New type of virus preys on Windows users

story.news.yahoo.com/news?tmpl=s … _infection
story.news.yahoo.com/news?tmpl=s … ecurity_dc

Looks nasty – a virus that infects websites which haven’t patched their Microsoft IIS webserver software, then infects people’s Internet Explorer browsers with a keystroke logger, to transmit financial-website passwords to identity thieves. . . .

Makes me glad I’m a Knoppix/Morphix addict. :slight_smile:

How do you actually install stuff under Knoppix?

Er, well, mostly you don’t.

You can install it to your HD, or you can set it up to have a “persistent home” on your HD. Or you can use a USB keychain drive as your persistent home.

Another way is to remaster it with whatever setup you want, and burn a custom CD. This doesn’t help if you want to add bookmarks or save your email, though.

When I saw the heading for this I was expecting something like “the virus Apathy has been discovered to infect all Windows users upon purchase of their machine” :slight_smile:

But thanks for the heads-up on the latest nasty. Honestly, does anyone really keep up with every patch Microsoft issues? Wouldn’t it take up all the room on your computer? :laughing:

:slight_smile:

Glad to. But, well, no, that’s the problem. And no, it won’t take up all the space (since most patches overwrite the old buggy library with the new one) – it just takes up all your time and energy.

It’s not so much the patching – since Win2K, Microsoft has had a pretty decent automatic update system – but the problem of whether your machine will continue to work after the changes Microsoft makes automatically. My former roommate had to reinstall after their update failed to work with his machine’s video driver; fortunately, he hadn’t done much with the machine yet (just purchased it and installed Win2K). For more serious use, businesses have to worry about whether the latest patch will let their accounting software continue to run – or whether it will install a new and even more exploitable gaping hole.

Linux isn’t by any means perfect, but IMHO it’s a step in the right direction. However, it does require hands-on work to maintain. The LiveCD distributions like Knoppix/Morphix will at least block viruses from permanently infecting your system, though.

[quote=“MaPoSquid”]
Looks nasty – a virus that infects websites which haven’t patched their Microsoft IIS webserver software, then infects people’s Internet Explorer browsers with a keystroke logger, to transmit financial-website passwords to identity thieves. . . [/quote]

How typical of Microsoft. They must spend thousands of man-hours thinking up all sorts of security holes to put into their systems! :smiling_imp:

The only other problem with the patching system for Windows is the fact that there have been several recorded instances where MS have come out and said “It’s not worth the effort for us to fix that.”

And the problem I have with Linux is I’ve had to say multiple times, “I don’t know how to patch this!” Of course, it’s gotten easier with apt-get and rpm, but it’s still a mess.

Apparently Arch Linux’s “Pacman” and Gentoo Linux’s “Emerge” systems have that pretty much sorted, but Gentoo’s definitely for the Geek and Arch I can’t test out 'cause my computer doesn’t have the Big Hairies to run it.

Maybe I’m misunderstanding your message, but there is seldom a need to patch anything in Linux. Maybe you mean you have difficulty with installing and uninstalling software. I’d agree with that - the various Linux distributions haven’t settled on a single system for doing this. My feeling is that Debian-based distros (such as Knoppix, the best one in my opinion) are the easiest of all. You install a program called “Synaptic” and it’s all point-and-click from there.

regards,
Robert

You can install Knoppix on your hard drive with the simple command “knoppix-installer”.

Once you’ve got it installed, you only need to go online (with broadband, forget modems) and at a command line type:
apt-get update

Then you’ll probably want to install Synaptic:

apt-get install synaptic

After that, it’s pretty much a point-and-click operation (using synaptic). Or you can install at the command line if you prefer (example - installing Xemacs):

apt-get install xemacs

Or to get rid of Xemacs

apt-get remove xemacs

I wrote an article about Knoppix here:

distrowatch.com/dwres.php?resour … ew-knoppix

I happen to think that Knoppix is the best distro around, but I know there are some Mandrake addicts here too. Well, to each his own. I also like FreeBSD, but that’s more server-oriented.

I’m thinking that we foreign geeks in Taiwan maybe should get together for a meeting. Is anyone else interested? There is a Taiwanese Linux User’s Group in Taipei but it’s nearly dead, and the few meetings they’ve had were mostly conducted in Chinese with an emphasis on programming. I think if we foreigners want this kind of activity, we have to create it ourselves. Years ago there was a foreigners’ DOS users’ group (Taipei Users’ Group, or TUG) but it died along with DOS. We really could use one for Linux/BSD. Anyone else interested?

regards,
Robert

I beg to differ, I worked for 3 years in a complete Linux desktop environment and our 3 sysadmins were always busy patching one vulnerability or another on at least a weekly basis. Most of the time, patching one thing broke something else… Compound that with the fact that the .deb packages for apt-get aren’t always updated in a timely manner and you end up having to recompile stuff from source. If I wanted to deal with that, I would’ve installed Gentoo!

I’ll use Linux for a server anyday, but think at least 3 times before using it as a desktop.

[quote]I beg to differ, I worked for 3 years in a complete Linux desktop environment and our 3 sysadmins were always busy patching one vulnerability or another on at least a weekly basis. Most of the time, patching one thing broke something else… Compound that with the fact that the .deb packages for apt-get aren’t always updated in a timely manner and you end up having to recompile stuff from source. If I wanted to deal with that, I would’ve installed Gentoo!

I’ll use Linux for a server anyday, but think at least 3 times before using it as a desktop.[/quote]

Everyone is, of course, entitled to their opinion. But now it’s my turn to differ.

You aren’t totally wrong, but we may be talking oranges and apples here. Last time I looked, there were something like 13,000 packages available for Linux (I’m basing that on Debian unstable, which has the biggest package collection). And yes, about once a week, somebody posts a patch for one or two packages that have a vulnerability. So you are right, you’d have to patch about once a week to keep safe IF YOU HAVE ALL 13,000 PACKAGES INSTALLED.

That’s a big if. When a vulnerability is found in (for example) Evolution, I don’t need to patch it because I don’t have Evolution installed. Most people don’t need more than a couple of hundred packages, and even then you probably don’t actually use more than a couple of dozen.

So yes, something like 50 to 100 Linux vulnerabilities are discovered every year, if you’re talking about all 13,000 Linux programs. The number will likely increase, as more packages are added to the total. But Windows is certainly not more secure - then again, not many people would install 13,000 programs on their Windows machine either.

You don’t hear about every vulnerability in Windows because Microsoft keeps this info secret (and unpatched) unless somebody else (besides Microsoft) discovers it and blabs the news all over the Internet. The usual way Microsoft deals with OS vulnerabilities is to release a once-yearly “Service Pack” which fixes hundreds of vulnerabilities at once. There is no Linux service pack, but most Linux distros release two or three new versions a year, which updates not only Linux (the operating system) but also the thousands of packages. Compare that to Windows - do you think Microsoft will patch a vulnerability in Adobe InDesign? In fact, it’s unlikely Adobe will even release a patch - more likely, they’ll ask you to upgrade to the next version (for US$200).

Anyway, back to the scenario that you originally described - yeah, in a corporate network, the system administrators have got to patch every vulnerability that gets reported. The situation is particularly dire when the company is running a server connected to the Internet (such as the one that Forumosa runs on). The wise thing to do in such a case is to run a minimalist system - if you’ve only got Apache web server running, then you just worry about Apache and nothing else. It would be a mistake to install 13,000 packages and then run that machine as a server - you’d go insane trying to keep up with patches.

As for your home system, you really don’t need to patch. Just don’t run a server, keep a good firewall installed, and the hackers won’t even know you exist.

Want to find out how vulnerable you are? Here’s a good experiment. Go to this web page and let it pound on your system, checking for open ports. You might be surprised.

scan.sygatetech.com/quickscan.html

peace,
Robert

P.S. If you’re still paranoid, run OpenBSD. Nothing is more secure than that. But OpenBSD isn’t all that easy.
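The post above recommends a minimalist system and a port scan to see what is reachable. A check you can run from the machine itself, without an outside scanner, is to list which daemons are listening on a network-facing address. The script below is an added example, not code from the thread or from any poster: it parses `ss -tln` output (iproute2) fed on standard input and reports the listeners bound to a wildcard address, skipping loopback-only ones. The sample output embedded in the script is constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread): flag listening TCP sockets that are
# reachable from other hosts. Input is the output of `ss -tln` on stdin; the
# sample below is constructed for the demo, not captured from a real machine.

# Constructed sample in `ss -tln` format: an sshd on every interface (v4 and
# v6), CUPS bound only to loopback, and a web server on the wildcard address.
sample_ss_output() {
    cat <<'EOF'
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
LISTEN  0       4096    127.0.0.1:631        0.0.0.0:*
LISTEN  0       128     [::]:22              [::]:*
LISTEN  0       511     *:80                 *:*
EOF
}

# Print "<port> <address>" for every LISTEN socket whose local address is a
# wildcard (0.0.0.0, ::, [::] or *). Daemons bound to 127.0.0.1 are skipped
# because nothing on the network can connect to them.
exposed_listeners() {
    awk '$1 == "LISTEN" {
        n = split($4, part, ":")        # text after the last ":" is the port
        port = part[n]
        addr = substr($4, 1, length($4) - length(port) - 1)
        if (addr == "0.0.0.0" || addr == "::" || addr == "[::]" || addr == "*")
            print port, addr
    }'
}

# Number of exposed listeners; a desktop that runs no server should show 0.
exposed_count() {
    exposed_listeners | awk 'END { print NR }'
}

# Demo on the constructed sample.
echo "Exposed listeners in sample:"
sample_ss_output | exposed_listeners
echo "count: $(sample_ss_output | exposed_count)"
```

On a live machine, run `ss -tln | exposed_listeners` (or `netstat -tln` on older systems, whose column layout is similar). Every line it prints is a service an outside scanner will find; if you do not recognise it, that is the daemon to disable or to bind to 127.0.0.1.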

[quote=“robert_storey”]
As for your home system, you really don’t need to patch. Just don’t run a server, keep a good firewall installed, and the hackers won’t even know you exist.[/quote]

I wish that were the case, because then I wouldn’t have had to spend who knows how many hours explaining to grad students that their linux boxes got hacked within 5 minutes of getting online and were being used to serve kiddie porn. And the only thing they were guilty of was running SSH.

You know of any ipsec/ipchains web sites that a Linux beginner would understand in order to set up a firewall? And no, RTFM or man do not count as user-friendly documentation.

Maybe we should all go use Macs…

Robert, why would you pick Knoppix over Debian as the best? Isn’t Knoppix essentially Debian Lite? I’m just dl’ing Debian 3.0r2 at the moment to install…

And I’d be interested in setting up a TUG (maybe not necessarily a LUG, just a general Geekfest?)

[quote=“answerer”][quote=“robert_storey”]
As for your home system, you really don’t need to patch. Just don’t run a server, keep a good firewall installed, and the hackers won’t even know you exist.[/quote]

I wish that were the case, because then I wouldn’t have had to spend who knows how many hours explaining to grad students that their linux boxes got hacked within 5 minutes of getting online and were being used to serve kiddie porn. And the only thing they were guilty of was running SSH.

You know of any ipsec/ipchains web sites that a Linux beginner would understand in order to set up a firewall? And no, RTFM or man do not count as user-friendly documentation.[/quote]

Maybe we should all go use Macs…[/quote]

You are correct, but actually on a client machine you don’t really need to run the SSH daemon. But if you do have it running, the firewall should definitely be configured to block all attempts to log in from outside the LAN.

The only way to be safe is to block every port from outside access. You can allow outgoing connections, but reject all incoming ones. That’s not hard to do just as long as you don’t run a server. If you’re going to run a server, then yes, you’re opening a potential vulnerability and you’d better keep things patched.

I know that a lot of newbies just click “yes” when asked about what “services” should be installed. I don’t think they realize that they are enabling all sorts of server daemons that they don’t need for desktop use.

I’m sorry, but I don’t know of any easy-to-understand web sites on ipsec/ipchains. Actually, ipsec is something I want to learn a lot more about - I’m mostly ignorant about how it works. As for ipchains, I don’t think it’s being used anymore, having been superseded by iptables. On Linux, I normally use Guarddog which is an easy-to-use graphic front-end for iptables. There are some others like Firestarter, but Guarddog is more flexible. Most Linux distros come with some sort of graphical firewall that you can just set-and-forget. Again, the best thing to do is let it block all ports from outside access, even SSH.

I’ve been experimenting with OpenBSD lately. It has a very good firewall called PF, but it doesn’t have a nice graphic front-end so it’s not real newbie friendly. Still, I’m finding it pretty educational - it’s interesting to see how these firewalls actually work.

I do want to make it clear that I don’t hold myself out as any kind of security expert. There is A LOT that I don’t know. I suspect that there are many on this forum who are more knowledgeable than I am about system administration. It would be real nice meeting with you and discussing some geek things in person. Are you interested in my idea of organizing a foreigners’ LUG in Taipei? Or maybe just an informal get together with some other local geeks? Feel free to contact me at y2kbug@ms25.hinet.net. I’ll be spending most of the summer in Taipei.

best regards,
Robert
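The advice in the reply above (reject all incoming connections, allow outgoing, and if SSH must stay on, accept it only from the LAN) is what the graphical front-ends it mentions generate under the hood for iptables, which replaced ipchains. The script below is an added example, not code from the thread or from Guarddog or Firestarter: it emits that policy in iptables-restore(8) format so you can read it before loading it. The LAN range `192.168.1.0/24`, the `LAN_CIDR` variable and the `nossh`/`lan-ssh` mode names are assumed values invented for the example.

```shell
#!/bin/sh
# Added example (not from the thread): a default-deny iptables ruleset for a
# desktop that runs no public services. Inbound is dropped, outbound is
# allowed, and SSH may optionally be accepted from the local LAN only.
# LAN_CIDR is an assumed example range; set it to your own network.

LAN_CIDR="${LAN_CIDR:-192.168.1.0/24}"

# Emit the ruleset in iptables-restore(8) format. Mode "nossh" (default)
# accepts no new inbound connections at all; mode "lan-ssh" accepts TCP/22
# from LAN_CIDR only. Refused connections get a TCP reset or ICMP
# unreachable instead of a silent timeout, which is friendlier to LAN peers.
desktop_ruleset() {
    mode="${1:-nossh}"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback traffic never leaves the machine and is always allowed
-A INPUT -i lo -j ACCEPT
# replies to connections this machine opened (web, mail, apt-get ...)
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# packets with no valid connection state are dropped outright
-A INPUT -m conntrack --ctstate INVALID -j DROP
# answering ping is harmless and helps when debugging the LAN
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
EOF
    if [ "$mode" = "lan-ssh" ]; then
        cat <<EOF
# SSH only from the LAN; every other source falls through to the REJECT below
-A INPUT -p tcp --dport 22 -s $LAN_CIDR -m conntrack --ctstate NEW -j ACCEPT
EOF
    fi
    cat <<EOF
# everything else is refused; the DROP policy catches whatever remains
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
COMMIT
EOF
}

# Sanity check before loading: how many rules accept NEW inbound connections
# from the network? Expect 0 in "nossh" mode and exactly 1 in "lan-ssh" mode.
inbound_accepts() {
    desktop_ruleset "$1" | grep -c -- '--ctstate NEW -j ACCEPT' || true
}

# Print the ruleset for review; to load it as root:
#   desktop_ruleset lan-ssh | iptables-restore
desktop_ruleset "${1:-nossh}"
```

Review the output, then load it with `iptables-restore` as root; `iptables-save` shows what is currently active. The `inbound_accepts` count is the line to watch when you edit the ruleset: on a client machine it should stay at 0, or at 1 with the LAN-only SSH rule, and any higher number means a service has been opened to the network.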

[quote=“Tetsuo”]Robert, why would you pick Knoppix over Debian as the best? Isn’t Knoppix essentially Debian Lite? I’m just dl’ing Debian 3.0r2 at the moment to install…

And I’d be interested in setting up a TUG (maybe not necessarily a LUG, just a general Geekfest?)[/quote]

Hi Tetsuo,

I prefer Knoppix because it’s basically Debian Unstable, which is a couple of light-years more up-to-date than Debian Stable. It also helps that Knoppix is dead easy to install and does a superb job of hardware detection. And once you’ve got Knoppix installed, you only need to type “apt-get update” and then you can “apt-get install” whatever packages you need. With 13,000 packages in the Debian archive, you’re spoiled for choice.

I’ve looked at a lot of Linux distros, and overall I feel that the Debian-based ones are the best. I give some praise to Slackware too, but it’s certainly not newbie-friendly and more suitable for someone who wants to run a server. I’ve been playing with FreeBSD and OpenBSD too, but again I think these are more server-oriented (not that there is anything wrong with that, but I wouldn’t recommend this for a beginner).

I’m glad you’re interested in my idea about having a “Geekfest”. I live in Taitung which puts me far from the action, but I’ll be spending most of the summer in Taipei. I’m planning on heading to Taipei on July 3 (if the damn trains are running - right now we are having a wicked typhoon and Taitung is sealed off from the outside world!). Anyway, when I get to Taipei, I’ll make a post on this forum with a concrete proposal for a Geekfest with some suggested time/place, and see how many people are interested in participating. Around the time that the Taipei LUG collapsed, we were only getting about 4 or 5 foreigners, maybe 20 Taiwanese. I think a foreigner-based LUG might do better than the mixed foreigner/Taiwanese one - the old foreigner-only TUG had about 30 members.

Feel free to contact me directly by email, y2kbug@ms25.hinet.net.

regards,
Robert

Well, I have to say I’m quite impressed by Knoppix as an HD install at present, but you wouldn’t happen to know anything about getting USB wireless LAN adapters working under it, would you? Linux in general strikes me as a bit crap without an internet connection under it…

First, if you’ll be working with Knoppix, it’s probably good to sign up at the Debian-user mailing list (and pretend you’re a Debian user, rather than Knoppix). Lots of good free advice is available there.

After reading your post, I went onto Google and ran a search on this group of words:

USB wireless LAN adaptor Debian

I got a lot of hits. Too many, really. Anyway, from reading some of the articles (which were mostly posts from users trying to get their wireless LAN cards to work), it was obvious that most of the problems are caused by people using very new LAN cards with older versions of Debian (which means they won’t have a driver for the card).

With Windows, when you buy a new gizmo, it often comes with a floppy disk with a driver on it. I don’t think I’ve ever seen one of these included floppies with a Linux driver, so if you need one it has to be downloaded (from somewhere) and installed. That’s a bit scary for a Linux newbie, especially since installing Linux drivers tends to be more complex than with Windows.

The other alternative is upgrading to the latest version of Debian (or Knoppix, which is easier). Which version of Knoppix are you using? The latest one you can get right now is version 3.4 with a 2004-05-17 release date. Version 3.5 will be released next month from what I hear. The nice thing about Knoppix is that it’s a live CD, so you can test it out first and then only install to the hard drive if you’re satisfied that it works well with your hardware.

How well it works with your hardware may have something to do with which kernel you installed. The new experimental 2.6 kernel might support your hardware even if the default 2.4 kernel doesn’t. When you boot the Knoppix CD, you are given an option to install the 2.6 kernel by typing “knoppix26” rather than just “knoppix”. You might want to give that a try and see if it solves your problem.

I’ll be in Taipei in a few days (just waiting for this damn rain to stop, the Taitung Airport is closed). When I’m there, I’d like to follow through with my proposal for a meeting of expat Linux/BSD users to see if we can solve problems like the one you are describing.

regards,
Robert

FYI, NetGear’s hardware apparently won’t run under Linux at all – they refuse to release any hardware information for people to write the drivers. Just in case you’re still shopping and this is one of your criteria.