Long story short: I'm thinking about setting up Ubuntu for someone, but they'll probably never let the Update Manager do its thing.
Taking into account all aspects of security (including security through obscurity), how secure would Ubuntu remain in such a situation?
-
corbintechboy Notebook Consultant
If someone knows how to exploit an old hole, not very secure.
A router can help but a determined hacker can even bypass that. Of course a dedicated hacker could get any of us no matter the security measures. -
ALLurGroceries Vegan Vermin Super Moderator
Any OS that isn't kept up to date is going to end up like Swiss cheese.
-
Bearing in mind that this would hold true for any OS, my opinion is that keeping a computer and its data safe can depend largely on what someone does with their computer, especially if the computer is used in a home computing environment (email, web surfing, photo archiving, word processing, etc.). I think that behavior can go a long way to safeguarding this kind of computer system, regardless of the OS, applications, or how often they're updated. If your user can remember a few basic rules (others please feel free to suggest additions/deletions):
Use different secure passwords, (at least 8 characters using both numbers and letters), for different accounts. One secure password for your own computer. A different secure password for financial/reseller websites which contain any financial information, such as credit card numbers and address. And a different secure password for sites which contain no personal information about you, (fun sites like NBR Forums, etc.).
Change your passwords periodically. This can be made easier by using a password manager program.
Once you're used to when you enter in your username and password credentials on your computer, pay attention. You shouldn't ever be surprised by having to enter your credentials again, for example in the middle of operating your computer, etc.
If using your computer to purchase items, do so from reputable resellers. The ResellerRatings site is a great site for checking resellers.
Understand when to enter credit card information, and what to look for in your browser to determine the security level of the page you're entering that information into.
If you are ever sent your password in an email from one of your financial/reseller websites, you should change the password immediately and contact the website to let them know that under no circumstances should they store users' passwords in a readable format. (You should also consider not using their services until they change this practice.) The industry norm is to store your password in their system in an encrypted format, (unreadable to their employees), and if you forget your password, to offer you a reset ability, where they set your password to some value, and then you log in to the site using this new password, and then immediately change it to your chosen password.
Never download anything that you're not sure of.
Never install anything you're not sure of, especially if you downloaded it from a website.
If you don't know what you're doing, don't enable or configure anything called any variation of file sharing, p2p, or torrent.
So, if the user is not inclined to download software and try to install it, or isn't prone to downloading malware, either because they don't visit those kinds of sites regularly or they are knowledgeable enough to avoid them, then it's likely that they will be relatively safe. Additionally, in regards to email, if they're unsure of its origin, they should treat an email message as a stranger on their porch:
If you don't know the email sender, don't read it, (trash it instead).
Don't ever provide any kind of sensitive information via email to anyone.
Don't ever give out your computer username or password in an email, (or on a website).
Don't ever open an email attachment or weblink that you aren't sure of, even if it's sent to you by someone you know.
Don't believe everything you read in your email. Verify it first. The internet mythbuster website Snopes.com is an excellent resource for this.
Don't ever respond to ANY email asking for any kind of account verification, or account credentials. No reputable site will ever ask for this via email. (If you're unsure, call them on the phone)
Added to that under Linux you have the extra hoop of the normal securing of the root user account, (provided you don't circumvent that), and that it's not generally a target for virus/malware/etc., should mean that even an Ubuntu system that's not up to date, should be relatively secure for a good long while. Finally since it's Linux, you can secure it relatively well at installation, with a firewall and antivirus software, without cost to you, which can help keep things secure in certain circumstances.
Good Luck.. -
Just tell them to run the updater when it pops up. I don't get what is so hard about that.
-
-
You can safely uninstall update-notifier so your granny won't even notice the updates.
In general I think Ubuntu is the worst choice among the major distributions when it comes to security because for an attacker it's pretty safe to assume that a Linux computer is an Ubuntu computer.
In any case you should make sure that your granny's user account has no rights to become root. In most other distributions that's the default setting, in Ubuntu it's not.
As for using exploits:
About a year ago my company had to install software on some of our older servers. Unfortunately our main admin was on holiday, the 2nd was at a conference and the trainee was ill that week, so we had nobody with the required root access.
Fortunately for us these old servers were vulnerable to a null pointer root exploit which I used to install the required software. Of course anybody else could have exploited that vulnerability too. -
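One way to check the point made in the post above about the everyday account having no rights to become root (an added example, not part of the original thread). It assumes the stock Ubuntu sudoers rules, which grant sudo to members of the `sudo` group (`admin` on older releases); the function names, the account names `owner` and `granny`, and the sample files are constructed for illustration, and included sudoers files and aliases are not followed.

```shell
#!/bin/sh
# Added example: audit whether an account can become root through sudo.
# Assumption: privileges come from the "sudo"/"admin" groups or from a
# sudoers rule naming the user directly (no includes, no aliases).

# Print each privileged group that lists USER as a member.
# $1 = user name, $2 = file in /etc/group format (name:passwd:gid:members)
privileged_groups() {
    awk -F: -v user="$1" '
        $1 == "sudo" || $1 == "admin" {
            n = split($4, members, ",")
            for (i = 1; i <= n; i++)
                if (members[i] == user) print $1
        }' "$2"
}

# Print sudoers rules whose first field is USER (comments and blanks skipped).
# $1 = user name, $2 = file in sudoers format
direct_sudoers_rules() {
    awk -v user="$1" '
        /^[ \t]*(#|$)/ { next }
        $1 == user { print }' "$2"
}

# Return 0 if USER can become root by either route, 1 otherwise.
# $1 = user name, $2 = group file, $3 = sudoers file
can_become_root() {
    [ -n "$(privileged_groups "$1" "$2")" ] ||
    [ -n "$(direct_sudoers_rules "$1" "$3")" ]
}

# Constructed sample data: "owner" is the installer-created admin account,
# "granny" is the everyday account that should stay unprivileged.
# $1 = directory to write the sample "group" and "sudoers" files into
write_samples() {
    printf '%s\n' 'root:x:0:' 'adm:x:4:owner' 'sudo:x:27:owner' \
        'granny:x:1001:' > "$1/group"
    printf '%s\n' '# constructed sudoers sample' 'root ALL=(ALL:ALL) ALL' \
        '%sudo ALL=(ALL:ALL) ALL' > "$1/sudoers"
}
```

On a real system the inputs are `/etc/group` and `/etc/sudoers`; reading the latter requires root.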
-
masterchef341 The guy from The Notebook
depends on what kind of security you want...
exploitability rating will be pretty poor
security by obscurity will be pretty high -
So do you have a link to that article? -
How secure would outdated Ubuntu be?
Discussion in 'Linux Compatibility and Software' started by Peon, Dec 1, 2011.