Linux and the Smile.D Virus keeps us Smiling
pstreck writes "News Forge is running a humor filled satire on the recent Smile.D cross platform virus. It's a good read and just another reminder of why that other operating system needs to figure out a new security policy."
There is a whole privilege system there, unfortunately, it can't be used by many people right now because of some brain dead applications. Quite a few programs won't run as anything other than administrator. Over time, once the apps get replaced, Windows will have a more viable security system, which will hopefully prevent many of these types of problems.
- YOU HAVE NOW RECEIVED THE UNIX VIRUS -
This virus works on the honor system:
If you're running a variant of unix or linux, please forward
this message to everyone you know and delete a bunch of your
files at random.
If tits were wings it'd be flying around.
Linux and the Smile.D Virus keeps us Smiling
That pun would work better if it was actually called the Smile.D Virus.
Symantec and ZDNet appear to call it Simile.D.
Windows needs a new security policy.
Linux needs a clipboard.
The funny thing is, a clipboard seems simple by comparison.
Which will appear first?
Writers imply. Readers infer.
The problem isn't that a few brain dead applications can screw up the security policy. The problem is that a few brain dead applications are written with the assumption that there is no security policy, and thus are prevented from running when one is in effect.
Lost: Sig, white with black letters. No collar. Reward if found!
You should have done that fifteen minutes after getting the machine configured.
There should be a moratorium on the use of the apostrophe.
Max V.
NeXTMail/MIME Mail welcome
He Who Is Without Sin Should Cast The First Stone
I personally felt the article was childish. Windows has a lot of malware that takes advantage of gullible users by sending them deceptive emails with enticing attachments. Linux on the other hand typically has more savvy users. However pointing and giggling is what I'd expect from teenage high schoolers flush from the rush of their first kernel compilation and not a supposed journalist like Roblimo.
PS: Yes, I work for MSFT. Yes, I run both Windows and Linux at home. Yes, I've been hit by a Windows virus once (CodeRed off of a web page) and had my RedHat box r00ted twice before I learned the hard way.
That's "more advanced" in the sense of "so complicated no one can really be bothered to figure it out and use it as intended". [Ambiguity intentional.]
But that doesn't mean that the Linux security model is perfect - it just means that the Smile.D virus writer was too lazy to actually try to get root on the Linux boxes the virus gets exposed to. Consider the following facts:
- Local root holes are everywhere on a Linux box. Most
distributions, especially Red Hat and SuSE, install literally dozens of
setuid-root applications. Most of these applications are completely
useless to the average person, and serve only to open up holes in system
security.
- Setuid root applications are a necessary evil because the UNIX
security model is outdated. Need to change the system time? How about
binding to a low-numbered port (hello Apache and fingerd)? Or making files
immutable? Or mounting a floppy disc? Every single one of these
operations requires root privilege, either by the user or by the command a
non-root user invokes. The more paths to root there are on the system, the
more potential holes exist.
- Remote root holes are everywhere. Ever run wu-ftpd? Or sshd?
Or BIND? Or rpc.statd? You probably do, but the average Linux luser
doesn't even realize it, and doesn't waste their time playing sysadmin and
keeping up with patches constantly. So she will have no idea why her
system was 0wned and is being used to run an eggdrop bot on dalnet. At
least Microsoft has the sense to ship systems with unnecessary services
disabled.
I once saw source code for a worm written by several Polish nationals. This worm was able to exploit weaknesses in Linux systems to gain root access and spread. Don't think it can't happen just because the Smile.D author was an idiot - or else you will be rudely awakened when it strikes./fug
Throw off the shackles of copyright law.
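Added example, not part of any comment in this thread: one way to check the "dozens of setuid-root applications" point on your own system is to inventory setuid/setgid files and compare them with a reviewed baseline. The baseline file format (one path per line) and all file names in the demo are assumptions, and the demo tree is constructed.

```shell
#!/bin/sh
# Added example: audit setuid/setgid files against a reviewed baseline.
# All directory and file names used in demo_audit are constructed.

# list_privileged DIR...
# Print the sorted paths of regular files that carry the setuid (4000)
# or setgid (2000) bit, without crossing into other filesystems.
list_privileged() {
    find "$@" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null |
        LC_ALL=C sort
}

# unreviewed_privileged BASELINE DIR...
# BASELINE is a text file with one reviewed path per line (assumed format).
# Print every privileged file found under DIR... that is NOT in the baseline.
unreviewed_privileged() {
    baseline=$1
    shift
    current=$(mktemp) || return 1
    list_privileged "$@" > "$current"
    # comm -13 keeps only the lines unique to the second input (what is on disk).
    LC_ALL=C sort -u "$baseline" | LC_ALL=C comm -13 - "$current"
    rm -f "$current"
}

# demo_audit
# Build a small constructed tree: two setuid files, one ordinary file,
# and a baseline that only lists one of the setuid files.
demo_audit() {
    tree=$(mktemp -d) || return 1
    for f in reviewed-helper unreviewed-helper plain-tool; do
        printf '#!/bin/sh\n' > "$tree/$f"
    done
    chmod 4755 "$tree/reviewed-helper" "$tree/unreviewed-helper"
    chmod 0755 "$tree/plain-tool"
    printf './reviewed-helper\n' > "$tree/baseline.txt"
    ( cd "$tree" && unreviewed_privileged baseline.txt . )
    rm -rf "$tree"
}

demo_audit
```

Run against real directories, anything the second function prints is a privileged binary nobody has reviewed yet: either add it to the baseline after checking it is needed, or remove the bit with chmod.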
$ rm -f -r /
rm: /: Permission denied
I can't even get the unix virus! I'm such a luser.
Ya know, for the longest time, I really thought that the only thing the /. editors could do was post links to other articles (they sure as heck can't be bothered to run ispell). Every once in a while, though, I see something like this. I'm not saying that this was a brilliant piece of journalism or even satire, but at least roblimo can write a real article (where "real article" is being very generously applied to something that only has 23 sentences in it). Why doesn't this happen on /.? It happens on newsforge....
Just wondering.
1) Any of the Windows viruses/worms that are of the "double click the attachment" variety would work just as well on Linux as they would on Windows, were there more "Windows users" using Linux. They modify/damage user files and replicate themselves through email... who needs root to do that? I think the main reason you don't see as many of these is 1) the ratio of Windows desktops to Linux desktops is very large, and 2) Linux users usually know not to touch attachments like this. So if you're a virus/worm writer, why bother with Linux at all when your code can spread 100 times as fast through the Windows systems?
2) That comment about a Linux virus being easier to clean up is a bunch of crap. I've seen plenty of novice Windows users try to remove viruses from their system using instructions and fail, and it's not because "there are no hidden files." It's because manual removal of viruses on Windows usually involves using system utilities and commands that most Windows computer users have never used before (regedit, command prompt.) Sure, the instructions are easy to follow for Linux... it's because you're a Linux user, and have to use the equivalents of these Windows utilities in every day tasks anyway.
3) "So it looks like the old dream of Linux eventually overtaking Windows and becoming the world's most popular operating system will never come to pass..." Well, if Linux was to become easier to use for the users who suffer from attachment-clicking syndrome, and who don't have the skills/balls to follow clean-up instructions, suddenly Linux will be a lot more popular, will see a lot more viruses, and virus scan software will still be business as usual.
I don't even know where to begin. Should I begin by saying that calling people "morons" because these people don't immediately reformat their computer and install Linux is a bit of a stretch? Or should I point out that Lindows automatically logs users in as root on their Linux boxen? Or should I wonder aloud how Roblimo would like programmers to make money if not by making useful utilities like virus scanners?
This whole article takes the disgusting tone of insulting people who obviously aren't as "smart" as the article's author. I find this elitism disgusting, and frankly, embarrassing to the greater geek community.
How many of us are quick to insult people who don't know the difference between root and another user? How many of us call the repair guy because we don't know how to repair the air conditioner, refrigerator, or our car? Would you like it if your mechanic said, "I can't believe you don't know the difference between 10W30 and 10W40. You're obviously a moron."?
Face it, folks, not everyone wants to be a computer expert. Not everyone wants to get involved in flamewars like vi vs. emacs or Linux vs. Windows. They just want to turn on their computer and have it work. And with any operating system, those same people will have to learn how to maintain it by applying patches (just like you have to maintain your car by taking it in for maintenance every so often.)
The fact that this article is categorized as "humor" doesn't make the elitism any less inherent. We should be educating people about the importance of software maintenance, not bashing them for being "morons" because they don't want to know the technical stuff. To most people, computers are a tool to get a job done, not a religion. Windows makes it easy to do most jobs. Therefore, most people are pretty happy with Windows.
Mod me down if you wish. I have 50 karma and I don't care much about karma ratings anyway. But I think this is important for a lot of geeks to understand -- just because we may have more technical knowledge does not give us the right to call people with less technical knowledge "morons" -- humor category or not.
Simpli - Your source for San Jose dedicated servers and colocation!
Blah blah blah Windows bad.
Blah blah blah Linux good.
Blah blah blah idiots use Windows.
CmdrTaco posted this? I'm so shocked!
This article is not satire, is not original, nor is it well written.
I wish I could moderate CmdrTaco down for being a troll just once.
SetupWeasel
Ever since segfault's demise, I've been longing for articles like this. Sorry slashdot, but sometimes fake news just don't match up to the real thing.
Howz about some of yous guys start a fake news site (preferably not sponsored by our dear friends from Redmond).
OK. Linux is not that safe from certain types of viruses (such as the lion worm, etc).
In all fairness, saying that there are Linux viruses is like saying that the Concept virus was a Windows virus. I am not aware of any Linux virus (that attacks the system using vulnerabilities presented by the Linux kernel). Usually other programs are the source of the risk.
The issue of security from viruses is similar to the issue of security from hackers. It is a never-ending battle, and network services are points of attack. Some pieces of software are better than others at controlling the degree of compromise resulting from their failures. That is all.
LedgerSMB: Open source Accounting/ERP
Do any of the mods (besides the first mod) have any humour section in their brain? Mod parent Up!
Think nothing is impossible? Try slamming a revolving door.
Here we go again! Let's laugh at people who think "that Bill Gates deserves their money", let's laugh at people who buy anti-viruses, let's laugh at Windows while we're at it, and of course, let's praise our wonderful unbreakable operating system. Ah! This virus fails to infect me, viruses are so ineffective against l33t linux! Nobody can root me, nobody can root me!
Am I the only one not laughing? Am I the only one watching with, not fear, but interest and attention, the great innovations being done in the field of the Linux viruses?
We have a virus that can infect both Linux and Windows binaries. A virus that can try to infect a Linux box from a Windows box. A virus that is extremely hard to detect and destroy on Windows. Sure, it doesn't work well enough, yet. It's, after all, only the third generation virus. But it is nevertheless a great technical achievement, a new milestone release, a step towards havoc.
When these viruses will be able to infect a Linux partition from a Windows partition, or a Windows partition from a Linux partition, each time bypassing the security and anti-virus of the operating system it is infecting - hey, the OS is not even running! - will you laugh that much? Nobody can root you? And what about a virus that has ext2-level access to your root partition? Yes, from Windows? Who is 100% Windows-free? Who never has two OSes on the same machine?
Virus authors are showing a growing interest in Linux, and as more and more viruses are able to spread on Linux, more and more anti-viruses Linux will need. You might not like it, but it seems unavoidable to me. And if you really hate the anti-virus companies, start an open-source project. Now.
Let's come back to this discussion in a couple of years. And we'll see if you were right to laugh. I hope so. I don't believe it.
NT has privileges (so users don't need to be
root to do certain operations), access control
lists for all objects, more than 32 groups for a
user, impersonation (so a server can take on the
identity of a connecting user and do operations
on their behalf).
A couple points:
1. Most of the hundreds of millions of windows users are windows users because that's what came with their PC. It was bundled with their PCs because of the heavy handed licensing methods that Microsoft applied to the OEMs. That's not the same as saying that the customers prefer windows.
2. It occurs to me that it's very hard for a virus to propagate in an environment where the user (by default) does not have write permission to the directories - and I'm not talking a "read-only" bit that essentially relies on the honor system. In usermode, I can't infect/damage /usr/bin even if I wanted to. In windows, this could be done, but it's not because it would make installing/removing applications (slightly) more difficult. Well folks, a virus is just another program that you just installed; albeit probably accidentally.
3. Saying Linux has made great strides in a short time is misleading and somewhat deprecating. I've been using it since 1992 (10 years). That predates all win32 platforms (including Winnt and Win9x, to say nothing about XP, etc.). It's a minor bone to pick, but it's made great strides over the entire course of its existence. Even in the beginning, it was purposely built to take advantage of "great strides" that predated it.
4. Users don't have to patch code. Linux package management excels. I know debian best, and apt-get keeps my system secure with nary a recompile. Patching? I could if I wanted to, but I'm too busy being productive on my system.
5. I agree about not calling people who don't use linux morons.
6. You don't even have to run linux, as far as I'm concerned. I have to draw a line at telling the people in the community to get busy and fix the bugs and do a little usability testing. Where have you been? Did you know that all that happens? How else can you explain this feature-rich, reliable, and usable system that I'm typing this on? Independent estimates have estimated that there is over 1 billion dollars of time invested in a typical linux system and it is all given away for free. Be grateful, not pissy.
We've seen a lot of it over the years from Microsoft and other major companies, but the people who once used to rally it no longer carry it on their news sites, but they actually have become a source of FUD as well.
OK. So this was posted as humor. But somehow it didn't read as humor. It read as an article that claims you need to spend money to prevent viruses on Windows while you could run a virus free linux system by just pumping an 80 IQ.
On Windows you're likely to get a virus from one of two places, either installing software or running software that allows scripts in its data files.
Both of these are easy enough to defend against, however, it seems like it's not in the best interest of the Linux community to let that be known. A little Fear, a little Uncertainty, a little Doubt is a much better weapon.
And when it's over, the truth is that had this been presented as a factual article on how simple it is to remain Virus Free on a Linux system, it wouldn't have even been read by many, never mind submitted to Slashdot.
After all, FUD sells. It just doesn't make me proud to belong to the community selling it.
No Zen is good zen
It wouldn't surprise me if *they* wrote that stupid worm.
there's no place like ~
I've been a techie for many years, but have shied away from Linux. Sure, I've used an old version of Slackware as a Web server or as an IP masquerader here and there, but never tried to use it as a workstation.
The other week, I decided to give it a go. I put a Redhat 7.0 (the latest Linux I had in the house at the time) CD in and got on with it. Very very easy setup! Less hassle than Windows, and certainly quicker. Copying files seemed to take longer, but, you've gotta remember that Windows spends at least 20 minutes restarting itself and setting up all sorts of crap after the files are copied.
So, yeah, I'm no Linux zealot, but they've come along in leaps and bounds on the interface front. Although.. I had to edit a few config files to get my network card working, so it's not for a typical user either JUST yet..
mogorific carpentry experiments
1. The steady transition of Linux from a "geeks only" OS to a corporate mainstay. This will make Linux a more appealing target.
2. The arrogance of those who think that Linux isn't vulnerable.
For all intensive purposes, "whom" is no longer a word. That begs the question, "who cares"?
Your point 1 implies a deep misunderstanding of market economics. OEMs ship windows because that's what the users demand. The customers do prefer windows. Cold hard fact.
point 2: window has been around since 1984. It is an extension of MSDOS which was from 1980. Anyway, I think most of the real progress in bringing linux to the masses has been done in the past 5 years. My opinion only.
point 6: I run mandrake and windows, mainly for xplatform coding. The UI for KDE3 just isn't there yet, nor GNOME or what-have-you. I rate the usability (for naive users) of Linux below Windows 3.0. And that's pretty sucky. In fact, usability and polish is the main weakness of Linux. Only honest usability testing with naive so-called-morons will get the OS past this hurdle.
Indeed, it hardly operates at all.
I for one would prefer if people would instead refer to it as 'the thing that shall not be named' as the title makes no assumptions, does not encroach on any several thousand year old technologies (I think that before the Romans put glass in them, windows were more of a hole in the wall than the true window experience they are now) and is dark and gloomy enough to reflect all those works forever lost by those forgetting to save every 10 minutes.
As to the virii, I wish Linux was as secure as all that, but as others have pointed out there are a fair number of exploitable suid-root programs with the average large distribution.
I had a read about HURD's security system a few months back and it looks a lot more promising than the traditional UNIX model (something about starting with no permissions and working your way up, rather than starting with all permissions and dropping them for your typical root service). It should be interesting to see if the new ideas work out in the long run, or whether the 30 year old security model will once again show that it got that old for a reason.
Exactly how is my response to the parent "flamebait"?
Point (1), the majority of /. readers/posters are biased toward Linux and Open Source. Is this not true?
If the above is true then is it safe to say that these same people have made up their minds that Linux and Open Source is superior in many ways than Windows and closed source?
Are there not numerous examples of grandmothers and small children (there's an 11 y/o girl in my house that can install Suse w/ no problems. She is of average intelligence) who use linux? If an adult cannot perform a task so simple a child can do it then is there a problem with labeling that person a moron/lame?
The entire purpose of the post is to point out that
1) Slashdot is biased and said bias is based on facts and experience. Whenever someone makes a statement that /. users are biased the reply should be "So?"
2) To counter the assertion that Linux is more difficult to use than Windows. It is not.
Samsung took back my unlocked bootloader because Google wants me to rent movies. They're both evil.
Buh??? Why would you need to write a virus to do this, most linux boxes out there have lots of stuff you can exploit to get root yourself.
Have you read this article? It's not funny unless you think "of course, Linux doesn't get viruses" is funny. 'Cause it says that about a million times.
Since when do twelve-year-old kids write on Newsforge? He says: "and I assume that once they've gotten the idea (from where I do not know) that Bill Gates deserves their money more than they do"
:) Just pathetic.
Where does he come from? I paid $300 for my monitor, does it mean that oh I shouldn't pay them, I better keep the money to myself?
As usual, when you can't beat MS, troll away
CmdrTaco, don't post sucky articles for your sucky friends just because they ask you to. Read the sucky article yourself first. It sucks.
Now do you see how non-constructive criticism feels?
-bugg
It should be noted that the default Windows mail client almost automatically executes attachments (double click on an inconspicuous icon), while on Linux, you will usually have to save the attachment, then manually execute it. So, no, that variety of viruses wouldn't work just as well.
"How many people do you know who habitually run their Linux systems as root?
In my case, the answer is 'zero.'
So that's the end of that."
Woah, not so fast there, buddy.
Lots of the newer "user friendly" Linux distributions like Mandrake and Lycoris allow Linux newbies to install the operating system without creating a separate user account. Worse yet, some of them allow the root user to have NO password at all! As these Linux distributions get more popular and easier to use, you can expect more and more computer newbies who don't understand computer security to leave their systems logged in with administrative accounts with no passwords to protect them.
One of the main reasons that Windows is vulnerable to virus attacks is that its users often aren't as security savvy as *NIX users are. All it would take is a few thousand home users running Linux logged on as root without any passwords or security patches for a Linux virus outbreak to become a reality.
Fortunately, this probably will never happen. Not because it's technically impossible, but because all the programmers with that kind of skill are mature and ethical. If you look at the biggest viruses we've had, almost all of them are dysfunctional and poorly written, and obviously the product of an immature kiddie.
Now, my point: IMHO, there's only one thing protecting Windows from highly destructive viruses, and the Unices from any viruses at all. It has nothing to do with the technical merits of the system, or the tech-savviness of its users, neither of which can stop a well-written virus (there will always be a hole somewhere). The key factor is the honor of the programmers.
Different communities aggregate to different OSes, and warez kiddies and hax0rs seem to me to exist almost entirely in the Windows world. The reason Linux doesn't have any viruses is because nobody is trying to write any. Until this changes, I don't expect anti-virus software for Linux to become necessary anytime soon.
You would be correct, but only if security was an absolute. It is not.
What does it mean to "be secure?" It is easy to spew common *ix security logic when that is all you know and think about when security is the topic. You have to take a step back to understand the nature of security.
I'm rusty on *ix history, but I'm fairly certain security was never a top priority of the original Unix, until later. If you check up I'm sure you will find that security actually _was_ added to *ix on an as-needed basis.
As an example consider this: until fairly recently (mid to late '90s) denial-of-service was not a threat. *ix admins everywhere had to rush to turn off common "safe" services such as ping, finger, etc. as a result of what they believed was security.
The _biggest_ threat will always come unannounced and from a never suspected "location." What *ix has for security is simply barriers for the patterned attacks. Security has been a buzzword of sorts long before Microsoft--and will continue to be a "buzzword" as long as people foolishly believe that security is an absolute.
Dijkstra Considered Dead
How many people do you know who habitually run their Linux systems as root?
Overall the article was good. I agree that now with StarOffice, Mozilla, Ximian, the nearly 2 click install from SuSE 8, etc. There really is no good reason to deal with all the Windows BS. Anyways, the one problem I had was that Roblimo was talking about the average Windows user. And I believe that the average Windows user would be a lot more likely to run things as root than learn how to use sudo. How many install instructions say:
Become root, then run: make install
Without people knowing what that means and why it can be bad, their systems are just as easy a target for viruses as Windows computers. Either way, it's an education thing.
You are an idiot. What he meant to say is that some programs for Windows which are meant for general use by all users were written like a "this application must be run as root" UNIX application.
Yes, it's just so complicated. Here is an example of a few of the available group policies:
"Access the computer from the network"
"Allow logon through Terminal Services"
"Change the system time"
"Create a pagefile"
"Deny access from the network"
"Deny local logons"
"Deny logon through Terminal Services"
"Force shutdown from a remote system"
"Load/unload device drivers"
"Logon as a service"
"Logon locally"
"Perform disk volume maintenance"
"Shut down the system (locally)"
"Take ownership of files and other objects"
Wow, if those aren't in plain English I don't know who can't figure them out. NT's security model is very complex, yes, but very capable as well. It just so happens that the crack dealer under the Longfellow Bridge is selling MCSE certifications for $5 a pop as well, so MCSE's are a dime a dozen. If you're looking for a good NT admin, you need to look hard. Just the same reason you won't hire that 17 year old who "has 12 years UNIX experience."
It should be noted that, under Windows, the OS tries to execute files simply because they are named in a certain way, such as having ".exe", ".bat", ".js", ".vbs", etc. at the end.
Whereas under unix, simply renaming any old file with a ".exe" at the end does not cause the OS to try to load and run it -- "execute" is a specific flag and permission that must be set and granted.
So "just clicking on attachments" will never work under Unix (barring an exceptionally retarded mail client -- and please don't bring up the old, and fixed, Pine buffer overflow; it's not the same thing), and will always work under Windows.
Until MSFT changes this (and how about killing those retarded drive letters while you're at it?), virus, worm, etc. problems will be common on Windows.
Napster-to-go says "Fill and refill your compatible MP3 player", which is a lie. It's not MP3. It's WMA with DRM.
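Added example, not part of any comment in this thread: the execute-permission behaviour described above, shown with constructed attachment names. It saves a small script the way any program writes a file and reports the shell's exit status when the file is invoked, before and after an explicit chmod.

```shell
#!/bin/sh
# Added example: on Unix the file name does not make a file runnable,
# the execute permission bit does. File names and contents are constructed.

# save_attachment DIR NAME
# Write a tiny script the way a mail client saves any attachment: plain
# file creation. The requested mode is 0666 masked by umask, so no umask
# value can ever produce an execute bit.
save_attachment() {
    printf '#!/bin/sh\nexit 0\n' > "$1/$2"
}

# try_run PATH
# Attempt to execute PATH and print the exit status. The shell reports
# 126 for "file found but not executable".
try_run() {
    status=0
    "$1" 2>/dev/null || status=$?
    echo "$status"
}

# demo_exec_bit
# Print three statuses: saved under a typical umask, saved under the most
# permissive umask, and the first file again after an explicit chmod u+x.
demo_exec_bit() {
    dir=$(mktemp -d) || return 1
    ( umask 022; save_attachment "$dir" "holiday-photo.jpg.exe" )
    typical=$(try_run "$dir/holiday-photo.jpg.exe")
    ( umask 000; save_attachment "$dir" "invoice.pdf.sh" )
    permissive=$(try_run "$dir/invoice.pdf.sh")
    chmod u+x "$dir/holiday-photo.jpg.exe"
    after_chmod=$(try_run "$dir/holiday-photo.jpg.exe")
    rm -rf "$dir"
    echo "$typical $permissive $after_chmod"
}

demo_exec_bit
```

The chmod is the deliberate user action the comment refers to; a client or archive tool that restores stored permission bits removes that step, which is why unpacked archives deserve the same scrutiny as installers.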
Your point 1 implies a deep misunderstanding of market economics. OEMs ship windows because that's what the users demand. The customers do prefer windows. Cold hard fact.
********
This is complete baloney. Most users have never tried anything else. Microsoft has taken control of the distribution channels, so there is no place for consumers to have a choice. If they go into best buy they get a choice between Windows and Windows. How would they manage to choose Linux in that scenario? Or Mac? They would have to have known about it before hand, AND know where to find it, AND know what its capabilities are.
That's like saying the Chinese people prefer communism. The fact is the system doesn't give them a choice. Hopefully in the future the grassroots Linux movement will enable more choice and knowledge for users, but that takes time. Don't pretend like it's a choice today because it isn't.
As to your other point, preferences differ, but most people like KDE or GNOME as much or better than Windows, although less than Macintosh. GNOME, I know has gone through such usability testing as you mention. I don't know about KDE. What, specifically, do you find sucky about them?
Engineering and the Ultimate
Good point, but the fact remains that of all those hundreds of millions of Windows users nearly 100% could switch to Linux, but haven't. That does count for something.
********
No. It doesn't. It would count for something if
a) all those users knew what Linux was.
b) all those users knew the advantages and disadvantages of both systems
c) all those users knew how easy it is to switch
The fact is, 99% of those users don't know any of the above, and thus cannot make that choice. Add into that the amount of disinformation there is on Linux, and the possibility of this user knowing about this valid choice, and that it is valid, drops to near 0.
As for using Linux without editing config files, my wife and I do so every day. Installed and use regularly, and had to do a whole lot less configuration than with Windows. Even changing the video card was handled automatically, and the system detected and installed the appropriate 3D drivers for my new card automatically.
Engineering and the Ultimate
Don't kid yourself... the fact attachments take several clicks to open rather than one doesn't make this type of virus less potent.
The body of the email can always provide instructions on how to run the file. *IF* Linux becomes more popular on the desktop, converted Windows users will probably find themselves working around restrictions and differences between Linux and Windows to do a lot of things.
There's nothing stopping anyone from writing a Linux email client similar to Outlook that allows one click opening of executable attachments. And there's nothing stopping software that's easier to use from becoming the most popular... and then say hello to viruses and worms.
The only truth in this article was that people, in general, are ignorant when it comes to computers.
Yes, there are plenty of people who just want to "turn it on" and have it work, but you boot up and DHCP a public addy via a cable modem/xDSL line, you ought to at least be *aware* of the potential for abuse. And that goes for both Linux and Windows. We won't discuss this fact with dial-up users but they don't get it either.
At least my grandmother (85 year old grandmother) has an excuse. As long as she can e-mail and browse she really doesn't want to know anything else, so I'll take care of that for her. But that's a different situation. Most of the time we're talking about people who have at least a limited knowledge of computers and should be able to understand these things. The least the Cable/DSL providers could do is include a picture and a little description of what the hell they're getting into.
I run a switched network at home with a firewall that's solved most of my problems. But my father's hooked straight to a cable modem and until a month ago when I told him he was vulnerable he had no clue.
And that is the real problem. Because users in general (1) don't patch and/or (2) don't even realize they're "on" the Internet.
As far as a few comments here about Linux being too difficult for most users, tell that to my 8 year old daughter. She doesn't have a problem at all running SuSE.
I don't have a solution, but I certainly admire the problem.
hold on a second there..
first off, it's the engineers that draw up the blue prints, the developers just carry it out.
second, i can't see how it's the software's problem that the OS has an uneasily understood security model. i'm thinking, either you have privilege, or you don't, end of story.
And, if that was the case, I could, as a semi advanced user (hell I use vi and Berkeley mail, but I've played with enough elisp to do this) make my emacs mail mode invulnerable to the virus after about 10 minutes of coding, and without having to recompile anything. And I seriously doubt your claim. All email viruses rely on "conveniently" auto-executed code. There is little if any of that in emacs outside of hooks that only change the mode or state of emacs in some way (ie. turn syntax coloring on if the file ends in .c). Emacs has been around since the '70s, it has survived long periods of time as *the* predominant text editor without any significant viruses that I have heard of. Security can't rely on your code being on fewer computers. Security must be designed into the kernel, the APIs and each and every program used. This has been done to varying degrees of success on every unix and unix clone, and is just now, 30 something years later, being proposed on the Windows platform.
...and this lie crawls out of its mouth: 'I, the state, am the people.'
duh...
...and this lie crawls out of its mouth: 'I, the state, am the people.'
Do not run untrusted code.
Do not run any program as root that is not either a part of your original distribution or an install script for a program you know has not been tampered with (check the md5 on the tarball), and whose author you trust.
Never run any mail program that runs code that is mailed to you (good luck finding one for *nix that does that anyway).
Follow this program, and you should remain virus free on any reasonably designed operating system.
...and this lie crawls out of its mouth: 'I, the state, am the people.'
Dijkstra Considered Dead
It means exactly what it says. Here is the explanation from MS TechNet for those with feeble minds:
Another user right that is sometimes modified is the right to access a computer from the network. On some networks, the security policy dictates that administrators must work from the console of the server. Consequently, the Administrators group is removed from the right to access the computer from the network on all servers. Because administrators cannot access the server remotely, potential hackers are forced to gain physical access to the system or compromise security using an ordinary user account.
Kind of how you can't FTP, etc. as root by default on a Linux box. But it's system-wide, and applies to all groups/users the policy is applied to.
Not sure what you mean. Run 'gpedit.msc' to load Group Policy; assign it to whatever group/user you want. It denies logon except from the local console. I.e., you can't map a network share to the box/domain in question.
I doubt people who are interested in Linux care about the so-called "attitude" problem of its users. Most of the attitudes are from college age whipper-snappers on /.
If you're not a Liberal in your 20's, then you have no heart. If you're still a Liberal in your 30's you have no brain.
I had a discussion about this exact same topic with a buddy of mine (Professor of Economics) last week. He is a Linux user (recently), and he says that if there were no advertising, and Linux was installed by default, people would "demand" Linux.
If you're not a Liberal in your 20's, then you have no heart. If you're still a Liberal in your 30's you have no brain.
I gave my neighbor's kids a PC for Christmas. I installed Mandrake on it (mainly so if they need support I can just ssh in and fix it). They are 8 and 12 yrs old. I have YET to have them tell me something doesn't work or they are confused about something. This is their FIRST computer. The 12 yr old uses Windows at school sometimes. I hear complaints about the schools computers, but not her own. It may be an isolated incident, however....
If you're not a Liberal in your 20's, then you have no heart. If you're still a Liberal in your 30's you have no brain.
That is pure bullshit and you know it. ANYBODY can walk up to a Linux console with X and get their email. Look at KDE and GNOME. And for about 30 years, people have been getting their mail in UNIX by typing pine.
For those who can't remember the word pine, you can even make a shell script menu:
Welcome to SUnOS.
Type pine for mail
slrn for news
logout to logout
wp for WordPerfect
If you're not a Liberal in your 20's, then you have no heart. If you're still a Liberal in your 30's you have no brain.
FreeBSD 4.5....10 Minutes on a Cyrix 166.
After logging in, I can get my mail!
If you're not a Liberal in your 20's, then you have no heart. If you're still a Liberal in your 30's you have no brain.
I agree. I had an argument with an MS lackey the other day. He says "2 CDS to install an OS??!!" I said yes, when you install Windows, you have to download everything to get a working system. When I install Linux, I have ALL the tools I need.
If you're not a Liberal in your 20's, then you have no heart. If you're still a Liberal in your 30's you have no brain.
Hmm...I've been using USB on Linux for around 2 years. I can burn CDS, watch DVDS and browse the web at the same time on Linux. My digital camera is in /mnt/camera. Has been that way for years.
If you're not a Liberal in your 20's, then you have no heart. If you're still a Liberal in your 30's you have no brain.
i can't see how it's the software's problem that the OS has an uneasily understood security model
It's the software's problem, then it's the user's problem, then it's the company's problem, then it's everybody's problem. Attributing blame to the front end does not stop the effects.
either you have privilege, or you don't, end of story
A bit is on or off, end of story.
It depends. If you have sshd running, it depends what username it's running as when it's running as a service, and if it authenticates against the NT users 'n groups (like MS telnetd that comes with Win2k - it even adds some encryption to make it more ssh-like), you take on the security policy of that specific user that you logged in as. If it doesn't, you take on the security policy of the sshd's running username.
It all depends on if the daemon you're authenticating against is authenticating you against the SAM database (i.e. your NT username/password). Then the NT security policies apply. IOW, programs that would be covered by this would include network shares, ftp, iis, etc. - they all authenticate against the NT users and groups. (I think they call it 'integrated authentication' now.)
Does that answer your question, or am I still misunderstanding?
Actually Windows XP (and now Windows Update is distributing a 9x/2K version of the plugin) auto-updates in its spare time.
Check your facts.
-Jayde
What's a sig?
runas is nice, but it really does not work as advertised. A lot of programs don't seem to work properly using runas, and pretty much no installer will (especially the 99% that require a reboot).
Besides, runas is only in Windows 2000. It is not in NT4, or any other Windows (unless maybe it is in XP). It is, in my opinion, too little, too late. People bitched about not being able to use Windows like unix, running as an unprivileged user and using su or sudo on the rare occasions when they were doing something (like installing) that needed administrative privileges. So Microsoft made runas, which pretends it is su, but really isn't as good a solution, because it does not really work.
it is the software's problem if the develops the app in such a way that it can only be run by the administrative user.
is grandma installing windows herself?
I could ... make my emacs mail mode invulnerable to the virus after about 10 minutes of coding, and without having to recompile anything.
and in windows i could tick off a checkbox that allows automatic scripting. Does that mean everyone does it? of course not. and if you think people are going to want to write code to fix their email virus vulnerabilities you have been smoking too much crack lately, my friend.
copy & paste between applications... install just about any program with a friendly looking installer instead of "apt-get install appname", "rpm -ihv appname", or "tar zxvf appname; cd appname; ./configure; make; make install" ?
1) SuSE sets up ssh automatically so I can login from remote machines. I never do this, but it's there and figuring out how to switch it off takes too much effort, so I never bothered. It won't allow root logins, but because I use the same password for my root account as for my email, and because my mail program saves my password, anyone who logged in as me could find out my root password easily enough.
2) Most users aren't used to the idea that they need to choose good passwords for local machines. Especially users coming from windows, which has virtually no remote access features, are quite likely to set their user passwords to something obvious, safe in the knowledge that the only person that has "physical" access to their box is them.
3) Combine this with an open ssh/xdm system, and you're asking for trouble. You don't even need to get a virus, just run a portscanner for SSH, then start a password cracking system. Most users don't pick good passwords, this is well known, and unless distributors take care to lock down systems SSH/XDM will come and bite their asses.
Last time I checked, unless I am root, I could not change, or over-write any setuid root app on my box. And this is how it's been for a long time.
however you CAN overflow them and send executable code through that DOES run as root.
I bet if the 'market share' of Windows and Linux was reversed, there'd be Linux viruses taking advantage of every root exploit available.
This happens already; people are already taking advantage of every remote (and local) root exploit available. There are many examples of poor programming on BUGTRAQ et al showing that linux applications can be just as poorly written. Marketshare has absolutely nothing to do with viruses.
Heh, I just went straight edge a month ago (finally quit nicotine and caffeine). The point is, I fix it, mail it upstream, they try it out, fix it up a little, within a few hours, you can download it from the fsf and all their mirrors. Only one person needs to fix it if they do it right. And unchecking that checkbox seems not to work for a lot of viruses (ie. spoofed mime types - looks to mailer like mpeg, mailer says to OS hey do what you do with this file, OS sees executable script, kablooie). I really hope I am not being trolled here...
...and this lie crawls out of its mouth: 'I, the state, am the people.'
*ix admins assume that because they have a secure _design_ they are free from exploit. The fact is you could just as easily exploit sendmail in 1988 as you could in 1998. You don't need to figure out design flaws when there are easier ways to gain access to a system. It's not just sendmail, either. Or bind. It's CGIs which allow you to run any command, etc. I think it could be argued that there is a design flaw in *ix because it allows any program running access to the outside world. Most people won't see it that way, though. They will continually believe that they have achieved some security nirvana and will foolishly believe that the only security issues present just need "ironing out." What they fail to see is there will _always_ be bugs present and there will _always_ be exploits.
Dijkstra Considered Dead
If Microsoft really wanted to sabotage Linux they would port Outlook to Linux - except that none of the distributions would have it on their disks and the Linux community would roar in anger if they did.
The reason that we don't have horrible design decisions in Linux like exist in Outlook is that Linux programs are designed by the people who write them - while programs like Outlook get features grafted onto them by clueless managers who couldn't write the programs if their lives depended on it.
The open source model tends to protect the code by the simple barrier of the requisite skill level needed to produce open source code; open source code effectively can't be produced by dumb asses.
...because there are no hidden files on Linux...
What? No hidden files? Hmmmm. What about dotfiles? Go to your home directory and type:
ls -lad .*
Those are pretty common. Of course, you could argue they're not really hidden from the user, since the command I just typed reveals them, and so will half the ftp clients and a number of the file managers out there in the world, and so only shell geeks who know how to reveal them consider them hidden anyway. Still... it wouldn't be hard for a virus to hide some part of itself in an obscure or innocuously named dotfile to make itself harder to notice or remove....
Libertarianism is rich wolves and poor sheep playing gambler's ruin for dinner.
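The concern in the comment above, that executable content can sit unnoticed in a dotfile, can be checked from the defender's side. The following is an added example, not part of the original thread; the function names, the heuristics and the sample tree are constructed for illustration.

```python
# Added example: audit a home directory for dotfiles that carry executable content.
# The heuristics (exec bit, ELF magic, shebang) are assumptions, not a virus signature.
import os
import stat
import tempfile

ELF_MAGIC = b"\x7fELF"

def reasons_for(path):
    """Return the reasons a regular file looks executable (empty list if none)."""
    st = os.lstat(path)
    if not stat.S_ISREG(st.st_mode):        # skip symlinks, sockets, FIFOs
        return []
    reasons = ["exec-bit"] if st.st_mode & 0o111 else []
    try:
        with open(path, "rb") as fh:
            head = fh.read(4)
    except OSError:
        return reasons + ["unreadable"]
    if head == ELF_MAGIC:
        reasons.append("elf")
    elif head.startswith(b"#!"):
        reasons.append("shebang")
    return reasons

def audit_dotfiles(home):
    """Map relative path -> reasons for every hidden file under `home`."""
    findings = {}
    for dirpath, _dirs, files in os.walk(home):
        rel_dir = os.path.relpath(dirpath, home)
        # Hidden means: the file name or any parent directory below home starts with a dot.
        in_hidden_dir = any(p.startswith(".") and p != "." for p in rel_dir.split(os.sep))
        for name in files:
            if not (name.startswith(".") or in_hidden_dir):
                continue
            full = os.path.join(dirpath, name)
            why = reasons_for(full)
            if why:
                findings[os.path.relpath(full, home)] = why
    return findings

def build_sample_home():
    """Constructed sample tree: one benign dotfile, two that deserve a second look."""
    home = tempfile.mkdtemp(prefix="dotaudit-")
    os.makedirs(os.path.join(home, ".cache", "fonts"))
    samples = {
        ".bashrc": (b"alias ll='ls -l'\n", 0o644),
        ".xsession-helper": (b"#!/bin/sh\necho constructed sample\n", 0o755),
        os.path.join(".cache", "fonts", "index"): (ELF_MAGIC + b"\x02\x01\x01\x00", 0o644),
        "notes.txt": (b"#!/bin/sh\n", 0o755),   # visible file, out of scope here
    }
    for rel, (data, mode) in samples.items():
        path = os.path.join(home, rel)
        with open(path, "wb") as fh:
            fh.write(data)
        os.chmod(path, mode)
    return home
```

Legitimate dotfiles such as ~/.xinitrc can also be scripts, so findings are candidates for review rather than verdicts.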
Actually, Windows' privilege model is quite ineffective. Many privileges control the LAN-Manager, not the OS Kernel itself (eg. "Create permanently shared objects")
There are privileges like "Control Auditing" - but there is nothing like "allow this process to only ADD audit records to audit files" or "allow this process to only READ audit files".
There is also nothing like "Allow restricted IOCTL calls", "Allow mount/umount".
Windows grants all privileges to users, not to the binaries in the file system. A process can not spawn a more privileged subprocess, because Windows does neither support setuid/setgid, nor does it support privilege sets for programs in Windows' file system. All these facts make the Windows privilege concept rather ineffective.
There are _much_ better concepts than the ones found in Windows - maybe take a look at IBM's OS/400, or at Argus Systems' Pitbull Foundation, which implements an even stronger Privileges/Authorizations concept.
On an Argus box, you could, for example, add the PV_FS_MOUNT privilege to the authorized privilege set of some new mount tool binary on your harddisk, and then add the MOUNT authorization to the privileged authorization set of the same binary.
(Maybe set FSF_EPS if the program does not know how to handle privileges)
When a user executes the binary, the operating system would only put the PV_FS_MOUNT privilege into the effective privilege set of the spawned process, if the executing user has the MOUNT authorization (and if the PV_FS_MOUNT privilege is in the limiting privilege set of the process, which execs the binary - commonly the user's shell).
A user without MOUNT authorization could now display a list of all mounted file systems, but he/she could not mount or unmount Filesystems.
Even a user WITH MOUNT authorization could not mount/unmount file systems, if his/her limiting privilege set has been downgraded and for this reason does not contain the PV_FS_MOUNT privilege any longer.
---
YES, we NEED more powerful privilege concepts in Linux (and in ALL other Standard UNIX systems as well), to protect the OS from privileged daemons which get hacked for some reason.
(And this is also the reason why OpenBSD is NOT really a secure OS - it highly depends on the fact, that only bug-free daemons have root privileges. A really secure OS would not grant any daemon something which is as powerful as root privileges just to open a privileged port or to use some funny special system calls)
Currently, only Trusted Unices offer strong security - however, most users do not need labeled information security (as defined by TCSEC B1), which is rather difficult to administer.
There should be some "light" version of a Trusted Unix OS without Mandatory Access Control (and maybe with a more simple set of privileges) for normal users.
regards,
octogen
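The exec-time rule described in the comment above can be written out as a small model. This is an added example, not part of the original comment and not Argus Pitbull code or its API: only PV_FS_MOUNT and MOUNT come from the comment, while every class, field and function name is hypothetical and the two marked assumptions fill in details the comment leaves open.

```python
"""Toy model of the exec-time privilege rule described in the comment above.

Only PV_FS_MOUNT and MOUNT come from the comment; every class, field and
function name here is hypothetical and is not the Argus Pitbull API.
"""
from dataclasses import dataclass

PV_FS_MOUNT = "PV_FS_MOUNT"
MOUNT = "MOUNT"

@dataclass(frozen=True)
class Binary:
    name: str
    authorized_privs: frozenset = frozenset()  # privileges the file may hand out
    privileged_auths: frozenset = frozenset()  # authorizations that unlock them

@dataclass(frozen=True)
class Process:
    user_auths: frozenset                      # authorizations of the executing user
    limiting_privs: frozenset                  # ceiling inherited across exec
    effective_privs: frozenset = frozenset()

def exec_binary(parent: Process, binary: Binary) -> Process:
    """Spawn a process for `binary`: privileges come from the file, not the user."""
    # Assumption: the user must hold every authorization listed on the binary.
    unlocked = bool(binary.privileged_auths) and binary.privileged_auths <= parent.user_auths
    granted = binary.authorized_privs if unlocked else frozenset()
    # The parent's limiting set caps whatever the file would grant.
    effective = granted & parent.limiting_privs
    # Assumption: the child inherits the limiting set unchanged, so it never grows.
    return Process(parent.user_auths, parent.limiting_privs, effective)

def drop_limiting(proc: Process, priv: str) -> Process:
    """Remove a privilege from the limiting (and effective) set of a process."""
    return Process(proc.user_auths, proc.limiting_privs - {priv},
                   proc.effective_privs - {priv})

def mount_tool(proc: Process, action: str) -> str:
    """Behaviour of the hypothetical mount tool once it is running."""
    if action == "list":
        return "ok"                            # listing needs no privilege
    if action in ("mount", "umount"):
        return "ok" if PV_FS_MOUNT in proc.effective_privs else "denied"
    raise ValueError(f"unknown action: {action}")

MOUNT_TOOL = Binary("mounttool", frozenset({PV_FS_MOUNT}), frozenset({MOUNT}))

def scenarios() -> dict:
    """The three cases from the comment, plus a shell started below a downgraded one."""
    operator = Process(frozenset({MOUNT}), frozenset({PV_FS_MOUNT}))
    guest = Process(frozenset(), frozenset({PV_FS_MOUNT}))
    downgraded = drop_limiting(operator, PV_FS_MOUNT)
    subshell = exec_binary(downgraded, Binary("sh"))   # plain binary, no privileges
    procs = {"guest": guest, "operator": operator,
             "downgraded": downgraded, "subshell_of_downgraded": subshell}
    return {who: (mount_tool(exec_binary(p, MOUNT_TOOL), "list"),
                  mount_tool(exec_binary(p, MOUNT_TOOL), "mount"))
            for who, p in procs.items()}

if __name__ == "__main__":
    for who, result in scenarios().items():
        print(who, result)
```

The last scenario shows why the limiting set matters for a compromised daemon: once the privilege is dropped from the ceiling, re-executing the privileged binary from any descendant does not bring it back.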
If Microsoft really wanted to sabotage Linux they would port Outlook to Linux - except that none of the distributions would have it on their disks and the Linux community would roar in anger if they did.
Yep, that is a very good point. I find it pretty odd that this kind of move by Microsoft is probably the only way Linux could gain general acceptance as a client OS in most businesses... and suddenly, for all the roaring of the community, Linux would sell well, would look a lot more like Windows, and would start seeing just as many viruses/worms as Windows currently does.
3. distributions that come with built-in security holes. (e.g., Lindows)
I think we've pushed this "anyone can grow up to be president" thing too far.
What FreeBSD does is install the kernel, X (if you request it), and networking with vi and some minimal programs. Basically a default Windows install! Add 10 minutes for a network install. A FULL install DOES take about 40 minutes, but no one does a full install. You usually do a minimum and then do sysinstall to choose the packages you want afterwards.
If you're not a Liberal in your 20's, then you have no heart. If you're still a Liberal in your 30's you have no brain.
Sure, it's not the fault of Windows per se but it is the fault of MS to not build their software tools to encourage proper security practice, to include proper security modeling in their OS certification program, and, in general, not getting the message out to their developer community in their mailings, educational programs, and developer conventions.
dan:
How did YOU find about Linux? If you found out, then so can anyone else. You and I are not inherently better. We just have educated ourselves. Anyone else can make that choice.
************
I found out about Linux because someone else told me about it. I then did quite extensive research on my own before knowing about all of its capabilities. Expecting others to have the time to do such research when they are not even aware the choice is out there is absurd. If someone told them about the choice, would they believe them? Not until they became a household name.
Think about it - why can brand-names charge so much for their product and still have the majority of the market, without being better than the alternatives? Simple, customers recognize the name, and know what to expect. Most people I know don't even know where Aldi is.
Expecting people to educate themselves on topics they simply don't care about is wishful thinking at best. You certainly couldn't convince me to educate myself on car topics. I'll simply ask my father-in-law. Therefore, my choice on cars is simply based on what I have driven around, and what others around me have bought. Since I don't know anyone with a Kia, I probably won't drive one. If I have heard _any_ horror stories with a car brand I don't know, I'll simply skip them, even if the story was made up by someone intentionally trying to discredit them, because how would I know?
************
dan:
About config files: let's be real honest here. When something breaks it usually requires getting down and dirty with the command line. Yes, a lot of the graphical tools are coming along nicely, but to be sure, there is much to be done.
*************
Well, a) I haven't had much break. b) Are config files really harder than the registry editor? You can use a nice GUI editor w/ config files and then restart the service using Red Hat's service manager. I don't see that as being harder than editing registry entries and then restarting services using Windows service manager, do you? Except that the registry often contains a lot of binary data, too.
So no, I don't believe either of your points are valid.
Engineering and the Ultimate
Microsoft has a badging program and has a huge bully pulpit that they could use to teach everybody that coding software that requires you to run it as administrator is bad practice and end users should not buy such software because it's a security disaster waiting to happen. They've had several years to get the message out and they've declined, all the while earning a well deserved reputation for security laxity.
MS doesn't bear all the fault but they do bear quite a bit of it.