Author Topic: Computer security bullshit  (Read 22193 times)

Offline madires

  • Super Contributor
  • ***
  • Posts: 7754
  • Country: de
  • A qualified hobbyist ;)
Re: Computer security bullshit
« Reply #50 on: January 07, 2017, 09:05:51 am »
With SNI (which is pretty much required in these days of IPv4 crunch and CDNs, if you don't want to pay thousands of dollars), this is no longer true, and the host name is sent in plaintext (the specific file URL is still encrypted)

I stand corrected. You're right. The TLS setup is in cleartext and the SNI reveals the hostname.
 

Offline arekm

  • Supporter
  • ****
  • Posts: 165
  • Country: pl
Re: Computer security bullshit
« Reply #51 on: January 07, 2017, 09:30:44 am »
It does not always reveal the real hostname. There are corner cases that use SNI being cleartext for their benefit. It is sometimes used to circumvent blocking firewalls/censorship.

Signal app (https://whispersystems.org/) uses that for communication. SNI hostname is for example "google.com" but "Host" in http header (that's "hidden under" SSL) is their real server like appserver.mydomain.com. The traffic is then handled by appserver.mydomain.com. It works with most CDNs. If someone wants to block that, it needs to block entire "google.com" traffic.

http://www.pcworld.com/article/3152769/security/encrypted-messaging-app-signal-uses-google-to-bypass-censorship.html
http://www.icir.org/vern/papers/meek-PETS-2015.pdf
« Last Edit: January 07, 2017, 09:32:34 am by arekm »
 

Offline Marco

  • Super Contributor
  • ***
  • Posts: 6716
  • Country: nl
Re: Computer security bullshit
« Reply #52 on: January 07, 2017, 09:38:39 am »
IMO computer security is easy. Computers used to browse the web, read email any more complex than scrubbed plain text, with user accessible ports for external storage and web servers should be considered root kitted by default. Design around that and it's hard to go wrong without state agency level attacks.

Use minimum trust, because that is clearly still too much.
« Last Edit: January 07, 2017, 09:42:04 am by Marco »
 

Offline f4eru

  • Super Contributor
  • ***
  • Posts: 1093
  • Country: 00
    • Chargehanger
Re: Computer security bullshit
« Reply #53 on: January 07, 2017, 06:02:42 pm »
I don't even remember when was the last time my computer got compromised even a bit. It's many years ago.
That you have not detected a breach for many years does not mean you didn't have a breach.

Offline slicendice

  • Frequent Contributor
  • **
  • Posts: 365
  • Country: fi
Re: Computer security bullshit
« Reply #54 on: January 07, 2017, 06:27:36 pm »
I don't even remember when was the last time my computer got compromised even a bit. It's many years ago.
That you have not detected a breach for many years does not mean you didn't have a breach.

Oh you are very wrong, I would notice it immediately. If I have time to react in time once it happens, if it ever happens, is a whole different story. But I will not publicly go into any specifics about security details on my computer, because that would get the hacker one step closer to breaching it.  ;)
 

Offline RGB255_0_0

  • Frequent Contributor
  • **
  • Posts: 772
  • Country: gb
Re: Computer security bullshit
« Reply #55 on: January 07, 2017, 08:16:36 pm »
Oh you are very wrong, I would notice it immediately.
:popcorn:
Your toaster just set fire to an African child over TCP.
 

Offline f4eru

  • Super Contributor
  • ***
  • Posts: 1093
  • Country: 00
    • Chargehanger
Re: Computer security bullshit
« Reply #56 on: January 07, 2017, 11:00:34 pm »
But I will not publicly go into any specifics about security details on my computer, because that would get the hacker one step closer to breaching it.  ;)
Security through obscurity. Yep. That absolutely works. :popcorn:

Offline imidis

  • Frequent Contributor
  • **
  • Posts: 426
  • Country: ca
Re: Computer security bullshit
« Reply #57 on: January 07, 2017, 11:12:36 pm »
I don't know why security is such a touchy subject. So much so I rarely participate in the discussions. There are a lot of holes and issues out there.   :-\
Gone for good
 

Offline slicendice

  • Frequent Contributor
  • **
  • Posts: 365
  • Country: fi
Re: Computer security bullshit
« Reply #58 on: January 08, 2017, 12:13:27 am »
I don't know why security is such a touchy subject. So much so I rarely participate in the discussions. There are a lot of holes and issues out there.   :-\

You are absolutely right! Great choice!

