Secure IT Foundation

Archive for November 2009

Unlike Windows with its default settings, Linux requires users to enter the administrative (root) password before they can install new software. Recently a popular Linux distribution, Fedora, introduced a change to its security model so that the administrative password was no longer required before installing new software.

On paper it seems sensible: Fedora users could only install applications through the equivalent of Windows’ ‘Add or Remove Programs’, from a list of approved titles in the distribution’s own repositories. To ensure only approved software is installed, each approved package carries a digital signature, checked at install time, which proves it has not been altered since it was signed.

Seems reasonable so far, so why is it a problem for the Linux security model? It is a matter of trust. If you have the administrative password to an operating system, it is assumed that you will only install software you trust. If you don’t have the administrative password, or equivalent permissions granted to you by someone who does, it is assumed you do not have the administrator’s trust to install new software.

What Fedora did was to move that trust from administrators only to every user, letting any unprivileged account trust third-party software implicitly. Suddenly the only security control standing between an unprivileged user and new software on the system was the process of getting a package accepted into the Fedora software collection and signed. A signature proves where a package came from and that it is intact; it says nothing about whether the administrator wants that package, with whatever services and privileged helpers it carries, on this particular machine.

Windows users may be lost at this point, because most of you are used to a world where your everyday account has full control of the operating system. The outcome was that Fedora reverted to the usual Linux security model after public pressure. What this shows is that the correct security model for an operating system is not to let a user install software without entering the admin password, because that password prompt is the point at which the administrator explicitly extends their trust to the software provider. It works for OS X, UNIX and Linux, and it can work in Windows XP / Vista / 7 too: work day to day as a standard user and keep the administrator credentials for installs.
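The post does not name the mechanism, but a change of this kind on a Linux desktop is expressed in the package installer’s PolicyKit privilege policy, and the administrator’s fix is a local PolicyKit override rather than an edit to the vendor’s own policy file. What follows is an added example, not text or configuration from the original post and not Fedora’s own file. It assumes the PackageKit action identifier `org.freedesktop.packagekit.package.install`, the PolicyKit local-authority `.pkla` format of that era (Identity / Action / Result* keys) and the `/etc/polkit-1/localauthority/50-local.d/` override directory; verify all three on the system in front of you. The commented lines record the permissive setting the post objects to; the active stanza restores the admin-password requirement for every local user.

```ini
# /etc/polkit-1/localauthority/50-local.d/10-require-admin-for-package-install.pkla
# Path, action id and key names are assumptions about the PolicyKit of the time,
# not something taken from the post. Confirm the action id first with:
#   pkaction --verbose --action-id org.freedesktop.packagekit.package.install
#
# Weak setting (the behaviour described above): an active local session may
# install signed packages from the configured repositories with no
# authentication at all.
#   ResultActive=yes
#
# Corrected setting: any install, by any user, requires the administrator
# password. auth_admin_keep caches the authorisation briefly, like sudo,
# so a batch of installs does not prompt for every package.
[Require admin authentication to install packages]
Identity=unix-user:*
Action=org.freedesktop.packagekit.package.install
ResultAny=no
ResultInactive=no
ResultActive=auth_admin_keep
```

A local-authority file like this takes effect as soon as it is saved. Note that `pkaction --verbose` reports the defaults compiled into the vendor `.policy` file, not the override, so the real check is to attempt an install as a standard user and confirm that the password prompt is back.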

So why doesn’t Windows ship with this behaviour as the default, you may ask? One to ask Microsoft…

SecurityBrad


Despite the best foaming of rabid Linux ‘experts’, Linux has been found to have yet another serious security problem, especially in Red Hat versions. Given that it runs a large chunk of the Internet and is used by many commercial web businesses, there is a looming risk that your personal information could be flying out the door soon. Responsible Linux users will already have patched against this, but given that most commercial enterprises don’t apply patches immediately, there will be a gap between the bad guys exploiting the flaw and companies applying the patches that fix it.

The simple rule is: software is never perfect and always needs patching. The operating system is irrelevant; all of them will need patching for as long as humans write the code!

SecurityBrad

Not much of a surprise, this one, given the similarity to XP / Vista under the hood, but Windows 7 is just as vulnerable to viruses, and this has now been confirmed by Sophos. Then again, if they said otherwise, who would use their product? Next week they will tell us the sky is blue and that you need an umbrella in the rain to stay dry.

SecurityBrad
