WINE: A New Place for KLEZ to Play?

An anonymous submitter sends in this cautionary tale about Wine being maybe a little too good at emulating Windows. Update: 10/23 21:05 GMT by M : Better links: mirror 1, mirror 2.

yo yo

it's da rebellion! (extended "it's a trap" dance mix)

Wait a minute

[Old+Wolf]

Aww, I thought Linux users were too clever to run viruses..

Uhhhh....

[JoeLinux]

Nice thing about WINE is: it can be shut OFF, then there is no environment to flourish in. ("/usr/local? Hell, I'm trying to find C:\windows\system")

JoeLinux

Re:Uhhhh....

[Shoten]

Yeah, until you decide to turn it back on again, right? Windows machines have an "off" switch too...whether it's a matter of unloading from memory or powering down, it's no different.

Re:Uhhhh....

HAhahahahahahaha, yes, you are stupid.

Wine is an emulation layer. Klez can have all its fun inside of wine while wine is on. Luckily, all the nice linux stuff is spared from you armageddon.

Windows has an off switch, but it turns back on inside of Windows! You lose that and fire and brimstone will kill your family.

Re:Uhhhh....

[JoeLinux]

McAfee has a windows virus checker that works in linux. Genius idea. So you can run linux, protect Mickeysoft asshats from stupid virii, and even run their programs...and shut it off and scan for viruii when needed.

JoeLinux

Re:Uhhhh....

[NumberSyx]

Yeah, until you decide to turn it back on again, right? Windows machines have an "off" switch too...whether it's a matter of unloading from memory or powering down, it's no different.

You might want to rethink that statment. If you turn the power off on a Windows machine (or a Linux box for that matter), you have a paper weight until you turn it back on. On the other hand, I can completely uninstall Wine from my Linux box and still have a fully functional computer. There is a difference.

Re:Uhhhh....

virus
n. pl. viruses

*sigh*

Re:Uhhhh....

This reminds of last days some other OS when windows was emulating it. Redhat linux 8.0 and Mandrake 9.0 and other distro's are one of the best desktop I have seen so far from Linux. I use RH8.0 now everyday even at work I use winex to play some game The signs are on the wall that windows days are over and Linux is eating up the desktop market from windoze. I know Bill is having nitewares (hehe) about linux. M$ cash cow is desktop and office package and now Linux does that better people are adopting it left and right.

Re:Uhhhh....

On the other hand, I can completely uninstall Wine from my Linux box and still have a fully functional computer. There is a difference.

Well, except those things you were running Wine for in the first place.

Re:Uhhhh....

[Nailer]

Yes, but if your day requires you to run Outlook 2000 throughout your day, then its not practical to shut Wine off (the Ximian Connector still doesn't do everything Outlook does with regards to Exchange).

One mitigating factor: codeweavers do built in a protection against executable attachments in their winex product.

• Run Office setup fro myour menu (thats ~/cxoffice/bin/officesetup)
  
• Click configuration
  
• Hit the advanced button
  
• Notice the Outlook security tab, which is turned on by default. "prevent MS Outlook fro mrunning files with these extensions: vbs;wsf;vbe;wsh;hta;bat;pif;exe;scr;lnk"
  
• Wait for StarOffice to get anough market share to have its own real viruses.
  

Re:Uhhhh....

[ColaMan]

VET also has one as well - their distribution CD that gets mailed out quarterly is a bootable linux cd with a linux version of their scanner on it. Pretty good if your system's hosed.

Re:Uhhhh....

You're an idiot.

Re:Uhhhh....

viruii? That's new. I'm sure you mean "viruses", the actual plural of virus.

You are really fucking stupid. Also, anybody who calls Microsoft "Mickeysoft" is obviously twelve and/or rejected by society.

Re:Uhhhh....

[BorgCopyeditor]

On the other hand, I can completely uninstall Wine from my Linux box and still have a fully functional computer.

Sure, if by "fully functional" you mean "will not run those MS apps I installed Wine for in the first place."

Re:Uhhhh....

[mpe]

If you turn the power off on a Windows machine (or a Linux box for that matter), you have a paper weight until you turn it back on. On the other hand, I can completely uninstall Wine from my Linux box and still have a fully functional computer.

Also you can set up WINE so that any alterations to the virtual Windows environment are automatically undone. Whilst you can do this with Windows too it's more complex and not virus proof.

Re:Uhhhh....

[Hostile17]

Sure, if by "fully functional" you mean "will not run those MS apps I installed Wine for in the first place."

No loss there

Re:Uhhhh....

[brucmack]

Perhaps a more accurate comparison would be to a multi-boot windows machine... Since that kind of machine can uninstall the infected OS and reinstall it.

Oh, and if you've just uninstalled something that you use, how is it that your computer is still fully functional?

Figures

[marduk00]

Only the things you don't use or want work well with Wine.

Re:Figures

[siegesama]

Lotus Notes, for example.

Re:Figures

+6 funny :)

Re:Figures

[hdparm]

That's insightful mods, not funny

Re:Figures

[Ctrl-Alt-Del]

Some Windows software is pretty darn good, but Lotus Notes has a special Circle Of Hell reserved just for it. If you took all the shoddy products to come out of Microsoft HQ, and combined them into one super-shoddy product, you still couldn't come close to the stinking pile of crap that is Lotus Notes.

And I have to use the darn thing at work :'-(

Re:Figures

One question, if everyone here is so disgusted by MS products why use exchange over lotus notes?
after all lotus notes is capable of being installed on a linux server, and is very command line oriented.
I personaly love notes in its current format and have taken advantage of windows new feature to let me replace outlook with it.
We are experimenting with the offline services for Notes at work (dols) and I can now view all my email offline in html and once an hour it synhc's my mail. Notes is awsome, what is your issue with it ?

