to stick with Windows 7.

Windows 7 has three patches. These are all marked as Important which, based on the table above, means each is "A vulnerability whose exploitation could result in compromise of the confidentiality, integrity, or availability of users data, or of the integrity or availability of processing resources." Looking at that definition again some may wonder what the heck it really means. Essentially it is saying one's system might be compromised, also known as cracked and improperly known as hacked, if the patch is not installed. Because the rating is Important rather than Critical, Microsoft's judgement is that the compromise cannot happen "automatically", worm-style, without user action. So it likely would require one to click on a URL or open a file to create the compromise. Gee, that cannot be too serious then, right? Oh wait, it CAN be serious! So, you Windows 7 users need to make sure you get those patches.

Now I will examine the updates I am getting from Mandriva. I get a GUI popup that updates are available and have opened that in one of my desktop workspaces. However getting a list from a GUI is problematic. Here is the list as generated from the Mandriva command line command 'urpmi --auto-update -v':

  beagle                         0.3.9        40.3mdv2010.1 i586
  beagle-evolution               0.3.9        40.3mdv2010.1 i586
  beagle-gui                     0.3.9        40.3mdv2010.1 i586
  beagle-libs                    0.3.9        40.3mdv2010.1 i586
  firefox                        3.6.9        0.1mdv2010.1  i586
  firefox-en_GB                  3.6.9        0.1mdv2010.1  i586
  gnome-python-extras            2.25.3       18.2mdv2010.1 i586
  gnome-python-gtkmozembed       2.25.3       18.2mdv2010.1 i586
  gnome-python-gtkspell          2.25.3       18.2mdv2010.1 i586
  kernel-desktop-   1            1mnb2         i586
  kernel-desktop-devel-> 1            1mnb2         i586
  kernel-desktop-devel-latest     1mnb2         i586
  kernel-desktop-latest     1mnb2         i586
  kernel-source-    1            1mnb2         i586
  kernel-source-latest      1mnb2         i586
  libnspr4                       4.8.6        0.1mdv2010.1  i586
  libnss3                        3.12.7       0.1mdv2010.1  i586
  libxulrunner1.9.2.9        0.1mdv2010.1  i586
  nss                            3.12.7       0.1mdv2010.1  i586
  nvidia-current-kernel-2.6.33.> 195.36.24    3mdv2010.1    i586
  nvidia-current-kernel-desktop> 195.36.24    1.20100901.3> i586
  rootcerts                      20100827.00  1mdv2010.1    i586
  xulrunner                  0.1mdv2010.1  i586
  yelp                           2.30.1       4.2mdv2010.1  i586

These updates are better shown grouped and explained this way:


"Security issues" were identified and fixed in Firefox and Mozilla-Thunderbird. The software below relies on some functionality from Firefox and thus also needs to be updated. Technically this is not a "Linux" update. It is a Firefox update that affects some FOSS software that happens to be on my Linux desktop PC. Happily Mandriva provides for these updates in its package management system. Firefox on Microsoft Windows 7 must also be updated. But that is not shown in the Microsoft security bulletins and one cannot get that update direct from Microsoft.

  • firefox-en_GB (Why no firefox-en_US? I don't know.)
  • beagle
  • beagle-evolution
  • beagle-gui
  • beagle-libs
  • gnome-python-extras
  • gnome-python-gtkmozembed
  • gnome-python-gtkspell
  • libnspr4
  • libnss3
  • libxulrunner1.9.2.9
  • nss
  • rootcerts
  • xulrunner
  • yelp


Four "vulnerabilities" were discovered and corrected in the Linux 2.6 kernel. The software below is all related to the Linux kernel and thus also needs to be updated.

  • kernel-desktop-
  • kernel-desktop-devel-
  • kernel-desktop-devel-latest
  • kernel-source-
  • kernel-source-latest
  • nvidia-current-kernel-
  • nvidia-current-kernel-desktop-latest

The words "security issues" and "vulnerabilities" are not my words. These are how the updates are described by the Linux/FOSS community. If one wants to know about the vulnerabilities and security problems as reported then these two URLs will explain the details: (for Firefox) (for Linux kernel)

Okay, so what does this all mean? Are Linux and FOSS less secure and more vulnerable than Microsoft Windows 7 because there are more updates shown here? No, not really. In fact, even if I did not apply these updates and some virus authors were trying to crack Linux, my risk of my Linux desktop PC being successfully cracked is low to zero. Did you get that? I will repeat what I said, "In fact, even if I did not apply these updates and some virus authors were trying to crack Linux, my risk of my Linux desktop PC being successfully cracked is low to zero."

Some ignorant people argue that Linux and FOSS are not cracked much because Linux and FOSS are not all that popular. The argument then goes on to state that Microsoft systems are cracked often because they are more popular and this makes Microsoft a bigger target. That is absolutely false. Linux security updates, if not applied to a typical Linux desktop system, will most likely not result in that system being compromised. The converse is not true of Microsoft systems. Fail to update a Microsoft desktop system and the risk that it will be compromised with malware rises from likely to near certain. Even then one's Microsoft PC is still vulnerable due to basic design flaws in the operating system.

Frankly, it requires much more effort to crack a typical Linux desktop PC than to crack a typical Microsoft desktop PC. Heck, even the United States National Security Agency (NSA) thinks so. This is covered in a document about its Security-Enhanced Linux a.k.a. SE Linux. This excerpt from the Introduction is telling (my comments are in parentheses):

Unfortunately, existing mainstream operating systems (meaning Microsoft) lack the critical security feature required for enforcing separation: mandatory access control (MAC) [17] (SE Linux adds this).

The document goes on to state that mandatory access control a.k.a. MAC is needed and is added in SE Linux. However, the interesting point here is that the basic structures needed to be able to add MAC are already in Linux but not in Microsoft systems. This means Linux systems already have a higher security standard "out of the box" than Microsoft. One caveat: SE Linux only confines anything when a policy is loaded and enforcing. A distribution that ships it disabled or in permissive mode has the hooks and none of the protection, so check the mode ('getenforce' on a system with the SE Linux tools installed) before counting on it. Plus, I doubt even the US NSA can get source code to any Microsoft OS without paying dearly and then signing a raft of Non-Disclosure Agreement documents.

So, go ahead and patch those Microsoft Windows 7 systems and then keep on worrying they will be cracked anyway. I think I will put off my Mandriva updates until after I take care of our Microsoft clients and their monthly "Patch Tuesday" requirements … maybe I'll update my systems in December.




Edit Sun Sep 12 21:30:41 CDT 2010: Change the first sentence in the second paragraph based on an accurate observation of the wording by a reader.

Security: FOSS/CSS Updates – Are They Worth Anything?

The short answer: Updates are worthless if one does not apply them.

Once again I find myself cleaning malware off of a home user’s Microsoft based notebook PC. Once again, while it has anti-virus software installed it was infected by a “drive-by attack” from a web page. It was infected with the Antispyware Soft fake anti-malware nag and FUD software. The installed Norton Antivirus, which is up to date, did nothing to stop this attack and was then disabled after the malware got on the system. What happened?

As I type this article the notebook PC’s Microsoft system is downloading and applying updates. Many updates. At least a couple of years of updates. Maybe more than that. The IE browser was pre-IE8 and was not patched with security updates even then. The Firefox browser, which is set as the default, was also not up to date. If the system had not been infected and given into the care of my company to clean up it would likely never see another software update applied. Even though the system was set to download and apply updates automatically, the scheduled time was set for 3:00 AM. A time when this notebook PC owned by an older lady will never be on.

Unfortunately, on consumer desktop and notebook PC systems we in the IT community that services this market often find that software updates are not applied. This includes all software updates, not just those that apply to security flaws in software. It seems that in general people with home computers fall into these categories:

  • Ignorant that updates are needed to protect their PC from malware and fix known bugs in the software. These people never apply updates even if notices are popping up to inform them of updates. If the PC is infected they may be blissfully unaware they are using an infected PC.
  • Aware that updates are needed but lackadaisical about applying them. These folk put off updates for many reasons, but mainly because it is inconvenient to apply updates.
  • Aware that updates are needed and apply them regularly.
  • Absolutely fanatical about making sure updates are applied as soon as they are available.

It appears from my experience that the majority of non-technical end-users who end up with infected systems fall into the first category. The second category is a smaller group that have just been lucky to not yet have an infected PC. These two categories of users are almost all Microsoft operating system users. The latter two categories are the small group of users that are more technical and/or security conscious. The more security conscious but non-technical are usually those who have had to deal with a prior PC infection. The latter two categories rarely or never see an infection. The Open Source community of Linux users is generally more technical at this point and thus more likely to take updates seriously.

The main problem as I see it is one of education. A lack of training that emphasizes the importance of getting and applying software updates as soon as possible. Ignorance rather than sloth. There is no government required training course or license to use a PC as there is to drive a car. But I am not calling for government regulation because most government regulations are already too invasive and burdensome. The world needs less government and more personal responsibility, not more government oversight. The answer does not lie in some government regulation.

What can we do about this problem? I can think of at least two.

  • Those of us who sell PC systems with popular operating systems installed to consumers could take the time to explain to our customers the importance of software updates. We can make that part of the sale (Are you listening Dell? HP? Best Buy? WalMart?) instead of just “selling” Microsoft, Apple or Linux based PC systems and leaving the end-user ignorant. Instead of selling anti-malware as the answer to all malware woes we can be honest and admit that no software is able to make a PC perfectly safe (especially not Microsoft’s operating systems). Then emphasize the importance of getting and installing software updates as they become available. Inform the customer that security is a process, including an awareness of the need for security updates, not a product. Sure, there are still those consumer end-users who will not “get it” and will still not apply updates. But more people being made aware of the importance of software updates will mean more people are likely to take updates seriously and apply them.
  • Automate all updates by default in software on systems expected to be purchased and/or used by the average consumer. Even major updates like XP Service Pack 3 (do not change the original license terms thus requiring end-user agreement, Microsoft, and you can do this too). Then set such automated updates to apply at some time when the computer is likely to be on. Perhaps default the scheduling of updates to start after the system has been on for half an hour instead of at some fixed time in the wee hours of the morning when most home PC systems are off. With FOSS systems that use online software repositories this would mean almost all the software would be updated. The exceptions would be software that the user got outside the repositories. Yes, make this the default but leave options for the user to schedule updates or disable updates altogether. The user that has no clue will be a bit more protected by this proactive approach. The user that already is aware of the need for security processes will be able to handle this just fine.

Oh yes, if an automatic update that applies every update is selected we can be sure there will occasionally be hiccups in the process. The end-user should be informed of this probability up front. Not unpleasantly surprised after the fact.
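The scheduling idea above (run updates once the machine has been up for half an hour, at most once a day, and make an occasional failed run visible rather than silent) can be expressed in a few lines of shell. This is an added example, not code from the original article or from any distribution: the thresholds, the state-file and log-file layout and the placeholder `run_package_update` function are assumptions for the demo, and the real update command is distribution-specific.

```shell
#!/bin/sh
# Added example, not from the original article: a small decision helper for
# the policy "apply updates once the machine has been on for half an hour,
# at most once a day", meant to be run every few minutes from cron or a
# timer. Thresholds, state-file layout and the placeholder update command
# are constructed for the demo; the real command is distribution-specific.

MIN_UPTIME=1800        # seconds the system must have been up (30 minutes)
MIN_INTERVAL=86400     # minimum seconds between two update runs (one day)

# Seconds since boot from the first field of Linux /proc/uptime, truncated.
uptime_seconds() {
    cut -d. -f1 /proc/uptime
}

# Is an update run due?  $1 = uptime seconds, $2 = epoch of the last
# successful run (0 = never), $3 = current epoch.  Returns 0 (due) or 1.
update_due() {
    [ "$1" -ge "$MIN_UPTIME" ] || return 1
    [ $(($3 - $2)) -ge "$MIN_INTERVAL" ] || return 1
    return 0
}

# Epoch of the last successful run, read from the state file; 0 if none yet.
last_run_from() {
    if [ -r "$1" ]; then cat "$1"; else echo 0; fi
}

# Placeholder for the package manager (the distribution's own update tool);
# it only prints here so the example runs offline.
run_package_update() {
    echo "[placeholder] package manager update would run here"
}

# One scheduler tick.  $1 = state file, $2 = log file, $3 = uptime seconds,
# $4 = current epoch.  Prints "applied", "failed" or "skipped".  The stamp is
# written only after a successful run, so a hiccup is retried on the next
# tick and stays visible in the log instead of silently counting as done.
update_tick() {
    local state=$1 log=$2
    if ! update_due "$3" "$(last_run_from "$state")" "$4"; then
        echo "skipped"
        return 0
    fi
    if run_package_update >>"$log" 2>&1; then
        echo "$4" > "$state"
        echo "$4 updates applied" >> "$log"
        echo "applied"
    else
        echo "$4 update run FAILED, will retry next tick" >> "$log"
        echo "failed"
        return 1
    fi
}

# Real tick: ./auto-update.sh /path/to/state-file /path/to/log-file
# (assumed paths; pick ones the invoking account can write).
main() {
    update_tick "$1" "$2" "$(uptime_seconds)" "$(date +%s)"
}

if [ $# -eq 2 ]; then
    main "$@"
fi
```

Hooking `update_tick` to a cron entry that fires every ten minutes gives exactly the behaviour argued for above: a machine switched on for an hour in the evening gets its updates, and a run that fails is logged and retried on the next tick instead of being forgotten.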

If any of you have some interesting ideas about making average end-users aware of the importance of applying updates please feel free to post a comment. Comments that average end-users are all “morons” are unwelcome. Try to be a bit more thoughtful than that.


GNU/Linux: Don’t Call Them PC Viruses

I use a PC. Actually, I use several PCs. My small business has 5 tower PC systems and 1 laptop PC system. All of these are what is called a PC. Any computer that can be purchased by an individual and used by said person for personal "stuff" is by definition a Personal Computer also known as a PC. That includes Apple Computer Systems Personal Computers known as "Macs". All of these devices are PCs.

So, we all can agree that all of these devices are PC systems. The fact that malware is written primarily for PC systems is a given and is well reported in the news. The fact that malware is written primarily for Microsoft Windows based PC systems is often not reported. When such a connection is made in the press or on a Microsoft friendly web site then the caveat is often added that Microsoft Windows suffers from popularity. The argument is that because Microsoft Windows is so ubiquitous it gives a good "Return On Investment" to malware writers. Supposedly these malware writers do not target other operating systems because they want to get the most bang for their buck. I call that hogwash. The reason Microsoft Windows is so often successfully attacked is because of its flawed security design. I run FreeBSD Unix and Mandriva GNU/Linux on my PC systems. I keep my systems patched with up to date bug fixes and security fixes. I will not install software that I do not know from whence it originates. I do not run any anti-virus software and yet I will never get a "PC Virus" on these systems. There is no such thing as a "PC Virus", call them "Microsoft Windows Viruses" or "GNU/Linux Viruses" or "Apple OS X Viruses" depending on the operating system which they successfully attack. Don't call them "PC Viruses".

What is a Virus? I refer people to this definition when asked: The Difference Between a Computer Virus, Worm and Trojan Horse. So, a Virus must be able to be shared and operate easily by user to user transfer to be successful.

All PC systems are targeted for attacks regardless of the operating system. Do not believe any person who says otherwise. The only difference is that some systems are attacked successfully more easily than others. Those easier systems are almost all Microsoft Windows based PC systems. Anyone who has monitored an internet facing server of any type knows that systems connected to the internet are constantly probed for weaknesses in their open services. (Thank you China, may I have another?) These probes are often looking for unpatched services with known flaws that can be exploited. This is true of Unix, including OS X, GNU/Linux and Microsoft Windows based servers. Any of these open services that are not kept up to date can potentially be exploited. The only mitigating factor would be the underlying operating system on top of which the services are running.
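The "constantly probed" observation above is what an administrator sees in the authentication log of any internet facing server. As an added example, not code from the original article, here is the kind of one-off summary a server admin runs over such a log: the sshd lines, host name, addresses and usernames in `SAMPLE_LOG` are constructed sample data, and the threshold passed to `noisy_sources` is an arbitrary demo value.

```shell
#!/bin/sh
# Added example, not from the original article: summarise failed login
# probes per source address from a few constructed sshd log lines.  The
# host name, PIDs, addresses and usernames below are made-up sample data.

SAMPLE_LOG='Oct 23 22:01:02 era4 sshd[1201]: Failed password for invalid user admin from 203.0.113.10 port 51022 ssh2
Oct 23 22:01:05 era4 sshd[1203]: Failed password for invalid user oracle from 203.0.113.10 port 51030 ssh2
Oct 23 22:01:09 era4 sshd[1205]: Failed password for root from 203.0.113.10 port 51041 ssh2
Oct 23 22:02:14 era4 sshd[1210]: Failed password for invalid user test from 198.51.100.7 port 40002 ssh2
Oct 23 22:05:30 era4 sshd[1222]: Accepted publickey for gene from 192.0.2.25 port 55010 ssh2'

# Reads a log on stdin; prints "count address" per source of failed
# passwords, most active source first.
failed_by_source() {
    awk '/sshd\[[0-9]+\]: Failed password/ {
            for (i = 1; i <= NF; i++) if ($i == "from") c[$(i+1)]++
        }
        END { for (ip in c) print c[ip], ip }' | sort -rn
}

# Reads a log on stdin; prints the distinct non-existent usernames that were
# tried, space separated.  A list of generic names is the signature of a
# scripted scan rather than a real user mistyping a password.
probed_usernames() {
    awk '/Failed password for invalid user/ {
            for (i = 1; i <= NF; i++) if ($i == "user") print $(i+1)
        }' | sort -u | tr '\n' ' ' | sed 's/ $//'
}

# Reads a log on stdin; prints the addresses with at least $1 failures.
# The threshold is a constructed demo value; tune it to the host's traffic.
noisy_sources() {
    failed_by_source | awk -v t="$1" '$1 >= t { print $2 }'
}

main() {
    echo "Failed logins per source:"
    printf '%s\n' "$SAMPLE_LOG" | failed_by_source
    echo "Usernames probed: $(printf '%s\n' "$SAMPLE_LOG" | probed_usernames)"
    echo "Sources at or above 3 failures:"
    printf '%s\n' "$SAMPLE_LOG" | noisy_sources 3
}

main
```

On a real host the functions read the live log instead of `SAMPLE_LOG` (for example `failed_by_source < /var/log/auth.log`, path depending on the distribution); the successful key login for `gene` is deliberately included to show that only failures are counted.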

If an attacker can get a root shell prompt, root being the "administrator" account, by exploiting a service flaw on a Unix or GNU/Linux system then the game is over, the attacker basically owns the system at that point. Further, since internet facing systems are often servers that handle traffic for a handful of users up to thousands of users these would be a cherry to pick that is much more "tasty" than some lone PC or even dozens of PC systems. So why do we read so much about successful Microsoft Windows based malware attacks yet read so little about malware exploits of internet facing servers? Well, most of these are running some form of Unix or Unix-like operating system, such as GNU/Linux. The security by design nature of these Unix based systems makes them a very tough nut to crack. Only the really, really smart attackers can figure out how to exploit these systems. The chance of exploiting very many is low because all one has to do to keep an internet facing server "safe" is make sure it is running a Unix based operating system and keep the open services that face the internet up to date. (Yes, I know one can maybe do this with Microsoft based servers too, but they are not in the majority when it comes to internet facing servers.) The majority of system administrators managing internet servers know this. Creating a Virus that can successfully attack these systems using the definition above is likely possible, but spreading it very much is not probable. Just because something is possible, writing a Virus for GNU/Linux, does not make something else probable, the easy spreading of said GNU/Linux Virus. So, attackers that target Unix based systems have to give them personal attention in most cases to find a successful attack vector. These folk are known as Crackers and are a different breed from the plethora of malware writers. Like malware writers, Crackers are slime; they are just a smarter level of slime.

What we Unix and GNU/Linux folk worry about most are Crackers, Worms and Trojan Horses. Of course if one keeps service applications like BIND domain server, Apache web server, Postfix mail server, CUPS print server and so on up to date the probability of a successful Cracker or Worm attack is very low. If one uses only secured sources for installable applications and updates the probability of a successful Trojan Horse attack is also very low. Again these would not be called "PC Crack", "PC Worm" or "PC Trojan Horse". They would be called by the service they successfully attack, such as a BIND Worm that exploits known flaws in unpatched versions of BIND or an Apache Crack that allows a Cracker to successfully "get root" through an unpatched Apache web server. Do these attacks succeed? Yes they do sometimes. But they are much less successful than Viruses that are written to take advantage of user ignorance and Microsoft Windows design flaws.

So, if we ever do see a successful GNU/Linux Virus "in the wild" we will call it a "GNU/Linux Virus". As unlikely as that scenario is due to the mitigating factors that make up the security by design model used with GNU/Linux. Or will all you people that insist on calling Microsoft Windows Viruses by the misnomer "PC Virus" also insist we call a GNU/Linux Virus a "PC Virus"? Suuuure you will.



GNU/Linux Security: Linux House vs Microsoft House

This is the second article in my series about GNU/Linux security for the GNU/Linux curious and new GNU/Linux user. The first article is here: GNU/Linux Security: Ubuntu has been Cracked!

There are many attempts to explain the differences between GNU/Linux and Microsoft products when it comes to security. In this article I am going to make yet another attempt. I want to make this as simple as I can for the non-technical users out there. Especially those that are using Microsoft products and cannot conceive of anything that is more secure by default. If you are a technogeek god then ignore the fact that the explanations here are very simple. If you, in your great geekness, want to expound further then feel free to post a comment.

At base the Microsoft products all go back to a core that is built on the MS-DOS concept of a single task, on a single computer for a single user. There is little need to be concerned about security with such a design. This is a fine concept if one never attempts to use such a system for anything other than a single task, on a single computer for a single user. But that is not what Microsoft has done. The Microsoft products simply kept that single user, single computer base technology and added on multi-tasking (Running many programs at one time.) and networking (Connecting many computers together for sharing data, printers and so on.) Later multi-user capability (More than one user on a computer at the same time.) was added on top of this single user, single tasking core. Granted the multi-user capability is not really present in Microsoft desktop products, so we can ignore the fact that one may create multiple user accounts on a modern Microsoft based desktop system. I will call the Microsoft model a one-one-one model. (See comment #15 below from “paul”, he explains what I mean here better than I have myself.)

The problem with adding on these multi-tasking, networking and multi-user capabilities to the Microsoft one-one-one products is that there appears to originally have been no concern for securing these systems. The security concern only began once people began to see systems being cracked and exploited “in the wild”. However, there was a serious problem with securing these systems. To correctly raise the security bar for Microsoft systems “out of the box” the core of the operating system should have been redesigned from scratch. The backwards compatibility that has its roots in that single task, single user, single computer model would have to go away at some point. Apparently the high and mighty Muckity Mucks at Microsoft made an executive decision to not do that, ever. So, today we have Microsoft Windows 7 released and containing roots going back to that insecure one-one-one operating system design.

How is GNU/Linux different? A GNU/Linux desktop system is designed from the ground up along the Unix model of multiple tasks with multiple users among multiple computers on a network. I will call this a many-many-many design. As such the basic design also includes consideration for securing the operating system and data on same when many users may have access to the same system simultaneously. Therefore, when a GNU/Linux computer is taken out of the box for the first time it already has a higher security capability. This is because of the many-many-many design that included consideration for security from the beginning.

How does this apply in a real world scenario? Okay, because of the original flawed design decisions by Microsoft many third party software packages require that a user be running as a system administrator with full access rights to the computer, including to system files. So, by default when one pulls out a new computer with a Microsoft system installed the users are created as “administrator” users. This is a problem because now this administrator user can browse to an infected web page and see a pop-up with an “anti-virus” warning. Then our poor user will click the close button on the pop-up and become infested with “Antivirus 2010” or other fake anti-virus program that at minimum is irritating but may also have broader security implications by then installing other malware (Malicious Software) that can steal personal information. Because the user is an administrator with full access to the operating system’s files the malware that starts from the web page also has full administrator access and can install itself with impunity.

How can I blame Microsoft for these third party software packages and/or users being set up as administrators? Why not blame these third party software designers? Well, I do blame poorly written software that requires administrator access to work correctly. But I also blame Microsoft. Because Microsoft made the poor decision to stay with their one-one-one design and just “improve” it. At first the only way for any software to work correctly with these “improvements” was to have administrator access. Over the years this has changed, but rewriting all software to these new, more secure specifications is a slow and expensive process for the software companies involved. Microsoft should have scrapped that one-one-one model and redesigned the core operating system from scratch. That redesign should have looked something like Unix … or like GNU/Linux.

The GNU/Linux many-many-many system on the other hand works just fine when a plain user who is not an administrator uses programs on it. So, no software run by the user can affect system files. Further, no software on GNU/Linux is designed to automatically allow software to run from a web browser or e-mail application without the user’s knowledge. No open source developers I know are silly enough to think having such “capabilities” is a good idea. So, when our dear user browses to an infected web site and sees a pop-up about an anti-virus infection she can safely close that pop-up without worrying that an infection will occur in the background that will take over her computer. It is very unlikely that a web based malware script written with GNU/Linux as the target could find a way to even infect the user’s home directory. Why? Well, software that is downloaded from a browser instance is not set as executable. So, even if a browser could be made to download a file without the user knowing it the user would have to make changes to the file permissions to make it executable. There are no .EXE, .COM, .BAT or other files on GNU/Linux that can be run just because of their file extension. A file has to be a compiled application or a script and be set as executable before it will run. This automatically makes it much more difficult to infect a GNU/Linux system behind the user’s back. The effort required is much greater than with Microsoft based systems where the file extension makes the application or script able to be run.

I created a script and uploaded it to my web site to demonstrate this. Here is what a “ls -l” file listing of that script looks like when first downloaded:

-rw-r--r-- 1 gene users 73 2009-10-23 22:28 a_script_for_you

See that “-rw-r--r--”? That means the owner of the file, the “gene” shown after the “1”, can read it and write to it but not execute it, “rw-”. The group, the “users” shown following “gene”, and everyone else, not shown but implied, can read but not write and not execute the script, “r--r--”. The dashes are placeholders for the bits that allow writing, “w”, and executing, “x”, of files. Now I will change the permissions on the script by hand and run it:

[gene@era4 ~]$ chmod 700 a_script_for_you
[gene@era4 ~]$ ./a_script_for_you
I can only run if you use the command 'chmod 700 ./a_script_for_you' or similar!

See? I had to explicitly intervene to make that script run. I would have to do the same if I downloaded a program from a web site. Browsers on GNU/Linux have no ability to change the script to be executable on my system without my knowledge. I have to be involved in the process, so I have to be convinced that making this program or script executable is a good idea. If this script comes from the “Joe’s Bar and Grill” web site and purports to be an upgrade for Firefox I am going to be very suspicious about making it where it will run on my computer. So should you. Social engineering attacks, where the bad guys convince a user to do something stupid, can still occur with GNU/Linux. So beware and be informed about those. But automated attacks that get system level malware installed through the browser or through e-mail are quite impossible on GNU/Linux.
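The same sequence can be reproduced without downloading anything. What follows is an added example, not the script from the original article: it writes a small shell script to disk the way a browser saves a download (a plain file write, so the mode comes from the umask and never includes an execute bit), checks that the kernel refuses to run it, and then shows that only an explicit `chmod` by the user changes that. The file names and the temporary directory are constructed for the demo; the `.exe` variant is there to show that the extension plays no part on GNU/Linux.

```shell
#!/bin/sh
# Added example, not from the original article: reproduce "a downloaded file
# is not executable until the user acts" with a file this script writes
# itself, so it runs offline.  File names and the temporary directory are
# constructed for the demo.

# Save a small shell script the way a browser saves a download: a plain file
# write, so the mode comes from the umask and never includes an x bit.
save_like_a_download() {
    printf '%s\n' '#!/bin/sh' \
        'echo "I can only run if you use the command chmod 700 or similar!"' > "$1"
}

# Permission string as ls -l shows it, e.g. -rw-r--r-- (portable, no GNU stat).
mode_of() {
    ls -l "$1" | cut -c1-10
}

# 0 if the owner may execute the file, 1 otherwise.
is_executable() {
    [ -x "$1" ]
}

# Try to execute the file directly; 0 if it ran, non-zero (126) if the kernel
# refused because no execute bit is set.
try_run() {
    "$1" >/dev/null 2>&1
}

# Walk an already-saved file through the article's sequence.  Prints
# "unlocked" if the file was neither executable nor runnable after the save
# and became both only after an explicit chmod; "unexpected" otherwise.
demo_one_file() {
    if is_executable "$1" || try_run "$1"; then
        echo "unexpected"
        return 1
    fi
    chmod 700 "$1"          # the deliberate step the user has to take
    if is_executable "$1" && try_run "$1"; then
        echo "unlocked"
        return 0
    fi
    echo "unexpected"
    return 1
}

main() {
    workdir=$(mktemp -d) || return 1
    # The .exe name shows the extension is irrelevant on GNU/Linux: only the
    # mode bits decide whether the kernel will execute the file.
    for name in a_script_for_you a_script_for_you.exe; do
        path="$workdir/$name"
        save_like_a_download "$path"
        echo "$name after save:      $(mode_of "$path")"
        echo "$name result:          $(demo_one_file "$path")"
        echo "$name after chmod 700: $(mode_of "$path")"
    done
    rm -rf "$workdir"
}

main
```

Running it prints a `-rw-r--r--` (or `-rw-rw-r--`, depending on the umask) mode after the save and `-rwx------` after the chmod for both names; the "unlocked" result confirms that the kernel refused the file until the user changed its mode.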

This brings me to my illustration of the Linux House versus the Microsoft House. The Linux House is built with bullet-proof windows that are closed and locked. There are thick steel bar grills over all the windows. The Linux House has thick concrete walls, roof and floors. The Linux House has thick solid steel, bunker doors that bolt at both sides, the top and the bottom. Any thief that wants to get in and steal your family heirlooms is going to have to have some serious means of breaking and entering, like a bazooka or a tank. Yet all the security of the Linux House is behind beautiful and functional facades and the typical resident can be blissfully unaware of it most of the time. On the other hand the Microsoft House is pretty much like your house you live in now. It is quite adequate for day to day living but it is no serious impediment to a thief that wants to get in and steal your jewelry. It has plain old Windows. The thief can pretty much just break those Windows and climb in at will. You see, plain old Windows are no real way to stop a thief.

Can Microsoft operating systems be secured? Yes, they can, up to a point. But the starting point to secure Microsoft operating systems is far lower than the starting point for GNU/Linux systems. However, the flawed original design of Microsoft operating systems that underlie all modern versions of Microsoft operating systems keeps them more amenable to attack even when as locked down as possible. Of course, in reality, the only truly secure computer is one that is never used, by anyone. But then again, no one is going to spend money on a computer that cannot be used.

Any of you serious security types that want to share more information about GNU/Linux and its security by design model or have better illustrations than mine, please leave a comment.


GNU/Linux Security: Ubuntu has been Cracked!

[Notice: If you do not like the title, read the article anyway. Otherwise, there is no point in sending me a comment as I will not post comments that state something like, "Your title suxxors! I refused to read your article after I read the first paragraph! You're just trying to boost traffic to your site! You're lame!!" Do you also go around judging books by their covers? 🙂 ]

Okay, I admit I created that title just to get your attention. It worked, you're here. What is the reason for such a provocative title? Other than the obvious tabloid hook, I want to explore the future of GNU/Linux. You know, the time in the near future when "Once 'Linux' is (as|more) popular (as|than) 'Windows' it will start getting all those viruses too."

First off, the problem with that statement is that there is no single homogeneous 'Linux' to be attacked, meaning GNU/Linux of course, as there is a single 'Windows' to be attacked. There are several hundred distributions of GNU/Linux all with differing release versions of software and underlying software libraries. The very heterogeneous nature of the GNU/Linux ecosystem makes creating a far reaching automatic malware attack difficult to unlikely. While one may find a way to automatically attack a large user base of a single distribution, like that of Ubuntu, the attack will not likely work across all or even most other GNU/Linux distributions due to the diverse nature of the versions of included software.

Calls from people without and within the FLOSS community to create a "single Linux" or to standardise all distributions are a danger to the security that is inherent in the healthy heterogeneity of GNU/Linux. No, I do not mean "security through obscurity", I mean security through diversity. Part of the problem with the Microsoft install base is that the Microsoft systems in use are all very similar. An automated attack that works on one of them will more than likely work on most of them. If there ever becomes a single GNU/Linux that contains 80% or more of the market then GNU/Linux will be less secure as a result. (See my correction for the previous sentence in comment #25.) In such a future a theoretical automated attack that could infect one GNU/Linux system would have far reaching consequences. Just as the malware that affects Microsoft systems has today.

We all know the weakest security link in a system is the user. I predict that social engineering attacks will be the most prevalent method of attempting to subvert GNU/Linux users. Even today a naive user running GNU/Linux could still be subverted with a phishing scam. However, since GNU/Linux has traditional Unix privilege separation an automated attack that can take over the computer from an unprivileged user login becomes much more difficult. Under traditional Unix privilege separation a non-root ("root" equals "administrator"), unprivileged user cannot change the system files. Could one overcome this privilege separation? Perhaps on a single distribution one could if one put enough time and effort into it at the time a security flaw that allows privilege escalation[1] is first discovered. But the chance of making such an attack work across the huge, diverse GNU/Linux ecosystem would be near zero. That is, as long as GNU/Linux remains a diverse ecosystem.

What about the users that do not ever update their systems? Yes, this will still be a problem under GNU/Linux in the future of its World Dominance. There will always be users that do not update their systems either through apathy or ignorance. Any update that requires user intervention is unlikely to be installed by these users. Automated updates that are on by default can do much to overcome this problem. There are problems with automated updates too though. In some cases an automated update may cause a system problem. For example an update to the X windowing system that includes a new 3D driver may cause the GUI to not work on some systems. Should a problem like this affect a huge user base it would be a PR disaster. So, turning on automated updates by default is not encouraged in most cases.

What is the answer to the apathetic user problem? I do not have it. Some people just do not care about the security processes they need to know to be secure. There is no way to make them care unless they actually end up with a malware infection. Of course at that point these people are more likely to blame the operating system or the malware authors than themselves.

We can address the ignorant user problem though. Just because a user is ignorant does not mean the user is "stupid". Almost all users that fall in the ignorant category can be taught to protect themselves if they have an opportunity to learn good security processes and know they need to learn them. A local Linux User Group (LUG) can be an excellent source of training for our world full of future GNU/Linux users. If you do not have a LUG near you, then start one. Once you have, or discover, a local LUG then occasionally offer a Security Process Training Day through your LUG that covers the basics of what users need to know to keep their GNU/Linux systems secure and happy. Then encourage everyone you know that uses GNU/Linux near you to attend. You may even be able to get "free" advertising through local media outlets for a non-profit LUG.

The Bottom Line: We in the GNU/Linux community need to be proactive with our family, friends and neighbours that decide to use a GNU/Linux distribution. Since most of us already know and practice good security processes we can pass along our knowledge to the new user that may be ignorant but is willing to learn. For any user we run across that is apathetic about security we can encourage them to stick with Microsoft. After all, the apathetic users are already a drag on the Microsoft user base, let's not encourage them to bring their problems to our platform. Am I blaming these users? Yes, I am in the case of apathy. Sometimes the blame falls squarely in the lap of the user. Apathy about security is one of those "sometimes".

[1] Privilege escalation attacks take advantage of a flaw in a system level service that may be running with higher level privilege than a regular user. Exploiting the flaw gives the attacker a higher level of access which may allow compromising the operating system itself. These types of flaws can be found in any operating system at any time. GNU/Linux is no exception.

Read the next article in this series: GNU/Linux Security: Linux House vs Microsoft House



Edit Tue Oct 20 13:01:16 CDT 2009: Change "blatant deception" to "provocative title" in the first paragraph. I think some folks are imploding after seeing the words "blatant deception". 🙂

Linux and Unix Uptime vs Microsoft on Netcraft

After reading this article be sure to see my follow-up comment about it.

Could it be that Microsoft, Microsoft shills and/or Microsoft fanboys are “gaming” the uptime table at Netcraft? Unless I am misunderstanding something, frankly, I think they are. I was going to show a friend of mine the uptime table at Netcraft to display the ability of Unix and Unix-like operating systems to be stable and reliable. Yet I get there and I see this:

Netcraft Microsoft Bullcrap

For several years I have watched and used the uptime statistics at Netcraft and for the majority of that time the top ranked systems have been Unix, usually BSD and company, and Linux. I have not been to Netcraft to see the statistics in several months. So I was slightly irritated to go there today and see that either Microsoft, Microsoft shills, Microsoft fanboys or a combination of all the above have obviously skewed the chart. How do I know this? This bit of information off that same page near the bottom tells it all:

How to Game the Statistics

Just get enough dedicated people to request sites over and over that run your favored system and you too can have your own favorable Netcraft uptime chart. I think Netcraft needs to rethink how they generate the longest uptimes chart. It is obviously being abused by people who favor Microsoft to falsely show Microsoft operating systems dominate the uptime statistics. Anyone in the IT industry with half a clue, ethics and a sense of honesty knows and admits Microsoft could not dominate on uptimes. There are too many patches that require a reboot of a Microsoft server for that to be true.

Apparently some Microsoft administrators do not patch their systems. I sure would not want my web site hosted on their unpatched Microsoft servers. Of course, these could be server farms where systems do get patched behind a load balancer, but then we are still talking about false statistics. No small business I know that has a Microsoft server in it can keep that server running for over 1,000 days without a reboot. Not if they want to keep it secure with up to date patches. But I do know of small businesses with Unix servers that easily go for more than a year without a reboot if there is no power outage that outlasts their backup power system(s).

What do we in the Unix and Linux community do about this? Maybe write Netcraft and suggest they change how they handle generating that chart. Otherwise I suggest we do … nothing. We should not start our own gaming war to change the statistics. Why? Wallowing in the crap filled mud with pigs only gets one dirty, and the pigs like it. So, just do as I am doing and state the facts to your friends, acquaintances and business associates. But do not use Netcraft to back the facts up at this point.
