Is using Ubuntu Live CD safe for online financial transactions?

I thought it would be a good idea to use a Live CD of Ubuntu to do all my financial transactions online, I figure thats the safest way since any virus/trojan cannot infect the Live CD?

Just one question, how safe is it to use Linux as a whole for this kind of use? (I mean, Linux and all the apps are open source and written by just about anybody, so how can I be sure that even the Ubuntu Live CD doesnt have any sort of keylogger etc installed? After all, with so many lines of code, I'm sure someone could have sneaked in something like that?)

I don't know if I'm being paranoid, but it would help if someone has answers or links talking about this specific aspect? Also, is there a geek-word for such "sneaking in of malicious software" (apart from "trojan" of course :)

Zabba

Posted 2010-07-26T05:59:30.483

Reputation: 789

Answers

Yes, it is as safe as possible.

With a smaller open source project written almost exclusively by 1-2 people, there is some risk that they can hide something. But with big, well-known and well-tested software such as the Linux kernel, Firefox, and most packages which are a default part of a big distribution, you can be reasonably sure that lots of independent eyes have seen every line of code. You're probably more at risk of a rogue Microsoft employee sneaking in a keylogger into Windows just before a deadline.

The second point is, Linux isn't more secure just because there is fewer Linux malware written. It was designed with a better security model. With Windows, almost everybody ran as admin up to Win XP, and because of the UAC usability disaster in Vista, most people just continue this today, even on 7. The point of running as non-admin isn't to save you from yourself - if it is your own PC, it'll ask you for admin password for deleting System32 and you'll provide it - but that software processes started while you're running as non-admin don't have admin rights, so they are barred from anything the non-admin user is barred from. Besides, there are additional security mechansims built into operation systems, but many such were built into Windows later than their Linux counterparts, and recent studies show that third-party software doesn't use them. Link

And besides, you are not the first who thought of it. A big computer magazine in Germany, c't, actually regularly provides a "banking CD" with its magazine. It is just as you described, a LiveCD based on Ubuntu with some branding. I don't know if they provide specific tools on it too, but if you think that it is more secure than a "common" Ubuntu LiveCD, you could order a past issue with that CD from heise.de. Personally, I wouldn't bother and just take the LiveCD of some big distro.

rumtscho

Posted 2010-07-26T05:59:30.483

Reputation: 3 586

I mean, Linux and all the apps are open source and written by just about anybody

OSS programs may be written by anyone and everyone, but that doesn't mean I make a no-name app and it will be featured in the LiveCD. There are rules, standards and procedures to be adhered to, if I need an app to be featured in the LiveCD and something won't be featured "just like that". Getting the keylogger to start with the LiveCD will mean that upstart scripts will need to be tampered with, and I can tell you nobody's going to miss this.

Sathyajith Bhat

Posted 2010-07-26T05:59:30.483

Reputation: 58 436

1Did you mean "nobody's going to overlook this"? – None – 2010-07-26T06:33:44.363

Or "nobody's NOT going to notice this" ? – Zabba – 2010-07-26T07:04:06.523

@Zabba: Nobody should not know to avoid double negatives. :) – None – 2010-07-26T07:17:54.827

Woops. big mistake hehe – Sathyajith Bhat – 2010-07-26T07:38:31.680

You can be sure Linux doesn't have any keyloggers or other malware BECAUSE it's open source. You are free to go through every source file and check it yourself - I read quite a bit of the source. Canonical (Ubuntu) doesn't just put anyone's random script in without looking at it. I work on an open source project and if something was inserted, we would know. New things almost always break old things. We look at what comes up when the OS is booting, and we know which processes should be running.

Closed source, on the other hand, could have a million "features" you'll never know about.

Starting from a Linux Boot CD will mean that none of the malware you may have on your computer is going to run, and nothing that you enter into your browser will be stored anywhere on your computer once your ram is cleared out. Does that mean you are completely safe? No. Maybe someone is collecting packets between you and the bank and knows how to get around https encryption. Maybe someone at the bank is doing things on that end.

xnine

Posted 2010-07-26T05:59:30.483

Reputation: 61

I agree with the packet-interception, that would be possible on any system; it's the inbuilt "hidden" code i was worried about. Thansk for your insights – Zabba – 2010-07-26T07:02:49.330

First of all, there's nothing wrong with being a bit paranoid :)

Secondly, I think using a Linux Live CD is a great idea.

Infections by keyloggers and the like are a very real threat, and booting from a Live CD gives you a nice blank slate every time. The vast majority of all virusses and malware are targeted at Windows systems, so with Linux, you no longer have to worry about those.

As you mentioned, Open Source development involves a lot of people collaborating to make projects like Ubuntu possible, but it also means there's a lot of peer review and testing.

If someone really did try to sneak something malicious into a program that's included on the Live CD, surely it would have been caught by the many other people involved in these projects.

After all, 700 MB is not a lot of room to work with and only the best and most important applications are approved to be shipped with the Live CD.

For some further reading, security expert Brian Krebs wrote an article about banking with an Ubuntu Live cd for the Washington Post last year: link.

Kenny Rasschaert

Posted 2010-07-26T05:59:30.483

Reputation: 992

Be sure to check for the bugs in software. Live CDs have older versions of software and they might have security risks.

Xolve

Posted 2010-07-26T05:59:30.483

Reputation: 450