Fedora 32 Might Disallow Empty Passwords For Local Users By Default

  • starshipeleven
    replied
    Originally posted by Charlie68
    Why does Wayland exist!
    How many distros use Wayland by default. How many people can use Wayland without missing some feature or Xorg stability or compatibility with NVIDIA drivers or something. Web browsers are starting to become Wayland native applications only now.

    For most users it's just not ready yet, the average distro is still using Xorg, also Wayland is just a part of a larger system, if there is no sandboxing having Wayland does not improve the security by much, therefore the average Linux Desktop RIGHT NOW is not really secure.

    It will NOT do that well if pitted against Windows-levels of malware development.

    I never said that Linux is 100% secure
    No, you didn't. When someone said Linux isn't safer than Windows you didn't believe him and said you need to provide proof, I provided proof. You don't like reality? Not my problem.

    looking for something 100% secure?
    Don't shift goalposts please, that's not my point. I'm just showing that it is comparable to Windows in its current situation.

    To protect /home you can encrypt it, or you can encrypt only the data to be kept confidential, and you should know this too.
    This does not protect from malware that leaks your data in any way, shape or form. Malware is running when the system is up, and if the system is up they have access just as the user has.
    Partition encryption protects against Evil Maid attacks (which are kind of unlikely imho) and keeps your data secure if someone just steals the laptop whole (a normal laptop thief, nothing fancy) and then rummages through its memory in search of a quick buck (in addition to the laptop's own resell value on ebay).

    To protect against malware you need sandboxing, which is what is done on servers by running the service with a different user that has no privileges and no shell access, and on a desktop system has to be done with something like firejail.

    For the sake of beating a dead horse, on Android this sandboxing is the norm and it is pretty strict. Applications can't read other applications' data, nor do more than a whitelisted list of actions, period. Some folders like downloads and music and whatnot are free for all, but apart from that it's all locked down. Even if an application is compromised by a malware attack or downright malicious it won't read anything it shouldn't be able to.
    Last edited by starshipeleven; 12-10-2019, 07:33 PM.


  • Charlie68
    replied
    It is not a novelty that Xorg has security problems,
    Then why are you saying you need proof to say Linux is not safe?
    Why does Wayland exist!
    I never said that Linux is 100% secure, looking for something 100% secure? I don't think you will find it and you should know it given the work you do. I just said that it is not possible to compare such different operating systems.
    Yes, privacy and security are different things, this does not mean that one is more important than the other, but they are two different things. To protect /home you can encrypt it, or you can encrypt only the data to be kept confidential, and you should know this too.


  • starshipeleven
    replied
    Originally posted by Charlie68
    I imagine that given your competence, you will be working to improve safety.
    I'm a sysadmin, not a developer.

    It is not a novelty that Xorg has security problems,
    Then why are you saying you need proof to say Linux is not safe?
    If you take applications from the repositories it's ok!
    FYI, this is also true for Windows. "trusted application repositories" is just more of the same proof that the system is unable to defend itself so you must install only "good stuff".

    The problem is that you cannot just use a few applications from a walled garden. Real professional applications and other odds and ends are not going to come from there, and this opens the door to potential malware and issues.

    That's the point, but if you want to fill your shitty pc, then don't complain about security.
    Bullshit. Modern OSes like Android allow you to do that without much issues.

    Security and privacy are two different things, a malware confined to the home can be a problem for privacy, but not for security.
    Heh, "privacy" because anything serious has already migrated away.

    All serious stuff (bank accounts for example) when run on PC requires dual-authentication through SMS or smartphone app BY LAW in the EU. They know the PC security is shit and can't trust it.
    Meanwhile, the bank's app on Android only asks for a password or a fingerprint, and you can pay directly with a smartphone through NFC (Google Pay or Apple Pay)
    Doing the same with a PC (even when you have fingerprint scanners like on business laptops) without dual-auth is complete bullshit nonsense.

    The security model on PC is a joke, both on Windows and on current default Linux setups.


  • Charlie68
    replied
    Originally posted by starshipeleven
    I don't see what kind of proof you need, Xorg allows easy screen and keylogging to any application, the default "all applications run as the same user" allow any application to read whatever the hell it wants in the user's home folder where all configs are, and also access to any kind of the user's data, while installing applications still requires root privileges just as Windows.

    Linux distros are still using the old Unix model of "single multiuser system" where you only need to protect the server OS from the users and each user from the other users, but that's far from the real use most Linux systems see nowadays.

    As long as applications come from the distro repositories it's kind of OK, but you can't expect to have a large ecosystem of third party applications (also proprietary) that are curated and more or less guaranteed safe as the opensource ones in the distro's repos.

    It's for the OS protection from unauthorized settings change, or to access shared system hardware. It does not really protect the user that much to firewall access to tty subsystem (serial dongles) behind root privileges or granting permission to your user for that.

    Applications are run as your user by default and therefore can freely keylog and steal all your data without root privileges, no need for a password.

    Servers commonly run their service applications under a different non-root user that has limited or no privilege at all (also usually no shell access), which makes them very safe as any breach in the application will be contained, but this is NOT done for user applications in a home PC setup.

    If we want to talk about a half-way secure system we need a Wayland compositor (that is not a free-for-all keylog and screen scraping), and firejail https://github.com/netblue30/firejail (that sandboxes and enforces no access to stuff the application should NOT be able to look at, using Linux kernel features), or Flatpak with packages where the sandboxing is strict. But how many distros are like that yet? Not much.

    Linux CAN and WILL be a very secure OS. For now it really isn't.
    I imagine that given your competence, you will be working to improve safety.
    It is not a novelty that Xorg has security problems, it has been known for a long time and it is trying to move to Wayland also for this reason.
    If you take applications from the repositories it's ok! That's the point, but if you want to fill your shitty pc, then don't complain about security. Security and privacy are two different things, a malware confined to the home can be a problem for privacy, but not for security.


  • starshipeleven
    replied
    Originally posted by Charlie68
    It may be as you say, but at the moment it is not possible to support it, since there is no proof of what you say.
    Obviously a greater number of users would also increase the "viruses" for Linux, however Windows and GNU/Linux are profoundly different, so it is not possible to support your thesis.
    I don't see what kind of proof you need, Xorg allows easy screen and keylogging to any application, the default "all applications run as the same user" allow any application to read whatever the hell it wants in the user's home folder where all configs are, and also access to any kind of the user's data, while installing applications still requires root privileges just as Windows.

    Linux distros are still using the old Unix model of "single multiuser system" where you only need to protect the server OS from the users and each user from the other users, but that's far from the real use most Linux systems see nowadays.

    As long as applications come from the distro repositories it's kind of OK, but you can't expect to have a large ecosystem of third party applications (also proprietary) that are curated and more or less guaranteed safe as the opensource ones in the distro's repos.

    Obviously at the base of everything there is always the user, there are many users even in Linux who are careless, but what is unacceptable is that users complain about entering a password, when this is for their protection.
    It's for the OS protection from unauthorized settings change, or to access shared system hardware. It does not really protect the user that much to firewall access to tty subsystem (serial dongles) behind root privileges or granting permission to your user for that.

    Applications are run as your user by default and therefore can freely keylog and steal all your data without root privileges, no need for a password.

    Servers commonly run their service applications under a different non-root user that has limited or no privilege at all (also usually no shell access), which makes them very safe as any breach in the application will be contained, but this is NOT done for user applications in a home PC setup.

    If we want to talk about a half-way secure system we need a Wayland compositor (that is not a free-for-all keylog and screen scraping), and firejail https://github.com/netblue30/firejail (that sandboxes and enforces no access to stuff the application should NOT be able to look at, using Linux kernel features), or Flatpak with packages where the sandboxing is strict. But how many distros are like that yet? Not much.

    Linux CAN and WILL be a very secure OS. For now it really isn't.
    Last edited by starshipeleven; 12-09-2019, 08:24 PM.
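
The service-account model this post describes (a separate non-root user with no shell access) can be checked against a passwd(5) file. The following is an added example, not part of the thread or any poster's code; the sample entries are constructed, and the UID 1000 boundary between system and regular accounts is an assumption.

```python
# Added example: audit passwd(5)-format entries against the service-account
# model from the post (non-root user, no shell access).

# Shells that refuse an interactive login.
NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false", "/usr/bin/false"}
SYSTEM_UID_MAX = 999  # assumption: regular user accounts start at UID 1000

# Constructed sample data, not taken from any real host.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
nginx:x:993:990:Nginx web server:/var/lib/nginx:/sbin/nologin
postgres:x:26:26:PostgreSQL Server:/var/lib/pgsql:/bin/bash
backup:x:0:0:backup operator:/var/backup:/bin/sh
alice:x:1000:1000:Alice:/home/alice:/bin/bash
# malformed line below is skipped
broken:x:notanumber
"""

def parse_passwd(text):
    """Yield (name, uid, shell) for each well-formed seven-field line."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7 or not fields[2].isdigit():
            continue
        yield fields[0], int(fields[2]), fields[6]

def audit(text):
    """Return (account, reason) pairs that break the service-account model."""
    findings = []
    for name, uid, shell in parse_passwd(text):
        if uid == 0 and name != "root":
            # A second UID 0 account is root under another name.
            findings.append((name, "uid-0-alias"))
        elif 0 < uid <= SYSTEM_UID_MAX and shell not in NOLOGIN_SHELLS:
            # An empty shell field also lands here: login falls back to /bin/sh.
            findings.append((name, "service-account-with-login-shell"))
    return findings

if __name__ == "__main__":
    for name, reason in audit(SAMPLE_PASSWD):
        print(f"{name}: {reason}")
```

A finding is a prompt for review rather than proof of a problem, since some packages ship a login shell for their account on purpose.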


  • Charlie68
    replied
    Originally posted by Danny3
    If Linux had the same market share it would have the same infection percentage.
    Just because Linux nags you 100 times a day with password popups it doesn't mean that it's more secure.
    100% of the time it asks me for my password I give it because I want to run that program.
    How is this different than having no password ?
    It may be as you say, but at the moment it is not possible to support it, since there is no proof of what you say.
    Obviously a greater number of users would also increase the "viruses" for Linux, however Windows and GNU/Linux are profoundly different, so it is not possible to support your thesis.
    Obviously at the base of everything there is always the user, there are many users even in Linux who are careless, but what is unacceptable is that users complain about entering a password, when this is for their protection. What I mean is that there is little attention to security in general and Windows in these years has not helped to create a certain awareness of the subject.


  • starshipeleven
    replied
    Originally posted by Danny3
    If Linux had the same market share it would have the same infection percentage.
    Yes, but to the contrary of Windows, on Linux we are seeing sandboxing frameworks and kernel features that systemd, tools like firejail or application distribution like flatpak can use to isolate stuff.

    Just because Linux nags you 100 times a day with password popups it doesn't mean that it's more secure.
    It means someone didn't configure it correctly, but apart from that, it is limiting access to more stuff than Windows by default, which makes it more secure, at least from some attack vectors.

    How is this different than having no password ?
    It makes sure that the user knows that the application is asking access to stuff it shouldn't, which for the older security model of "the user decides who is trustworthy" is better. For the more modern model it's a bit meh, but so does Windows anyway.

    Of course if you don't configure the system to give your user/application access to the areas it should have, and resort to running everything as root then it's either your own or a distribution issue.


  • Danny3
    replied
    Originally posted by Charlie68

    ... and it is not surprising that users who use the most famous OS are infected with viruses and format often!
    Between the two, I prefer to stay in the minority ... I not only set a user password in addition to the root password, but I also set a password to protect my password in the wallet and despite everything I am still alive and with the computer I also have to work.
    If people looked a little more at safety and less at performance, even the web would be a better place!
    If Linux had the same market share it would have the same infection percentage.
    Just because Linux nags you 100 times a day with password popups it doesn't mean that it's more secure.
    100% of the time it asks me for my password I give it because I want to run that program.
    How is this different than having no password ?


  • Vistaus
    replied
    Originally posted by starshipeleven
    or perhaps not completely serious
    Me neither.


  • starshipeleven
    replied
    Originally posted by Vistaus
    Someone's full of himself!
    or perhaps not completely serious