Falls in same category as religion and politics it seems. Never would have thought!  :-DD
 

Offline slicendice

  • Frequent Contributor
  • **
  • Posts: 365
  • Country: fi
Re: Computer security bullshit
« Reply #59 on: January 08, 2017, 10:09:36 am »


I don't know how accurate this is, but it is interesting. Windows 10 is not on top of the list though being spyware and all. Who would have thought that?  :-DD
 

Offline slicendice

  • Frequent Contributor
  • **
  • Posts: 365
  • Country: fi
Re: Computer security bullshit
« Reply #60 on: January 08, 2017, 11:01:16 am »
Had they spelled Ubuntu correctly it could be more appealing.

Great catch! I don't think this chart is far off from the truth though. Android has a lot of security flaws and it makes sense to me that it is on the top of this list.

Trying to find more detailed and accurate info on OS-specific (not including 3rd party apps) security tests overall.

Either way, a good 2-way firewall and good AV increase security. And security suites with added layers for specific tasks improve the overall security even more. Nothing is perfect though.
 

Offline Simon

  • Global Moderator
  • *****
  • Posts: 17814
  • Country: gb
  • Did that just blow up? No? might work after all !!
    • Simon's Electronics
Re: Computer security bullshit
« Reply #61 on: January 08, 2017, 11:24:19 am »
The problem is the more flexibility and functionality you want from an OS the more exploits there are. I saw an interesting YouTube video about how spyware can trick an internet browser into sending data back for it so as to stay under the radar using basic Windows functionality that is legitimately there for programs to talk to each other and it's undetectable. The best line of defence is to not get infected in the first place.

The chart obviously does not clarify the likelihood of each exploit being used and if an antivirus was used.
 

Offline slicendice

  • Frequent Contributor
  • **
  • Posts: 365
  • Country: fi
Re: Computer security bullshit
« Reply #62 on: January 08, 2017, 11:47:45 am »
Quote from: Simon
the problem is the more flexibility and functionality you want from an OS the more exploits there are.

You are absolutely correct. For the Android part I'm pretty certain a lot of security issues have to do with Java. It's known to have a lot of holes, though Android Java is a quite modified version of the Oracle one.

Quote from: Simon
The chart obviously does not clarify the likelihood of each exploit being used and if an antivirus was used.

No it does not, and that is why I look into finding a proper report. :)
 

Offline f1rmb

  • Regular Contributor
  • *
  • Posts: 180
  • Country: fr
Re: Computer security bullshit
« Reply #63 on: January 08, 2017, 11:56:41 am »


I don't know how accurate this is, but it is interesting. Windows 10 is not on top of the list though being spyware and all. Who would have thought that?  :-DD

Had they spelled Ubuntu correctly it could be more appealing.


Linux Kernel as an operating system  :palm:

 

Offline slicendice

  • Frequent Contributor
  • **
  • Posts: 365
  • Country: fi
Re: Computer security bullshit
« Reply #64 on: January 08, 2017, 12:05:55 pm »


I don't know how accurate this is, but it is interesting. Windows 10 is not on top of the list though being spyware and all. Who would have thought that?  :-DD

Had they spelled Ubuntu correctly it could be more appealing.


Linux Kernel as an operating system  :palm:

I've been building Linux from scratch, there is not much more needed than a bootloader, a filesystem and the kernel, the rest is just applications/toolchains to add functionality that has nothing to do with an OS and its purpose.
 

Offline f1rmb

  • Regular Contributor
  • *
  • Posts: 180
  • Country: fr
Re: Computer security bullshit
« Reply #65 on: January 08, 2017, 12:21:52 pm »


I don't know how accurate this is, but it is interesting. Windows 10 is not on top of the list though being spyware and all. Who would have thought that?  :-DD

Had they spelled Ubuntu correctly it could be more appealing.


Linux Kernel as an operating system  :palm:

I've been building Linux from scratch, there is not much more needed than a bootloader, a filesystem and the kernel, the rest is just applications/toolchains to add functionality that has nothing to do with an OS and its purpose.

A *nix kernel isn't an OS, this "chart" mixes oranges and bananas...
I'm still wondering about the purpose of booting a fat/monolithic Linux kernel with *zero* system/user binaries, except to power up some devices.

Cheers.
---
Daniel

 
 

Offline XynxNet

  • Regular Contributor
  • *
  • Posts: 185
  • Country: de
Re: Computer security bullshit
« Reply #66 on: January 08, 2017, 12:33:06 pm »
While there are open bugtrackers for linux/android, I wonder whether we get the same amount of info about bugs in ms or apple software.
« Last Edit: January 11, 2017, 09:54:22 pm by XynxNet »
 

Offline slicendice

  • Frequent Contributor
  • **
  • Posts: 365
  • Country: fi
Re: Computer security bullshit
« Reply #67 on: January 08, 2017, 12:34:35 pm »
Look up the official definition of an Operating System before saying the Linux kernel is not such. The Linux kernel has all the requirements for an Operating System.
 