Re:Figures

[siegesama]

My day job is designing databases/applications for that mess. I recently was given an assignment to be completed in SQL, JSP and lemme tell you what, it's like a little slice of heaven.

Re:Figures

Notes 4.x and greater works just fine under wine. The real question is when are they going to just write a native client for it??

First Post Or ist it ?

[oh2]

Haha, WINE must be very scary for bill if it even runs the virii that prosper on his software....

Re:First Post Or ist it ?

[WetCat]

If you go to webster
you'll easily find that plural from virus is viruses...

Re:First Post Or ist it ?

[Anonvmous+Coward]

"If you go to webster [webster.com]
you'll easily find that plural from virus is viruses..."

I'm glad you clarified that. I was having trouble understanding what that guy said until you showed up.

Re:First Post Or ist it ?

[oh2]

Well, since I am a 31337 h4x0r I can call it what I want to. Whine on and your mailbox will fill up with actual cans of Spam. ;)

And no, I never use Webster, because SAOL is a lot better even if its only available in dead tree form.

Support your local hackers - preferrably with 2"x4"s.

Re: First Post Or ist it ?

[Black+Parrot]

> If you go to webster [webster.com] you'll easily find that plural from virus is viruses...

What does it say about the plural for "anal retentive"?

Re:First Post Or ist it ?

[WetCat]

Actually, that post was a troll. I know he used the word "virii" just for fun...
May be a new word - virii - plural from virus (computer virus) ?

Re:First Post Or ist it ?

[MrResistor]

If you go to webster [webster.com]
you'll easily find that plural from virus is viruses...

You will find nothing of the sort, since webster doesn't list a plural form of "virus". "Virii", which is correct according to the rules of the english language, is not listed at all, and "viruses" produces the page for "virus", not "viruses".

If you're going to play spelling nazi, you need to start checking your sources a little better.

Re:First Post Or ist it ?

Correct usage

Re:First Post Or ist it ?

[damiangerous]

You will find nothing of the sort, since webster doesn't list a plural form of "virus".

Dicionary.com does though. As does my OED on CD, though they don't have a free version online I can link to.

"Virii", which is correct according to the rules of the english language

You are very much mistaken. I challenge you to find a dictionary or usage guide that supports you.

If you're going to play spelling nazi, you need to start checking your sources a little better.

Says the pot to the kettle. Even the most basic of research would have led you to a plethora of papers demonstrating your error, such as this one and this one.

Re: First Post Or ist it ?

Anuses retentive

Re: First Post Or ist it ?

[syrinx]

What does it say about the plural for "anal retentive"?

Well, for one, anal-retentive is hyphenated...

Re: First Post Or ist it ?

[Black+Parrot]

> Anuses retentive

What? Not ani retenti ???

Re:First Post Or ist it ?

[Phong]

"Virii", which is correct according to the rules of the english language

I'd sure love to hear what those rules are. If you're planning to cite the Latin rule of turning "us" into "i" keep in mind that (1) not all Latin words that end in "us" pluralize using this rule, and (2) you're turning "us" into "ii".

Extra credit: pluralize the following words:

plus, cus, minus, status, ROUS .

Re:First Post Or ist it ?

US english is different from english, clearly.

Re:First Post Or ist it ?

plus, cus, minus, status, ROUS

that's easy: plii, cii, minii, statii (oh that sounds cool), roii...

so git wit da statii quo, dude, maek ur own langwage up as u go,

Re: First Post Or ist it ?

That should be "hypen-ated".

Re: First Post Or ist it ?

No, it isn't.
i.e. http://www.dictionary.com/search?q=anal%20retentiv e%20personality

Re:First Post Or ist it ?

[the_real_tigga]

even more clearly, english latin (US or other) is different from latin (or Roman) latin.

Re:First Post Or ist it ?

[IXI]

Funny that you list ROUS here because this is also the last name of a "pathologist who discovered viruses that cause tumors" (from WordNet 1.7)

Re: First Post Or ist it ?

[Rares+Marian]

Adjective phrases do not have singular nor plural case.

Hello, hello.

I'm trapped in the server ! Help me !
-ct

Alright

[EggplantMan]

I know alot of software developers are anal retentive perfectionists, but this is going a little too far. What's next? EULA emulation?

Re:Alright

[ErikTheRed]

Software developers that are anal-rententive perfectionists start spasming after a few seconds of dealing with the atrocious pile of shit that is the Win32 API, so I wouldn't worry.

Re:Alright

I know a lot of anal retentive perfectionists who will tell you that a lot is supposed to be two words... me, for instance.

Re:Alright

The X api is much better?

Re:Alright

[ErikTheRed]

Yeah, yeah, I try to limit my flames to one per post... Plus it's always safer to bash M$ than it is *n?x around here...

Re:Alright

[blerg]

I know alot of software developers are anal retentive perfectionists, but this is going a little too far. What's next? EULA emulation?

I really think they should embrace and extend the EULA with the simple addition of a large fonted, capitalised "Just kidding!" right at the end.

Re:Alright

[dylan_-]

I really think they should embrace and extend the EULA with the simple addition of a large fonted, capitalised "Just kidding!" right at the end.

Naw, just make it that the user must click "I do not accept" to continue the installation...

/.'ed, here's the google cache

[SexyKellyOsbourne]

That was fast...

http://216.239.39.100/search?q=cache:rlPIVlLKgJQC: articles.linuxguru.net/view/198+&hl=en&ie=UTF- 8

Re:/.'ed, here's the google cache

[CrosseyedPainless]

Just for the record, you are an assclown.
:)

Re:/.'ed, here's the google cache

this is CRAP! do not click!

Re:/.'ed, here's the google cache

Stupid moderators.

DO NOT CLICK ON THAT OVERRATED LINK.

[stupid lameness filter]

S

Re:/.'ed, here's the google cache

[manduwok]

Ok, did anyone else get linked to a site that merely said "Hey everybody, I'm looking at gay porno?"

