Ubuntu Most Secure?

[retriever]

I ran across this article the other day, and while Ubuntu appears to be the only Linux distro tested, is it more secure than Salix?

http://www.zdnet.com/uks-security-branc ... 000025312/

Thanks!

[mimosa]

Ubuntu is just here as a representative of Linux. While I'd say it's probably true that Linux is more secure than the alternatives discussed (on all sorts of criteria, not those assessed in the piece), there's no comparison made between different Linux distributions. For those who care (and for domestic use, if you're virus-free, you're doing well), pretty much any Linux can be made watertight; Ubuntu suffers from the twin advantages of a messy design that makes the internals hard to understand, and a large user base of mostly quite inexperienced users, and I have actually heard stories about viruses for Ubuntu. It's probably an Ubuntu-bashing urban myth, though.

In sum, I'd say you have nothing to worry about (as a Linux user) and to the extent it makes any difference, you are in the right place with Slackware. But the key thing is you are using Linux.

One issue that the article touches on that is a real issue is (U)EFI boot, but it doesn't explain it well. New computers are starting to come with it, and it is designed to make you use windows. Linux distributions have to jump throgh hoops to get round it, which at this early stage might mean basically turning it off. I don't undertand the ins and outs of it, but I suppose you could argue that in that case, you are less secure (in that respect) than someone using WIndows 8 on that machine. But you will still be *less* secure on Windows for all the other reasons. Apart from to ensure Microsoft continued market dominance, if UEFI has an honest purpose, it is to make *Windows* more secure. But I bet it still won't be anywhere near as secure as an untweaked Linux running without UEFI.

You asked before about a firewall and antivirus. I'd say again, I don't think you have anything to worry about. Some people in the Linux world are very concerned about security, but that's because they run servers and are responsible for other people's data; or they have done so in the past, and old habits die hard (as well as maybe being fun). You have already taken the one easiest step towards massively improving your own security: switching to Linux.

[retriever]

mimosa,

Thank you again for taking the time to answer my reply. I have always heard that Slackware is very secure, and that gives me peace of mind. You are a great member of the Salix team, and I again must say thank you.

[laprjns]

One issue that the article touches on that is a real issue is (U)EFI boot, but it doesn't explain it well. New computers are starting to come with it, and it is designed to make you use windows. Linux distributions have to jump throgh hoops to get round it, which at this early stage might mean basically turning it off. I don't undertand the ins and outs of it, but I suppose you could argue that in that case, you are less secure (in that respect) than someone using WIndows 8 on that machine. But you will still be *less* secure on Windows for all the other reasons. Apart from to ensure Microsoft continued market dominance, if UEFI has an honest purpose, it is to make *Windows* more secure. But I bet it still won't be anywhere near as secure as an untweaked Linux running without UEFI.

The suggestion that UEFI is designed to make you use window is simple not true and is a common misconception. UEFI was neither designed by nor controlled by Microsoft. UEFI is a specification for a modernized booting process targeted for many different platforms. The UEFI Forum, comprising of many companies, including Apple, Microsoft, Canonical,and The Linux Foundation among many others, write and controls the UEFI specification.http://www.uefi.org/ Hardware and system suppliers implement the specification in firmware which in the case of Intel archeture (x86) is replacing the BIOS firmware that has been used since the inception of the "PC".

Part of this misconception is that UEFI and Secure Boot are the same thing. In fact Secure Boot is one element of the UEFI specification. The fact that MS requires that all system with WIN 8 be shipped with Secure Boot on is used as proof that the "Evil Empire" is trying to lock out other OS. However The UEFI specification requires that there is a means to turn off Secure boot. Several Linus distributions can now boot with Secure Boot on. Please read this, it one of the best explanation that I've found on UEFI and it's Secure Boot extension;
https://www.happyassassin.net/2014/01/2 ... work-then/

[mimosa]

@laprjns
Thanks for that most informative link. We're clearly going to have to get used to UEFI and the more light, the better.

