From owner-freebsd-questions@FreeBSD.ORG Wed Jun 11 21:47:45 2008 Return-Path: Delivered-To: freebsd-questions@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 97D941065674 for ; Wed, 11 Jun 2008 21:47:45 +0000 (UTC) (envelope-from rsmith@xs4all.nl) Received: from smtp-vbr11.xs4all.nl (smtp-vbr11.xs4all.nl [194.109.24.31]) by mx1.freebsd.org (Postfix) with ESMTP id 2B5B48FC19 for ; Wed, 11 Jun 2008 21:47:44 +0000 (UTC) (envelope-from rsmith@xs4all.nl) Received: from slackbox.xs4all.nl (slackbox.xs4all.nl [213.84.242.160]) by smtp-vbr11.xs4all.nl (8.13.8/8.13.8) with ESMTP id m5BLlh2M056061; Wed, 11 Jun 2008 23:47:44 +0200 (CEST) (envelope-from rsmith@xs4all.nl) Received: by slackbox.xs4all.nl (Postfix, from userid 1001) id 506F1BA8C; Wed, 11 Jun 2008 23:47:43 +0200 (CEST) Date: Wed, 11 Jun 2008 23:47:43 +0200 From: Roland Smith To: David Naylor Message-ID: <20080611214743.GA18371@slackbox.xs4all.nl> References: <200806112225.36221.naylor.b.david@gmail.com> MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="BOKacYhQ+x31HxR3" Content-Disposition: inline In-Reply-To: <200806112225.36221.naylor.b.david@gmail.com> X-GPG-Fingerprint: 1A2B 477F 9970 BA3C 2914 B7CE 1277 EFB0 C321 A725 X-GPG-Key: http://www.xs4all.nl/~rsmith/pubkey.txt X-GPG-Notice: If this message is not signed, don't assume I sent it! User-Agent: Mutt/1.5.18 (2008-05-17) X-Virus-Scanned: by XS4ALL Virus Scanner Cc: freebsd-questions@freebsd.org Subject: Re: FreeBSD and User Security X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 11 Jun 2008 21:47:45 -0000 --BOKacYhQ+x31HxR3 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Wed, Jun 11, 2008 at 10:25:32PM +0200, David Naylor wrote: > Hi All, >=20 > Today I read an article describing how my government had lost ZAR200 000 = 000=20 > from fraud. This is just under $25 000 000. The article credited this l= oss=20 > largely due to the use of spyware. =20 >=20 > My question is how secure is FreeBSD (including KDE, GNOME and XFCE) to= =20 > attacks, including cracking and spyware.=20 That is a very broad question without a simple answer. It depends among other things on the purpose of the machine and the knowledge of the administrator.=20 E.g, if you are creating a workstation that doesn't run externally accessible servers you could configure the firewall to block all incoming new connection requests. That will go a long way toward safeguarding the machine against network attacks. There is no way to safeguard a machine that an attacker has physical access to; he could e.g. steal the harddisk and read your data at his leisure (unless it is encrypted on-disk, e.g. with geli(8)). Also, no OS can defend against social engineering attacks.=20 I would not worry overly much about spyware. Most if not all of those are windows binaries. Also, unix mail clients as a rule do not execute scripts embedded in mail messages. > In addition, is there anyway to=20 > prevent a user from executing a program that is not owned by root (i.e. a= ny=20 > program installed by the user), this would prevent spyware being installe= d=20 > (assuming root has been properly locked down) and subsequently run. =20 You could mount /home and other partitions where users have write access like /tmp with the noexec option. Note that that wouldn't block the executi= on of scripts, just binaries. Roland --=20 R.F.Smith http://www.xs4all.nl/~rsmith/ [plain text _non-HTML_ PGP/GnuPG encrypted/signed email much appreciated] pgp: 1A2B 477F 9970 BA3C 2914 B7CE 1277 EFB0 C321 A725 (KeyID: C321A725) --BOKacYhQ+x31HxR3 Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.9 (FreeBSD) iEYEARECAAYFAkhQR/8ACgkQEnfvsMMhpyXgwQCdFqXH7olIT3IOsWOAfmO9V+bX Ei8AoItCOmn8zMPQlCK+xkTSTxandpKl =VveH -----END PGP SIGNATURE----- --BOKacYhQ+x31HxR3--