Re:/.'ed, here's the google cache

Mod this down. Some of us are at work!

Re:/.'ed, here's the google cache

[werd+life]

Umm, anyone who marked that informative obviously
didn't bother to check the links. thanks guys!

Re:/.'ed, here's the google cache

WARNING! the link above is a troll link! do not use

Re:/.'ed, here's the google cache

Dude, that's not even funny.

Re:/.'ed, here's the google cache

[Zio_Ralsa]

You stupid retarded fuck, My mother is in the same room. Mod this dumb shit down

Re:/.'ed, here's the google cache

Thanks for the porn.

Re:/.'ed, here's the google cache

you, sir, are a piece of shit

Re:/.'ed, here's the google cache

[fobbman]

Warning!! That is NOT the cache. DON'T CLICK IT!!!

Re:/.'ed, here's the google cache

[Globulatrix]

I think if you save up karma you can actually post something at "+2" right off the bat in exchange for that karma.

That's probably what happened here.

Re:/.'ed, here's the google cache

[Old+Wolf]

Anyone who clicked that link didn't bother to engage their brain today. Since when do Google links not say [google.com] after them, or contain other website addresses in the middle?

Re:/.'ed, here's the google cache

I bet she nearly had a heart attack. She'll probably take you to the priest tonight to get blessed/exorcised/baptized/buggered. Have fun!

Re:/.'ed, here's the google cache

You stupid retarded fuck, My mother is in the same room.

That's your fault, not his.

Re:/.'ed, here's the google cache

[jonadab]

> I think if you save up karma you can actually post something at "+2"
> right off the bat in exchange for that karma.

This surprised me the first time it happened. I posted something, and
then I got the message that it had been moderated +1, and was now
scored 3. I went, "huh?" because previously my posts had started out
at 1.

Re:/.'ed, here's the google cache

[IAgreeWithThisPost]

hahah genius!

propz to sexykellytroll

propz to the former CLITS

Re:/.'ed, here's the google cache

That was fast...

http://216.239.39.100/search?q=cache:rlPIVlLKgJQ C: articles.linuxguru.net/view/198+&hl=en&ie=UTF- 8 [216.239.39.100]

I'd mod you up funny as that except I've already posted in this thread :(

Re:/.'ed, here's the google cache

Yet another reason to use w3m.

Re:/.'ed, here's the google cache

If your mother was in the same room as the picture, I'm not surprised you're so upset. So is one of them you? If so, what're you doing on Friday night?

Re:/.'ed, here's the google cache

[LighthouseJ]

haha, I read everyone's responses and I know what they are talking about, I got hit by it a few times last semester (yes, my biological calendar runs on semesters, not report card periods, fiscal years or whatever). Good show old boy.

Re:/.'ed, here's the google cache

[jez9999]

Anyone who clicked that link didn't bother to engage their brain today. Since when do Google links not say [google.com] after them, or contain other website addresses in the middle?

Links to Google caches point to IP addresses, not the google.com domain, so they never say google.com. And they always have the URL of said cached site in the middle.

Re:/.'ed, here's the google cache

[werd+life]

Once again. we need a moderator boot camp
or something. Offtopic? gimme a break.

Well

[RestonVA]

The /. is never far

SLASHDOTTED ALREADY

After seven posts!!?? Criminy people? how am I supposed to learn how windows sucks if you keep making IIS explode!?

Re:SLASHDOTTED ALREADY

I hardly think linuxguru.net runs on IIS.

Re:SLASHDOTTED ALREADY

that was part of the joke, weaselfucker.

Why Emulate Windows

[Zio_Ralsa]

Why emulate windows... it is a piece of crap in my opinion. Microsoft will probably buy them out now.. Microsft will buy anything that opposes them in lieu of putting up a fight. Take the X-box for example, why compete with Nintendo when they can buy all of thier 2nd and 3rd party developers... fuck you Microsoft, fuck you.

Re:Why Emulate Windows

No... FUCK YOU!

Fucking asswipe moron shithead.

(Welcome to /.!)

Re:Why Emulate Windows

[Zio_Ralsa]

What the hell is your problem. I am just voicing my damn opinion.. Microsoft is a big monopoly which BUYS ALL OPOSITION!!!!! So you can go to hell.

Re:Why Emulate Windows

[diaper_tales]

nice try.. :)

Re:Why Emulate Windows

Microsoft is a big monopoly which BUYS ALL OPOSITION!!!!!

A true monopoly would mean Linux and MAC OS and all others would not exist.

monopolistic != monopoly

WOW!!!

[Kip+Winger]

Microsoft all ready bought them!

/.ed

6 comments in and already burned up.

Too good at emulating?

[entrager]

I don't think so. I think it's pretty amazing that this could occur within Wine. I'd be VERY pleased if I were a Wine developer.

Re:Too good at emulating?

[L33t-Geek]

Yes this is the ultimate complement for a developer of wine. When somthing as complex as klez (find out how it works at http:\\www.sarc.com) can run. Thats pretty impressive. I wonder what kind of effects it can have? Could this even be a new target audience for the lamerz that write viruses? -Geek

Re:Too good at emulating?

[AtrophyUnfelt]

It's actually an old Hot Topic shirt. =P

Re:Too good at emulating?

[PylonHead]

Actually, I would be very pleased if I were the Klez developer.

Don't click on the google cache

Mod the parent of this thread down instead of modding it up assuming its a google cache. ITS NOT!

and that would be

my first first post, thank ya! thankyaverymuch! I'm here all week!

PARENT IS NOT A GOOGLE LINK

That's not google...

Re:PARENT IS NOT A GOOGLE LINK

Wait a second, that wasn't a google cache :(

Dam assmonkey

Simple enough...

