
It's starting to happen...


Erik Funkenbusch

Nov 24, 2008, 3:42:02 PM
Ok, this may seem off topic, but I'll get to how it's on topic in a moment.

"Mac OS X targeted by Trojan and backdoor tool"
http://news.zdnet.com/2424-9595_22-251586.html?tag=nl.e550

"It is a downloader, and it contacts a remote server to download the files
it installs," Intego said in an advisory. "This means that, in the future,
the downloader may be able to install payloads [other] than the one it
currently installs."

"The Trojan is found on porn websites posing as a codec needed to play
video files, a technique used to trick the user into downloading and
installing it."

For years, Linux and Mac advocates have been saying their systems are so
much more secure, and not vulnerable to malware. They gave as evidence
that no such malware existed for Linux or Macs.

Meanwhile, many of us argued that this was a function of lack of
popularity, not security. The single biggest security flaw in computer use
is the human flaw. No amount of security, other than simply not allowing
people to have access *AT ALL* to install programs can stop social
engineering from infecting computers.

We also argued that as the Mac and Linux became more popular, they too
would become targets, which of course was derided. But here it is
happening.

This particular piece of malware is interesting because it's very similar
to how many attacks occur on Windows. Trojaned files which can download
new pieces of malware as needed to address new security patches.

How long before we start seeing similar trojans for Linux? Well, I think
it will be a while. Linux would have to have a much larger base of
non-technical users who have sudo access.

Hadron

Nov 24, 2008, 3:54:04 PM
Erik Funkenbusch <er...@despam-funkenbusch.com> writes:

You mean like just about every single home Ubuntu user who has their own
machine?

Oops ....

Now wait for Koehlmann to choke on his sauerkraut and tell us how only
Windiots get infected ....

--
"Fuck you, you lying bitch. "
-- Rick <no...@nomail.com> in alt.true-crime, comp.os.linux.advocacy

Terry Porter

Nov 24, 2008, 5:46:38 PM
On Mon, 24 Nov 2008 15:42:02 -0500, Erik Funkenbusch wrote:

> Ok, this may seem off topic, but i'll get to how it's on topic in a
> moment.

Go Fud a MAC group Wintroll, this one is for discussing the advantages of
Linux.


--
If we wish to reduce our ignorance, there are people we will
indeed listen to. Trolls are not among those people, as trolls, more or
less by definition, *promote* ignorance.
Kelsey Bjarnason, C.O.L.A. 2008

Hadron

Nov 24, 2008, 5:50:04 PM
Terry Porter <lin...@netspace.net.au> writes:

> On Mon, 24 Nov 2008 15:42:02 -0500, Erik Funkenbusch wrote:
>
>> Ok, this may seem off topic, but i'll get to how it's on topic in a
>> moment.
>
> Go Fud a MAC group Wintroll, this one is for discussing the advantages of
> Linux.

So you don't think advising people on potential weaknesses in Linux is
an advocate's job? Head in the sand wiggling your arse in the air singing
"Waltzing Matilda" is no way to spend your life Bruce. With the
Internet, things can even wing their way to your distant island
penitentiary in no time at all!

--
"Let the body stay buried wherever he put it, maybe it'll get
found some day, maybe not. "
-- "Bo Raxo" <crimene...@gmail.com> in alt.true-crime, comp.os.linux.advocacy

Peter Köhlmann

Nov 24, 2008, 6:01:54 PM
Hadron wrote:

> Terry Porter <lin...@netspace.net.au> writes:
>
>> On Mon, 24 Nov 2008 15:42:02 -0500, Erik Funkenbusch wrote:
>>
>>> Ok, this may seem off topic, but i'll get to how it's on topic in a
>>> moment.
>>
>> Go Fud a MAC group Wintroll, this one is for discussing the advantages of
>> Linux.
>
> So you don't think advising people on potential weaknesses in Linux is
> an advocates job?

He has not mentioned *any* potential weakness in linux.
He FUDded with an OSX weakness.
And no, it is not "starting to happen" at all.
Similar exploits for OSX have been around for at least 2 years, and there
were several of them.
Security in OSX, although much better than in windows, is not up to the
level linux has.

--
If you're right 90% of the time, why quibble about the remaining 3%?

LusoTec

Nov 24, 2008, 6:20:08 PM
Erik Funkenbusch wrote:
> How long before we start seeing similar trojans for Linux? Well, i think
> it will be a while. Linux would have to have a much larger base of
> non-technical users who have sudo access.

<sarcasm>Installing software in GNU/Linux is very difficult, have you not
heard?!</sarcasm>

Sudo access, if not badly configured, does not compromise the system and
does not allow arbitrary software to be run or installed as root. That
said, allowing the user to execute arbitrary stuff downloaded from the
Internet is a very bad idea even with just normal user permissions.

To prevent that, distributions should set up the system so that /home, /tmp
and any removable file system is mounted with noexec,nodev,nosuid options.
This will stop users from being tricked into running malware.

Non-technical users will be restricted (and protected from themselves) but
the more tech savvy users can change the system to allow installs using
other methods and sources.

Regards.

Hadron

Nov 24, 2008, 6:20:42 PM
LusoTec <nom...@nomail.not> writes:

> Erik Funkenbusch wrote:
>> How long before we start seeing similar trojans for Linux? Well, i think
>> it will be a while. Linux would have to have a much larger base of
>> non-technical users who have sudo access.
>
> <sarcasm>Installing software in GNU/Linux is very difficult, have you not
> heard?!</sarcasm>
>
> Sudo access, if not badly configured, does not compromise the system and
> does not allow arbitrary software to be run or installed as root. That
> said, allowing the user to execute arbitrary stuff downloaded from the
> Internet is a very bad idea even with just normal user permissions.
>
> To prevent that, distributions should setup the system so that /home, /tmp
> and any removable file system is mounted with noexec,nodev,nosuid options.
> This will stop users from being tricked in to running malware.

Will this stop

"sh ./document"

from executing?
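
An added example, not part of either post above: a shell function that checks whether given mount points carry the noexec,nodev,nosuid options LusoTec proposes. The function names, the mount points checked and the sample table are constructed for illustration; the table uses the /proc/mounts field layout.

```shell
#!/bin/sh
# Added example: audit a mount table for the noexec,nodev,nosuid options.
# Table format is that of /proc/mounts:
#   device mountpoint fstype options dump pass

REQUIRED_OPTS="noexec nodev nosuid"

# audit_mounts TABLE MOUNTPOINT...
# Prints one line per mount point:
#   <mountpoint> ok
#   <mountpoint> missing:<opt>[,<opt>...]
#   <mountpoint> not-mounted-separately
# Returns 0 only if every mount point carries all required options.
# Mount points containing spaces appear as \040 in the table and must be
# passed in that escaped form.
audit_mounts() {
    table=$1; shift
    audit_rc=0
    for mp in "$@"; do
        # The last matching entry wins: a later mount shadows an earlier one.
        opts=$(MP="$mp" awk '$2 == ENVIRON["MP"] { o = $4 } END { print o }' "$table")
        if [ -z "$opts" ]; then
            # No entry of its own, so the path inherits the options of its
            # parent file system (usually / without any restriction).
            echo "$mp not-mounted-separately"
            audit_rc=1
            continue
        fi
        missing=""
        for want in $REQUIRED_OPTS; do
            case ",$opts," in
                *",$want,"*) ;;
                *) missing="${missing:+$missing,}$want" ;;
            esac
        done
        if [ -n "$missing" ]; then
            echo "$mp missing:$missing"
            audit_rc=1
        else
            echo "$mp ok"
        fi
    done
    return $audit_rc
}

# Constructed sample table (not taken from a real system).
sample_table() {
    cat <<'EOF'
/dev/sda1 / ext4 rw,relatime 0 0
/dev/sda2 /home ext4 rw,nosuid,nodev,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec 0 0
/dev/sdb1 /media/usb vfat rw,nosuid,nodev,noexec,uid=1000 0 0
EOF
}

# Audit the live table when invoked as: sh audit_mounts.sh --live
if [ "${1:-}" = "--live" ]; then
    audit_mounts /proc/mounts /home /tmp
fi
```

noexec only blocks direct execution of a file stored on that mount; a script handed to an interpreter as an argument, as in the `sh ./document` question, is read as data and is not stopped by it.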

owl

Nov 24, 2008, 7:14:13 PM

Hadron takes first ha><0ring b4by st3ps.
Day 0: Discovers that shell can execute commands.
Day 1: Changes name to Ha><ron
Day 3: Self-nuke
Day 2; Thinks about how to get a shell
.
.
.
Day 0x31337: Will this stop "sh ./document" from executing?


Fingel

Nov 24, 2008, 7:21:49 PM

I *JUST* posted this same link in the Hospital Virus thread where we
spent two days arguing about this very topic.

--
3A:29

Erik Funkenbusch

Nov 24, 2008, 7:26:42 PM
On Tue, 25 Nov 2008 00:01:54 +0100, Peter Köhlmann wrote:

> Hadron wrote:
>
>> Terry Porter <lin...@netspace.net.au> writes:
>>
>>> On Mon, 24 Nov 2008 15:42:02 -0500, Erik Funkenbusch wrote:
>>>
>>>> Ok, this may seem off topic, but i'll get to how it's on topic in a
>>>> moment.
>>>
>>> Go Fud a MAC group Wintroll, this one is for discussing the advantages of
>>> Linux.
>>
>> So you don't think advising people on potential weaknesses in Linux is
>> an advocates job?
>
> He has not mentioned *any* potential weakness in linux.
> He FUDded with a OSX weakness.

No, I didn't. The weakness I speak of is not related to any OS. It's a
human weakness. This OSX trojan does not rely on any weakness in OSX, it's
entirely social engineering.

> And not, it is not "starting to happen" at all.
> Similar exploits for OSX have been around since at least 2 years, and there
> were several of them.
> Security in OSX, although much better than in windows, is not up to the
> level linux has

Security is quite similar, they both rely on sudo and unix ugo and process
support.

Please explain how OSX security is significantly worse than Linux.

Fingel

Nov 24, 2008, 7:29:12 PM
On 2008-11-24, LusoTec <nom...@nomail.not> wrote:
> Erik Funkenbusch wrote:
>> How long before we start seeing similar trojans for Linux? Well, i think
>> it will be a while. Linux would have to have a much larger base of
>> non-technical users who have sudo access.
>
> <sarcasm>Installing software in GNU/Linux is very difficult, have you not
> heard?!</sarcasm>
>
> Sudo access, if not badly configured, does not compromise the system and
> does not allow arbitrary software to be run or installed as root. That
> said, allowing the user to execute arbitrary stuff downloaded from the
> Internet is a very bad idea even with just normal user permissions.
How is sudo different than su root? It allows you to run one command as
root. Thus "SuperUser Do" You can even do sudo -s which essentially
turns you into root.

>
> To prevent that, distributions should setup the system so that /home, /tmp
> and any removable file system is mounted with noexec,nodev,nosuid options.
> This will stop users from being tricked in to running malware.
I guess that works, but it sounds like a bad idea to me. It's too
all-or-nothing. People still download scripts and expect to be able to
run them from ~/ for example, installing a game. Or for distros that
don't support it, installing flash (even those distros that do it
automatically actually just download the flash install script for you
and run it)

>
> Non-technical users will be restricted (and protected from them selves) but
> the more tech savvy users can change the system to allow installs using
> other methods and sources.
I'm definitely not trying to flame you. I think you have a good idea.
But I think the setup you describe kinda wanders from the entire linux
philosophy. But I guess that's the good thing about multiple distros,
you can always get one that fits your needs.

>
> Regards.


--
3A:29

Erik Funkenbusch

Nov 24, 2008, 7:29:34 PM

Again, you misunderstand the nature of the trojan. It claims to be a codec
required to view pornography. The user is instructed how to download and
install it, which the user willfully does, just as they would a legitimate
codec.

Users have to be able to install arbitrary software, otherwise the computer
is doing what Linux users complain is one of the problems with Windows,
that the OS thinks it knows better than the user.

Hadron

Nov 24, 2008, 7:44:33 PM
Erik Funkenbusch <er...@despam-funkenbusch.com> writes:

He won't. He's a clueless fanboy. Anyone who lets him anywhere near a
Linux network is asking for trouble.

--
"<larsl> Are there any decent document editors that can open ODT files except
OpenOffice.org? oowriter is so unstable with large files that it would
be funny if I didn't need to get this finished."

Hadron

Nov 24, 2008, 7:46:37 PM
Fingel <aus...@Fingel.com> writes:

> On 2008-11-24, LusoTec <nom...@nomail.not> wrote:
>> Erik Funkenbusch wrote:
>>> How long before we start seeing similar trojans for Linux? Well, i think
>>> it will be a while. Linux would have to have a much larger base of
>>> non-technical users who have sudo access.
>>
>> <sarcasm>Installing software in GNU/Linux is very difficult, have you not
>> heard?!</sarcasm>
>>
>> Sudo access, if not badly configured, does not compromise the system and
>> does not allow arbitrary software to be run or installed as root. That
>> said, allowing the user to execute arbitrary stuff downloaded from the
>> Internet is a very bad idea even with just normal user permissions.
> How is sudo different than su root? It allows you to run one command as
> root. Thus "SuperUser Do" You can even do sudo -s which essentially
> turns you into root.

"sudo" can be configured. Debian defaults are different from Ubuntu. Google
up "sudoers".

TomB

Nov 24, 2008, 5:57:58 PM
On 2008-11-24, Hadron was urged to write the following:

> Erik Funkenbusch <er...@despam-funkenbusch.com> writes:
>> How long before we start seeing similar trojans for Linux? Well, i think
>> it will be a while. Linux would have to have a much larger base of
>> non-technical users who have sudo access.
>
> You mean like just about every single home Ubuntu user who has their own
> machine?

I think they'll be just fine because...


...Ubuntu'll freeze before the malicious could be installed. You see,
it's not a bug, it's a security measure :-)

But yeah, I don't see how trojaning a Linux system would be
impossible. Just package the trojan as a .deb, offer it with some lame
excuse a bunch of people are bound to fall for, and wait for one of
the neat, "user friendly" and fully automated package installers to
install it almost automagically. Very likely to happen on e.g. Ubuntu in
the not too distant future.

~ Tommy
--
Nice party, Hapsburg... I see a lot of familiar face lifts.
~ Frank Drebin

Fingel

Nov 24, 2008, 8:18:45 PM

Why is the whole idea of social engineering so hard to get through to
some people? No matter how secure an OS, you can always convince some
dumbass to do your bidding. If you convince an idiot that watering
your computer helps it stay healthy, you have successfully used social
engineering to harm a computer. Makes no difference the OS that's
running.
Again, another factor contributing to the lack of viruses for linux.
Linux users tend to be more tech savvy and thus harder to trick with
social engineering.
Most of them at least. *rolleyes*

--
3A:29

Hadron

Nov 24, 2008, 8:26:51 PM
TomB <tommy.b...@gmail.com> writes:

It *really* is that simple.

Or change a wiki and include some malicious code in some bash script to
fix an issue.

It doesn't take much.

Koehlmann and co are either incredibly naive or incredibly
stupid. Social Engineering has been discussed and documented so
frequently it is safe to assume the latter.

--
"Bwahahahahahahahah - Anyone else think that this announcement from the MS
marketing machine was anything other than a last ditch attempt to try and
foster *some* interest in XP ?"
comp.os.linux.advocacy - where they put the lunacy in advocacy

nes...@wigner.berkeley.edu

Nov 24, 2008, 8:28:52 PM

>
> I *JUST* posted this same link in the Hospital Virus thread where we
> spent two days arguing about this very topic.

Yeah, and take a look at the argument (mostly between Mac and Windows
fanboys) under the original article.

It isn't worth arguing about. I'll wait until there are 100,000
viruses out there for Linux. That's still 1/5 the number that Windows
has.

Hadron

Nov 24, 2008, 8:32:04 PM
"nes...@wigner.berkeley.edu" <nes...@wigner.berkeley.edu> writes:

Another COLA fan boy.

It only takes ONE to screw you up. Your smug self satisfaction is not,
fortunately, shared by most responsible Linux system designers and
users.


--
"I've heard "Linux is the future!" for, let me see now, must about 17 years. For how long do I need to listen to that clap trap?"
-- Ruby Murray <Vind...@curryhouse.co.uk> in comp.os.linux.advocacy

Sinister Midget

Nov 24, 2008, 8:31:55 PM
On 2008-11-24, Erik Funkenbusch <er...@despam-funkenbusch.com> claimed:

Mac users run as admin. Just like they do on Windows. It's not
absolutely necessary (although it can be a bit of trouble not doing
so). But it's the default.

Do you see a commonality here?

--
Let's not be too rough on our own ignorance, it's what makes America great!
-- Frank Zappa

Fingel

Nov 24, 2008, 8:45:52 PM
So why do you have to enter a password to do administrative tasks in
OSX? For the Admin Admin?

--
3A:29

RonB

Nov 24, 2008, 8:53:04 PM
Sinister Midget wrote:

> Mac users run as admin. Just like they do on Windows. It's not
> absolutely necessary (although it can be a bit of trouble not doing
> so). But it's the default.
>
> Do you see a commonality here?

Yep. But there's more to it than that. We keep hearing how Linux "could" be
vulnerable to viruses and trojans "when and if." In the hacking contests,
the winners tell us that they "could have hacked" Linux machine but they
concentrated on the Mac and Windows machine instead. Uh, huh.

But there is truth to the fact that no system is secure from idiots. One of
our accounts, the mortgage division of a (then) major bank, had firewalled
their network. The kournikova virus hit and the network held, until one of
the few people who still had modem access for a special project, decided to
access his AOL account. The virus spread throughout their network within
hours.

Of course that wasn't a Linux network.

--
RonB
"There's a story there...somewhere"

Fingel

Nov 24, 2008, 9:08:53 PM
There is an extra credit lab in my assembly class due in a few weeks
that requires I write a buffer overflow exploit for a given program. I
can write it for any platform - linux, windows or OSX. We've already
done it for Windows XP and it was easy. I think I will try on Linux
and see how much harder it is. I'll report back here :P

--
3A:29

Sinister Midget

Nov 24, 2008, 10:07:20 PM
On 2008-11-25, RonB <ronb02...@gmail.com> claimed:

Early viruses targeted Macs I believe. It's not like this is something
new for them.

Despite that, Windows has *STILL* accumulated over half a million,
wiping out hundreds of billions of dollars of wealth in trying to
recover from them. How do they spread?

1. Open an email.
2. Look at an ecard someone supposedly sent.
3. Plug in a floppy (still used by Windummies in the 21st century).
4. Plug in a jumpdrive.
5. Browse to a website.
6. Connect to the internet right after installing (!!!!!!!!!!!!!).
7. Connect to an infected network.
8. Look at pictures you receive.
9. Use instant messaging.
10. Use an iPod (http://www.apple.com/support/windowsvirus/)

There are plenty of ways on Windows.

How do you get infected on Macs? Probably more, but:

1. Download and install codecs that you've yet to even see any need
for before.
2. Get software from Apple (I can't find the link to this one now, but
Apple sent infected software discs to Korea a few years ago).

Linux has had, what, about 10 total? Causing what, maybe hundreds, or
thousands, of dollars in total cleanup costs /at the most/? And that
damage wasn't even caused by viruses, but by worms on servers. Servers
that weren't up to date as they should be with even a loose schedule of
updating.

Viruses haven't done squat on linux. Worms on desktops have had no
effect that I can recall.

I'm not going to worry until there really is one that works in the
wild. I'm still not going to worry until there is one that does
something besides prove one can be written.

--
You can't be a Real Country unless you have a BEER and an airline - it
helps if you have some kind of a football team or some nuclear weapons,
but at the very least you need a BEER.
-- Frank Zappa

DFS

Nov 24, 2008, 10:30:43 PM
LusoTec wrote:

> <sarcasm>Installing software in GNU/Linux is very difficult, have you
> not heard?!</sarcasm>

I've personally experienced 30 or more instances of packages that claimed to
be installed by the package manager or distro, but when you clicked the menu
item absolutely nothing happened.

Or there's the Syncraptic issue where it can't parse a text file:
http://www.angelfire.com/linux/dfs0/Syncraptic_error.png

Or this howler http://www.angelfire.com/linux/dfslinux/Syncraptic.png

The system was a hard-drive install of the Knoppix 4.0 DVD edition - using
the knx2hd option to 'create a Debian-like system'.

Over and over again, Syncraptic reported that kdebluetooth removal
error when I tried to install just a single, small package, like 3dchess or
celestia.

To resolve it, I started Unmarking All, then disabling 1 or 2 of the
repositories Knoppix had selected by default (it started with at least 10
out of 25 or so in the list), reloading the package lists, marking the
single package for installation, and trying again.

Finally, after 5 or 6 tries, when I was down to 4 or 5 repositories enabled,
it installed. Why? No one will ever know.

Total time to finally get one little 156kb package installed via Syncraptic:
20 minutes.

So yes, installing software in GNU/Linux is very easy, haven't you
heard</sarcasm>


Hadron

Nov 24, 2008, 10:30:21 PM
Sinister Midget <fardb...@gmail.com> writes:

> On 2008-11-25, RonB <ronb02...@gmail.com> claimed:
>> Sinister Midget wrote:
>>
>>> Mac users run as admin. Just like they do on Windows. It's not
>>> absolutely necessary (although it can be a bit of trouble not doing
>>> so). But it's the default.
>>>
>>> Do you see a commonality here?
>>
>> Yep. But there's more to it than that. We keep hearing how Linux "could" be
>> vulnerable to viruses and trojans "when and if." In the hacking contests,
>> the winners tell us that they "could have hacked" Linux machine but they
>> concentrated on the Mac and Windows machine instead. Uh, huh.
>>
>> But there is truth to the fact that no system is secure from idiots. One of
>> our accounts, the mortgage division of a (then) major bank, had firewalled
>> their network. The kournikova virus hit and the network held, until one of
>> the few people who still had modem access for a special project, decided to
>> access his AOL account. The virus spread throughout their network within
>> hours.
>>
>> Of course that wasn't a Linux network.
>
> Early viruses targeted Macs I believe. It's not like this is something
> new for them.
>
> Despite that, Windows has *STILL* accumlated over half a million,
> wiping out hundreds of billions of dollars of wealth in trying to
> recover from them. How do they spread?

By people being idiots. You could easily write a mail front end for
Linux which executes attachments and con people to install
it. Fortunately there isn't such a thing currently out there to the best
of my knowledge.

But it won't be long before people get "free games" or something in a
.deb and then "sudo dpkg -i it" on debian etc and *bang* au revoir.

DFS

Nov 24, 2008, 10:34:33 PM
Fingel wrote:

> There is an extra credit lab in my assembly class due in a few weeks
> that requires I write a buffer overflow exploit for a given program. I
> can write it for any platform - linux, windows or OSX. We've already
> done it for Windows XP and it was easy. I think I will try on Linux
> and see how much harder it is. I'll report back here :P

Make sure and post your source code.


Gregory Shearman

Nov 24, 2008, 10:36:11 PM
On 2008-11-25, Fingel <aus...@Fingel.com> wrote:
> On 2008-11-25, Erik Funkenbusch <er...@despam-funkenbusch.com> wrote:
>> On Tue, 25 Nov 2008 00:01:54 +0100, Peter Köhlmann wrote:
>
> Why is the whole idea of social engineering so hard to get through to
> some people? No matter how secure an OS, you can always convince some
> dumbass to do your bidding. If you convince an idiot that watering
> your computer helps it stay healthy, you have successfully used social
> engineering to harm a computer. Makes no difference the OS thats
> running.

I'm sure you could convince a number of people to eat their own shit,
but it doesn't say anything about Linux security.

> Again, another factor contributing to the lack of viruses for linux.
> Linux users tend to be more tech savvy and thus harder to trick with
> social engineering.
> Most of them at least. *rolleyes*

Well, if there aren't any viruses in the wild, I'd say *all* of them,
wouldn't you?

Security is a serious matter. When you want to be serious about it then
come back and talk, but this is rubbish.

--
Regards,

Gregory.
Gentoo Linux - Penguin Power

Gregory Shearman

Nov 24, 2008, 10:44:52 PM
On 2008-11-24, LusoTec <nom...@nomail.not> wrote:

WTF is "sudo" anyway?

I don't use it and never will use it. I always "su" my commands using
the "root" password, when I want to do something, like install a new
kernel. Of course "su" on my linux systems is only available to users
who belong to the "wheel" group. Other users can take a flying jump.

Of course some Linux distributions compromise security in the interests
of convenience. Let's hope the process doesn't reach the windows level
of "convenience".

Gregory Shearman

Nov 24, 2008, 10:47:59 PM
On 2008-11-25, Erik Funkenbusch <er...@despam-funkenbusch.com> wrote:
> On Mon, 24 Nov 2008 23:20:08 +0000, LusoTec wrote:
>
>> Erik Funkenbusch wrote:
>>> How long before we start seeing similar trojans for Linux? Well, i think
>>> it will be a while. Linux would have to have a much larger base of
>>> non-technical users who have sudo access.
>>
>> <sarcasm>Installing software in GNU/Linux is very difficult, have you not
>> heard?!</sarcasm>
>>
>> Sudo access, if not badly configured, does not compromise the system and
>> does not allow arbitrary software to be run or installed as root. That
>> said, allowing the user to execute arbitrary stuff downloaded from the
>> Internet is a very bad idea even with just normal user permissions.
>>
>> To prevent that, distributions should setup the system so that /home, /tmp
>> and any removable file system is mounted with noexec,nodev,nosuid options.
>> This will stop users from being tricked in to running malware.
>>
>> Non-technical users will be restricted (and protected from them selves) but
>> the more tech savvy users can change the system to allow installs using
>> other methods and sources.
>
> Again, you misunderstand the nature of the trojan. It claims to be a codec
> required to view pornography. The user is instructed how to download and
> install it, which the user willfully does, just as they would a legitimate
> codec.

Ah yes! Of course! Users, despite being warned not to do such stupid
things, will go ahead anyway...

There's no helping such people.

Unfortunately, not everyone is a complete moron.

Gregory Shearman

Nov 24, 2008, 10:49:39 PM

If they don't do a cross-site check of their packages then they deserve
everything they get.

Erik Funkenbusch

Nov 24, 2008, 11:23:24 PM
On Mon, 24 Nov 2008 19:31:55 -0600, Sinister Midget wrote:

> Mac users run as admin. Just like they do on Windows. It's not
> absolutely necessary (although it can be a bit of trouble not doing
> so). But it's the default.
>
> Do you see a commonality here?

Ummm.. no, they don't. They run as normal users and use sudo to elevate
privileges when a user enters a password. Just like many Linux distros
do, such as Ubuntu.

Hadron

Nov 24, 2008, 11:42:49 PM
Sinister Midget <fardb...@gmail.com> writes:

> Mac users run as admin. Just like they do on Windows. It's not
> absolutely necessary (although it can be a bit of trouble not doing
> so). But it's the default.
>
> Do you see a commonality here?

Yes. You're telling lies in common with Liarnut.

An out and out lie.

Please elaborate WHICH Mac users run as root.

http://librenix.com/?inode=8533

,----
| The limitations and tradeoffs of using sudo instead of a logged in root
| account are discussed here.
`----


or

http://www.spy-hill.com/~myers/help/apple/EnableRoot.html

,----
| The default Mac OS X installation has the Unix "root" account
| disabled. This is generally a good thing, because the casual user does
| not need all the powers granted to this "superuser" account.
`----


You see a SIMPLE Google proves you to be a liar.

Watch out Liarnut! There's a new Sheriff in town looking for your badge!

And just to finish rubbing your nose in it here's an article on
configuring Sudo to allow Mac users to run as admin in order to install
SW but limit it to that:

http://www.macosxhints.com/article.php?story=20070906181925132


--
"I hate Linux and Linux advocacy <click> I hate Linux and Linux
advocacy <click> I hate Linux and Linux advocacy <click> "
-- High Plains Thumper <highplai...@invalid.invalid.com> in comp.os.linux.advocacy

Mart van de Wege

Nov 25, 2008, 1:51:24 AM
Fingel <aus...@Fingel.com> writes:

> On 2008-11-24, LusoTec <nom...@nomail.not> wrote:
>> Erik Funkenbusch wrote:
>>> How long before we start seeing similar trojans for Linux? Well, i think
>>> it will be a while. Linux would have to have a much larger base of
>>> non-technical users who have sudo access.
>>
>> <sarcasm>Installing software in GNU/Linux is very difficult, have you not
>> heard?!</sarcasm>
>>
>> Sudo access, if not badly configured, does not compromise the system and
>> does not allow arbitrary software to be run or installed as root. That
>> said, allowing the user to execute arbitrary stuff downloaded from the
>> Internet is a very bad idea even with just normal user permissions.

> How is sudo different than su root? It allows you to run one command as
> root. Thus "SuperUser Do" You can even do sudo -s which essentially
> turns you into root.

man sudo

man sudoers

Go RTFM, and STFU until you know what you are talking about.

Mart

--
"We will need a longer wall when the revolution comes."
--- AJS, quoting an uncertain source.

Mart van de Wege

Nov 25, 2008, 1:55:29 AM
Erik Funkenbusch <er...@despam-funkenbusch.com> writes:

> Ok, this may seem off topic, but i'll get to how it's on topic in a moment.
>
> "Mac OS X targeted by Trojan and backdoor tool"
> http://news.zdnet.com/2424-9595_22-251586.html?tag=nl.e550
>
> "It is a downloader, and it contacts a remote server to download the files
> it installs," Intego said in an advisory. "This means that, in the future,
> the downloader may be able to install payloads [other] than the one it
> currently installs."
>
> "The Trojan is found on porn websites posing as a codec needed to play
> video files, a technique used to trick the user into downloading and
> installing it."
>
> For years, Linux and Mac advocates have been saying their systems are so
> much more secure, and not vulnerable to malware. They gave as evidence
> that no such malware existed for Linux or Mac's.
>
> Meanwhile, many of us argued that this was a function of lack of
> popularity, not security. The single biggest security flaw in computer use
> is the human flaw.

So it requires an *active* install.

Yet Windows has had how many auto-install trojans?

The single biggest factor is still whether or not the computer is
running shiteware.

Come back when Mac OS/X has its first drive-by install. Then you can
*start* to talk about equivalent insecurity. Until that day, Windows
rules that sad roost.

Fingel

Nov 25, 2008, 2:32:01 AM
Man page reads as follows:
"DESCRIPTION
sudo allows a permitted user to execute a command as the
superuser or another user, as specified in the sudoers file."

So your point is...?
Sounds like someone else here needs to RTFM.

--
3A:29

Peter Köhlmann

Nov 25, 2008, 3:10:53 AM
Fingel wrote:

Actually, no, it doesn't
"su" gives you full root access to all subsequent commands
"sudo" does only for the following one, and only if specified in "sudoers"

Both are quite different in scope
--
"Last I checked, it wasn't the power cord for the Clue Generator that
was sticking up your ass." - John Novak, rasfwrj
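
An added example, not part of any post in this thread: the sudo versus su exchange above turns on what the sudoers file grants, so this shell function classifies each rule as unrestricted (command list contains ALL, which also permits `sudo -s`) or restricted to listed commands. The function names and sample rules are constructed; aliases, includes and line continuations are assumed absent and are not resolved.

```shell
#!/bin/sh
# Added example: classify sudoers rules by how much they grant.
# Rule layout handled:  who  host = (runas) [TAG:] command[, command...]

# audit_sudoers FILE
# Prints one line per rule:
#   <who> unrestricted     command list contains ALL
#   <who> restricted:<n>   rule lists n specific commands
audit_sudoers() {
    awk '
        /^[ \t]*#/ { next }                              # comments, #include
        /^[ \t]*$/ { next }                              # blank lines
        /^[ \t]*(Defaults|[A-Za-z_]+_Alias)/ { next }    # settings, aliases
        {
            eq = index($0, "=")
            if (eq == 0) next
            who = $1
            spec = substr($0, eq + 1)
            gsub(/\([^)]*\)/, "", spec)    # drop the run-as part, e.g. (ALL)
            gsub(/[A-Z]+:/, "", spec)      # drop tags such as NOPASSWD:
            n = split(spec, cmds, ",")
            unrestricted = 0
            for (i = 1; i <= n; i++) {
                gsub(/^[ \t]+|[ \t]+$/, "", cmds[i])
                if (cmds[i] == "ALL") unrestricted = 1
            }
            print who, (unrestricted ? "unrestricted" : "restricted:" n)
        }
    ' "$1"
}

# Constructed sample rules (not copied from any distribution).
sample_sudoers() {
    cat <<'EOF'
# sample sudoers, constructed for this example
Defaults env_reset
root    ALL=(ALL) ALL
%admin  ALL=(ALL) ALL
backup  ALL=(root) NOPASSWD: /usr/bin/rsync, /bin/tar
EOF
}

# Audit a real file when invoked as: sh audit_sudoers.sh /path/to/copy
if [ -n "${1:-}" ]; then
    audit_sudoers "$1"
fi
```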

William Poaster

Nov 25, 2008, 5:28:49 AM

I agree, & I'll take the advice of Linux security experts, like this:
http://librenix.com/?inode=21
& NOT the ramblings of some windroid like FUDenenbusch.

Until, or even *if*, anything like the viruses that devastate windoze
machines hit Linux, I'll just keep running rkhunter.

--
Most people are sheep.  
Microsoft is very effective
at fleecing the flockers.


William Poaster

Nov 25, 2008, 5:41:30 AM

Indeed they are.

So Fingel really *doesn't* know wtf he's talking about.
I wonder what part of "execute a command" & "as specified in the sudoers
file" doesn't he understand.

Richard Rasker

Nov 25, 2008, 5:54:10 AM

Erik Funkenbusch wrote:

> Ok, this may seem off topic, but i'll get to how it's on topic in a
> moment.
>
> "Mac OS X targeted by Trojan and backdoor tool"
> http://news.zdnet.com/2424-9595_22-251586.html?tag=nl.e550
>
> "It is a downloader, and it contacts a remote server to download the files
> it installs," Intego said in an advisory. "This means that, in the future,
> the downloader may be able to install payloads [other] than the one it
> currently installs."
>
> "The Trojan is found on porn websites posing as a codec needed to play
> video files, a technique used to trick the user into downloading and
> installing it."

Gee, I think I better tell my 76-year-old mother-in-law to stay away from
those porn sites now, even though I told her that she wasn't at risk with
her Linux machine ..

> For years, Linux and Mac advocates have been saying their systems are so
> much more secure,

Yup, they are ...

> and not vulnerable to malware.

.. but we made no such general claim. Any system on which software can be
installed, is by definition vulnerable. But yes, some OS'es are inherently
more secure than others, by making it hard to install anything but the
software the user explicitly wants, and offering a mostly closed system for
doing so (i.e. package managers) instead of the common Windows practice of
downloading some setup.exe from the Internet and clicking it.

> They gave as evidence that no such malware existed for Linux or Mac's.

Indeed, viruses and other malware are exceedingly rare for Linux and Mac.

> Meanwhile, many of us argued that this was a function of lack of
> popularity, not security. The single biggest security flaw in computer
> use is the human flaw.

This is mostly a fallacy. How else would you explain that the vast majority
of Windows malware doesn't require any user intervention at all, or at most
clicking a Web link?

> No amount of security, other than simply not allowing people to have
> access *AT ALL* to install programs can stop social engineering from
> infecting computers.

It can be made pretty hard. Most of my ~100 users won't succeed in
installing anything because they never had to deal with terminals, shell
commands, or even the root password (which most people have forgotten).
And yes, I am aware that root rights are not required to run (malicious)
shell code -- but getting people to run it is the hard part.

On the rare occasions when I tried talking non-savvy users through some CLI
commands over the phone, it became clear that making people carry out even
the simplest of shell commands was a royal pain -- even when I sent them
the commands to be carried out beforehand, by e-mail.

> We also argued that as the Mac and Linux became more popular, they too
> would become targets, which of course was derided. But here it is
> happening.

Nothing special is happening. There are threats like these attacking Mac
and/or Linux every six months or so, and every time the Windows apologists
start crowing that it marks the beginning of "mo' Linux/Mac malware". Yet
it never materializes. So we just up the Linux malware counter by one click
(pegged at 30 by now), and get on with our work.

> This particular piece of malware is interesting because it's very similar
> to how many attacks occur on Windows. Trojaned files which can download
> new pieces of malware as needed to address new security patches.

You are confusing the mode of attack (social engineering) with the modus
operandi of the malware (auto-updating etcetera). The former is rather
unlikely to succeed for reasons explained, and the latter is totally
uninteresting from a security point of view -- as soon as malware gets
itself running on a machine, with or without root rights, its base goal is
accomplished, and the machine must be considered completely compromised.
Social engineering or not, getting malicious code to run on a Mac or Linux
is much, much harder than on a Windows machine.

> How long before we start seeing similar trojans for Linux? Well, i think
> it will be a while. Linux would have to have a much larger base of
> non-technical users who have sudo access.

Sure, as with any social engineering attack, some people will actually fall
for it. But even if Linux had, say, 30% desktop user share, infections
would still be in the realm of "incidents", in my not-so-humble opinion.
We would see nothing like the decade-old massive malware scourge caused by
Windows' security model by the name of "wet paper bag", with its countless
remote code execution mechanisms ("advanced features", in Microspeak),
orders of magnitude more flaws and thus vulnerabilities in the kernel, and
the effective lack of an x bit, making any executable run by simply
clicking it.
But malware that requires people jumping through unfamiliar hoops to make it
run won't spread on any significant scale.

So in all, if Mac/Linux would get a much larger user share, yes, the amount
of security incidents would rise -- there is a bit of truth in the
"popularity" argument. But for the most part, I'm convinced that Mac and
Linux would still be vastly more secure than Windows.

Richard Rasker
--
http://www.linetec.nl

LusoTec

Nov 25, 2008, 7:13:00 AM

Hadron wrote:
> Will this stop
>
> "sh ./document"
>
> from executing?

No, for that you will need a wrapper around sh and any other interpreter you
may want to restrict (e.g. perl, python, ruby, csh, tcsh). The interpreters
could also be changed to check for executable permission. The latter is a
better, cleaner solution. Both possibilities are easy to implement (from a
developer's perspective), a few lines of code at most.

Note that *nothing* will stop a "proactive idiot" with root access from
damaging the system. The idea is to stop "impulse idiots".

Regards.

LusoTec

Nov 25, 2008, 7:42:11 AM

Erik Funkenbusch wrote:
> Again, you misunderstand the nature of the trojan. It claims to be a
> codec required to view pornography. The user is instructed how to
> download and install it, which the user willfully does, just as they would
> a legitimate codec.
>
> Users have to be able to install arbitrary software, otherwise the
> computer is doing what Linux users complain is one of the problems with
> Windows, that the OS thinks it knows better than the user.

Let's define three types of users:
Type A - unskilled user who knows little/nothing about malware security;
Type B - skilled user who knows little/nothing about malware security;
Type C - skilled user who knows enough about malware security.

Type C users will just say "Yea, I will get right on it!" and ignore (and
report) the malware.

Type A users will have a hard time following complex instructions and will
most likely not even have the inclination to follow them. Type A users are
the ones that can be protected by noexec measures.

Type B users are knowledgeable enough to circumvent simple noexec measures
and, not seeing the risks, may jump through hoops if tempted enough (e.g.
teens and porn, kids and games, adults and millions). These are the ones
that are at risk from these kinds of "follow the instructions malware". The
only solution for these "proactive idiots" is to hard-lock them.

Proper education, safety first then the rest, is the best way to reduce the
number of Type B users.

Regards.

p.s. From my experience, GNU/Linux users' main security flaw is weak
passwords. It's scary to see servers protected by passwords that dictionary
and brute force attacks can crack in minutes!

Chris Ahlstrom

Nov 25, 2008, 7:57:03 AM

After takin' a swig o' grog, LusoTec belched out
this bit o' wisdom:

$ sh ./file.txt
./file.txt: line 2: unexpected EOF while looking for matching ``'
./file.txt: line 4: syntax error: unexpected end of file

So you're only going to be executing legal shell scripts, not any old
"document".

--
It is the business of the future to be dangerous.
-- Hawkwind

Hadron

Nov 25, 2008, 8:21:37 AM

LusoTec <nom...@nomail.not> writes:

You don't need to be root. People send emails, access the web etc in user
mode. So can trojans and viruses.

--
"Poor fishfarb! Pissed because s/h/it doesn't get all the attention s/h/it craves due to wise use of filtering."
-- Sinister Midget <fardb...@gmail.com> trying to impress Willy Filters in comp.os.linux.advocacy

LusoTec

Nov 25, 2008, 8:53:45 AM

Fingel wrote:

> LusoTec wrote:
>> Sudo access, if not badly configured, does not compromise the system and
>> does not allow arbitrary software to be run or installed as root. That
>> said, allowing the user to execute arbitrary stuff downloaded from the
>> Internet is a very bad idea even with just normal user permissions.
> How is sudo different than su root? It allows you to run one command as
> root. Thus "SuperUser Do" You can even do sudo -s which essentially
> turns you into root.

sudo can be configured to allow only the execution of a very strict set of
commands by the non-privileged user. There are some nice how-tos for sudo.
Warning: don't install sudo unless you intend to learn about it and spend
some time configuring it. A badly configured sudo is a big security risk.

>> To prevent that, distributions should setup the system so that /home,
>> /tmp and any removable file system is mounted with noexec,nodev,nosuid
>> options. This will stop users from being tricked in to running malware.

> I guess that works, but it sounds like a bad idea to me. It's too
> all-or-nothing. People still download scripts and expect to be able to
> run them from ~/ for example, installing a game.

I never install "downloaded" stuff either as root or as my main account. I
use a low privilege account, just in case. After testing I move the install
to the main /opt or /usr tree after appropriate chown and chmod.

In the case of games not installed using the package I do the following.
Since games do *not* require access to user files and require no special
privileges, I have setup gamer accounts (HOME=/usr/games/home/$USER) and
the games can only be run from it. The "normal" accounts don't have access
to the games.

From the user perspective, it only has to run a simple script that then runs
xgame (http://freshmeat.net/projects/xgame/) as the appropriate account and
all the user has to do is click what game it wants to play.

There are other possibilities but the above has worked great for me and my
users.

> Or for distros that
> don't support it, installing flash (even those distros that do it
> automatically actually just download the flash install script for you and
> run it)

Installing flash should not have to touch a user's home directory. Something
is wrong if it does.

>> Non-technical users will be restricted (and protected from themselves)
>> but the more tech savvy users can change the system to allow installs
>> using other methods and sources.
>

> I'm definitely not trying to flame you. I think you have a good idea.
> But I think the setup you describe kinda wanders from the entire linux
> philosophy. But I guess that's the good thing about multiple distros,
> you can always get one that fits your needs.

I don't think it "kinda wanders from the entire linux philosophy". Safety is
part of the "entire linux philosophy" too. Including somewhere an option that
allows users to select what level of protection they want will protect
users' choice and freedom.

Regards.
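
LusoTec's two suggestions in this thread (mounting /home, /tmp and removable media with noexec,nodev,nosuid, and having the interpreter check execute permission before running a file) can be sketched as below. This is an added example, not code from any poster: the function names, the sample mount table and the mount points audited are assumptions, and the wrapper only covers a script named as a file argument.

```shell
#!/bin/sh
# Added example, not code from the thread. Tables use the /proc/mounts layout:
#   device mountpoint fstype options dump pass

# Constructed sample: /home is hardened, /tmp and a USB stick are not.
sample_mounts() {
    cat <<'EOF'
/dev/sda1 / ext3 rw,relatime 0 0
/dev/sda3 /home ext3 rw,noexec,nodev,nosuid 0 0
tmpfs /tmp tmpfs rw,nosuid 0 0
/dev/sdb1 /media/usb0 vfat rw,nodev 0 0
EOF
}

# audit_mounts: read a mount table on stdin; for /home, /tmp and anything
# under /media or /mnt print "<mountpoint> missing:<opt>[,<opt>]" when one of
# noexec, nodev, nosuid is absent. Hardened mounts print nothing.
audit_mounts() {
    awk '
    $2 == "/home" || $2 == "/tmp" || $2 ~ /^\/(media|mnt)\// {
        split("", have)                      # portable way to clear an array
        n = split($4, o, ",")
        for (i = 1; i <= n; i++) have[o[i]] = 1
        miss = ""
        k = split("noexec nodev nosuid", want, " ")
        for (i = 1; i <= k; i++)
            if (!(want[i] in have)) miss = miss (miss == "" ? "" : ",") want[i]
        if (miss != "") print $2 " missing:" miss
    }'
}

# mount_opts_for PATH TABLE: print the options of the mount holding PATH
# (longest mount-point prefix wins). PATH must be absolute; symlinks are not
# resolved here.
mount_opts_for() {
    awk -v p="$1" '
    {
        m = $2
        if (m == "/" || p == m || index(p, m "/") == 1)
            if (length(m) > best) { best = length(m); opts = $4 }
    }
    END { print opts }' "$2"
}

# has_exec_bit FILE: true when any execute bit is set in the file mode.
# The mode string is read directly so this check stays independent of the
# mount-option check below.
has_exec_bit() {
    case $(ls -ld "$1" 2>/dev/null) in
        ???x*|??????x*|?????????x*) return 0 ;;
        *) return 1 ;;
    esac
}

# guarded_sh SCRIPT TABLE: wrapper around sh. Refuses (status 1) when SCRIPT
# has no execute bit or lives on a noexec mount according to TABLE; otherwise
# runs it with sh. A real wrapper would pass /proc/mounts as TABLE.
guarded_sh() {
    script=$1
    table=$2
    if [ ! -f "$script" ]; then
        echo "guarded_sh: not a regular file: $script" >&2
        return 2
    fi
    if ! has_exec_bit "$script"; then
        echo "guarded_sh: refused, no execute bit: $script" >&2
        return 1
    fi
    case ",$(mount_opts_for "$script" "$table")," in
        *,noexec,*)
            echo "guarded_sh: refused, noexec mount: $script" >&2
            return 1 ;;
    esac
    sh "$script"
}

# Demo on the constructed table; on a live system: audit_mounts < /proc/mounts
sample_mounts | audit_mounts
```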

LusoTec

Nov 25, 2008, 9:01:14 AM

Hadron wrote:

> LusoTec <nom...@nomail.not> writes:
>> Note that *nothing* will stop a "proactive idiots" with root access from
>> damaging the system. The idea is to stop "impulse idiots".
>
> You don't need to be root. People send emails, access the web etc in user
> mode. So can trojans and viruses.

True, but if you restrict the user enough, (s)he will not be able to run
the trojans and viruses in the first place.

Fully restricting the user to only execute programs selected by the admin is
only reasonable in multi user environments.

For single user desktops, the user must have some way to install programs
and manage the system. In the end whatever protections are in place can
simply be bypassed by a "proactive idiot". That was my point.

For example, instead of "su ./document" just "su -c 'sh ./document'"!

Regards.

Hadron

Nov 25, 2008, 9:12:25 AM

LusoTec <nom...@nomail.not> writes:

> Hadron wrote:
>> LusoTec <nom...@nomail.not> writes:
>>> Note that *nothing* will stop a "proactive idiots" with root access from
>>> damaging the system. The idea is to stop "impulse idiots".
>>
>> You dont need to be root. People send emails, access the web etc in user
>> mode. So can trojans and viruses.
>
> True but if you restrict the user enough and (s)he will not be able to run
> the trojans and viruses in the first place.

We are talking average home users. You can (don't want to) not lock down
sh for example!

>
> Fully restricting the user to only execute programs selected by the admin is
> only reasonable in multi user environments.

Agreed.

>
> For single user desktops, the user must have some way to install programs
> and manage the system. In the end what ever protections are in place can
> simply be bypassed by a "proactive idiots". That was my point.

And mine.

>
> For example, instead of "su ./document" just "su -c 'sh ./document'"!
>
> Regards.

The main point is that the average COLA "advocate" seems totally ignorant of
the facts. They just repeat the mantra that "Linux is secure". It is
not. As Jeff Goldblum said in Jurassic Park "Life will find a way".

--
o how do we destroy Microsoft?"
-- An unknown author in unknown

chrisv

Nov 25, 2008, 10:06:54 AM

RonB wrote:

>But there is truth to the fact that no system is secure from idiots.

No doubt. But rather than give up hope, the more secure systems, such
as Linux, may be secure enough to prevent most malware and viruses
from obtaining a "critical mass".

--
'A lot of OSS is simply crap. And if it were "for sale" they would
soon go out of business.' - "True Linux advocate" Hadron Quark

JEDIDIAH

Nov 25, 2008, 10:20:16 AM

On 2008-11-25, chrisv <chr...@nospam.invalid> wrote:
> RonB wrote:
>
>>But there is truth to the fact that no system is secure from idiots.
>
> No doubt. But rather than give up hope, the more secure systems, such
> as Linux, may be secure enough to prevent most malware and viruses
> from obtaining a "critical mass".

Linux is also more likely to quickly adapt to the threat.

--


The average IT manager is a less effective mentor than a
Spongebob Squarepants cartoon.



Sandeep Kumar

Nov 25, 2008, 11:57:27 AM

On Mon, 24 Nov 2008 19:26:42 -0500, Erik Funkenbusch wrote:

> On Tue, 25 Nov 2008 00:01:54 +0100, Peter Köhlmann wrote:
>

>> Hadron wrote:
>>
>>> Terry Porter <lin...@netspace.net.au> writes:


>>>
>>>> On Mon, 24 Nov 2008 15:42:02 -0500, Erik Funkenbusch wrote:
>>>>
>>>>> Ok, this may seem off topic, but i'll get to how it's on topic in a
>>>>> moment.
>>>>

>>>> Go Fud a MAC group Wintroll, this one is for discussing the advantages of
>>>> Linux.
>>>
>>> So you don't think advising people on potential weaknesses in Linux is
>>> an advocates job?
>>
>> He has not mentioned *any* potential weakness in linux.
>> He FUDded with a OSX weakness.
>
> No, I didn't. The weakness I speak of is not related to any OS. It's a
> human weakness. This OSX trojan does not rely on any weakness in OSX, it's
> entirely social engineering.
The next time you are in a large office space walk around and turn over a
few keyboards and I will wager a glass of wine that you will find at least
one of them has a user id or password written on the bottom of it. The
world's most formidable vault might as well be made of balsa wood if the
combination is written on the outside of the door.

Sandeep Kumar

Nov 25, 2008, 12:02:03 PM

On Tue, 25 Nov 2008 11:54:10 +0100, Richard Rasker wrote:

> Erik Funkenbusch wrote:
>
>> Ok, this may seem off topic, but i'll get to how it's on topic in a
>> moment.
>>
>> "Mac OS X targeted by Trojan and backdoor tool"
>> http://news.zdnet.com/2424-9595_22-251586.html?tag=nl.e550
>>
>> "It is a downloader, and it contacts a remote server to download the files
>> it installs," Intego said in an advisory. "This means that, in the future,
>> the downloader may be able to install payloads [other] than the one it
>> currently installs."
>>
>> "The Trojan is found on porn websites posing as a codec needed to play
>> video files, a technique used to trick the user into downloading and
>> installing it."
>
> Gee, I think I better tell my 76-year-old mother-in-law to stay away from
> those porn sites now, even though I told her that she wasn't at risk with
> her Linux machine ..

> Richard Rasker
It might just as well be a site advertising a free case of Depends adult
diapers. As the baby boomer generation ages this may very well become more of a
target.

Fingel

Nov 25, 2008, 12:53:22 PM

So are you disagreeing with the man page? You must be one hell of a
linux guru to do that.

>>
>> Both are quite different in scope
>
> Indeed they are.
>
> So Fingel really *doesn't* know wtf he's talking about.
> I wonder what part of "execute a command" & "as specified in the sudoers
> file" doesn't he understand.
>
>
>

I said, it allows you to run 1 command and if you use sudo -s as many
commands as you would like. WTF do you guys *THINK* it does? Give you
magical powers?

--
3A:29

JEDIDIAH

Nov 25, 2008, 12:42:21 PM

On 2008-11-25, Sandeep Kumar <deep839...@gmail.com> wrote:
> On Mon, 24 Nov 2008 19:26:42 -0500, Erik Funkenbusch wrote:
>
>> On Tue, 25 Nov 2008 00:01:54 +0100, Peter Köhlmann wrote:
>>
>>> Hadron wrote:
>>>
>>>> Terry Porter <lin...@netspace.net.au> writes:
>>>>
>>>>> On Mon, 24 Nov 2008 15:42:02 -0500, Erik Funkenbusch wrote:
>>>>>
>>>>>> Ok, this may seem off topic, but i'll get to how it's on topic in a
>>>>>> moment.
>>>>>
>>>>> Go Fud a MAC group Wintroll, this one is for discussing the advantages of
>>>>> Linux.
>>>>
>>>> So you don't think advising people on potential weaknesses in Linux is
>>>> an advocates job?
>>>
>>> He has not mentioned *any* potential weakness in linux.
>>> He FUDded with a OSX weakness.
>>
>> No, I didn't. The weakness I speak of is not related to any OS. It's a
>> human weakness. This OSX trojan does not rely on any weakness in OSX, it's
>> entirely social engineering.
> The next time you are in a large office space walk around and turn over a
> few keyboards and I will wager a glass of wine that you will find at least
> one of them has a user id or password written on the bottom of it.The

This is not surprising given the current state of password standards
in corporations. It's like the TSA. End users are burdened with a lot of
BS that interferes with their ability to manage information in their own
head. This BS doesn't make passwords inherently more secure. In fact it
does quite the opposite as users adapt to cope with the BS.

> world's most formidable vault might as well be made of balsa wood if the
> combination is written on the outside of the door.


--
My macintosh runs Ubuntu. |||
/ | \

chrisv

Nov 25, 2008, 1:10:28 PM

Sandeep Kumar wrote:

>The next time you are in a large office space walk around and turn over a
>few keyboards and I will wager a glass of wine that you will find at least
>one of them has a user id or password written on the bottom of it

That's exactly why my company abandoned, after a brief experiment, a
policy which required "super secure" passwords - that is, passwords
with difficult-to-guess (and remember) mixtures of upper- and
lower-case, numbers, symbols, etc.

Sinister Midget

Nov 25, 2008, 2:49:56 PM

On 2008-11-25, chrisv <chr...@nospam.invalid> claimed:

I keep my passwords on a thumbdrive, encrypted using this:

http://www.fpx.de/fp/Software/Gorilla/

Even Wintards could use it. Not that they have any hope of security.
But they can pretend.

--
Consider for a moment any beauty in the name Ralph.
-- Frank Zappa

Mart van de Wege

Nov 25, 2008, 2:04:12 PM

Fingel <aus...@Fingel.com> writes:

<about sudo>


> I said, it allows you to run 1 command and if you use sudo -s as many
> commands as you would like. WTF do you guys *THINK* it does? Give you
> magical powers?

As I said, RTFM.

sudoers(5) explains exactly why you are making a fool of yourself.

Chris Ahlstrom

Nov 25, 2008, 5:24:08 PM

After takin' a swig o' grog, chrisv belched out
this bit o' wisdom:

> Sandeep Kumar wrote:

It wouldn't be so bad if they did just this, but they often follow it up
with mandatory changing of the password every month.

--
Wiker's Law:
Government expands to absorb revenue and then some.

William Poaster

Nov 25, 2008, 6:05:35 PM

On Tue, 25 Nov 2008 20:04:12 +0100, Mart van de Wege wrote:

> Fingel <aus...@Fingel.com> writes:
>
> <about sudo>
>> I said, it allows you to run 1 command and if you use sudo -s as many
>> commands as you would like. WTF do you guys *THINK* it does? Give you
>> magical powers?
>
> As I said, RTFM.
>
> sudoers(5) explains exactly why you are making a fool of yourself.

1] You're assuming he can read.
2] You're assuming he can understand what he reads.

Ron House

Nov 25, 2008, 8:04:30 PM

Mart van de Wege wrote:
> Fingel <aus...@Fingel.com> writes:
>
> <about sudo>
>> I said, it allows you to run 1 command and if you use sudo -s as many
>> commands as you would like. WTF do you guys *THINK* it does? Give you
>> magical powers?
>
> As I said, RTFM.
>
> sudoers(5) explains exactly why you are making a fool of yourself.
>
> Mart
>

He's said he's read the manual, and he's said why he thinks his argument
is correct. A reasonable answer to that is to quote the section of the
manual that contradicts him and explain why. But you are just swearing
at him and refusing to explain why you think you are right. I know who
has higher credibility.

Want to swear at me too now?

--
Ron House
Australian Birds: http://wingedhearts.org
Principle of Goodness academic site: http://principleofgoodness.net

Gregory Shearman

Nov 25, 2008, 11:44:23 PM

I always use

GentooPenguin$ su -c <command>

===============================

It only runs *one* command as root. It is dangerous to use:

GentooPenguin$ su

==============================

Being root is very dangerous. I will always review a command a number of
times before executing it as root. I've not been caught by making a
stupid mistake and even if I were, I've got reliable backups.

--
Regards,

Gregory.
Gentoo Linux - Penguin Power

Gregory Shearman

Nov 25, 2008, 11:47:34 PM

On 2008-11-25, Sandeep Kumar <deep839...@gmail.com> wrote:

So you think this will get grandma to install a trojan:

"To get a free case of Depends you need to download this file and
execute it as root on your machine".

Mate, there's a sucker born every minute but I don't think there are many
suckers born that are as stupid as to do the above.

Gregory Shearman

Nov 26, 2008, 12:03:37 AM

On 2008-11-25, Sandeep Kumar <deep839...@gmail.com> wrote:

Really? When are the public at large allowed to go around a large
office, rummaging through the computer hardware, sensitive (paper)
files, etc? You'll be asked what the hell you are doing and be lucky not
to be arrested. What a stupid idea. The real danger is from the 'net,
not physical access to computers.

Sheesh... if this is the level of security debate then God help us.

Sandeep Kumar

Nov 26, 2008, 12:29:53 AM

On 26 Nov 2008 04:47:34 GMT, Gregory Shearman wrote:

> On 2008-11-25, Sandeep Kumar <deep839...@gmail.com> wrote:
>> On Tue, 25 Nov 2008 11:54:10 +0100, Richard Rasker wrote:
>>
>>> Erik Funkenbusch wrote:
>>>
>>>> Ok, this may seem off topic, but i'll get to how it's on topic in a
>>>> moment.
>>>>
>>>> "Mac OS X targeted by Trojan and backdoor tool"
>>>> http://news.zdnet.com/2424-9595_22-251586.html?tag=nl.e550
>>>>
>>>> "It is a downloader, and it contacts a remote server to download the files
>>>> it installs," Intego said in an advisory. "This means that, in the future,
>>>> the downloader may be able to install payloads [other] than the one it
>>>> currently installs."
>>>>
>>>> "The Trojan is found on porn websites posing as a codec needed to play
>>>> video files, a technique used to trick the user into downloading and
>>>> installing it."
>>>
>>> Gee, I think I better tell my 76-year-old mother-in-law to stay away from
>>> those porn sites now, even though I told her that she wasn't at risk with
>>> her Linux machine ..
>>> Richard Rasker
>> It might just as well be a site advertising a free case of Depends adult
>> diapers.As the baby boomer generation ages this may very well become more a
>> target.
>
> So you think this will get grandma to install a trojan:

Sure.
How about a free vacation to Florida?
A free cruise?
etc.


> "To get a free case of Depends you need to download this file and
> execute it as root on your machine".

Yep..
And if someone offered you a free lotto ticket for a million dollars and
all you had to do was..........

> Mate, There's a sucker born every minute but I don't think there's many
> suckers born that are as stupid as do the above.

You are an idiot if you don't believe that.
It's even worse than we have discussed.

Sandeep Kumar

Nov 26, 2008, 12:32:59 AM

Really?
And when is each and every employee screened to determine if they have no
connections to the underworld?

You do know that much of credit card theft is related to planted people
inside the operation who leak the information for money.

Obviously you have no clue what you are babbling about so why not go back
into your cave and play with VI some more.

> Sheesh... if this is the level of security debate then God help us.

You seem to be an idiot with no clue.

Fingel

Nov 26, 2008, 1:26:55 AM

You may not think it, but true story, my grandma installed spyware on
her computer because she saw a popup online that told her she needed to
press "ok" to "fix several problems" with her computer. It's hard for
them to tell what is legit and what is not.

--
3A:29

Mart van de Wege

Nov 26, 2008, 1:55:06 AM

Ron House <rho...@smartchat.net.au> writes:

> Mart van de Wege wrote:
>> Fingel <aus...@Fingel.com> writes:
>>
>> <about sudo>
>>> I said, it allows you to run 1 command and if you use sudo -s as many
>>> commands as you would like. WTF do you guys *THINK* it does? Give you
>>> magical powers?
>>
>> As I said, RTFM.
>>
>> sudoers(5) explains exactly why you are making a fool of yourself.
>>
>> Mart
>>
>
> He's said he's read the manual, and he's said why he thinks his
> argument is correct. A reasonable answer to that is to quote the
> section of the manual that contradicts him and explain why. But you
> are just swearing at him and refusing to explain why you think you are
> right. I know who has higher credibility.
>
> Want to swear at me too now?

Yes, because his own quotes from man sudo in this thread show that he
forgets an important qualifier to 'sudo runs one command as root'.

You're an illiterate idiot as well.

Ron House

Nov 26, 2008, 2:39:42 AM

Mart van de Wege wrote:
> Ron House <rho...@smartchat.net.au> writes:
>
>> Mart van de Wege wrote:
>>> Fingel <aus...@Fingel.com> writes:
>>>
>>> <about sudo>
>>>> I said, it allows you to run 1 command and if you use sudo -s as many
>>>> commands as you would like. WTF do you guys *THINK* it does? Give you
>>>> magical powers?
>>> As I said, RTFM.
>>>
>>> sudoers(5) explains exactly why you are making a fool of yourself.
>>>
>>> Mart
>>>
>> He's said he's read the manual, and he's said why he thinks his
>> argument is correct. A reasonable answer to that is to quote the
>> section of the manual that contradicts him and explain why. But you
>> are just swearing at him and refusing to explain why you think you are
>> right. I know who has higher credibility.
>>
>> Want to swear at me too now?
>
> Yes, because his own quotes from man sudo in this thread show that he
> forgets an important qualifier to 'sudo runs one command as root'.
>
> You're an illiterate idiot as well.
>
> Mart
>

-s The -s (shell) option runs the shell specified by the
SHELL environment variable if it is set or the shell as
specified in passwd(5).

And the shell allows you to type as many commands as you want, right?
Seems to be exactly what Fingel said above, unless there's some great
subtlety that you haven't pointed out to us. Cancel that, I just tried
it out, and I can run as many commands as I like, not just 1. Now who's
the foul-mouthed illiterate idiot?
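
Both sides of the sudo exchange above depend on what the sudoers file grants: `sudo -s` starts a shell, and that shell is itself a command the policy has to permit. The following is an added example, not code from the thread or from the sudo project; the sample policy is constructed, `audit_sudoers` and `shell_allowed_for` are hypothetical helper names, and the reader is simplified (one rule per line, no alias expansion, no line continuations, no include handling).

```shell
#!/bin/sh
# Added example, not from the thread. Simplified sudoers reader: one rule per
# line, no alias expansion, no line continuations, no include handling.

# Constructed sample policy.
sample_sudoers() {
    cat <<'EOF'
# constructed sample, not a recommended policy
Defaults env_reset
root    ALL=(ALL) ALL
%admin  ALL=(ALL) ALL
printop ALL=(root) NOPASSWD: /etc/init.d/cups restart
alice   ALL=(root) /usr/bin/apt-get update, /bin/bash
bob     ALL=(root) /usr/bin/apt-get update
EOF
}

# audit_sudoers: read sudoers text on stdin and print "<who> <verdict>" per
# rule, where verdict is
#   unrestricted  the rule grants ALL commands (any shell, so sudo -s works)
#   shell         the command list names a shell or su directly
#   restricted    only the listed commands may be run
audit_sudoers() {
    awk '
    /^[ \t]*(#|$)/ { next }                       # comments and blank lines
    $1 ~ /^Defaults/ || $1 ~ /_Alias$/ { next }   # settings and alias definitions
    {
        who = $1
        spec = $0
        sub(/^[^=]*=/, "", spec)       # keep what follows "host ="
        gsub(/\([^)]*\)/, "", spec)    # drop (runas) lists
        gsub(/[A-Z_]+:/, "", spec)     # drop tags such as NOPASSWD:
        verdict = "restricted"
        n = split(spec, cmd, ",")
        for (i = 1; i <= n; i++) {
            split(cmd[i], w)           # w[1] is the program, the rest its arguments
            prog = w[1]
            base = prog
            sub(/.*\//, "", base)
            if (prog == "ALL")
                verdict = "unrestricted"
            else if (verdict == "restricted" &&
                     base ~ /^(sh|bash|dash|ksh|zsh|csh|tcsh|su)$/)
                verdict = "shell"
        }
        print who, verdict
    }'
}

# shell_allowed_for WHO: status 0 when the policy on stdin lets WHO reach a
# root shell (verdict unrestricted or shell), 1 otherwise.
shell_allowed_for() {
    audit_sudoers | awk -v who="$1" '
        $1 == who && $2 != "restricted" { ok = 1 }
        END { exit ok ? 0 : 1 }'
}

# Demo on the constructed policy.
sample_sudoers | audit_sudoers
```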

Peter Köhlmann

Nov 26, 2008, 3:00:27 AM

Fingel wrote:

Pressing OK on a wintendo Toys-R-Us machine is not the same as downloading a
file, putting it into a writeable directory, navigating there and giving
exec-rights to it and *then* executing it.
On every one of those needed steps, a user dumb enough to fall for that
bullshit will botch it.
The result is that too few infections will survive (user dumb enough, but
somehow managed to do it correctly [little sister was present]), making
the "virus" ineffective. As the virus writers are aware of that too, they
do not even attempt it.
Naturally nothing is really immune to malware, and linux is no exception.
The question is always: Does the achieved result match the effort needed?
And until now in the case of linux the answer was "no". And as long as the
virus writers do not come up with a completely new trick, this is unlikely
to change. And frankly, I have no idea what that "new trick" should be.

Hadron Quark's assertion that it "just needs someone to write a mail app
which will behave the dumbest way possible (the windows way) and exec
attachments" is a typical Hadron Quark lunacy. It does not "just need
someone to write that app". It also needs download sites, *lots* of
advertisement (why would someone go to such a site) and above all, it needs
users willing to download such garbage although they already have several
good mail apps. Additionally, they need to be stupid enough (that is, they
have to be dumber than Snot Glassers victims) to do that, although the
entire linux community would inform them what a really stupid idea that
would be

Yes, according to Hadron Quark it is "very simple".
He just forgot the obstacles in the way. But then, he is no linux user.
Never was, never will be
--
Microsoft's Guide To System Design:
Let it get in YOUR way. The problem for your problem.

Gregory Shearman

Nov 26, 2008, 4:48:20 AM

Here's a clue:

When something sounds too good to be true. It isn't.

> etc/
>> "To get a free case of Depends you need to download this file and
>> execute it as root on your machine".
>
> Yep..
> And iff someone offered you a free lotto ticket for a million dollars and
> all you haed to do was..........

See above.

>> Mate, There's a sucker born every minute but I don't think there's many
>> suckers born that are as stupid as do the above.
>
> You are an idiot if you don't believe that.

Ok, According to you, I'm an idiot. Discussion over.

> It's even worse than we have discussed.

In your own mind, of course.

Gregory Shearman

Nov 26, 2008, 4:49:43 AM

Sorry, but your grandma needs to have someone else care for her machine.
She's obviously not capable of such a task.

Gregory Shearman

Nov 26, 2008, 4:54:17 AM

Well, at my organisation, when we are employed. A clearance is required
from the Federal Police (USA equivalent - FBI).

> You do know that much of credit card theft is related to planted people
> inside the operation who leak the information for money.

How much? As much as malware and fraud coming from the internet? Good
luck with your proof of concept.

> Obviously you have no clue what you are babbling about so why not go back
> into your cave and play with VI some more.
>
>> Sheesh... if this is the level of security debate then God help us.
>
> You seem to be an idiot with no clue.

You are now <PLONKED>

I don't communicate with insulting, trolling arseholes. Into the Bozobin
with you.

Johan Lindquist

Nov 26, 2008, 6:24:14 AM
So anyway, it was like, 05:47 CET Nov 26 2008, you know? Oh, and, yeah,
Gregory Shearman was all like, "Dude,

[..]

> So you think this will get grandma to install a trojan:
>
> "To get a free case of Depends you need to download this file and
> execute it as root on your machine".
>
> Mate, There's a sucker born every minute but I don't think there's
> many suckers born that are as stupid as do the above.

And yet people actually accepted to pay some "competition fees",
handing out their credit card number /over the phone/ to a total
stranger who called them up out of the blue, to win tickets for that
"free cruise for four people" just earlier this year.

If you don't realise that some people are incredibly gullible, you're
living in fantasy land.

--
Time flies like an arrow, fruit flies like a banana. Perth ---> *
12:20:55 up 34 days, 1:08, 2 users, load average: 0.33, 0.21, 0.11
Linux 2.6.27.2 x86_64 GNU/Linux Registered Linux user #261729

Gregory Shearman

Nov 26, 2008, 6:44:42 AM
On 2008-11-26, Johan Lindquist <sp...@smilfinken.net> wrote:
> So anyway, it was like, 05:47 CET Nov 26 2008, you know? Oh, and, yeah,
> Gregory Shearman was all like, "Dude,
>
> [..]
>
>> So you think this will get grandma to install a trojan:
>>
>> "To get a free case of Depends you need to download this file and
>> execute it as root on your machine".
>>
>> Mate, There's a sucker born every minute but I don't think there's
>> many suckers born that are as stupid as do the above.
>
> And yet people actually accepted to pay some "competition fees",
> handing out their credit card number /over the phone/ to a total
> stranger who called them up out of the blue, to win tickets for that
> "free cruise for four people" just earlier this year.
>
> If you don't realise that some people are incredibly gullible, you're
> living in fantasy land.
>

Did you actually read what I wrote?

"Mate, There's a sucker born every minute but I don't think there's
many suckers born that are as stupid as do the above."

I said "many" not "any".

Of course there are the statistically few who are terminally gullible.
That's how spam works. Think of it as Darwin in Action.

Richard Rasker

Nov 26, 2008, 7:07:28 AM
Johan Lindquist wrote:

> So anyway, it was like, 05:47 CET Nov 26 2008, you know? Oh, and, yeah,
> Gregory Shearman was all like, "Dude,
>
> [..]
>
>> So you think this will get grandma to install a trojan:
>>
>> "To get a free case of Depends you need to download this file and
>> execute it as root on your machine".
>>
>> Mate, There's a sucker born every minute but I don't think there's
>> many suckers born that are as stupid as do the above.
>
> And yet people actually accepted to pay some "competition fees",
> handing out their credit card number /over the phone/ to a total
> stranger who called them up out of the blue, to win tickets for that
> "free cruise for four people" just earlier this year.
>
> If you don't realise that some people are incredibly gullible, you're
> living in fantasy land.

Yes, some people fall for scams, social engineering etcetera. And yes, there
are Linux users among these people, and more so if Linux' popularity
increases further. So yes, Linux systems will most likely get infected that
way.

The only question is, at which scale? If Linux would have, say, a 10-20%
market share, what would be the infection rate?

The Wintrolls here would make it believe that it will be in the same
ballpark as the infection rate of Windows boxes -- somewhere between 25 and
50% of all machines world wide. I think this won't happen, ever.
The "target audience" is simply too small: rather gullible, none-too-savvy
people who nevertheless have enough knowledge to either enter a root
password (which many don't remember), or jump through some CLI hoops. It's
impossible to predict the actual infection rate, but I think one can safely
say that it's very unlikely that it will ever cross the 1% mark. Just
compare it to cracked Linux servers: only badly administered, unpatched
machines get cracked; this is a very small amount compared to the huge
number out there.

Richard Rasker
--
http://www.linetec.nl

Ezekiel

Nov 26, 2008, 7:22:53 AM

"Richard Rasker" <spam...@linetec.nl> wrote in message
news:492d3c00$0$721$7ade...@textreader.nntp.internl.net...

> Johan Lindquist wrote:
>
>> So anyway, it was like, 05:47 CET Nov 26 2008, you know? Oh, and, yeah,
>> Gregory Shearman was all like, "Dude,
>>
>> [..]
>>
>>> So you think this will get grandma to install a trojan:
>>>
>>> "To get a free case of Depends you need to download this file and
>>> execute it as root on your machine".
>>>
>>> Mate, There's a sucker born every minute but I don't think there's
>>> many suckers born that are as stupid as do the above.
>>
>> And yet people actually accepted to pay some "competition fees",
>> handing out their credit card number /over the phone/ to a total
>> stranger who called them up out of the blue, to win tickets for that
>> "free cruise for four people" just earlier this year.
>>
>> If you don't realise that some people are incredibly gullible, you're
>> living in fantasy land.
>
> Yes, some people fall for scams, social engineering etcetera. And yes,
> there
> are Linux users among these people, and more so if Linux' popularity
> increases further. So yes, Linux systems will most likely get infected
> that
> way.

The key here is that it is /people/ who are gullible to social engineering
scams. This is independent of what OS (if any) that these people use.


> The only question is, at which scale? If Linux would have, say, a 10-20%
> market share, what would be the infection rate?

The percentage of people who fall for these scams isn't going to change
because they are using a different computer or OS.


> The Wintrolls here would make it believe that it will be in the same
> ballpark as the infection rate of Windows boxes -- somewhere between 25
> and
> 50% of all machines world wide.

I don't know what percent of computers get infected because of social
engineering and user stupidity. That percentage won't change by all that
much. The number that will drop (with Linux usage) is the percentage of
people who are vigilant and careful yet still get infected.


> I think this won't happen, ever.
> The "target audience" is simply too small: rather gullible, none-too-savvy
> people who nevertheless have enough knowledge to either enter a root
> password (which many don't remember), or jump through some CLI hoops.
> It's
> impossible to predict the actual infection rate, but I think one can
> safely
> say that it's very unlikely that it will ever cross the 1% mark. Just
> compare it to cracked Linux servers: only badly administered, unpatched
> machines get cracked; this is a very small amount compared to the huge
> number out there.

There have been enough 'badly administered, unpatched' Linux machines
hacked (Ubuntu servers, Schestowitz, etc) so once you get more users, you
can count on even larger numbers of Linux machines to be administered much
worse than they are today.


Johan Lindquist

Nov 26, 2008, 7:24:38 AM
So anyway, it was like, 12:44 CET Nov 26 2008, you know? Oh, and, yeah,

Gregory Shearman was all like, "Dude,
> On 2008-11-26, Johan Lindquist <sp...@smilfinken.net> wrote:
>> So anyway, it was like, 05:47 CET Nov 26 2008, you know? Oh, and, yeah,
>> Gregory Shearman was all like, "Dude,

>>> So you think this will get grandma to install a trojan:


>>>
>>> "To get a free case of Depends you need to download this file and
>>> execute it as root on your machine".
>>>
>>> Mate, There's a sucker born every minute but I don't think there's
>>> many suckers born that are as stupid as do the above.
>>
>> And yet people actually accepted to pay some "competition fees",
>> handing out their credit card number /over the phone/ to a total
>> stranger who called them up out of the blue, to win tickets for
>> that "free cruise for four people" just earlier this year.
>>
>> If you don't realise that some people are incredibly gullible,
>> you're living in fantasy land.
>
> Did you actually read what I wrote?

I just read how you call people who don't think anyone would be fooled
by easy tricks idiots, so, yes.

> "Mate, There's a sucker born every minute but I don't think there's
> many suckers born that are as stupid as do the above."
>
> I said "many" not "any".

You pretty much discarded the idea that people are gullible.

> Of course there are the statistically few who are terminally
> gullible. That's how spam works. Think of it as Darwin in Action.

Right, so there would be people who can be tricked into doing
stupid stuff. I don't see the reason to go off on anyone who says
differently.

Rather identify the problem with ignorant and non-technical users
and fix that, if there is one at all.

--
Time flies like an arrow, fruit flies like a banana. Perth ---> *

13:22:10 up 34 days, 2:10, 2 users, load average: 0.14, 0.12, 0.09

Chris Ahlstrom

Nov 26, 2008, 7:37:38 AM
After takin' a swig o' grog, Ron House belched out
this bit o' wisdom:

> Mart van de Wege wrote:


>> Ron House <rho...@smartchat.net.au> writes:
>>>
>>> Want to swear at me too now?
>>
>> Yes, because his own quotes from man sudo in this thread show that he
>> forgets an important qualifier to 'sudo runs one command as root'.
>

> -s The -s (shell) option runs the shell specified by the
> SHELL environment variable if it is set or the shell as
> specified in passwd(5).
>
> And the shell allows you to type as many commands as you want, right?
> Seems to be exactly what Fingel said above, unless there's some great
> subtlety that you haven't pointed out to us. Cancel that, I just tried
> it out, and I can run as many commands as I like, not just 1.

You guys need a meeting of the minds.

--
<Mongoose> knghtbrd: and the meek shall inherit k-mart

Johan Lindquist

Nov 26, 2008, 7:34:59 AM
So anyway, it was like, 13:07 CET Nov 26 2008, you know? Oh, and, yeah,
Richard Rasker was all like, "Dude,
> Johan Lindquist wrote:

[..]

>> And yet people actually accepted to pay some "competition fees",
>> handing out their credit card number /over the phone/ to a total
>> stranger who called them up out of the blue, to win tickets for
>> that "free cruise for four people" just earlier this year.
>>
>> If you don't realise that some people are incredibly gullible,
>> you're living in fantasy land.
>
> Yes, some people fall for scams, social engineering etcetera. And
> yes, there are Linux users among these people, and more so if Linux'
> popularity increases further. So yes, Linux systems will most likely
> get infected that way.
>
> The only question is, at which scale? If Linux would have, say, a
> 10-20% market share, what would be the infection rate?

Not huge, probably.

I'm just surprised at the apparent venom with which people are met
who suggest that there are ways to trick even linux users into doing
stupid things with their system.

Some even go as far as to call people idiots for pointing out that you
could execute a single command and gain root access from that point
onwards, if you're an authenticated user on the system.

> The Wintrolls here would make it believe that it will be in the same
> ballpark as the infection rate of Windows boxes -- somewhere between
> 25 and 50% of all machines world wide. I think this won't happen,
> ever. The "target audience" is simply too small: rather gullible,
> none-too-savvy people who nevertheless have enough knowledge to
> either enter a root password (which many don't remember), or jump
> through some CLI hoops.

It's interesting, though, to note that on one hand there's the windows
fan base who claim 100% infection rate when linux "gets popular", and
on one hand there's the linux fan base who are completely oblivious to
the way some distributions are set up by default, which does indeed
mean there's a potential vector for malware to be introduced.

> It's impossible to predict the actual infection rate, but I think
> one can safely say that it's very unlikely that it will ever cross
> the 1% mark. Just compare it to cracked Linux servers: only badly
> administered, unpatched machines get cracked; this is a very small
> amount compared to the huge number out there.

I wouldn't place any bets where the outcome hinges on people not doing
something stupid, personally. Even so I'm not hugely worried about
an onslaught of virus infections when linux does take over the world
either.

--
Time flies like an arrow, fruit flies like a banana. Perth ---> *

13:24:52 up 34 days, 2:12, 2 users, load average: 0.10, 0.13, 0.09

Chris Ahlstrom

Nov 26, 2008, 7:42:18 AM
After takin' a swig o' grog, Ezekiel belched out
this bit o' wisdom:

> There have been enough 'badly administered, unpatched' Linux machines

> hacked (Ubuntu servers, Schestowitz, etc) so once you get more users, you
> can count on even larger numbers of Linux machines to be administered much
> worse than they are today.

I have a bigger worry about Linux... vendor-subsidized malware preloaded
on consumer boxes.

--
Today when a man gets married he gets a home, a housekeeper, a cook, a cheering
squad and another paycheck. When a woman marries, she gets a boarder.

Chris Ahlstrom

Nov 26, 2008, 7:43:46 AM
After takin' a swig o' grog, Gregory Shearman belched out
this bit o' wisdom:

motzarella in the headers is always a good indicator of the performance of
future postings.

--
Truth is hard to find and harder to obscure.

Ezekiel

Nov 26, 2008, 7:45:56 AM

"Chris Ahlstrom" <lin...@bollsouth.nut> wrote in message
news:bsbXk.307$YU6...@bignews8.bellsouth.net...

> After takin' a swig o' grog, Ezekiel belched out
> this bit o' wisdom:
>
>> There have been enough 'badly administered, unpatched' Linux machines
>> hacked (Ubuntu servers, Schestowitz, etc) so once you get more users,
>> you
>> can count on even larger numbers of Linux machines to be administered
>> much
>> worse than they are today.
>
> I have a bigger worry about Linux... vendor-subsidized malware preloaded
> on consumer boxes.

I don't understand why a vendor (as in Dell, HP, etc) would preload known
malware. But I can see vendors installing 'trial software' the same way
they ship you a Windows machine with preloaded trialware installed. They do
it simply because it adds up to free revenue for them. (Unless it's this
preloaded trial-ware that you're calling malware.)

Richard Rasker

Nov 26, 2008, 8:35:22 AM
Ezekiel wrote:

I believe it will matter which OS is used, because the OS can make it more
difficult for social engineering tricks to succeed. With Windows, it's
enough to put a .exe file out there in a clickable link. The file will
download automatically if the link is clicked, and Windows will only ask
once if the file should be executed or saved. If the user clicks "Execute",
he's screwed. In other words: just two or perhaps three simple clicks are
enough to get infected.
And with most Windows users "clicking away" all kinds of messages, warnings
and pop-ups all the time, the success rate of the malware will be quite
high.

In Linux, a similar attack may also start with one click, which downloads
an .rpm or .deb file, with a similar question, but with one important
difference: Linux asks if the file should be downloaded or "opened with the
software installer" -- instead of just "executed". OK, I don't think that
it'll make that much of a difference, but, people will generally be more
aware that they're about to install something, not just run it.
Then Linux asks for the root password -- and this is the point at which
people start thinking, if only because most people don't know their root
password by heart. And this is the point at which another lot of people
will not carry on -- because they're not used at all to having to enter a
root password to accomplish things on the Internet.

The same goes for jumping through CLI hoops, to execute stuff without root
rights, with even less chance of success, because it's more complicated
than clicking and typing a password.

And another big factor is of course the choice of distribution itself; an
attack with a .deb file will only work on Debian-based distributions, for
instance.

So yes, I believe that even social engineering attacks will have less
success on Linux than they have on Windows, because Windows makes it easier
for users to do the wrong thing. Every extra action required from the user
decreases the chances of success for malware through social engineering.

But no doubt, Linux boxes will get hacked this way.

...


>> say that it's very unlikely that it will ever cross the 1% mark. Just
>> compare it to cracked Linux servers: only badly administered, unpatched
>> machines get cracked; this is a very small amount compared to the huge
>> number out there.
>
> There have been enough 'badly administered, unpatched' Linux machines
> hacked (Ubuntu servers, Schestowitz, etc) so once you get more users, you
> can count on even larger numbers of Linux machines to be administered much
> worse than they are today.

I only mentioned servers as an example; also, most server vulnerabilities
stem from bad PHP scripts and the likes. Only very few desktop users will
even start running servers, so this number of hacked servers most likely
won't increase in any significant way.

bugbuster

Nov 26, 2008, 8:56:23 AM

That only works if the shell is authorized in /etc/sudoers which would
seem to be a bad idea.

Bug


chrisv

Nov 26, 2008, 8:57:31 AM
Fingel wrote:

>You may not think it, but true story, my grandma installed spyware on
>her computer because she saw a popup online that told her she needed to
>press "ok" to "fix several problems" with her computer. It's hard for
>them to tell what is legit and what is not.

Would she also cough-up her credit card and social security numbers,
if someone called and asked?

Life does require a BIT of training, to avoid being scammed. Even for
grandmothers.

ml2mst

Nov 26, 2008, 9:27:45 AM
Chris Ahlstrom wrote:
> After takin' a swig o' grog, Gregory Shearman belched out
> this bit o' wisdom:
>
>> On 2008-11-26, Sandeep Kumar <deep839...@gmail.com> wrote:
>>
>>> You seem to be an idiot with no clue.
>> You are now <PLONKED>
>>
>> I don't communicate with insulting, trolling arseholes. Into the Bozobin
>> with you.
>
> motzarella in the headers is always a good indicator of the performance of
> future postings.

Peter Köhlmann yesterday already pointed out after "Sandeep's" second
posting that it's probably Flatfish.

Now last night he posted this:

[quote]

On Wed, 26 Nov 2008 02:53:44 +0000, Roy Schestowitz wrote:

To add to my previous message could one imagine what it would be like if
this was an X-ray machine or a heart monitor? Getting locked out of one's
own car is one thing, dying is certainly another far more serious problem.

[/quote]

I'm quite sure Roy never posted the quote above. No idea what Flatty is
up to, but it's probably for future "evidence".

--
|_|0|_| Marti T. van Lin
|_|_|0| http://ml2mst.googlepages.com
|0|0|0| http://osgeex.blogspot.com

Chris Ahlstrom

Nov 26, 2008, 10:14:12 AM
After takin' a swig o' grog, Ezekiel belched out
this bit o' wisdom:

> "Chris Ahlstrom" <lin...@bollsouth.nut> wrote in message
>


>> I have a bigger worry about Linux... vendor-subsidized malware preloaded
>> on consumer boxes.
>
> I don't understand why a vendor (as in Dell, HP, etc) would preload known
> malware.

Why not? They preload Vista <nuk nuk nuk>.

> But I can see vendors installing 'trial software' the same way
> they ship you a Windows machine with preloaded trialware installed. They do
> it simply because it adds up to free revenue for them. (Unless it's this
> preloaded trial-ware that you're calling malware.)

(Yes -- that stuff generally sucks. At best, it is a ploy to get more money
from you later. But it often interferes with the purpose of having a
computer, at least from my point of view.)

--
I've always considered statesmen to be more expendable than soldiers.

chrisv

Nov 26, 2008, 10:21:56 AM
> trolling fsckwit Zeke wrote:
>>
>> The percentage of people who fall for these scams isn't going to change
>> because they are using a different computer or OS.

Actually, it will, fsckwit. Like most fsckwitted trolls, you seem to
see only in black and white, as if the only possible outcomes are
"completely eliminates the issue" or "no change at all", with nothing
in-between.

Obviously, you're wrong. Obviously, you're a fsckwit.

Hadron

Nov 26, 2008, 11:12:18 AM
bugbuster <bugb...@nowhere.org> writes:

Totally immaterial point.

They were discussing enabled sudo -s.

--
"Every piece of evidence I've heard from developers inside Microsoft
supports my theory that the company has become completely tangled up in..."
-- William Poaster <w...@leafnode.amd64.eu> boring people again in comp.os.linux.advocacy

Peter Köhlmann

Nov 26, 2008, 11:21:44 AM
Hadron wrote:

Actually, no. Mis-configuring things and then acting as if that is the norm is
not "immaterial". Any sudoers file which would contain that is to be
considered harmful.


> They were discussing enabled sudo -s.

Pray tell where it is enabled by default that way

--
Failure is not an option. It comes bundled with your Microsoft product.

Ezekiel

Nov 26, 2008, 11:31:06 AM

"chrisv" <chr...@nospam.invalid> wrote in message
news:l3qqi4t9579eonj74...@4ax.com...

Obviously the percentage of people who fall for social engineering scams
isn't going to be 100.000% as it is today. Only a complete moron (ie -
*you*) would think that it would. But the number of people who do fall for
these things isn't going to change just because somebody changed the OS on
their desktop.

So if you want to make the argument that the number will change then it will
probably go *UP* since users will be lulled into a false sense of security
thinking that because they run Linux... it's now okay to run some app/script
that was emailed to them.

Mart van de Wege

Nov 26, 2008, 11:51:31 AM
Ron House <rho...@smartchat.net.au> writes:

You.

gast@gareth:~$ sudo -s

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

#1) Respect the privacy of others.
#2) Think before you type.
#3) With great power comes great responsibility.

[sudo] password for gast:
Sorry, user gast is not allowed to execute '/bin/bash' as root [...]
gast@gareth:~$ logout

See? Even sudo -s is subject to restrictions as set in the sudoers file.

And since both you and Fingel keep reading over this qualification in sudo(8):

'... as specified in the sudoers file ... '

it is an objective *fact* that you are illiterates.

Sandeep Kumar

Nov 26, 2008, 11:53:14 AM
On Wed, 26 Nov 2008 06:26:55 GMT, Fingel wrote:


> You may not think it, but true story, my grandma installed spyware on
> her computer because she saw a popup online that told her she needed to
> press "ok" to "fix several problems" with her computer. It's hard for
> them to tell what is legit and what is not.

That happens all the time.

Sandeep Kumar

Nov 26, 2008, 11:57:28 AM

And yet people will touch a wall that has a wet paint sign on it every
time. They will play lotto. They will go to Vegas hoping to win the big one.
And they will respond to anything when they think they can make a dollar.
It's human nature. BTW I agree with you but it doesn't matter because human
nature is what is the monkey wrench in that argument.

>> etc/
>>> "To get a free case of Depends you need to download this file and
>>> execute it as root on your machine".
>>
>> Yep..
>> And if someone offered you a free lotto ticket for a million dollars and
>> all you had to do was..........
>
> See above.

See above.

>>> Mate, There's a sucker born every minute but I don't think there's many
>>> suckers born that are as stupid as do the above.
>>
>> You are an idiot if you don't believe that.
>
> Ok, According to you, I'm an idiot. Discussion over.

If you believe most people won't take the bait you are just kidding
yourself.

>> It's even worse than we have discussed.
>
> In your own mind, of course.

No. In the minds of all the antivirus companies that are making millions. The
proof is already out there but you refuse to believe it.

Hadron

Nov 26, 2008, 11:58:35 AM

Mart, give it up. All the sliding in the world doesn't change the fact
of what sudo -s DOES when configured to be available.

You have been 0wned. Accept it like a man and move on.

--
"It explains a lot. I've not heard of anyone I know, anywhere, buying XP,
and I've not seen it sold whilst I've been in any shops."
comp.os.linux.advocacy - where they put the lunacy in advocacy

Hadron

Nov 26, 2008, 11:59:13 AM
Sandeep Kumar <deep839...@gmail.com> writes:

And everyone knows it .... except .. COLA "advocates". Amazing.

Sandeep Kumar

Nov 26, 2008, 11:59:59 AM

This is commonplace these days but still sometimes things fall through the
cracks.


>> You do know that much of credit card theft is related to planted people
>> inside the operation who leak the information for money.
>
> How much? As much as malware and fraud coming from the internet? Good
> luck with your proof of concept.

Not in terms of incidents, however one incident like a copied or stolen
hard drive has the potential for millions of numbers to be compromised at
once. It has already happened in fact.


>> Obviously you have no clue what you are babbling about so why not go back
>> into your cave and play with VI some more.
>>
>>> Sheesh... if this is the level of security debate then God help us.
>>
>> You seem to be an idiot with no clue.
>
> You are now <PLONKED>
>
> I don't communicate with insulting, trolling arseholes. Into the Bozobin
> with you.

If it makes you feel better so be it.

Peter Köhlmann

Nov 26, 2008, 11:56:33 AM
Ezekiel wrote:

And all those dumb enough to fall for those scams *and* dumb enough to think
that linux will protect against idiocy are not smart enough to pull it off.
Net effect: Still not enough percentage of infected linux machines to keep
malware alive. It will still die out rather quickly

Making writing that malware still a fruitless effort and for that very
reason not very probable
--
Microsoft's Guide To System Design:
It could be worse, but it'll take time.

Peter Köhlmann

Nov 26, 2008, 12:03:15 PM
Hadron wrote:

> Sandeep Kumar <deep839...@gmail.com> writes:
>
>> On Wed, 26 Nov 2008 06:26:55 GMT, Fingel wrote:
>>
>>
>>> You may not think it, but true story, my grandma installed spyware on
>>> her computer because she saw a popup online that told her she needed to
>>> press "ok" to "fix several problems" with her computer. It's hard for
>>> them to tell what is legit and what is not.
>>
>> That happens all the time.
>
> And everyone knows it .... except .. COLA "advocates". Amazing.
>

Yes, it happens all the time. On windows machines.
--
Avoid reality at all costs.

Ezekiel

Nov 26, 2008, 12:04:59 PM

"Mart van de Wege" <mvdwege...@myrealbox.com> wrote in message
news:86prkii...@gareth.avalon.lan...

Well that's great. Except for all of the novice users who don't bother to
configure their sudoers file. Most people will simply continue to use
defaults. And the defaults place no such restrictions. In Ubuntu I can:

zeke@ubu:/mnt$ sudo -s
[sudo] password for zeke:
root@ubu:/mnt#
root@ubu:/# whoami
root


> And since both you and Fingel keep reading over this qualification in
> sudo(8):
>
> '... as specified in the sudoers file ... '
>
> it is an objective *fact* that you are illiterates.

It's total bullshit to compare a system that's been locked-down via the
sudoers file with what *most* people will be using.
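[Added example, not part of any post in this thread.] The two terminal sessions above differ only in what the sudoers policy grants, so the thing to audit is whether a given account's entries let its shell run as root. The Python sketch below is a simplified check written for this page: the three policies are constructed samples, the function names are hypothetical, and it assumes one runas spec per line and ignores host matching, aliases and include directives.

```python
import fnmatch
import re

# user-or-%group  host = (runas)  [TAG:] command, command ...
RULE = re.compile(r"^(\S+)\s+(\S+?)\s*=\s*(?:\(([^)]*)\)\s*)?(.+)$")
TAGS = re.compile(r"^(?:[A-Z_]+:\s*)+")  # e.g. "NOPASSWD: "

# Constructed sample policies (not copied from any distribution).
PERMISSIVE = """
Defaults env_reset
root    ALL=(ALL) ALL
%admin  ALL=(ALL) ALL
"""
LOCKED_DOWN = """
root ALL=(ALL) ALL
gast gareth=(root) /usr/bin/apt-get update, /sbin/reboot
"""
SHELL_BLACKLIST = """
%admin ALL=(ALL) ALL, !/bin/bash
"""


def _who_matches(who, user, groups):
    if who == "ALL" or who == user:
        return True
    return who.startswith("%") and who[1:] in groups


def _cmd_matches(spec, shell):
    """True if a sudoers command spec covers running `shell` with no arguments."""
    tokens = spec.split()
    path, args = tokens[0], tokens[1:]
    if path == "ALL":
        return True
    # Equal slash counts keep a wildcard from spanning directory levels.
    same_depth = path.count("/") == shell.count("/")
    if not (same_depth and fnmatch.fnmatchcase(shell, path)):
        return False
    # A bare path allows any arguments; '""' allows only the no-argument form.
    return args == [] or args == ['""']


def may_root_shell(sudoers_text, user, groups, shell="/bin/bash"):
    """Would `sudo -s` give this user a root shell under this policy?"""
    verdict = False
    for raw in sudoers_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("Defaults"):
            continue
        m = RULE.match(line)
        if not m or m.group(1).endswith("_Alias"):
            continue
        who, _host, runas, cmds = m.groups()
        if not _who_matches(who, user, groups):
            continue
        # No runas spec means root; otherwise root must be listed (or ALL).
        runas_users = (runas or "root").split(":")[0]
        targets = {u.strip() for u in runas_users.split(",")}
        if not targets & {"ALL", "root"}:
            continue
        for spec in cmds.split(","):
            spec = TAGS.sub("", spec.strip())
            negated = spec.startswith("!")
            spec = spec.lstrip("!").strip()
            if spec and _cmd_matches(spec, shell):
                verdict = not negated  # sudoers: the last match wins
    return verdict


if __name__ == "__main__":
    print("permissive, admin member:", may_root_shell(PERMISSIVE, "zeke", {"admin"}))
    print("locked down, gast:       ", may_root_shell(LOCKED_DOWN, "gast", {"gast"}))
    print("blacklist, /bin/bash:    ", may_root_shell(SHELL_BLACKLIST, "zeke", {"admin"}))
    print("blacklist, /bin/sh:      ", may_root_shell(SHELL_BLACKLIST, "zeke", {"admin"}, "/bin/sh"))
```

The last case shows why excluding one shell from an `ALL` grant is not a restriction: any other shell path still matches, so a lock-down has to list what is allowed rather than what is denied.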


Peter Köhlmann

Nov 26, 2008, 12:05:56 PM
Hadron wrote:

Except it is *not* available on any distro by default. And anyone enabling
it that way should be tarred and feathered.



> You have been 0wned. Accept it like a man and move on.
>

You try to keep a strawman alive. Does not work.
--
Another name for a Windows tutorial is crash course
