Canonical Developer Criticizes Linux Mint's Security

  • #76
    Originally posted by Vim_User View Post
    Ubuntu uses sudo to switch to the root account. A root account does exist and it has a password, but an impossible one, which makes it impossible to log in as root or switch to root using su. There is no such thing as "sudo rights"; all that sudo does is elevate your rights to root rights based on the rules in its configuration.
    Well you can use su to switch to root:
    Code:
    tuke@Tippawaara12 ~ $ sudo su
    Tippawaara12 tuke # id
    uid=0(root) gid=0(root) ryhmät=0(root)
    There are differences between sudo and a root terminal, i.e. some of the system-critical directories are not accessible with sudo cat.

    Comment


    • #77
      You don't have to keep Mint's pin preferences

      Originally posted by Tinitus View Post
      You still won't get updates for Firefox or other packages provided by the Mint repos because they are pinned with a higher priority than Ubuntu packages. Mint's policy is to prioritize features and stability over security - for example in Mint 12 they shipped a vulnerable Java version for which there had been remote exploits in the public but they did not see the need to take action on this. See https://bugs.launchpad.net/linuxmint/+bug/890278
      You can change or remove pin preferences. My advice? Don't run any automatic update manager; use Synaptic to update packages. Set pin priorities to your needs. As for Java, I do NOT recommend enabling Java in any browser unless you have no other choice. Java, Flash, QuickTime, and Adobe Reader are the 4 biggest vectors of infection in Windows, and anyone aiming their exploits at Flash or Java gets a potential cross-platform exploit. Hell, the last time a big Java exploit came up, NO patch was available and users were advised to get rid of Java. You can selectively enable or disable plugins in real time in recent versions of Firefox, so you could, say, disable all plugins by default and enable Java or Flash only when actually using them. If you need security, you must pay attention to this stuff yourself, and the default preferences of any distro become less relevant unless the distro claims to be a security distro.

      Something like this in Tails or Tor Browser could literally get people killed; in Mint it is unlikely to do anything, and even if it does, the expected consequences would be a hacked email account or Facebook page, not a visit from the secret police. Like I said before, as for online banking I would not trust anything for that, as I do not trust the network itself. Hell, a default Mint install would still be a tough enough target that real pros like the NSA will forget the computer and go after the router instead. When's the last time you updated your router?

      Comment


      • #78
        Originally posted by Stebs View Post
        Again, the only difference between Ubuntu and Mint updates is the _default_ setting of Mint to not update things like Xorg and the kernel (level 4 and 5 updates). Enable the level 4 and 5 updates (by mouse click) and from then on you have the exact same update behavior as Ubuntu...

        It might be a good idea to point Ubuntu -> Mint changers to this difference in default setting (so they can decide how conservative they want to be), but that's all; why this whole drama about it?
        ...And WTF made that Canonical guy pretend that Mint (not talking about LMDE by the way) does not get browser updates at the same time as Ubuntu?
        Sorry, but the "only some mouseclicks" argument didn't count when talking about the "spyware" topic with the Unity search scopes. Saying now: well, a user could inform himself about that topic (why should he know about that?) and make some mouseclicks to change the default behaviour is IMHO a lot different from a search saying "local and online search" being called spyware because it searches online.

        and to stop that: ubuntu/canonical/mark hates mint so everyone related to ubuntu is hating mint: (from http://www.markshuttleworth.com/archives/1295)
        So yes, I am very proud to be, as the Register puts it, the Ubuntu Daddy. My affection for this community in its broadest sense – from Mint to our cloud developer audience, and all the teams at Canonical and in each of our derivatives, is very tangible today.
        does not read like the Mint hating some people here are trying to make it look like.



        for me it looks like the mobilizing against canonical from the last years (and especially this year) has already gone way too far. that is not worth a linux-"community".

        Comment


        • #79
          Originally posted by tuke81 View Post
          Well you can use su to switch to root:
          Code:
          tuke@Tippawaara12 ~ $ sudo su
          Tippawaara12 tuke # id
          uid=0(root) gid=0(root) ryhmät=0(root)
          Which works only because you are already root when calling su and therefore need no password. This is an unnecessary extra step; you could also use sudo -i.

          There are differences between sudo and a root terminal, i.e. some of the system-critical directories are not accessible with sudo cat.
          Actually they are accessible, if you have understood how sudo works and how your shell interprets the command line. Something like
          Code:
          sudo cat xxx.txt > /etc/yyy.txt
          will not work, due to the fact that your shell will try to create (or open for write) the file in /etc before it even looks at the left side of the redirection, which means your rights aren't elevated yet.
          If you do it instead with
          Code:
          # the redirect is now performed by the shell that sudo starts as root
          sudo sh -c 'cat xxx.txt > /etc/yyy.txt'
          you will get the result you want.

          Comment
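As an added example (not code from the thread), the following POSIX shell script reproduces the ordering problem Vim_User describes above, i.e. the calling shell opens the redirect target before the command on the left ever runs, and shows the two standard ways around it. It writes only to a scratch directory so it runs unprivileged; the `ELEVATE` variable is an assumption of this example (empty by default) marking where `sudo` would go when the target is a root-owned path such as /etc/yyy.txt.

```shell
#!/bin/sh
# Added example, not from the forum thread. Demonstrates why
#   sudo cat xxx.txt > /protected/yyy.txt
# fails, and the two usual fixes. ELEVATE is a hypothetical knob for this
# example: leave it empty to run unprivileged, set ELEVATE=sudo for real use.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
printf 'secret config line\n' > "$WORK/xxx.txt"   # constructed sample input

# 1. The caller's shell sets up the redirection *before* it even looks up the
#    command on the left. Here the command does not exist at all, yet the
#    output file appears: the open(2) happened in the caller, with the
#    caller's (unelevated) rights. That is exactly why a redirect into /etc
#    fails even though "sudo" is on the command line.
redirect_is_done_by_caller() {
    ( this_command_does_not_exist > "$WORK/created_by_shell.txt" ) 2>/dev/null || true
    [ -f "$WORK/created_by_shell.txt" ]
}

# 2. Fix A: hand the whole command line, redirect included, to a shell that is
#    started by the elevated command, so the target file is opened by the
#    elevated process. Returns the file's content for checking.
write_via_sh_c() {
    ${ELEVATE:-} sh -c "cat '$WORK/xxx.txt' > '$WORK/yyy_shc.txt'"
    cat "$WORK/yyy_shc.txt"
}

# 3. Fix B: avoid the shell redirect entirely and let an elevated tee open the
#    target; >/dev/null keeps tee from echoing the data to the terminal.
write_via_tee() {
    cat "$WORK/xxx.txt" | ${ELEVATE:-} tee "$WORK/yyy_tee.txt" > /dev/null
    cat "$WORK/yyy_tee.txt"
}

# Stand-alone run: report each step.
if redirect_is_done_by_caller; then
    echo "redirect target was created by the caller's shell, not the command"
fi
echo "sh -c wrote: $(write_via_sh_c)"
echo "tee wrote:   $(write_via_tee)"
```

The `sh -c` form is the closest equivalent of what the original `$(...)` attempt was trying to achieve; `tee` is preferable when the data comes from a pipeline, since only the small `tee` process runs elevated rather than a whole shell.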


          • #80
            Originally posted by malligt View Post
            That an uninformed/under-informed ubuntu developer could cause this much angst...
            It probably wouldn't have caused so much fuss, if it wasn't for the fact that it's been a recurring theme of late - someone or another at Canonical coming out spreading misinformation about rivals, or Shuttleworth throwing insults at everyone who's unhappy with their latest misstep. It starts looking less like incompetence, and more like malice...

            Comment


            • #81
              Originally posted by Tinitus View Post
              You still won't get updates for Firefox or other packages provided by the Mint repos because they are pinned with a higher priority than Ubuntu packages.
              Please stop spreading FUD.
              "About Firefox updates:
              Linux Mint uses the same Firefox package as Ubuntu from the same repository. Firefox is a level 2 update so every Mint user receives it by default." -Quote from a Mint Developer.
              The two years I was using Linux Mint (now trying Manjaro), Firefox Updates were available at exactly the same time as on my other PC with Xubuntu on it (even if you let Mint Update Settings at default).
              Originally posted by k1l_ View Post
              Sorry, but the "only some mouseclicks" argument didnt count when talking about the "spyware" topic with the unity search scopes. Saying now: well a user could inform himself about that topic (why should he knew about that?) and make some mouseclicks to change the default behaviour is IMHO alot different from a search saying: "local and online search" beeing called spyware because it searches online.
              Well, IMHO the online search scopes are really no big deal/problem as long as you can easily deactivate them by mouse clicks; never had to do that though, because Unity is just not my "style" of DE.
              Every Distribution is different, has other advantages and disadvantages, so why not just test/read about them all and choose YOUR favorite... and be happy.
              Those Distro-Wars are just stupid. But what really annoys me is when people start telling "facts" that are not true (see Firefox Updates), maybe those were not meant as a lie, but why then start talking about those things if one has no clue?

              Comment


              • #82
                I hear the sounds of jealous Canonical developers. Got Mint 16 on my laptop and loving it. I bet the Debian developers probably don't have too many good things to say about Ubuntu.

                Comment


                • #83
                  Originally posted by hadrons123 View Post
                  Mint is vulnerable -- Agreed. No doubt.
                  Canonical is vulnerable too with kernel updates. They don't backport all the fixes done at kernel.org. Instead of calling shots at Mint they should mind their own business of doing things right.

                  Debian doesn't apply all the security fixes in sid and sometimes they let it bit rot for weeks. I was told by a Debian developer that doing regular kernel updates is not a wise usage of the Debian resources.
                  http://lists.debian.org/debian-secur.../msg00022.html
                  Telling users that there is no security support in sid/Testing doesn't make me want to use Debian either.

                  The distros that do timely security fixes are Fedora/RHEL & its clones, and Arch Linux is catching up even better than openSUSE.
                  The other distros are just super duper vulnerable.
                  Not sure if someone already corrected you on this, but Debian Testing (Jessie) does have security updates. You just don't get them with Unstable (Sid) because the target does move too fast. I've been getting weekly or bi-weekly kernel updates for it. And they do backport security fixes / drivers for Stable and Testing.

                  Comment


                  • #84
                    A moving target is also harder for attackers to hit

                    Originally posted by leech View Post
                    Not sure if someone already corrected you on this, but Debian Testing (Jessie) does have security updates. You just don't get them with Unstable (Sid) because the target does move too fast. I've been getting weekly or bi-weekly kernel updates for it. And they do backport security fixes / drivers for Stable and Testing.
                    I've traditionally used Ubuntu alphas but probably should base my personal OS on Sid. In either case, the moving target may not get explicit security updates, but the code is being updated, and therefore changed, constantly. If a targeted attacker wanted remote access to my system, one of his many problems would be to figure out exactly which vulnerabilities existed in that particular system on that day. As for kernels, I use the mainline PPA kernels; they too are a constantly changing target.

                    Even if someone is using a snapshot, a targeted (as opposed to random) attack on that person has to guess which day that OS is a snapshot of, or he might be good enough to find a new vulnerability first, ahead of the package maintainers. In that case, no patch will ever arrive on time, anywhere. Nobody I know has ever had symptoms of a broken-into end user (non-server) machine running ANY Linux distro, and I have evidence that an encrypted desktop stolen from me in a police raid was never successfully cracked. I worry little about random attackers; someone after credit card shit finding none on my machine would have to be a snitch to even be an issue for me, so he would be a threat only if he installed a back door that was then found by someone else.

                    Assuming you don't surf as root like Windows users, do not connect your machine to the Internet without a modem, and are not running any externally accessible servers, you are already an exceptionally difficult target. Most real-world uses of kernel attacks are to get access to webservers, the majority of which run Linux. A lot of very security-demanding servers and enterprise applications use Linux; I don't see why any of these would use Mint, as the servers don't even run X and paid tech support (RHEL or Ubuntu) is often crucial to them. No way is Google or the IRS going to have Cinnamon or MATE on their servers!

                    Comment


                    • #85
                      Originally posted by k1l_ View Post
                      Sorry, but the "only some mouseclicks" argument didn't count when talking about the "spyware" topic with the Unity search scopes. Saying now: well, a user could inform himself about that topic (why should he know about that?) and make some mouseclicks to change the default behaviour is IMHO a lot different from a search saying "local and online search" being called spyware because it searches online.
                      You're twisting and/or confusing the facts here. The dash search was called spyware not because it searched online, but because it sent your keystrokes, unencrypted in the first versions, to third parties without your prior consent. It's potentially dangerous even when it's sent encrypted, as there are all kinds of things you might type in your dash to search for local files that you wouldn't want broadcast to whoever.

                      The spyware aspect wasn't the biggest issue though IMO, even if you don't consider it spyware, there's no question about it being adware. It shoves paid ads in your actual OS interface. It would be very simple to fix all the problems with the dash scopes, by simply making it opt-in instead of opt-out, and making it entirely user-configurable. No one would have anything much to complain about it then, it'd just be another optional feature. Which is why it's monumentally stupid of Canonical not to do it this way.

                      Comparing it to Mint's updates is also entirely fallacious. Mint already does the updates as opt-in: you can opt-in to receive additional updates which may potentially make your system unstable.

                      for me it looks like the mobilizing against canonical from the last years (and especially this year) already gone way to far. that is not worth a linux-"community".
                      For me it looks like you're suffering from the same persecution complex that plagues most of the Ubuntu fanbase: "oh poor us, everyone's always picking on us becuz they jealous!! they want to make linux hard and command line only becuz ofcourse theres no other alternative to unity!!!" And it's really no wonder people spout such crap, when Shuttleworth himself encourages such thinking. And that's how we get people like bo$$...

                      Comment


                      • #86
                        Originally posted by Stebs View Post
                        Well, IMHO the online search scopes are really no big deal/problem as long as you can easily deactivate them by mouse clicks; never had to do that though, because Unity is just not my "style" of DE.
                        Every Distribution is different, has other advantages and disadvantages, so why not just test/read about them all and choose YOUR favorite... and be happy.
                        Those Distro-Wars are just stupid. But what really annoys me is when people start telling "facts" that are not true (see Firefox Updates), maybe those were not meant as a lie, but why then start talking about those things if one has no clue?
                        I am totally fine with users choosing what suits them best. if you don't like unity: no problem, there are a lot of other desktops out there.
                        what i really don't like is the double standards when it comes to ubuntu/canonical:
                        mint: well, do some reading there, some mouseclicks here and everything is fine.
                        ubuntu: omg! you need to make 3 mouseclicks and it's not doing that out of the box.




                        Originally posted by dee. View Post
                        You're twisting and/or confusing the facts here. The dash search was called spyware not because it searched online, but because it sent your keystrokes, unencrypted in the first versions, to third parties without your prior consent. It's potentially dangerous even when it's sent encrypted, as there are all kinds of things you might type in your dash to search for local files that you wouldn't want broadcast to whoever.
                        i disagree. when it's labelled "search local and online" it is very clear that some data will be sent online. and you don't want to tell me that users want to get online results but don't want to get anything sent online, do you?


                        Originally posted by dee. View Post
                        The spyware aspect wasn't the biggest issue though IMO, even if you don't consider it spyware, there's no question about it being adware. It shoves paid ads in your actual OS interface. It would be very simple to fix all the problems with the dash scopes, by simply making it opt-in instead of opt-out, and making it entirely user-configurable. No one would have anything much to complain about it then, it'd just be another optional feature. Which is why it's monumentally stupid of Canonical not to do it this way.
                        it's not paid ads. they just get paid with a refund if you actually buy that after clicking on the search result. it's the well-known amazon-ref-link thing. other open source projects use that too, like music players for music in the amazon store.

                        Originally posted by dee. View Post
                        Comparing it to Mint's updates is also entirely fallacious. Mint already does the updates as opt-in: you can opt-in to receive additional updates which may potentially make your system unstable.
                        no it's not fallacious. on the one hand you say it's ok to have to opt in to security topics and on the other hand you say it's not ok. that is the double standard.


                        Originally posted by dee. View Post
                        For me it looks like you're suffering from the same persecution complex that plagues most of the Ubuntu fanbase: "oh poor us, everyone's always picking on us becuz they jealous!! they want to make linux hard and command line only becuz ofcourse theres no other alternative to unity!!!" And it's really no wonder people spout such crap, when Shuttleworth himself encourages such thinking. And that's how we get people like bo$$...
                        as you can read in my postings in this thread i'm in no way like you described me.
                        while for some very few but loud group it seems to be the duty to pick on canonical/ubuntu, i think in the long run that only leads to an environment where the community is the looser.

                        Comment


                        • #87
                          Originally posted by hadrons123 View Post
                          The distros that do timely security fixes are Fedora/RHEL & its clones, and Arch Linux is catching up even better than openSUSE.
                          The other distros are just super duper vulnerable.
                          Gentoo Hardened should be pretty solid as well.

                          Originally posted by chithanh View Post
                          For reference: These are the numbers from Wikimedia (mostly Wikipedia visitors) http://stats.wikimedia.org/wikimedia...ingSystems.htm

                          I think Wikimedia can accurately detect Ubuntu. They probably cannot accurately detect other distros besides Android, and those hide in the "Linux Other", which lumps together the various desktop and mobile distros. Let's make an uneducated guess that there is a 50/50 split between desktop (ChromeOS etc.) and mobile (Maemo/Meego, WebOS, OpenEmbedded etc.) in "Linux Other". This means that Ubuntu has maybe 50% share of the desktop market, which kind of agrees with other available numbers.
                          Wikimedia stats come from browser user agents. All Linux distros except Ubuntu realised that it's a bad idea to inflate the user agent string (makes for additional bandwidth and could be used for fingerprinting) and removed the distro references. Thus the non-Ubuntu distros listed there are from users using really antiquated versions of the distros, or those that set their user agent manually. I'm also not sure if Ubuntu derivatives change the user agent, but I doubt they do.

                          There's no 50/50 split, it's all desktops. Note how it says "Breakdown per OS version, non mobile". So my take is that Ubuntu and its derivatives are 0.22% 32-bit + 0.21% 64-bit = 0.43%, while all the other distributions combined are 0.46% 64-bit + 0.21% 32-bit + 0.03% unidentified = 0.70%. Thus from the 1.16% of desktop Linux users, Ubuntu and derivative users take 40%.

                          Comment


                          • #88
                            Originally posted by k1l_ View Post
                            it's not paid ads. they just get paid with a refund if you actually buy that after clicking on the search result. it's the well-known amazon-ref-link thing. other open source projects use that too, like music players for music in the amazon store.
                            In other words, it's paid ads. Canonical has admitted that the purpose of the feature is to collect revenue for Canonical. It produces revenue to Canonical, therefore Canonical is getting paid for displaying ads in their dash, therefore, they are paid ads. It's simple as that.

                            no it's not fallacious. on the one hand you say it's ok to have to opt in to security topics and on the other hand you say it's not ok. that is the double standard.
                            No I'm not, I'm saying it's ok in both cases to have opt-in. Ubuntu is not having opt-in, they have opt-out of their adware feature.

                            as you can read in my postings in this thread i'm in no way like you described me.
                            while for some very few but loud group it seems to be the duty to pick on canonical/ubuntu, i think in the long run that only leads to an environment where the community is the looser.
                            It's spelled "loser". And if you want to speak of "the community", you'd better ask yourself why Canonical is shafting the entire community with Mir. Why are they shooting themselves in the foot by being divisive, when they'd much more benefit from a strong focus and united front behind Wayland.

                            Comment


                            • #89
                              Originally posted by dee. View Post
                              In other words, it's paid ads. Canonical has admitted that the purpose of the feature is to collect revenue for Canonical. It produces revenue to Canonical, therefore Canonical is getting paid for displaying ads in their dash, therefore, they are paid ads. It's simple as that.
                              again you miss a point: they only get paid if the user actually buys something. it is not even generating that much money that canonical would think of debating a special deal with amazon.

                              so you can cut off that: canonical is getting rich with spyware.


                              Originally posted by dee. View Post
                              No I'm not, I'm saying it's ok in both cases to have opt-in. Ubuntu is not having opt-in, they have opt-out of their adware feature.
                              in both cases you have to do something to get a more secure state. whether it's opt-in or opt-out doesn't matter. you could think of opting out of the not-so-good update system, too. no matter if you call it opt-in or opt-out, the user has to take action. so it's either both good or both bad. but not again these double standards where it's good as long as it's from canonical.


                              Originally posted by dee. View Post
                              It's spelled "loser". And if you want to speak of "the community", you'd better ask yourself why Canonical is shafting the entire community with Mir. Why are they shooting themselves in the foot by being divisive, when they'd much more benefit from a strong focus and united front behind Wayland.
                              and again i say: you need to accept cooperation if you call for cooperation. the history of unity and the big drama after the mir announcement show quite clearly that there is no will to accept cooperation.

                              Comment


                              • #90
                                Originally posted by k1l_ View Post
                                again you miss a point: they only get paid if the user actually buys something. it is not even generating that much money that canonical would think of debating a special deal with amazon.

                                so you can cut off that: canonical is getting rich with spyware.
                                Canonical is profiting from selling paid ads in their dash, an integral part of the OS. Try whatever mental gymnastics you like, you can't get away from that basic fact.


                                in both cases you have to do something to get a more secure state. whether it's opt-in or opt-out doesn't matter. you could think of opting out of the not-so-good update system, too. no matter if you call it opt-in or opt-out, the user has to take action. so it's either both good or both bad. but not again these double standards where it's good as long as it's from canonical.
                                It does matter if it's opt-in or opt-out. It matters a lot, as it's simply a way of making it certain that the needs of the users are being put as a first priority.

                                The user has to take action anyway when the user wants to upgrade packages. There's no windows-style automatic updates in Mint, you have to authorize and approve the updates yourself anyway. The user can opt-in to getting certain updates which can possibly lead to instability. The feature of getting extra updates is disabled by default. There is no active feature enabled by default.

                                Whereas Canonical makes it opt-out: they assume by default that you want paid ads in your application launcher, so you have to actively disable that feature yourself, to opt-out of that feature: the active feature is enabled by default. Therefore, it's opt-out.

                                I can't explain this to you any clearer. The default state is inaction, any feature that performs some activity is an active feature, that can either be enabled or disabled by default, opt-out or opt-in. Getting extra updates is an active feature, not getting extra updates is the lack of an active feature. Getting paid ads in the launcher is an active feature, not getting paid ads in the launcher is the lack of an active feature.

                                and again i say: you need to accept cooperation if you call for cooperation. the history of unity and the big drama after the mir announcement show quite clearly that there is no will to accept cooperation.
                                I don't think you really know that history very well.

                                Comment