[toupsie]

Get a Mac. You can still run Linux and Windows and neither can cause catastrophic damage to your system. As a bonus, you get a pure UNIX system as opposed to a UNIX-like system.

Re:Simple enough...

And for no added cost to Apple you get:

(1) A Bigger charge on your credit card.
(2) Less fun hardware to play with.
(3) Only Aqua on your desktop.
(4) A single button mouse. Like you really used those other two.
(5) To pay for the next bug fix. Just like Windows.

Not tell me again why I would want a Mac?

Re:Simple enough...

[toupsie]

(1) A Bigger charge on your credit card.

I can buy a more expensive x86 based system than Apple makes -- SONY and IBM are too good examples. If you want to be a cheap, go ahead. But its probably the reason you are not hittin' it often...if at all. Chicks dig a phat wallet not a fat ass.

(2) Less fun hardware to play with.

How would you know? If you never played with it because you are too cheap to own one. I play around with Mac hardware all the time. Overclocking, case mods, etc.

(3) Only Aqua on your desktop.

I also have Graphite, KDE and Gnome as choices on my desktop in Mac OS X. Do you even know what you are talking about?

(4) A single button mouse. Like you really used those other two.

My Kensington Turbo Mouse has 5 buttons along with a scroll wheel on it. Where do you get this one-button mouse only idea? Guess you never used Mac OS X before.

(5) To pay for the next bug fix. Just like Windows

I get free updates when they are available. Where do you get this idea? Have you ever used Mac OS X?

Not tell me again why I would want a Mac?

You can actually get something done and run UNIX at the same time?

Re:Simple enough...

[Farley+Mullet]

Okay, I know i'm feeding the trolls, but on at least three of your counts, you're just plain wrong:

Only Aqua on the desktop - I suppose that you're comparing it to all the choices availibe for Linux, but the thing is, with fink packages, you can run X with which ever window-manager and desktop environment you want, either rootless alongside Aqua, or in its own full screen. So if you happen to be a big AfterStep fan, for instance, you can run it fullscreen and only be a hotkey away from the Aqua desktop.

A single button mouse - Having owned my Powerbook for a few months now, most of the time when I use the single button trackpad (and keyboard modifiers), I don't notice that I'm missing much (even using Gnome apps that I used to run on my Linux box), but when I do need a 3 button mouse, I just plug my old USB mouse in, and it, uh, works.

To pay for the next bug fix - Bugfixes and security updates come free, and fast via software update. So do "point" OS revisions like 10.2.1. You do have to pay for major OS revisions (like 10.2), but that's an entirely different thing than a "bugfix"

Re:Simple enough...

Dude, calm down. I am sure you don't have to worry about hitting off with the chicks, but I am sure all your ass-buddies love your cute little mac. .

Re:Simple enough...

[NetFu]

Oh come on!

As an ex-Mac user of 9 years, I can honestly see your B.S. from a mile away. VMWare (not to mention VirtualPC for Windows) will let you run Linux or anything else except the Mac safely in your Windows PC. And I have no use for the Mac OS any more, anyway.

And if you want a "pure" UNIX, try one of the FREE flavors of BSD -- did I mention those "pure" UNIXes were FREE? I used Mac OS X since it was called NeXTStep 3.1 (up through Mac OS X 10.1), so I can tell you that Mac OS X is FAR from pure in the UNIX world.

I never thought I'd see a Mac user touting the value of a Mac as being its UNIX "purity". Oh, how the world is CHANGING...

Wine is not an emulator ...

[sammaytg1]

It's a linux implementation of windows apis. IT really shouldn't be suceptable to virii like windows is. I would really like to know more about this (the article has already been slashdoted)

Re:Wine is not an emulator ...

[SpamapS]

Its not just "windows" that is susceptible to viruses. It is the API that is too trusting, and the file permissions. When you run wine, you generally own all of the files (default is ~/.wine/fake_windows). So you're going to be able to do anything you could on a windows box.

Its not all that surprising that a virus would run without problems. Many of them do exploit actual bugs in the Windows code, but most of them just make regular old crappy Win32 API calls.

Re:Wine is not an emulator ...

[shadow303]

I read it before it was picked up here. Some guy got an email with the virus attached. He wasn't paying much attention, and he clicked to open the attachment in Kmail. Because of MIME stuff (or something like that), it associated the executable with wine and it was up and running before he realized what he'd done.

Re:Wine is not an emulator ...

[doc_side]

Umm, why shouldn't it be susceptible to 'virii', like windows is? Never mind that linux can be infected with a virus... Now your telling me that something that was reverse engineered to run windows programs, with bug for bug compatibility, can't run some virus that is running win32 specific code?

Re:Wine is not an emulator ...

[cjpez]

I was under the impression that the goal of the Wine project was to not only implement all of Windows' API, it would also implement the APIs such that any bugs which would occur in Windows would also occur in Wine. To make the environment as nearly identical as possible. I could be wrong, though . . .

Re:Wine is not an emulator ...

it took me a few mins to read this post, then look up the links to support my claims... i had to go put something on the stove, and then preview and submit my post.. prolly took 10 or so mins with distractions. so now i post, but someone posted within my 10 min span, and now i'm redundant.

Re:Wine is not an emulator ...

[Dog+and+Pony]

That always comes up, "Wine Is Not an Emulator". Well, doesn't they say that more because they want a cool recursive acronym than anything else? :)

It is more than just an implementation of the API, since it obviously emulates the registry and some file system capabilites. Granted, this may be just because this api needs it to work, but it still takes it beyond just the api.

ObDeadServerComment

The server is apparently running IIS under Wine.

Re:ObDeadServerComment

[L33t-Geek]

No way it could be this unstable and running on a linux box. Id guess its running Windows 3.11 for work groups with a 3rd party webserver. -Geek

Re:ObDeadServerComment

Dammit Dammit Dammit. Every time I post a trollish AC comment I get a +5. Arrrgh.