Offline Brumby

  • Supporter
  • ****
  • Posts: 12297
  • Country: au
Re: Computer security bullshit
« Reply #68 on: January 08, 2017, 12:35:59 pm »
But I will not publicly go into any specifics about security details on my computer, because that would get the hacker one step closer to breaching it.  ;)

Which is why I never even enter into discussions on the subject.
 

Offline slicendice

  • Frequent Contributor
  • **
  • Posts: 365
  • Country: fi
Re: Computer security bullshit
« Reply #69 on: January 08, 2017, 12:36:55 pm »
While there are open bugtrackers for linux/android, I wonder whether we get the same amount of info about bugs in ms or apple software.

I doubt the bug/security hole list for Windows and OSX is as comprehensive as for all opensource OSes out there.
 

Offline f1rmb

  • Regular Contributor
  • *
  • Posts: 180
  • Country: fr
Re: Computer security bullshit
« Reply #70 on: January 08, 2017, 12:38:07 pm »
Look up the official definition of an Operating System before saying the Linux kernel is not such. The Linux kernel has all the requirements for an Operating System.

Yeah sure, few OSI layers are missing here, but who cares ?  :-+
 

Offline slicendice

  • Frequent Contributor
  • **
  • Posts: 365
  • Country: fi
Re: Computer security bullshit
« Reply #71 on: January 08, 2017, 12:51:56 pm »
Look up the official definition of an Operating System before saying the Linux kernel is not such. The Linux kernel has all the requirements for an Operating System.

Yeah sure, few OSI layers are missing here, but who cares ?  :-+

Hahha, I don't care if the OS implements the OSI model or not. As long as it has a scheduler, and can securely orchestrate all the chatter between hardware(or hardware layer), software and user IO (which in some cases are not even needed, depends on the purpose of the OS).
 

Offline f1rmb

  • Regular Contributor
  • *
  • Posts: 180
  • Country: fr
Re: Computer security bullshit
« Reply #72 on: January 08, 2017, 01:23:26 pm »
Look up the official definition of an Operating System before saying the Linux kernel is not such. The Linux kernel has all the requirements for an Operating System.

Yeah sure, few OSI layers are missing here, but who cares ?  :-+

Hahha, I don't care if the OS implements the OSI model or not. As long as it has a scheduler, and can securely orchestrate all the chatter between hardware(or hardware layer), software and user IO (which in some cases are not even needed, depends on the purpose of the OS).

A scheduler, a task scheduler ? You just said you define the linux kernel alone AS an OS, no software, by any means. Once you install a single binary somewhere, it starts to be an OS.

Back to the chart you've posted, you take it really personally, have you made it ? I guess not.
I just found it amusing with the Ubuntu typo, and wrong with the linux kernel entry in the middle.
 

Offline slicendice

  • Frequent Contributor
  • **
  • Posts: 365
  • Country: fi
Re: Computer security bullshit
« Reply #73 on: January 08, 2017, 01:34:27 pm »
No I am not talking about a task scheduler in the sense of some scheduled task you make the OS run some software as a service at a predefined time/interval.

We can make a 6 year study out of this OS talk.

For people who have never written or attempted to write their own OS from scratch, have no clue what an operating system for modern computers today is built of, have no idea how many OS architectures there could possibly exist, have no idea how modern computers work internally at a bit level, and how both the bits and the OS glue it all together, I'd suggest to just keep quiet.

But that is just my opinion. I'm not stopping anyone from making a fool out of themselves. :)
 

Offline madires

  • Super Contributor
  • ***
  • Posts: 7754
  • Country: de
  • A qualified hobbyist ;)
Re: Computer security bullshit
« Reply #74 on: January 08, 2017, 01:41:42 pm »
I don't know how accurate this is, but it is interesting. Windows 10 is not on top of the list though being spyware and all. Who would have thought that?  :-DD

One has to be careful with those numbers, because it's apples vs. bananas (not oranges) quite often. The linux distributions come with a ton of applications, Windows doesn't. Take firefox for example. For Windows it's a third party application, so any security issues in firefox aren't counted. Ubuntu comes with firefox, so firefox' security issues are added. Another point is how each OS defines a security issue or its severity.
 
The following users thanked this post: f1rmb

