this post was submitted on 19 Aug 2023
705 points (94.8% liked)
Linux
48684 readers
390 users here now
From Wikipedia, the free encyclopedia
Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).
Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word "Linux" in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.
Rules
- Posts must be relevant to operating systems running the Linux kernel. GNU/Linux or otherwise.
- No misinformation
- No NSFW content
- No hate speech, bigotry, etc
Related Communities
Community icon by Alpár-Etele Méder, licensed under CC BY 3.0
founded 5 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
Yea came here to say this. If the machine is connected to the internet, you're waiting for trouble.
Well that true for regular windows
...unless you are an experienced security person like me. My family occasionally use internet on a Windows 7 home desktop that I set up 6 years ago with perhaps what would sound simple – a combination of group policy edits and an anti-executable. If nothing I want executes, it will not execute. Browser end is taken care of with uBlock Origin on Firefox with malware and other lists enabled.
Funny thing, a virus executable was laying in AppData since ages, unable to do anything, and I did not even know until probably months or years. Deleted it.
Viruses don't need to be .exes by the way. There were spectre/meltdown proofs of concept that only ever used front end JavaScript.
Because the modern style of CPU attack (zenbleed too) usually side chains access to private memory (where your authentication details exist) they can get full system control without executing any .exes.
That computer would need a firewall disabling all incoming traffic, the latest bios firmware patches and js disabled on Firefox to be close to safe. And that's the base level stuff.
Edit: changed VPN to firewall. That was silly.
The blocker allows to block any kind of executable code, that includes EXE, DLL, VBS and all kinds of extension formats, and allows to whitelist what directories, processes and programs can run as well. It intercepts all IPC as well. There is also a HIPS firewall that intercepts all network traffic and processes. All bases are covered in my approach, and I discussed this personally with The PC Security Channel on a Discord voice call.
The only kind of vulnerabilities would be a CPU or OS/firmware level attack, but the latter is plugged largely due to combined maxed UAC slider/antiexecutable/HIPS firewall blocking any and all execution, and group policies taking care of any elevations. All this runs under a standard user account.
I do not recommend people this approach, considering how complex it is to setup and fully understand, but once it is setup, it is set and forget since years now. Only advanced users and pentesters who have experience and knowledge should do this. I am doing this because it allows both the machine to support legacy hardware like scanner, printer, DVD writer et al, and allows to run legacy Windows programs, besides allowing to use internet with Firefox/custom uBO.