Damn it...

[SexyKellyOsbourne]

No infinite popups, no Nimda attacks, no -blasting- WAV file, nothing.

Try this instead:

http://dms100.org/worksucks/

Re:Damn it...

you are still a piece of shit

That's some hot shit.

[Kip+Winger]

I'm masturbating to it right now!

Wine and / mounted as Z: ?

[Havokmon]

I swear when I read the article earlier today (It was posted on Desktoplinux and NewsForge already), that the guy said that by default, "/" was mounted a Z:.

I've just recently done a wineinstall to clean out my wine settings, and I don't have a Z:. Does that happen if you're running as root?

The only potential issue I can see is that your whole home directory is 'shared' between Linux and Wine by default.

Maybe I just read ~/ as /

Re:Wine and / mounted as Z: ?

[IamTheRealMike]

I swear when I read the article earlier today (It was posted on Desktoplinux and NewsForge already), that the guy said that by default, "/" was mounted a Z:.

CodeWeavers Wine and WineHQ CVS setup their initial configuration differently I think. You can alter what drives are mapped to what easily enough in the config file, or using the configuration GUI.

Re:Wine and / mounted as Z: ?

[ShavenYak]

Typically the reason some Wine installations create Z: mapped to / is because when Wine starts, it needs to be able to find your current directory and the windows executable you are running in a space that's mapped to a windows drive.

In other words, if I'm sitting at a prompt in the directory /usr/local/sasquatch and try "wine bigfoot.exe" to run the bigfoot.exe file, unless there's a Windows drive mapped that gives access to /usr/local/sasquatch I'm gonna get an error. Mapping a drive to / prevents the error.

Still, if you run wine as a non-root user, the windows processes shouldn't have access to anything to which your user doesn't have rights.

Re:Wine and / mounted as Z: ?

[Havokmon]

In other words, if I'm sitting at a prompt in the directory /usr/local/sasquatch and try "wine bigfoot.exe" to run the bigfoot.exe file, unless there's a Windows drive mapped that gives access to / usr/local/sasquatch I'm gonna get an error. Mapping a drive to / prevents the error.

I realize that, but that wasn't my question. I think my question would be, Why would someone ever do that? I mean, at least there's an /opt or /usr debate for Linux apps. It just seems overly excessive to me to allow 'Windows' access to the whole drive. (Or drives, EVERYTHING is mounted somewhere under root)

Especially if you happen to have su'd to root, and forgot to exit - say you walked away from your desk. Yeah, I know Wine's config has historically been per user, but I believe a global config is on it's way, if it's not here already.

Everyone rips on Lindows for running users as root, I think if someone is distributing a Wine rpm with a root drive mapping, they should be flogged too. I thought Security meant starting with nothing, and granting pieces as you need them?

Re:Wine and / mounted as Z: ?

[dolmen.fr]

I've just recently done a wineinstall to clean out my wine settings, and I don't have a Z:. Does that happen if you're running as root?

Are you crazy to run Wine as root ?

Oh, yes, I got it: you want a true Windows emulation of course!

Re:Wine and / mounted as Z: ?

[Havokmon]

I've just recently done a wineinstall to clean out my wine settings, and I don't have a Z:. Does that happen if you're running as root?

Are you crazy to run Wine as root ?

Yes, you would be crazy to run Wine as root. I merely asked what would cause a Z: drive to appear mapped to '/'. Would Installing Wine as root cause that config?

You apparently COMPLETELY misread what I wrote.

Or more likely, this being Slashdot and all, you never read the article which said the guy who was infected had Z: mapped to '/'.

Re:Wine and / mounted as Z: ?

[ShavenYak]

I think my question would be, Why would someone ever do that? I mean, at least there's an /opt or /usr debate for Linux apps. It just seems overly excessive to me to allow 'Windows' access to the whole drive.

I agree, and I don't give Wine access to anything but a fake C drive, the floppy, the cd-rom, /home/(user), and a shared data directory to which all the users have access.

Everyone rips on Lindows for running users as root, I think if someone is distributing a Wine rpm with a root drive mapping, they should be flogged too.

In defense of whoever packages Wine like that (if anyone), it still won't allow a malicious Windows program to do anything a malicious user or Linux program couldn't do on its own. The Windows binary has only the privileges of the user running Wine.

Re:Wine and / mounted as Z: ?

[Havokmon]

In defense of whoever packages Wine like that (if anyone), it still won't allow a malicious Windows program to do anything a malicious user or Linux program couldn't do on its own. The Windows binary has only the privileges of the user running Wine.

I've found it very easy to su to root, walk away, and completely forget that that particular console is root.. Yes, I've accidentally run Wine as root that way - Of course it didn't work because it couldn't find a config...but if they're not already here, global configs are on the way.

Re:Wine and / mounted as Z: ?

[ShavenYak]

Not to be picking at you, because I've done it myself - but if you walk away from a root console, the security of Wine is the least of your possible worries. I wish su had a timeout, where if you didn't use it for a couple minutes it would exit (only if it was at the shell prompt, obviously).

Incidentally, I don't think Wine is actually reading /etc/wine/config yet, but the current Mandrake packages (at least, possibly others) will copy the /etc/wine/config to ~/.wine/config if the user doesn't have a config already.

Re:Wine and / mounted as Z: ?

[Havokmon]

Not to be picking at you, because I've done it myself - but if you walk away from a root console, the security of Wine is the least of your possible worries.

Heh. Good point. But the odds of someone walking into my office and knowing how to operate my Linux desktop are about slim and none. And you're assuming my screensaver doesn't lock :)

It IS, though, entirely possible that I could try and run something in Wine that would be dangerous to my desktop.

Now, my Netware console isn't locked, so a root window on my desktop really is the least of my worries :P

Old Story, Kinda

[GigsVT]

There was a story a year ago about sircam running on Wine.

