Date: Wed, 11 Jun 2008 23:47:43 +0200 From: Roland Smith <rsmith@xs4all.nl> To: David Naylor <naylor.b.david@gmail.com> Cc: freebsd-questions@freebsd.org Subject: Re: FreeBSD and User Security Message-ID: <20080611214743.GA18371@slackbox.xs4all.nl> In-Reply-To: <200806112225.36221.naylor.b.david@gmail.com> References: <200806112225.36221.naylor.b.david@gmail.com>
next in thread | previous in thread | raw e-mail | index | archive | help
[-- Attachment #1 --] On Wed, Jun 11, 2008 at 10:25:32PM +0200, David Naylor wrote: > Hi All, > > Today I read an article describing how my government had lost ZAR200 000 000 > from fraud. This is just under $25 000 000. The article credited this loss > largely due to the use of spyware. > > My question is how secure is FreeBSD (including KDE, GNOME and XFCE) to > attacks, including cracking and spyware. That is a very broad question without a simple answer. It depends among other things on the purpose of the machine and the knowledge of the administrator. E.g, if you are creating a workstation that doesn't run externally accessible servers you could configure the firewall to block all incoming new connection requests. That will go a long way toward safeguarding the machine against network attacks. There is no way to safeguard a machine that an attacker has physical access to; he could e.g. steal the harddisk and read your data at his leisure (unless it is encrypted on-disk, e.g. with geli(8)). Also, no OS can defend against social engineering attacks. I would not worry overly much about spyware. Most if not all of those are windows binaries. Also, unix mail clients as a rule do not execute scripts embedded in mail messages. > In addition, is there anyway to > prevent a user from executing a program that is not owned by root (i.e. any > program installed by the user), this would prevent spyware being installed > (assuming root has been properly locked down) and subsequently run. You could mount /home and other partitions where users have write access like /tmp with the noexec option. Note that that wouldn't block the execution of scripts, just binaries. Roland -- R.F.Smith http://www.xs4all.nl/~rsmith/ [plain text _non-HTML_ PGP/GnuPG encrypted/signed email much appreciated] pgp: 1A2B 477F 9970 BA3C 2914 B7CE 1277 EFB0 C321 A725 (KeyID: C321A725) [-- Attachment #2 --] -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.9 (FreeBSD) iEYEARECAAYFAkhQR/8ACgkQEnfvsMMhpyXgwQCdFqXH7olIT3IOsWOAfmO9V+bX Ei8AoItCOmn8zMPQlCK+xkTSTxandpKl =VveH -----END PGP SIGNATURE-----
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20080611214743.GA18371>