Linux and the Smile.D Virus keeps us Smiling
pstreck writes "News Forge is running a humor filled satire on the recent Smile.D cross platform virus. It's a good read and just another reminder of why that other operating system needs to figure out a new security policy."
There is a whole privilege system there, unfortunately, it can't be used by many people right now because of some brain dead applications. Quite a few programs won't run as anything other than administrator. Over time, once the apps get replaced, Windows will have a more viable security system, which will hopefully prevent many of these types of problems.
I got coveted frist prost. Not you. hahahah wanker
Obviously Linux does not have the same problems as windows, and it is designed in a way that it should always be more secure. But, isn't this just the beginning of viri now that a significant amount of people use alternative operating systems like Linux? Are there any good virus protection programs for Linux? If so do they compare to Norton?
I have been under the illusion for many years that an "operating system" was supposed to be in charge of the machine AND the applications which run under it.
If a few "brain dead applications" can screw up the "security policy", I'd suggest that perhaps the term "security policy" is misleading.
Everyone should upgrade security fixes, but are these upgrades start at something like $500 for a new fully licensed version of Microsoft Office and just go from there? Upgrading when having to deal with licenses and required upgrade programs does not seem like too much fun for me.
If only a Windows computer had an easy upgrade like Gentoo Linux that could be typed in one line:
make -u world
- YOU HAVE NOW RECEIVED THE UNIX VIRUS -
This virus works on the honor system:
If you're running a variant of unix or linux, please forward
this message to everyone you know and delete a bunch of your
files at random.
If tits were wings it'd be flying around.
Than THAT guy? I've never had a virus for longer than one day, and that was when someone else opened an email on my computer. I run XP, it's not too hard to be smart. It's an unfair comparison with Linux and Windows because most of the people using Windows are basic users. But also with Windows, you can be an advanced user. With Linux, you practically have to take a class to use an OS where the benefits don't outweigh the minuses.
Linux and the Smile.D Virus keeps us Smiling
That pun would work better if it was actually called the Smile.D Virus.
Symantec and ZDNet appear to call it Simile.D.
Did it ever occur to you that maybe linux doesn't have viruses because nobody cares about linux? That maybe there is something you are missing in the fact that there are hundreds of millions of people who are more willing to pay for Windows than get linux for free? That maybe calling people who don't use linux morons isn't the best way to attract users?
Linux does have potential, and has made great strides in a short time, but until the community gets past its attitude problem, it will be self-limited to a niche of geeky tech boys. Linux is too difficult for end users, and yes it has bugs. Rather than calling the users stupid for not being able to patch the code, why not get busy and fix the bugs, and do a little usability testing after.
NT has a much more advanced (and better) security model than Linux. But it doesn't do much good when people happily login to their computers using administrator accounts because some dumbass program wants administrator privileges.
Windows needs a new security policy.
Linux needs a clipboard.
The funny thing is, a clipboard seems simple by comparison.
Which will appear first?
Writers imply. Readers infer.
It's all fun and games til someone loses a drive.
The day before I heard about said virus, I stopped logging into my computer as root for normal usage. I'll keep this in mind as a warning.
Now, I don't know much about Linux's inner-workings so for all I know it could be the best thing since sliced bread. But I have to ask: what makes Linux so much better than any other OS that it warrants its users having such a snarky attitude?
Could you elaborate on 'much more advanced' for me? I've never used NT...
http://students.washington.edu/djwatson
Haven't tried myself but from what I've read it seems that the whole Lindows thing is running as root all the time.
This must be a feature. You can't emulate the total Windows experience unless you are susceptible to every random virus that comes along.
Why won't you wait long enough to let me read the links before slashdotting a site? No matter, Google cache here
The problem isn't that a few brain dead applications can screw up the security policy. The problem is that a few brain dead applications are written with the assumption that there is no security policy, and thus are prevented from running when one is in effect.
Lost: Sig, white with black letters. No collar. Reward if found!
Lured by its low cost, I replaced Windows 98 on my computer with Linux.
Man, I think you need to examine how much your time is worth.
An already installed, already paid for, already functioning operating system cannot be undersold.
Writers imply. Readers infer.
The difference between Linux and Windows is that anyone can sit down, install Windows and get email.
With Linux, there's a steep learning curve. You've had to invest dozens of hours of free time by the time you have networking and a scriptable mail client configured.
The types of users who are spreading Windows mail viruses are the types who would never even be able to configure and run Linux.
If you think that's something to be proud of, you need to stop and think about that for a minute.
He Who Is Without Sin Should Cast The First Stone
I personally felt the article was childish. Windows has a lot of malware that takes advantage of gullible users by sending them deceptive emails with enticing attachments. Linux on the other hand typically has more savvy users. However pointing and giggling is what I'd expect from teenage high schoolers flush from the rush of their first kernel compilation and not a supposed journalist like Roblimo.
PS: Yes, I work for MSFT. Yes, I run both Windows and Linux at home. Yes, I've been hit by a Windows virus once (CodeRed off of a web page) and had my RedHat box r00ted twice before I learned the hard way.
First it was obvious it was a prank. Released somewhere the same date as McAfee and Microsoft blabbed about tightening security of windows (if you can't make one better, then make others worse, just put a good commercial and that's it)
Now, I'm humored. I guess even viruses don't want cross platform portability. I Guess, "that kind of lame job stays for dull products like mozilla and openoffice."
The last hope is gone, and now, with lack of viruses, we non-win users should send something like this to each other
"this is a virus, if not, you just pretend that you don't know, set your alarm clock to 5th every month at 4:36AM, on that time log in as root and delete all files from your hard drive. In the morning when youu wake up start bitchin' where your files have gone. BUT BE PROUD, YOU'VE GOT VIRUS LIKE THE REST OF THE WORLD"
Signature Pro version 1.13.2-3 release 83.5 beta3try7 after-breakfast edition
Are there any good virus protection programs for Linux? If so do they compare to Norton?
As far as compability go I don't think there is one no. Maybe they can handle 5 or 6 viruses, but that's it.
While many Linux advocates prefer installing purely with a text based installer and do not use autoprobing, one can get Linux installed much more easily than Windows. Windows will eat up your whole harddrive and many times it just is unwilling to install. I have never had a problem installing with the Redhat installer. In addition, using email is much easier with Linux, it's built in!
That's "more advanced" in the sense of "so complicated no one can really be bothered to figure it out and use it as intended". [Ambiguity intentional.]
Get a copy of Webster's Dictionary and look up 'irony'.
But that doesn't mean that the Linux security model is perfect - it just means that the Smile.D virus writer was too lazy to actually try to get root on the Linux boxes the virus gets exposed to. Consider the following facts:
- Local root holes are everywhere on a Linux box. Most
distributions, especially Red Hat and SuSE, install literally dozens of
setuid-root applications. Most of these applications are completely
useless to the average person, and serve only to open up holes in system
security.
- Setuid root applications are a necessary evil because the UNIX
security model is outdated. Need to change the system time? How about
binding to a low-numbered port (hello Apache and fingerd)? Or making files
immutable? Or mounting a floppy disc? Every single one of these
operations requires root privilege, either by the user or by the command a
non-root user invokes. The more paths to root there are on the system, the
more potential holes exist.
- Remote root holes are everywhere. Ever run wu-ftpd? Or sshd?
Or BIND? Or rpc.statd? You probably do, but the average Linux luser
doesn't even realize it, and doesn't waste their time playing sysadmin and
keeping up with patches constantly. So she will have no idea why her
system was 0wned and is being used to run an eggdrop bot on dalnet. At
least Microsoft has the sense to ship systems with unnecessary services
disabled.
I once saw source code for a worm written by several Polish nationals. This worm was able to exploit weaknesses in Linux systems to gain root access and spread. Don't think it can't happen just because the Smile.D author was an idiot - or else you will be rudely awakened when it strikes./fug
Throw off the shackles of copyright law.
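The comment above argues that every setuid-root program is a potential path to root. As an added example that is not part of the thread, this sketch inventories setuid files owned by root under a directory and compares them with an earlier snapshot; the function names and the JSON snapshot format are assumptions made for the illustration.

```python
#!/usr/bin/env python3
# Added example (not from the thread): inventory setuid files owned by root
# and compare them with an earlier snapshot. Function names and the JSON
# snapshot format are assumptions made for this illustration.
import hashlib
import json
import os
import stat
import sys


def is_setuid_owned_by(st, uid=0):
    """True for a regular file that has the setuid bit and belongs to uid."""
    return (stat.S_ISREG(st.st_mode)
            and bool(st.st_mode & stat.S_ISUID)
            and st.st_uid == uid)


def sha256_of(path):
    """Hex SHA-256 of a file, or None when it cannot be read (e.g. mode 4711)."""
    digest = hashlib.sha256()
    try:
        with open(path, "rb") as fh:
            for chunk in iter(lambda: fh.read(65536), b""):
                digest.update(chunk)
    except OSError:
        return None
    return digest.hexdigest()


def scan(root, uid=0):
    """Return {path: sha256-or-None} for setuid files owned by uid under root."""
    found = {}
    for dirpath, _dirnames, filenames in os.walk(root, followlinks=False):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: a symlink is never reported
            except OSError:
                continue  # entry vanished or is inaccessible
            if is_setuid_owned_by(st, uid):
                found[path] = sha256_of(path)
    return found


def compare(baseline, current):
    """Classify the differences between two snapshots."""
    return {
        "new": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
        "modified": sorted(p for p in current
                           if p in baseline and current[p] != baseline[p]),
    }


def main(argv):
    # usage: audit.py ROOT            -> print a snapshot as JSON
    #        audit.py ROOT SNAPSHOT   -> print differences, exit 1 if any
    if len(argv) not in (2, 3):
        print("usage: audit.py ROOT [SNAPSHOT.json]", file=sys.stderr)
        return 2
    current = scan(argv[1])
    if len(argv) == 2:
        json.dump(current, sys.stdout, indent=2, sort_keys=True)
        return 0
    with open(argv[2]) as fh:
        diff = compare(json.load(fh), current)
    json.dump(diff, sys.stdout, indent=2)
    return 1 if any(diff.values()) else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run as root so that unreadable directories are covered; a "new" or "modified" entry is a privileged binary that appeared or changed since the snapshot was taken.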
$ rm -f -r /
rm: /: Permission denied
I can't even get the unix virus! I'm such a luser.
Ya know, for the longest time, I really thought that the only thing the /. editors could do was post links to other articles (they sure as heck can't be bothered to run ispell). Every once in a while, though, I see something like this. I'm not saying that this was a brilliant piece of journalism or even satire, but at least roblimo can write a real article (where "real article" is being very generously applied to something that only has 23 sentences in it). Why doesn't this happen on /.? It happens on newsforge....
Just wondering.
1) Any of the Windows viruses/worms that are of the "double click the attachment" variety would work just as well on Linux as they would on Windows, were there more "Windows users" using Linux. They modify/damage user files and replicate themselves though email... who needs root to do that? I think the main reason you don't see as many of these is 1) the ratio of Windows desktops to Linux desktops is very large, and 2) Linux users usually know not to touch attachments like this. So if you're a virus/worm writer, why bother with Linux at all when your code can spread 100 times as fast though the Windows systems?
2) That comment about a Linux virus being easier to clean up is a bunch of crap. I've seen plenty of novice Windows users try to remove viruses from their system using instructions and fail, and it's not because "there are no hidden files." It's because manual removal of viruses on Windows usually involves using system utilities and commands that most Windows computer users have never used before (regedit, command prompt.) Sure, the instructions are easy to follow for Linux... it's because you're a Linux user, and have to use the equivalents of these Windows utilities in every day tasks anyway.
3) "So it looks like the old dream of Linux eventually overtaking Windows and becoming the world's most popular operating system will never come to pass..." Well, if Linux was to become easier to use for the users who suffer from attachment-clicking syndrome, and who don't have the skills/balls to follow clean-up instructions, suddenly Linux will be a lot more popular, will see a lot more viruses, and virus scan software will still be business as usual.
I don't even know where to begin. Should I begin by saying that calling people "morons" because these people don't immediately reformat their computer and install Linux is a bit of a stretch? Or should I point out that Lindows automatically logs users in as root on their Linux boxen? Or should I wonder aloud how Roblimo would like programmers to make money if not by making useful utilities like virus scanners?
This whole article takes the disgusting tone of insulting people who obviously aren't as "smart" as the article's author. I find this elitism disgusting, and frankly, embarrassing to the greater geek community.
How many of us are quick to insult people who don't know the difference between root and another user? How many of us call the repair guy because we don't know how to repair the air conditioner, refrigerator, or our car? Would you like it if your mechanic said, "I can't believe you don't know the difference between 10W30 and 10W40. You're obviously a moron."?
Face it, folks, not everyone wants to be a computer expert. Not everyone wants to get involved in flamewars like vi vs. emacs or Linux vs. Windows. They just want to turn on their computer and have it work. And with any operating system, those same people will have to learn how to maintain it by applying patches (just like you have to maintain your car by taking it in for maintenance every so often.)
The fact that this article is categorized as "humor" doesn't make the elitism any less inherent. We should be educating people about the importance of software maintenance, not bashing them for being "morons" because they don't want to know the technical stuff. To most people, computers are a tool to get a job done, not a religion. Windows makes it easy to do most jobs. Therefore, most people are pretty happy with Windows.
Mod me down if you wish. I have 50 karma and I don't care much about karma ratings anyway. But I think this is important for a lot of geeks to understand -- just because we may have more technical knowledge does not give us the right to call people with less technical knowledge "morons" -- humor category or not.
Simpli - Your source for San Jose dedicated servers and colocation!
Yes, pay $XXXXX for a no warranty bugs-non-free security patch for a fucked-up system,
It can be called more-advanced-sophisticated-reselling-no-warranty policy
Blah blah blah Windows bad.
Blah blah blah Linux good.
Blah blah blah idiots use Windows.
CmdrTaco posted this? I'm so shocked!
This article is not satire, it is not original, nor is it well written.
I wish I could moderate CmdrTaco down for being a troll just once.
SetupWeasel
An OS with 95% of the desktop market is "that other operating system".. ok.
When most people, including most people on slashdot, run windows, I don't think you can call it "that other operating system".
No.
Get a copy of Excel and run it on Linux.
Writers imply. Readers infer.
Ever since segfault's demise, I've been longing for articles like this. Sorry slashdot, but sometimes fake news just don't match up to the real thing.
Howz about some of yous guys start a fake news site (preferably not sponsored by our dear friends from Redmond).
There was the famous Internet Worm which infected a bunch of different Unix versions. Pretty famous story. There was the famous DoS attack on Yahoo and Ebay. Was it mounted from Windows boxes?
Stupid article, if you ask me.
I passed the Turing test.
It's like a black guy wanting to be a jewish.
The operating system provides the mechanisms
for security (and Windows NT/2K/XP does) but
this doesn't help if applications don't make
use of the mechanisms, by insisting on running
in a privileged mode for example. Just the same
problem can exist on UNIX systems.
OK. Linux is not that safe from certain types of viruses (such as the lion worm, etc).
In all fairness, saying that there are Linux viruses is like saying that the Concept virus was a Windows virus. I am not aware of any Linux virus (that attacks the system using vulnerabilities presented by the Linux kernel). Usually other programs are the source of the risk.
The issue of security from viruses is similar to the issue of security from hackers. It is a never-ending battle, and network services are points of attack. Some pieces of software are better than others at controlling the degree of compromise resulting from their failures. That is all.
LedgerSMB: Open source Accounting/ERP
Do any of the mods (besides the first mod) have any humour section in their brain? Mod parent Up!
Think nothing is impossible? Try slamming a revolving door.
People that have only drank Bargs Rootbeer always say it's the best before even trying IBC Rootbeer (which is the best). I can't stand people that do that, why don't you try them both before spouting out worthless opinions. And if you can't figure out how to open the bottle to try it then we don't want your opinion.
*DrugCheese rants*
Here we go again! Let's laugh at people who think "that Bill Gates deserves their money", let's laugh at people who buy anti-viruses, let's laugh at Windows while we're at it, and of course, let's praise our wonderful unbreakable operating system. Ah! This virus fails to infect me, viruses are so ineffective against l33t linux! Nobody can root me, nobody can root me!
Am I the only one not laughing? Am I the only one watching with, not fear, but interest and attention, the great innovations being done in the field of the Linux viruses?
We have a virus that can infect both Linux and Windows binaries. A virus that can try to infect a Linux box from a Windows box. A virus that is extremely hard to detect and destroy on Windows. Sure, it doesn't work well enough, yet. It's, after all, only the third generation virus. But it is nevertheless a great technical achievement, a new milestone release, a step towards havoc.
When these viruses will be able to infect a Linux partition from a Windows partition, or a Windows partition from a Linux partition, each time bypassing the security and anti-virus of the operating system it is infecting - hey, the OS is not even running! - will you laugh that much? Nobody can root you? And what about a virus that has ext2-level access to your root partition? Yes, from Windows? Who is 100% Windows-free? Who never has two OSes on the same machine?
Virus authors are showing a growing interest in Linux, and as more and more viruses are able to spread on Linux, more and more anti-viruses Linux will need. You might not like it, but it seems unavoidable to me. And if you really hate the anti-virus companies, start an open-source project. Now.
Let's come back to this discussion in a couple of years. And we'll see if you were right to laugh. I hope so. I don't believe it.
Not really a humor-filled satire, on first glance. More like another bitter "why doesn't everyone use Linux like me" article from Robin (not that I would have suspected anyone else). I suppose you could call it extremely blatant, utterly obvious sarcasm, but satire would be putting it on a pedestal.
There is in fact more evidence: one popular distribution is called Mandrake, a word with many devilish connotations. Another is Red Hat; guess whose hat and why the color is red.
I thought Mr. Taco was referring to OpenBSD.
NT has privileges (so users don't need to be
root to do certain operations), access control
lists for all objects, more than 32 groups for a
user, impersonation (so a server can take on the
identity of a connecting user and do operations
on their behalf).
True, but you can make a special user account that only has the privileges the application(s) need. Let them run local only, with difficult PW's. And, you can always set a service not to "interact with the desktop".
my 2 cents....
That's a mighty big we.
Don't forget that there is more than one kind of root beer. I can even make my own. That doesn't mean that I get mad when people prefer a particular kind of root beer. I just don't like it when they think that because they like what they like that I haven't tried, and dismissed, their brand of choice.
Oh, and there's no g in Barq's
Writers imply. Readers infer.
Except some programs WILL NOT run without admin rights. They require them to run.
You dismiss my brand of choice and say its inferior to yours. You cannot say that without trying them both. I can since I have tried them both. Yours sucks ;)
*DrugCheese rants*
We've seen a lot of it over the years from Microsoft and other major companies, but the people who once used to rally it no longer carry it on their news sites, but they actually have become a source of FUD as well.
OK. So this was posted as humor. But somehow it didn't read as humor. It read as an article that claims you need to spend money to prevent viruses on Windows while you could run a virus free linux system by just pumping an 80 IQ.
On Windows you're likely to get a virus from one of two places, either installing software or running software that allows scripts in its data files.
Both of these are easy enough to defend against, however, it seems like it's not in the best interest of the Linux community to let that be known. A little Fear, a little Uncertainty, a little Doubt is a much better weapon.
And when it's over, the truth is that had this been presented as a factual article on how simple it is to remain Virus Free on a Linux system, it wouldn't have even been read by many, nevermind submitted to Slashdot.
After all, FUD sells. It just doesn't make me proud to belong to the community selling it.
No Zen is good zen
Warning, the bsd daemon likes to rape penguins!
I don't understand what you're talking about!
By not releasing their source code, Windows is impenetrable! There's no possible way to know how their systems work without releasing the code behind it.
Next thing you know, people will be saying the operating system crashes all the time!
Silly people!
"PC Load Letter? What the $@#% does that mean?!"
It wouldn't surprise me if *they* wrote that stupid worm.
there's no place like ~
Not that I have anything against Linux, but we can't afford to be smug about security issues.
I've been a techie for many years, but have shied away from Linux. Sure, I've used an old version of Slackware as a Web server or as an IP masquerader here and there, but never tried to use it as a workstation.
The other week, I decided to give it a go. I put a Redhat 7.0 (the latest Linux I had in the house at the time) CD in and got on with it. Very very easy setup! Less hassle than Windows, and certainly quicker. Copying files seemed to take longer, but, you've gotta remember that Windows spends at least 20 minutes restarting itself and setting up all sorts of crap after the files are copied.
So, yeah, I'm no Linux zealot, but they've come along in leaps and bounds on the interface front. Although.. I had to edit a few config files to get my network card working, so it's not for a typical user either JUST yet..
mogorific carpentry experiments
Well, now, lessee...I've used DOS, Windows 3.11, Windows95, Windows98, Windows 2000 Professional, Windows 2000 Server, Windows XP Home Edition, Windows XP Professional, FreeBSD 4.5, and Mandrake Linux 8.2
Yes, I've used a good number of Windows packages, and not too many Unix variants. I've also only used a pathetic newbie distro like Mandrake. Such is life.
I run a smallish website that sees a fair amount of traffic. I use a SQL Server backend with IIS serving - I've had it running on Apache and PHP and it sucked. Mod_Perl was just plain evil. I thought about using MySQL, but I have actual respect for my data. PostgreSQL was an option, but I wasn't in the mood to fuck with it.
I'm happy. Maybe a thousand people a day hit the site, spend some time there, and get what they need. No one has broken in and no data has been vaporized.
Slashdot got me all hot and bothered to run an Open Source OS. I installed FreeBSD and set up IBM's DB2 (using Linux binary compatibility) under a development license. I hated it.
I switched to Mandrake, which was pretty, and I hated it.
I realized that I actually liked the setup I was running, and quit blowing my free time on screwing around with the clones.
Funny thing, though - I am currently partitioning a spare laptop to use as a FreeBSD development station. I spent the morning browsing Postgres, and decided to take a crack at some development.
Writers imply. Readers infer.
1. The steady transition of Linux from a "geeks only" OS to a corporate mainstay. This will make Linux a more appealing target.
2. The arrogance of those who think that Linux isn't vulnerable.
For all intensive purposes, "whom" is no longer a word. That begs the question, "who cares"?
By far, Virgil's is the best. Check out www.bevnet.com for details if you've never heard of it before.
When are you (people) going to understand that /. is openly and deliberately biased towards Linux and open source? This is something you should accept or go away to some Windows forum. The majority of /. readers/posters are people who have already made up their mind that Linux is superior in many ways to Windows. Also, there are enough grandmothers and small children using linux that I think it's safe to say that if you can't use it you are a moron/lame.
Undastando?
Samsung took back my unlocked bootloader because Google wants me to rent movies. They're both evil.
Exactly. And how would firemen make money if they didn't have devastating three-alarm fires to put out? Nobody ever thinks this through when they talk about improving building code.
Don't buy this ignorance. There are 100s of local exploits on linux and even a few local exploits on OpenBSD discovered every year. All this dude had to do was add in a privilege escalation attack, and boom it's a full-fledged linux virus. But it was merely a proof of concept of a virus that A) is hard to detect and B) is cross-platform. Get your heads out of your asses, this means something. It means you are no longer safe from viruses just because you run linux. Not that you ever were - this only means that virus writers have begun to look at linux machines as possible targets.
Use tripwire, folks.
Unix was designed from the beginning as a multi-user system, in which security was needed. Windows was designed as an easy to use consumer OS, then security was needed as it grew. Securing an already existing system always leaves room for gaping holes. Security isn't just another buzzword, but I'm sure the Microsoft Marketing juggernaut will make it one soon. "Windows .NET Server, now with Added security!"
I've been reading the articles about this virus for the last 10 minutes and I just realized that its name is Simile and not Smile. Plus I admit that I login as root a lot. And all along I thought my IQ was over 100. Bummer.
(B) + (D) + (B) + (D) = (K) + (&)
Buh??? Why would you need to write a virus to do this, most linux boxes out there have lots of stuff you can exploit to get root yourself.
The article said that Roblimo knows zero people who run as root, therefore there's no virus trouble.
I in fact, know no people who run Outlook. Therefore there are no windows virus problems. So what's all this showing up in my mailbox?
Mod-up parent.
I hate to think just how much time I've wasted trying to configure various Windows applications to run with minimum privilege. Developers either don't understand the security model or just don't care about designing software with security policies in mind, leaving admins stuck with software that is a major headache to lock down appropriately.
This whole was essentially one big flamebait factory.
-B
Lots of address processing programs for mailing lists are like this. Try running Melissa Data's Mailers+4 on NT. Ha!
Lots of fund raising and endowment management programs also require full admin privs, too, and these are not cheap programs. Blackbaud's Raiser's Edge starts at 6 figures - uses Oracle - is not pretty, either.
Have you read this article? It's not funny unless you think "of course, Linux doesn't get viruses" is funny. 'Cause it says that about a million times.
Since when do twelve year old kids write on Newsforge? He says: "and I assume that once they've gotten the idea (from where I do not know) that Bill Gates deserves their money more than they do"
:) Just pathetic.
Where does he come from? I paid $300 for my monitor, does it mean that oh I shouldn't pay them, I better keep the money to myself?
As usual, when you can't beat MS, troll away
CmdrTaco, don't post sucky articles for your sucky friends just because they ask you to. Read the sucky article yourself first. It sucks.
Now do you see how non-constructive criticism feels?
-bugg
NT security model is too complicated: A lot of specialized privileges (like load/unload device drivers, bypass file security to make backups,...), Access Control Lists (ACL) to control access to files and the registry...
This complexity makes both administrators and developers (not to talk about end users) mess everything very easily.
It should be noted that the default Windows mail client almost automatically executes attachments (double click on an inconspicuous icon), while on Linux, you will usually have to save the attachment, then manually execute it. So, no, that variety of viruses wouldn't work just as well.
How does this Simile.D "virus" propagate itself on Linux systems? After reading the symantec description, I still don't know.
"How many people do you know who habitually run their Linux systems as root?
In my case, the answer is 'zero.'
So that's the end of that."
Woah, not so fast there, buddy.
Lots of the newer "user friendly" Linux distributions like Mandrake and Lycoris allow Linux newbies to install the operating system without creating a separate user account. Worse yet, some of them allow the root user to have NO password at all! As these Linux distributions get more popular and easier to use, you can expect more and more computer newbies who don't understand computer security to leave their systems logged in with administrative accounts with no passwords to protect them.
One of the main reasons that Windows is vulnerable to virus attacks is that its users often aren't as security savvy as *NIX users are. All it would take is a few thousand home users running Linux logged on as root without any passwords or security patches for a Linux virus outbreak to become a reality.
Win2K certainly has more variety in the types of access that may be granted a user, but when *one* application requires full access to WINNT\SYSTEM32 you can kiss your security model goodbye as there is usually no way you can grant access to the application itself and must instead give the user full access. Been there done that, M$ security models are a joke and a bad one at that.
Fortunately, this probably will never happen. Not because it's technically impossible, but because all the programmers with that kind of skill are mature and ethical. If you look at the biggest viruses we've had, almost all of them are dysfunctional and poorly written, and obviously the product of an immature kiddie.
Now, my point: IMHO, there's only one thing protecting Windows from highly destructive viruses, and the Unices from any viruses at all. It has nothing to do with the technical merits of the system, or the tech-savviness of its users, neither of which can stop a well-written virus (there will always be a hole somewhere). The key factor is the honor of the programmers.
Different communities aggregate to different OSes, and warez kiddies and hax0rs seem to me to exist almost entirely in the Windows world. The reason Linux doesn't have any viruses is because nobody is trying to write any. Until this changes, I don't expect anti-virus software for Linux to become necessary anytime soon.
How many people do you know who habitually run their Linux systems as root?
Overall the article was good. I agree that now with StarOffice, Mozilla, Ximian, the nearly 2 click install from SuSE 8, etc., there really is no good reason to deal with all the Windows BS. Anyways, the one problem I had was that Roblimo was talking about the average Windows user. And I believe that the average Windows user would be a lot more likely to run things as root than learn how to use sudo. How many install instructions say:
Become root, then run: make install
Without people knowing what that means and why it can be bad, their systems are just as easy a target for viruses as Windows computers. Either way, it's an education thing.
http://www.solucorp.qc.ca
Create a virtual server, in which you'll do all your "dirty internet" work, such as e-mail, running new programs, etc.
It will have no effect on your "production" virtual server where you store your important documents and other stuff.
If you are paranoid enough, you can check your virtual servers from the parent server using secure (out of virtual server access) rpmdb.
You can be root on any of those servers and be secure anyway!
Duh. Double Duh To The Moderator Who Thought Your Post Was Insightful.
You won't be smiling when you die of AIDS, queer boy.
All that security, ruined by the fact that Grandma Root will still wipe out the system when she runs the virus. (User Accounts That You Create During Setup Are Administrator Account Types)
What time is it/will be over there? Check with my iPhone app!
rm -rf ~
THIS is exactly the mindset that keeps us from getting a common cut-and-paste infrastructure between different apps.
For some reason I find that a computer is a tool not an appliance that is as easy to operate as a dishwasher. Thus when I first started learning computers in the early 80's on VAX machines along with some of the early programming languages. I found unix to be much more of a tool than when microsoft started to dumb down the amount of knowledge required to use computers and started to define how it should be used and try to shut out other OS's from the market. Thus linux is a much better tool and OS than Windows due to windows usability that is predefined by microsoft. Linux is really not as hard as some portray it to be. It's just because microsoft has leveraged their interface to make it non conducive to use your brain and actually know what is going on. If that is what you want your OS to do then windows is for you. By the way the modern Linux distributions these days can actually install and be online with email in 40 minutes or less with little user knowledge or interaction.
MY
$.02
but
makes for a good flame war.
I was about to mod you up, but I decided it would be better to add to your comment.
I'm the IT manager of a medical laboratory and I suffer from this very same problem. Our software vendor has written DB software that MUST not only be run as administrator on the server, but the server must ALWAYS be logged in as admin to function correctly.
This is just crazy -- and as a small/medium sized company, we're pretty much locked in to this proprietary package due to the cost of migrating. I've managed to lock down the workstations to compensate, but god help us if someone ever gains access to the server room or the server itself.
I second the previous user -- mod the parent up!
-jhon
You are an idiot. What he meant to say is that some programs for Windows which are meant for general use by all users were written like a "this application must be run as root" UNIX application.
So just hit Ctrl-Alt-Del and click "Lock Workstation"
Geez, I almost feel like trying Linux and running as root just to get a virus...any virus!
Yes, it's just so complicated. Here is an example of a few of the available group policies:
"Access the computer from the network"
"Allow logon through Terminal Services"
"Change the system time"
"Create a pagefile"
"Deny access from the network"
"Deny local logons"
"Deny logon through Terminal Services"
"Force shutdown from a remote system"
"Load/unload device drivers"
"Logon as a service"
"Logon locally"
"Perform disk volume maintenance"
"Shut down the system (locally)"
"Take ownership of files and other objects"
Wow, if those aren't in plain English I don't know who can't figure them out. NT's security model is very complex, yes, but very capable as well. It just so happens that the crack dealer under the Longfellow Bridge is selling MCSE certifications for $5 a pop as well, so MCSE's are a dime a dozen. If you're looking for a good NT admin, you need to look hard. Just the same reason you won't hire that 17 year old who "has 12 years UNIX experience."
It should be noted that, under Windows, the OS tries to execute files simply because they are named in a certain way, such as having ".exe", ".bat", ".js", ".vbs", etc. at the end.
Whereas under unix, simply renaming any old file with a ".exe" at the end does not cause the OS to try to load and run it -- "execute" is a specific flag and permission that must be set and granted.
So "just clicking on attachments" will never work under Unix (barring an exceptionally retarded mail client -- and please don't bring up the old, and fixed, Pine buffer overflow; it's not the same thing), and will always work under Windows.
Until MSFT changes this (and how about killing those retarded drive letters while you're at it?), virus, worm, etc. problems will be common on Windows.
Napster-to-go says "Fill and refill your compatible MP3 player", which is a lie. It's not MP3. It's WMA with DRM.
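The difference described in the comment above, shown as an added example (not from the thread): a file named like a Windows program is refused by the kernel until an execute bit is set, and a small audit helper lists the files in a directory that carry one. The file name, script body and helper names are constructed for the illustration.

```python
import os
import stat
import subprocess
import tempfile

# Constructed, harmless stand-in for an attachment saved by a mail client.
SCRIPT = "#!/bin/sh\necho attachment-ran\n"

ANY_EXEC = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH


def try_exec(path):
    """Ask the kernel to execute `path` directly, as a launcher would."""
    try:
        done = subprocess.run([path], capture_output=True, text=True, timeout=5)
        return "ran:" + done.stdout.strip()
    except PermissionError:
        # execve() failed with EACCES: no execute bit, whatever the name says.
        return "denied"


def executable_files(directory):
    """Audit helper: regular files under `directory` with any execute bit set."""
    hits = []
    for root, _dirs, names in os.walk(directory):
        for name in names:
            full = os.path.join(root, name)
            mode = os.lstat(full).st_mode
            if stat.S_ISREG(mode) and mode & ANY_EXEC:
                hits.append(os.path.relpath(full, directory))
    return sorted(hits)


def demo():
    """Save an 'attachment' as rw-r--r--, try it, then grant execute and retry."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "invoice.exe")
        with open(path, "w") as f:
            f.write(SCRIPT)

        os.chmod(path, 0o644)            # how a saved attachment normally lands
        before = try_exec(path)
        audit_before = executable_files(d)

        os.chmod(path, 0o755)            # the explicit step the comment refers to
        after = try_exec(path)
        audit_after = executable_files(d)
    return before, audit_before, after, audit_after


if __name__ == "__main__":
    print(demo())
```

Running `executable_files` over the directory where a mail client saves attachments is a quick check that nothing there has been given execute permission.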
Bill Gates was sitting in his office one day. "If I could have a penny for every time Windows crashes," thought Bill Gates to himself as he reached for his calculator, "...wait a minute... I do get a penny for every time Windows crashes!"
Whoever marked this flamebait didn't read the entire post- the whole point was in how Taco here posted a story that was flamebait. Or did you not notice the comment about non-constructive criticism?
"that other operating system" has a USB driver that actually works.
"that other operating system" supports my scanner, my DVD+RW drive, my 1394-enabled camera, and shitloads of other stuff which at this rate probably won't ever work as well on "this" operating system.
Don't kid yourself... the fact attachments take several clicks to open rather than one doesn't make this type of virus less potent.
The body of the email can always provide instructions on how to run the file. *IF* Linux becomes more popular on the desktop, converted Windows users will probably find themselves working around restrictions and differences between Linux and Windows to do a lot of things.
There's nothing stopping anyone from writing a Linux email client similar to Outlook that allows one click opening of executable attachments. And there's nothing stopping software that's easier to use from becoming the most popular... and then say hello to viruses and worms.
Agreed, but you cannot blame windows for faulty software design. Also, .NET apps supposedly have a very fine-grained security policy (haven't messed around with it as of late), so applications can request privileges as they need them and only for those areas it needs.
why run from Vincenzo?
The only truth in this article was that people, in general, are ignorant when it comes to computers.
Yes, there are plenty of people who just want to "turn it on" and have it work, but you boot up and DHCP a public addy via a cable modem/xDSL line, you ought to at least be *aware* of the potential for abuse. And that goes for both Linux and Windows. We won't discuss this fact with dial-up users but they don't get it either.
At least my grandmother (85 year old grandmother) has an excuse. As long as she can e-mail and browse she really doesn't want to know anything else, so I'll take care of that for her. But that's a different situation. Most of the time we're talking about people who have at least a limited knowledge of computers and should be able to understand these things. The least the Cable/DSL providers could do is include a picture and a little description of what the hell they're getting into.
I run a switched network at home with a firewall that's solved most of my problems. But my father's hooked straight to a cable modem and until a month ago when I told him he was vulnerable he had no clue.
And that is the real problem. Because users in general (1) don't patch and/or (2) don't even realize they're "on" the Internet.
As far as a few comments here about Linux being too difficult for most users, tell that to my 8 year old daughter. She doesn't have a problem at all running SuSE.
I don't have a solution, but I certainly admire the problem.
install literally dozens of setuid-root applications
Last time I checked, unless I am root, I could not change, or over-write any setuid root app on my box. And this is how it's been for a long time.
Setuid root applications are a necessary evil because the UNIX security model is outdated
I could say so much more about this piece of shit, but all I really need to say is fingerd - WHO THE HELL RUNS THAT STILL?
Remote root holes are everywhere
Every distribution I know of has some way to automatically update your system every night without intervention. Holy Shit! Do any average Windows users do that?
Would someone please mod this down? I am so sick of reading posts by people who have no clue what they are talking about.
It is quicker to rebuild machines on demand and grant everyone local admin access than to try and work out why most apps won't run due to lack of admin access. This is not really a flaw of the app, this is how MS has built its security from the beginning. In fact, only MS applications appear to run correctly without local admin access.
login as root on a console, type soundconfig then hit enter. See what happens. You should get a textbased window that will walk you through a quick sound configuration. You use enter to enter and tab key to move around. If it works, you get to hear leee-nus torrrrr-valds sayin howdy.
If that don't werke, get a 5$ sound card, use that. I had to do that with some mobo I had that I used for a friends machine with built in sound that I built for him. I yanked the little attachment for the plugs out, installed an old card, I think a soundblaster 16 or something, it was like 3 or 5 dollars from local nerd shop used, worked great then with that soundconfig utility, IMO, one of the slickest things in linux, heh. As an old classic mac guy, I am always astounded that intel-ish machines running..whatever OS... DIDN'T have normal natural sound, as all macs have always come with great sound right outta the box..
hold on a second there..
first off, it's the engineers that draw up the blue prints, the developers just carry it out.
second, i can't see how it's the software's problem that the OS has an uneasily understood security model. i'm thinking, either you have privilege, or you don't, end of story.
duh...
...and this lie crawls out of its mouth: 'I, the state, am the people.'
Actually I blame both to a certain degree. The vendor about a level of magnitude higher -- but blame enough for both.
runas /?
(grr. fucking 20-second delay...)
You can blame Windows for making it damn near impossible to do a good software design.
There are reasons why democracy does not work nearly as well as capitalism.
-- David D. Friedman
``Access the computer from the network''---What the hell does this mean?
While this article was under the humour section, it still reeked of zealotry that is completely useless. The article claims that Windows is always full of bugs, and viruses and that linux is so great with being immune to viruses, and being free and all. Sure that's great. I have used linux before, but found myself going back to Win2k because I enjoyed using it more. At the time, I think it was mandrake 7.0, I thought linux was a decent OS but I couldn't play any games, and certainly didn't want to take the time to configure wine to play some of my games. Also, I don't like taking time to compile code. I'd much rather download a program, and be able to install it by double-clicking an icon. Also, during the entire time I have run Windows, any version, I have never once been infected by a virus. I also never use virus software. The reason for this is probably because I don't open email from people I don't know, or if it was unrequested in the first place. Ok, I'm done ranting about that, just had to give my two cents. P.S. I do run linux as a ftp/webserver on my Windows network as well.
It means exactly what it says. Here is the explanation from MS TechNet for those with feeble minds:
Another user right that is sometimes modified is the right to access a computer from the network. On some networks, the security policy dictates that administrators must work from the console of the server. Consequently, the Administrators group is removed from the right to access the computer from the network on all servers. Because administrators cannot access the server remotely, potential hackers are forced to gain physical access to the system or compromise security using an ordinary user account.
Kind of how you can't FTP, etc. as root by default on a Linux box. But it's system-wide, and applies to all groups/users the policy is applied to.
How is that enforced?
Not sure what you mean. Run 'gpedit.msc' to load Group Policy; assign it to whatever group/user you want. It denies logon except from the local console. I.e., you can't map a network share to the box/domain in question.
I think you misunderstood. I mean, what keeps me from binding a disguised sshd to a port, and logging in using that port?
i can't see how it's the software's problem that the OS has an uneasily understood security model
It's the software's problem, then it's the user's problem, then it's the company's problem, then it's everybody's problem. Attributing blame to the front end does not stop the effects.
either you have privilege, or you don't, end of story
A bit is on or off, end of story.
It depends. If you have sshd running, it depends what username it's running as when it's running as a service, and if it authenticates against the NT users 'n groups (like MS telnetd that comes with Win2k - it even adds some encryption to make it more ssh-like), you take on the security policy of that specific user that you logged in as. If it doesn't, you take on the security policy of the sshd's running username.
It all depends on if the daemon you're authenticating against is authenticating you against the SAM database (i.e. your NT username/password). Then the NT security policies apply. IOW, programs that would be covered by this would include network shares, ftp, iis, etc. - they all authenticate against the NT users and groups. (I think they call it 'integrated authentication' now.)
Does that answer your question, or am I still misunderstanding?
It's 3:24 here, so I may not fully understand you, but it sounds like ``Access the computer from the network'' is voluntarily enforced, unless you want to log in using a daemon running as someone else. Is that correct? I.e., if I can get a valid log-in, I can run sshd from that and use that to get remote logins from anywhere, right?
Thanks for your explanation. I really must get around to reading up the relevant MSDN pages sometime.
Hmm. HANDLE CreateEvent(LPSECURITY_ATTRIBUTES lpEventAttributes,
... Pointer to a SECURITY_ATTRIBUTES structure. Let's see. The SECURITY_ATTRIBUTES structure contains the security descriptor for an object... Ok, what's a security descriptor? Looks like I need to call one of GetSecurityDescriptorControl(), GetSecurityDescriptorDacl(), GetSecurityDescriptorGroup(), GetSecurityDescriptorLength(), or one of the 10 others listed there. I wonder which...
Blow this for a lark.
CreateEvent(NULL, TRUE, FALSE, "MyEvent") will do...
This is not meant to be sarcasm. I think this is what most developers will do when faced with the choice of fully-implementing Microsoft's security system or just passing a NULL pointer.
Similarly, if you remotely administer the SAM on that workstation you log on using the IPC$ share.
Not Meta-modding due to apathy.
runas is nice, but it really does not work as advertised. A lot of programs don't seem to work properly using runas, and pretty much no installer will (especially the 99% that require a reboot).
Besides, runas is only in windows 2000. It is not in NT4, or any other windows (unless maybe it is in XP). It is, in my opinion, too little, too late. People bitched about not being able to use Windows like unix, running as an unprivileged user and using su or sudo on the rare occasions when they were doing something (like installing) that needed administrative privileges. So microsoft made runas, which pretends it is su, but really isn't as good a solution, because it does not really work.
So just hit Ctrl-Alt-Del and click "Lock Workstation"
Or better yet, just hit Ctrl-Alt-Del and select Debian in your LILO, that should do it.
—
A story on segfault.org
go karma, go!
it is the software's problem if the develops the app in such a way that it can only be run by the administrative user.
is grandma installing windows herself?
1) SuSE sets up ssh automatically so I can login from remote machines. I never do this, but it's there and figuring out how to switch it off takes too much effort, so I never bothered. It won't allow root logins, but because I use the same password for my root account as for my email, and because my mail program saves my password, anyone who logged in as me could find out my root password easily enough.
2) Most users aren't used to the idea that they need to choose good passwords for local machines. Especially users coming from windows, which has virtually no remote access features, are quite likely to set their user passwords to something obvious, safe in the knowledge that the only person that has "physical" access to their box is them.
3) Combine this with an open ssh/xdm system, and you're asking for trouble. You don't even need to get a virus, just run a portscanner for SSH, then start a password cracking system. Most users don't pick good passwords, this is well known, and unless distributors take care to lock down systems SSH/XDM will come and bite their asses.
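Point 3 above shows up in the sshd log before it succeeds. An added example, not part of the original comment, that flags a source address with a burst of failed password logins and reports whether a login from that address was accepted afterwards; the log lines and addresses are constructed, and the threshold, window and year are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in the usual OpenSSH syslog wording (documentation addresses).
SAMPLE_LOG = """\
Jul 12 03:14:01 box sshd[2211]: Failed password for root from 203.0.113.7 port 51101 ssh2
Jul 12 03:14:04 box sshd[2213]: Failed password for invalid user admin from 203.0.113.7 port 51102 ssh2
Jul 12 03:14:09 box sshd[2215]: Failed password for alice from 203.0.113.7 port 51103 ssh2
Jul 12 03:14:13 box sshd[2217]: Failed password for alice from 203.0.113.7 port 51104 ssh2
Jul 12 03:14:18 box sshd[2219]: Failed password for alice from 203.0.113.7 port 51105 ssh2
Jul 12 03:14:25 box sshd[2221]: Accepted password for alice from 203.0.113.7 port 51106 ssh2
Jul 12 09:02:10 box sshd[3050]: Failed password for bob from 198.51.100.20 port 40022 ssh2
Jul 12 09:12:30 box sshd[3061]: Failed password for bob from 198.51.100.20 port 40031 ssh2
Jul 12 09:12:41 box sshd[3063]: Accepted password for bob from 198.51.100.20 port 40032 ssh2
"""

LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)


def parse(lines, year=2002):
    """Yield (timestamp, result, user, ip); syslog omits the year, so one is assumed."""
    for line in lines:
        m = LINE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["result"], m["user"], m["ip"]


def find_guessing(lines, threshold=5, window=timedelta(seconds=60)):
    """Flag sources with >= threshold failed logins inside a sliding window."""
    recent = defaultdict(deque)   # ip -> failure timestamps still inside the window
    tried = defaultdict(set)      # ip -> account names attempted
    flagged = {}                  # ip -> first account accepted after the burst
    for ts, result, user, ip in parse(lines):
        if result == "Failed":
            tried[ip].add(user)
            q = recent[ip]
            q.append(ts)
            while ts - q[0] > window:
                q.popleft()
            if len(q) >= threshold:
                flagged.setdefault(ip, None)
        elif ip in flagged and flagged[ip] is None:
            flagged[ip] = user    # a guess may have worked: highest priority
    return {
        ip: {"users": sorted(tried[ip]), "login_after_burst": who}
        for ip, who in flagged.items()
    }


if __name__ == "__main__":
    for ip, info in find_guessing(SAMPLE_LOG.splitlines()).items():
        print(ip, info)
```

A flagged address followed by an accepted login is the case to act on first: that account's password, and any other account sharing it, should be treated as exposed.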
Do you know what it means to ``bind a port'' (or is that even possible in Windows?)
No kidding. I run a network of Win2k machines (served by a Samba PDC), and I have all the machines locked down tight. Unfortunately, every time the boss-man says "I want my users to run this app" that app is one that thinks all users are Administrator.
I just had to hassle with QuickBooks last week. I spent an hour on the phone with them trying to figure out why it would only half run. The "support" guy kept telling me to try it as Administrator instead of a regular user. Sure enough, it ran fine. So I told him then it has a serious bug because it expects the user to be an Administrator. His response was "Our program requires Administrator capability and it's not a bug." WTF?!?!? Why the hell does a stupid accounting program think it needs Administrator capability?
This seems to be an unbelievably common problem: lazy ass programmers that are used to DOS and Win9x just merrily go out and fuck with things they shouldn't, and don't even bother to make note of what they're doing. They're completely clueless that the user may not be an Administrator and may be logging into a network.
If Microsoft really wanted to sabotage Linux they would port Outlook to Linux - except that none of the distributions would have it on their disks and the Linux community would roar in anger if they did.
The reason that we don't have horrible design decisions in Linux like exist in Outlook is that Linux programs are designed by the people who write them - while programs like Outlook get features grafted onto them by clueless managers who couldn't write the programs if their lives depended on it.
The open source model tends to protect the code by the simple barrier of the requisite skill level needed to produce open source code; open source code effectively can't be produced by dumb asses.
...because there are no hidden files on Linux...
.*
What? No hidden files? Hmmmm. What about dotfiles? Go to your home directory and type:
ls -lad
Those are pretty common. Of course, you could argue they're not really hidden from the user, since the command I just typed reveals them, and so will half the ftp clients and a number of the file managers out there in the world, and so only shell geeks who know how to reveal them consider them hidden anyway. Still... it wouldn't be hard for a virus to hide some part of itself in an obscure or innocuously named dotfile to make itself harder to notice or remove....
Libertarianism is rich wolves and poor sheep playing gambler's ruin for dinner.
Actually, Windows' privilege model is quite ineffective. Many privileges control the LAN-Manager, not the OS Kernel itself (eg. "Create permanently shared objects")
There are privileges like "Control Auditing" - but there is nothing like "allow this process to only ADD audit records to audit files" or "allow this process to only READ audit files".
There is also nothing like "Allow restricted IOCTL calls", "Allow mount/umount".
Windows grants all privileges to users, not to the binaries in the file system. A process can not spawn a more privileged subprocess, because Windows does neither support setuid/setgid, nor does it support privilege sets for programs in Windows' file system. All these facts make the Windows privilege concept rather ineffective.
There are _much_ better concepts than the ones found in Windows - maybe take a look at IBM's OS/400, or at Argus Systems' Pitbull Foundation, which implements an even stronger Privileges/Authorizations concept.
On an Argus box, you could, for example, add the PV_FS_MOUNT privilege to the authorized privilege set of some new mount tool binary on your harddisk, and then add the MOUNT authorization to the privileged authorization set of the same binary.
(Maybe set FSF_EPS if the program does not know how to handle privileges)
When a user executes the binary, the operating system would only put the PV_FS_MOUNT privilege into the effective privilege set of the spawned process, if the executing user has the MOUNT authorization (and if the PV_FS_MOUNT privilege is in the limiting privilege set of the process, which execs the binary - commonly the user's shell).
A user without MOUNT authorization could now display a list of all mounted file systems, but he/she could not mount or unmount Filesystems.
Even a user WITH MOUNT authorization could not mount/unmount file systems, if his/her limiting privilege set has been downgraded and for this reason does not contain the PV_FS_MOUNT privilege any longer.
---
YES, we NEED more powerful privilege concepts in Linux (and in ALL other Standard UNIX systems as well), to protect the OS from privileged daemons which get hacked for some reason.
(And this is also the reason why OpenBSD is NOT really a secure OS - it highly depends on the fact, that only bug-free daemons have root privileges. A really secure OS would not grant any daemon something which is as powerful as root privileges just to open a privileged port or to use some funny special system calls)
Currently, only Trusted Unices offer strong security - however, most users do not need labeled information security (as defined by TCSEC B1), which is rather difficult to administer.
There should be some "light" version of a Trusted Unix OS without Mandatory Access Control (and maybe with a more simple set of privileges) for normal users.
regards,
octogen
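The exec-time rule described in the post above, as a small model added here (not Argus code and not part of the post). PV_FS_MOUNT and MOUNT come from the post; the class and function names, the placeholder PV_EXAMPLE_OTHER, and the rule that holding any one listed authorization suffices are assumptions, and FSF_EPS is not modelled.

```python
from dataclasses import dataclass

# PV_EXAMPLE_OTHER is a made-up placeholder standing for "every other privilege".
ALL_PRIVS = frozenset({"PV_FS_MOUNT", "PV_EXAMPLE_OTHER"})


@dataclass(frozen=True)
class Binary:
    name: str
    authorized_privs: frozenset = frozenset()   # privileges the file may confer
    privileged_auths: frozenset = frozenset()   # authorizations that unlock them


@dataclass(frozen=True)
class Process:
    user_auths: frozenset                        # authorizations held by the user
    limiting_privs: frozenset                    # upper bound passed on to children
    effective_privs: frozenset = frozenset()     # what the process can use right now


def exec_binary(parent, binary):
    """Privileges reach the child only if the user is authorized AND the
    parent's limiting set still contains them."""
    authorized = bool(binary.privileged_auths & parent.user_auths)  # assumption: any-of
    granted = (binary.authorized_privs & parent.limiting_privs
               if authorized else frozenset())
    return Process(parent.user_auths, parent.limiting_privs, granted)


def downgrade(process, removed):
    """Shrink the limiting set; it can never be widened again in this model."""
    removed = frozenset(removed)
    return Process(process.user_auths,
                   process.limiting_privs - removed,
                   process.effective_privs - removed)


# Privileges each operation of the hypothetical mount tool needs.
REQUIRED = {"list": frozenset(), "mount": frozenset({"PV_FS_MOUNT"})}


def allowed(process, operation):
    return REQUIRED[operation] <= process.effective_privs


def setuid_root_exec(parent):
    """Contrast: a setuid-root file gives every privilege to whoever runs it."""
    return Process(parent.user_auths, ALL_PRIVS, ALL_PRIVS)


MOUNT_TOOL = Binary("mounttool",
                    authorized_privs=frozenset({"PV_FS_MOUNT"}),
                    privileged_auths=frozenset({"MOUNT"}))


def demo():
    operator = Process(frozenset({"MOUNT"}), ALL_PRIVS)   # shell of an authorized user
    guest = Process(frozenset(), ALL_PRIVS)               # shell without MOUNT
    restricted = downgrade(operator, {"PV_FS_MOUNT"})     # authorized, but capped
    return {
        "operator_mount": allowed(exec_binary(operator, MOUNT_TOOL), "mount"),
        "guest_list": allowed(exec_binary(guest, MOUNT_TOOL), "list"),
        "guest_mount": allowed(exec_binary(guest, MOUNT_TOOL), "mount"),
        "restricted_mount": allowed(exec_binary(restricted, MOUNT_TOOL), "mount"),
        "setuid_extra": sorted(setuid_root_exec(guest).effective_privs
                               - MOUNT_TOOL.authorized_privs),
    }


if __name__ == "__main__":
    print(demo())
```

The last entry shows what the post objects to in the setuid-root approach: the same tool run setuid root would also hold every privilege it never needed.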
The top question in my mind as I slogged through your rambling post, was and still is "what the hell is this fool's point" and why should they expect me to care?
Any answers?
If Microsoft really wanted to sabotage Linux they would port Outlook to Linux - except that none of the distributions would have it on their disks and the Linux community would roar in anger if they did.
Yep, that is a very good point. I find it pretty odd that this kind of move by Microsoft is probably the only way Linux could gain general acceptance as a client OS in most businesses... and suddenly, for all the roaring of the community, Linux would sell well, would look a lot more like Windows, and would start seeing just as many viruses/worms as Windows currently does.
3. distributions that come with built-in security holes. (e.g., Lindows)
I think we've pushed this "anyone can grow up to be president" thing too far.
Sure, it's not the fault of Windows per se but it is the fault of MS to not build their software tools to encourage proper security practice, to include proper security modeling in their OS certification program, and, in general, not getting the message out to their developer community in their mailings, educational programs, and developer conventions.
I bow to you Inthewire. I'm sorry for taking out my frustration on you. Just tired of things the way they are :\
*DrugCheese rants*
Shit, you think anyone here BUYS anything?!? You would get more sales by advertising to the bums at a homeless shelter. :)
Michael Loves Me!
Well, in linux, say, doesn't a script or app run with the security context of the user who runs it as well?
Can't you require that your app runs or installs a special user for what it runs under such as IIS does or Apache does?
That's the problem a large portion of the internet seems to have with humour (I hesitate to say Americans because that would be elitist, racist, Americanist and quite possibly terrorist in the current world climate). They don't want to risk offending anyone which results in completely crap humour that only complete morons find funny (like Dave Letterman, come on admit it, he could not be less funny). The really funny stuff is cutting because it has a kernel of truth in it (or common misconception etc). Some people won't like this kernel and take it personally. These people are called anal and need to lighten up for the good of all of us.
The other side of this humour is that you are going to be on the receiving end one day (which I think is the main complaint). HAVE A LAUGH AT YOURSELF. It's good for you. If that isn't possible then ignore it.
If you can't laugh at yourself then you don't have the right to laugh at anyone else either. Also it makes you that much more attractive for said humour.
DISCLAIMER:
I'm Australian. Here, "How are you, you old bastard?" is considered a suitable greeting to a good friend.
Nerd: Derogatory term typically directed at anybody with a lower Slashdot ID than you.
Microsoft has a badging program and has a huge bully pulpit that they could use to teach everybody that coding software that requires you to run it as administrator is bad practice and end users should not buy such software because it's a security disaster waiting to happen. They've had several years to get the message out and they've declined, all the while earning a well deserved reputation for security laxity.
MS doesn't bear all the fault but they do bear quite a bit of it.