I'll say this only once...

[iceT]

If you lie down with dogs, you'll get up with fleas...

Does anyone know if Norton Anti-Virus runs under Wine? ...anyone...?

Re:I'll say this only once...

[Graspee_Leemoor]

"If you lie down with dogs, you'll get up with fleas..."

More like if you lie down with dogs you'll get on farmsex.com.

graspee

Re:I'll say this only once...

[Ed+Avis]

There was recently some discussion on the Wine newsgroup about limiting emulated applications' access to the system. This could be handy for dealing with semi-malware or just programs that don't fully like the emulated environment (and might need to be prevented from doing too many suspicious is-it-really-Windows checks). The reply was that since a Wine emulated program is running as an ordinary executable, it could call Unix system calls anyway, so there would be little point (from a strict security point of view).

However, something like NetBSD's and OpenBSD's recently added feature to monitor system calls and define policies could potentially be very handy for running binary-only programs you don't fully trust: and of course most such programs are on the Windows platform.

Re:I'll say this only once...

[spinlocked]

Does anyone know if Norton Anti-Virus runs under Wine?

No, but:

# rm -rf /usr/local/wine

does.

Re:I'll say this only once...

[alienw]

As much as I hate to shatter your imaginary world, I have to say that NAV is a completely useless program designed to suck money out of your pocket. There are no more viruses on Windows than there are on Linux. What gets media attention are the Outlook scripting worms, and the only reason Linux can't get them is because it doesn't have Outlook. Run Outlook under wine, and you will get the same worms. It's not a fault of the OS, be it Linux+Wine or Windows, but a problem of the Outlook application.

Re:I'll say this only once...

[Camulus]

I would say about 95% of the time you are right, but Outlook and Outlook Express are not the only things that cause problems. However, there have been several other issues especially with the Indexing Service and IIS. Remember Code Red and Code Red 2?

Re:I'll say this only once...

[joto]

Does anyone know if Norton Anti-Virus runs under Wine?

No, but:

# rm -rf /usr/local/wine

does.

That would be a wine-bug then. Windows (NT) file-protection should make it impossible to delete an already open file.

Re:I'll say this only once...

[Ozymandias_KoK]

Not to burst any bubbles, but Outlook is quite safe once you've got the security update, which has been out for some time now. Of course this does nothing for the installed base that have never been updated, but I suppose that's why MS is trying to buildup the autoupdate features more. (Moreso for the OS than Office, but still...)

Re:I'll say this only once...

[joto]

As much as I hate to shatter your imaginary world, I have to say that NAV is a completely useless program designed to suck money out of your pocket.

No it isn't. While a reasonably intelligent person with some experience with windows should easily be able to keep his windows box free of viruses, most users are not.

If you've ever been administering windows boxes for others, NAV corporate edition, or some other corporate antivirus software is really a life-saver.

There are no more viruses on Windows than there are on Linux. What gets media attention are the Outlook scripting worms, and the only reason Linux can't get them is because it doesn't have Outlook.

Last time I checked, there was about 3 viruses for Linux. I have heard some stories about new ones, so now there might be 10-15. The number of viruses on Windows increases with over 50 per month. As for the frequencies of those viruses: I've yet to actually discover a virus for linux (other than reading about it). On the other hand, with my windows box, I actually have to be careful.

What gets media attention are the Outlook scripting worms, and the only reason Linux can't get them is because it doesn't have Outlook. Run Outlook under wine, and you will get the same worms. It's not a fault of the OS, be it Linux+Wine or Windows, but a problem of the Outlook application.

Or outlook express, which is distributed as a part of the Windows OS. There are also problems with permissions (most linux distributions have somewhat sane permissions, most Windows installations have not (because after installing it, they are anything but sane).

And while there are few reasons to run anything as root under linux (except for the occasional sudo), the only practical way to use Windows is to be logged in with administrator rights (e.g. autocad requires this).

On the other hand, it is true that linux is susceptible to viruses just like Windows. The main thing going against that now is lack of popularity, and an educated user-base. But there are also lots of good technical reasons why it would be harder on linux. And the lack of outlook, default shares, IIS, and over-user-friendlyness certainly also help :-)

Re:I'll say this only once...

[iceT]

I have to say that NAV is a completely useless program designed to suck money out of your pocket

Uh-huh. Next you'll be telling me that it's all a conspiracy and that viruses are written by the AV vendors themselves.

There are no more viruses on Windows than there are on Linux.

I TOTALLY disagree with that statement. You can look at any virus tracking system and see that CLEARLY there are more viruses for Windows. *IF* you had said that Linux is no less suseptible to viruses than Windows, I actually might be inclined to believe you...

With one exception.

Most software in Linux was not designed to run applications automatically for the user. Windows software WAS EXPLICITLY DESIGNED to do that.

IE (and anything that uses that rendering engine, including Outlook, Outlook Express, and etc.) was designed to run VB scripts silently, without knowledge of the user, and with full access to everything the user has access to on that system.

The software on Windows was designed for ease of use above everything else. This design goal went through EVERY aspect of almost EVERY piece of windows software. From Office (macros) to Exchange (5.5 default IMS configuration was an open relay), and SQL*Server (default 'sa' account w/ no password). That's why your mother can use it. Security and easy to use are more contrary to one another than complimentary.

Since windows is designed to do everything as 'root' and also designed to do everything 'silently', it makes it a much juicier target for virus. Linux is, at a minimum, tougher to write viruses to. Most 'viruses' under Linux require that the user actively run a program.

Will Linux ever be 'immune' to viruses? Doubtful... but it at least makes it a LITTLE tougher for people to SPREAD the viruses.

Now... wanna talk about system vulnerabilites...?