I have never laid hands on actual UEFI hardware, but my impression remains that the typical Windows user who is thinking of trying Linux will find it harder and scarier with UEFI (and secure boot) than it was with BIOS. Most Linux users once crossed that Rubicon, so it matters. I personally found it quite hard with Bios and ("legacy") Grub, back in the day

This may be completely wrong and is a separate point, but I remember reading that Windows 8 won't work if you turn off secure boot. If that is so, it forces new recruits to Linux to abandon Windows before becoming familiar with the alternative (and presumably, even before trying a Live CD). So virtualisation would have to fill that role.

I bet it isn't true though.

[laprjns]

This may be completely wrong and is a separate point, but I remember reading that Windows 8 won't work if you turn off secure boot. If that is so, it forces new recruits to Linux to abandon Windows before becoming familiar with the alternative (and presumably, even before trying a Live CD). So virtualisation would have to fill that role.
I bet it isn't true though.

You win the bet. Win 8 works fine with or without Secure Boot turned on.

I have never laid hands on actual UEFI hardware, but my impression remains that the typical Windows user who is thinking of trying Linux will find it harder and scarier with UEFI (and secure boot) than it was with BIOS.

Yes, it will be harder; they will have to go into the system UEFI firmware menu and turn off Secure Boot. Getting into the UEFI setting is like getting in the BIOS menu; you just press the appropriate key during the initial boot up just after hitting the power button. Of course with so many different implementations of UEFI there many different ways to get into the setting menu. On my Dell laptop, I have to press the F10, on my Asus laptop it is F2 and on my MSI motherboard F11.
However, you cannot really blame the added complexity on MS. They are just using an available UEFI feature to address an issue that they are routinely criticized for. Unfortunately, the added complexity is the result of having a more secure system.

[mimosa]

The ideal though would be to be able to use Linux and retain secure boot. The actual vulnerability created by turning it off is probably not as great as when running Windows, for reasons similar to the greater prevalence of viruses there (monoculture); but Windows - Linux dual booters won't want to be bothered with turning it on and off all the time accordingly. There's also a rhetorical point that people can say "Windows is safer because it has secure boot".

Presumably though even a Live CD can have a signed kernel.

[retriever]

Perhaps Salix will be able to sort out all of the Windows security stuff before too long. I don't plan on having Windows 8, just Salix, so until I buy a new laptop I won't have to worry about it.

[mimosa]

This is an old thread but the article laprjns linked to above provides very helpful background.

I just got a new machine and put my existing HDD in it, which was booting Salix using EFI/rEFInd. It didn't boot!

A little investigation with the BIOS showed that apparently, it's not possible to boot using EFI unless you have secure boot turned on. But this won't boot Salix because the OS isn't signed.

Legacy boot is possible, and I was able to get back into Salix by installing Grub. But what if I wanted to dual boot with Windows?

It seems it may not be that difficult to add the signature yourself, though this isn't something I have explored yet, let alone grasped:

http://blog.hansenpartnership.com/uefi-secure-boot/
http://blog.hansenpartnership.com/the-m ... uefi-keys/

sbsigntools, which its the tool suggested there to do this, is available from SBo.

It seems that in order to turn Secure Boot on in my BIOS (American Megatrends 2.17.1246) at least three settings need to be changed in different places, and you have to set a user password and then type this in every time you boot.

I should emphasize that booting with Grub is working fine for me now - the purpose of my post is just to explore the situation, which others may encounter too.

[laprjns]

I just got a new machine and put my existing HDD in it, which was booting Salix using EFI/rEFInd. It didn't boot!

Did you add a boot menu entry pointing to the the refind bootloader (refind_x86.efi) in the refind directory on the existing HDD ESP partition?

A little investigation with the BIOS showed that apparently, it's not possible to boot using EFI unless you have secure boot turned on. But this won't boot Salix because the OS isn't signed.

If this is true then your firmware is not UEFI specification compliant.