[huskerlug] Re: [MLIST] Re: antivirus

> I won't be so bold as to say it can't happen here but KMail, the mail
> program I use in Linux does not set attachments to be executable.  Windows

Typically mail programs for *nix were written without the less secure 
"features" being added (a good thing in my opinion).  But, as I was trying to 
point out, this isn't Linux vs. windows security, it's Kmail vs. Outlook 
security.  Linux/windows have very little to do with this particular case.  
Run kmail inside of Cygwin on windows and I'll bet it's just as secure since 
it still won't execute attachments.

> (they might have changed this very recently) does not have the ability to
> keep script files from being executable.  They are associated with the
> scripting executable and then executed as long as read permissions exist.

Windoze NT/2K/XP/2K3 can restrict executable permissions to files just like a 
*nix box can.  Newer versions of Outlook also can set policy restrictions on 
file attachments.  The problem with Outlook is that security has been bolted 
on as an afterthought and many of the protections added to it can be 
circumvented by viruses due to security holes and implementation flaws (yes, 
all software has this problem, but Outlook, like IE, seems to have way more 
than its fair share).

>
> With Linux there are more tools to control evil activities.  You can use
> iptables to restrict your outgoing port 25 connections to only your own
> email server.  With the Linux security module I think you can deny the
> ability to make outgoing connections to whoever you want.

These features are available in windoze too.  Zone Alarm can be used to block 
outgoing connections just like iptables.  

LSM is just a framework for implementing security policies.  By itself, it's 
useless.  Either way, LSM isn't part of a "stable" kernel yet, so, to make a 
"fair" comparison, we probably shouldn't include it yet. 

Currently there are patch alternatives that can be used to harden stable 
series kernels  (e.g. RSBAC, grsecurity, LIDS, etc.), but most of them aren't 
shipped by default with the commonly used distros.  Most, if not all of these 
patches, will let you restrict network connections.  

Don't get me wrong, I despise windoze, but it is a big misconception to think 
that Linux is immune to viruses/worms.  Now quit making me defend windoze to 
make a point ;-)  I won't argue that as things currently stand, *nix is 
probably a lot safer environment for the "typical" end user since it protects 
them better from "ignorant" mistakes (e.g. not opening every attachment that 
gets sent to them).  Most users simply don't know better unless they've been 
educated by someone.

Cheers!
-- 
Steve Bremer
RHCE,CCNA
--
Real Men don't make backups. They upload it via ftp and let the world 
mirror it. -- Linus Torvalds
--
GnuPG Key fingerprint = 7F06 4D73 7963 BE96 5189  953A E285 CB2C BA03 2746
Available on key servers.
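
The egress restriction quoted above (outgoing port 25 allowed only to your own mail server), as an added example that is not part of the original message: a shell function that emits an iptables-restore rule set for it. The chain name SMTP_EGRESS, the log prefix and the sample address 192.0.2.25 are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: generate an iptables-restore rule set that lets outbound
# SMTP (tcp/25) reach only one mail server and logs + rejects the rest.
# Nothing is applied here; the rules are only printed for review.

is_ipv4() {
    # Accept exactly four dot-separated decimal octets, each 0-255.
    case "$1" in
        *[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

smtp_egress_rules() {
    relay=$1
    if ! is_ipv4 "$relay"; then
        echo "usage: smtp_egress_rules <mail-server-IPv4>" >&2
        return 2
    fi
    # Rule order matters: loopback (local MTA) and the relay are accepted
    # first; anything else bound for port 25 is rate-limit logged, then
    # rejected with a TCP reset so a misbehaving client fails fast.
    cat <<EOF
*filter
:SMTP_EGRESS - [0:0]
-A OUTPUT -p tcp --dport 25 -j SMTP_EGRESS
-A SMTP_EGRESS -o lo -j ACCEPT
-A SMTP_EGRESS -d $relay/32 -j ACCEPT
-A SMTP_EGRESS -m limit --limit 6/min -j LOG --log-prefix "SMTP-EGRESS-DENY: "
-A SMTP_EGRESS -p tcp -j REJECT --reject-with tcp-reset
COMMIT
EOF
}

# 192.0.2.25 is a constructed documentation address, not a real server.
smtp_egress_rules "${1:-192.0.2.25}"
```

The LOG rule gives a kernel-log line for every blocked attempt, which is what shows a mass-mailing worm trying to reach outside SMTP servers directly. iptables covers IPv4 only, so a dual-stack host needs the equivalent ip6tables rules.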

  