Re:I'll say this only once...

but the file is not open based on the way *nix handles files. files are loaded into memory and not left open. even if the executable is deleted the program will still be running.

Re:I'll say this only once...

[dolmen.fr]

'Wine policies' would be a good thing, but doing it at the higher level would be better.
Maybe running Wine inside a restricted User-mode Linux would be the solution.

However the problem for theese restricted environments is the configuration: the UI must be powerful but easy to use or else nobody use it. You mostly need them when you want to test an unkown application just downloaded. You know that if you don't like the application you'll throw it away, so you don't want to waste half an hour to configure the restricted environment.

This is the case with Java policies: the Java VM has a powerful permission system, but it is so much a pain to understand (I have not yet figured it out) and to configure that nobody uses it. The consequence is with WebStart applications where developpers don't use restricted policies when signing, and instead ask the user for all permissions. How can I trust a text editor that asks "all permissions", which includes "access to the network"?

Re:I'll say this only once...

[Ed+Avis]

For end-users, there could be ready-made policies for the most popular applications. But by doing that you might be vulnerable to (spurious or otherwise) legal threats from the authors of those applications.

User-mode Linux is probably overkill; if you can restrict the system calls an application makes to the kernel then you have already controlled its access to the outside world. Although possibly a virtual machine approach would be simpler and so easier to secure.

As I said, a 'Wine policy' would be leaky, but kernel-level control of system calls (perhaps with a Wine layer on top to return nice error values to the application) should be watertight. Apart from covert channels (like signalling messages in Morse code by varying the system load), but it's not usually worth worrying about those.

Re:I'll say this only once...

Does anyone know if Norton Anti-Virus runs under Wine?

I don't know about wine, but it's not doing too well on the "family" win95 box these days. It seems to hate Eudora 5.1, blowing everything up in a BSOD. So I guess it's back to McAfee...

Re:I'll say this only once...

[daikaiju]

I doubt that Autocad require administrator rights (thought I admit I've never used it)... most likely if it's a W2K box the user will need power user (semi admin rights) or you need to loosen the registry settings with a security template. Both options are less secure and I would not use them if... forget it switch to Linux.

Slashdotted...sad

[NineNine]

Earlier this week it was a supposed "hardware guru" website that had an article about high performance web servers, and now it's "linuxguru" that gets Slashdotted. I can personally say that if you can't set up a server to take a Slashdotting, I put no stake whatsoever in what they have to say. If you can't set up a server to handle a spike in traffic, then you really don't know what in the hell you're talking about when it comes to server hardware/software.

Re:Slashdotted...sad

[GigsVT]

Most people don't understand that just throwing more computing power at the daemon doesn't help. Apache does not come in a default configuration that is ready for heavy use production. The default config is pretty conservative, to prevent it from crashing the whole OS.

Re:Slashdotted...sad

[LordHunter317]

Understand some people don't have enough bandwidth to handle a thorough /.'ing. Sooner or later, the site is goign to stop responding simply because you run out of effective bandwidth. Also understand not everyone can afford what they talk about.

Re:Slashdotted...sad

[NineNine]

You're exactly right. It's that way with *any* web server. That's what I'm saying... you can't be much a "guru" of any kind if you can't tweak a web server/database server to take a serious load.

Re:Slashdotted...sad

[LordHunter317]

That wasn't what I was quite referring to.
I meant physical bandwidth, like a T1. Chances are, if your pipe is small enough, the site is going to stop responding during a /.'ing no matter how good your server is. I could rig up a Quad PIII box to serve a site, but you're still not getting in if my only pipe is a 56K modem.

Re:Slashdotted...sad

[NineNine]

Well, in all actuality, it's just burstable bandwidth for most sites... so what I'm wondering, is every Slashdotted site served off of somebody's cable modem at home? *Any* decent pipe should be able to handle a few thousand new users a second. If my server did this, you can be damn sure I'd be asking for a refund.

Re:Slashdotted...sad

[scenic]

That's not really fair. It's expensive to put up a site that can handle a slashdotting. Think of sites that host via a third party or shared hosting to keep costs down.

There are a lot of smart, knowledgeable people out there who don't want a $500+/month hosting or bandwidth+power bill.

Sujal

Re:Slashdotted...sad

If you're setting up a quad PIII web box to run over a 56k modem, then you sure as hell are clueless.

What you probably meant was places like hosting sites that limit you monthly.. once that 15/30/45 gigs runs out, zip, that's it.

Re:Slashdotted...sad

Understand some people don't have enough bandwidth to handle a thorough /.'ing. Sooner or later, the site is goign to stop responding simply because you run out of effective bandwidth. Also understand not everyone can afford what they talk about.

Why is it when a Linux related site gets slashdotted its a bandwidth issue and when its a Miscrosoft site...its Microsoft?

Re:Slashdotted...sad

[MarcoAtWork]

between being able to set up a server that can take a Slashdotting and being able to afford a setup that can take a Slashdotting there is quite a difference (esp. in your bank account after you get the bandwidth bill...)

Re:Slashdotted...sad

[LordHunter317]

Even so, you can still 'burst' the bandwidth past the point where it the network can handle it.

Though I'm fairly sure the server is probably poorly/not correctly configured as well. Though a lot of times, I bet they don't know they are goign to get /.'d until its too late, and don't change their config until its too late.

Not that laziness is an excuse for this kinda event.

Re:Slashdotted...sad

[AntiTuX]

2 words: static webpages.
I know for a fact that if my ass was getting slashdotted, I'd be setting up static webpages faster than you can say "holy fucking shit where's my bandwidth?" I personally make a static archive of all my dynamic pages automatically just in case something like that happens. The problem lies in the fact that slashdot doesn't archive sites, nor do they give any type of notice before bringing the hordes of lamers from all over the internet to that site's front door. That's a "bad" thing.
I wonder if anyone's brought a lawsuit against slashdot(or their parent company, OSDN) for effectively destroying their servers.

Re:Slashdotted...sad

[Neck_of_the_Woods]

Well that is great, lets assume your servers...being a porn site listed on your sig are set to handle this sort of thing. That is great, and I will also assume that you have a burstable t1/ds3/oc connection. Great for you. Not everyone running a sites has this set up. Some people have one server, with a t1. Which is very easy to slashdot. Not a server farm, jacked to the nines(pun intended) with a burstable ds3.

Re:Slashdotted...sad

> If you can't set up a server to handle a spike in traffic, then you really don't know what in the hell you're talking about when it comes to server hardware/software.

And I guess if you can't build a skyscraper to withstand a 7-6-heavy kamikaze, you suck as an architect.

Right?

Re:Slashdotted...sad

[csnydermvpsoft]

I wonder if anyone's brought a lawsuit against slashdot(or their parent company, OSDN) for effectively destroying their servers.

That'd be like a store suing a newspaper for giving them some good press and swamping them with customers. Though /. giving sites a few hours' notice would be a good thing IMHO.

Re:Slashdotted...sad

[rbenech]

Maybe the wonderful coders at OSDN should make a 'SlashCache' (static page) of a page that is mentioned on the front of an article instead of relying on the article submitter to link to a google cache. It would be automatic of course. And the static page would revert back to a direct link after volume drops.

Re:Slashdotted...sad

I can personally say that if you can't set up a server to take a Slashdotting, I put no stake whatsoever in what they have to say. That's a pretty foolish attitude.

Someone can know what they're talking about, but still have a slow pipe. Someone can be an expert -- even at networking issues -- and find working with web servers (especially huge overkill-behemoths like Apache) to be uninteresting. Someone can have something worthwhile to say, and have no idea that they're about to be Slashdotted.

I think it's really funny that you think a "hardware guru" should know (and care) enough about web servers to take a slashdotting. You have an unusual concept of hardware.

Re:Slashdotted...sad

[The+Bungi]

Have you ever talked shit with your friends (if you have any) or fantasized about, oh, owning a Lamborghini Diablo or dating a supermodel? Or maybe just improving your personal hygiene?

Well, you better get on it bud. Because by the tone of your post it seems you espouse that if you even think about something then you should also, by definition, be able to do it - and more importantly, afford it.

Bandwidth costs money. It has more to do with economics than with vaunted technical skills like yours.

Re:Slashdotted...sad

[CodeShark]

Good point, AC, I'd give you a moderator point if I had one available and you'd logged in.

In my case, for example, consider this: having done this for a few years now, I can set up one Linux or BSD based machine as a great web server capable of fully loading a T-1 or larger data pipe. Static pages, images, streaming software, dynamic pages, the whole nine yards. Could probably do a passable job setting up a set of machines to act as a transparent site even if it took setting up a small cluster of machines to handle the load (images on one machine, data on another, apps, etc. on the main web server, email somewhere else, etc.). I won't say that I could do it with half my brain tied behind my back, no sleep in a couple of days, one hand in a cast, or some big brag, but it's just not that difficult once you have done it a few times and hung around the security conscious folks enough to learn what it takes to secure a machine or set of machines from malicious outsiders. [Give me a couple decent developers and together we'd could make any site you wanted really scream in just a few days].

With my average or better web server setup skills, does this mean I am using my own server setup? No, and I don't plan to any time soon, because none of my skills can prevent a wonderfully configured site from getting /.'ed because the bottleneck isn't usually in the machine, but the size of the data pipe connected to it.

Consider this as well: I usually locate my sites at one of a few good web hosting companies that have good co-location points and massive datas pipe to/from their server farm(s). So the server and the data pipe can handle it, if I want. However, for most sites I set up, I don't want or need the risk of getting a surprise high dollar bandwidth bill because /. or similar is suddenly pointing at my site and hogging all of the hosting company's bandwidth? No. Do I want have or want to spend the money to set up my own data center? No.

Why not? Because IMHO one of the best things about the 'net is that it gives many people who would not otherwise be "heard" a place to give voice to whatever message they deem important. One of the worst things about the net is that some people confuse tech savvy with message, just as the previous poster did.

Do I have something worthwhile to say? Occasionally. Should you respect what I or another writer has to say, when it is worthwhile, no matter what bandwidth they have available to them? I hope so, and for myself I would rather listen to and support the person with one wise voice pushing text messages on a slow data pipe than spend my time and money on a thousand fools pushing worthless content on a fat one.

Re:Slashdotted...sad

[Jonathan+the+Nerd]

This has been addressed before. (My suggestion: email the site administrator an hour or so before the article is posted to give them time to prepare for the pounding.)

WINE emulation too good?

[grahamlee]

Hi folks!

The new version of WINE is available! It costs a mere $450 per seat, and after an extensive rewrite of the Windows ABI emulation exports NO functionality whatsoever!
BTW for optimum emulation, we recommend running WINE at nice -20.

COMING SOON - WINE SP1.
The all-new WINE Service Pack removes the ability to run MS-DOS programs, and stops you viewing any digital broadcast medium. This is to enhance your computing experience.

W00t!!

Way to go WINE!!!!

So, the question now is; Does WINE run Norton AV, McAfee, or InoculateIT?

WINE can't emulate it.....

[Kip+Winger]

First off, WINE does not even have the ability to emulate Windows. WINE does not have the power or capability to EVER emulate Windows or any microsoft product. Next time you lie something, slashdot, make sure you know what you're talking about.

Ah yes, Wine . . .

[Pike65]

All of the advantages, none of the . . . oops.

Re:Ah yes, Wine . . .

Actually, it has all too many of the oopsies, it would seem...

Re:Ah yes, Wine . . .

[MAXOMENOS]

Alas, if only WINE ran Visual Studio so I could get my MCSD without putting WinXP on my box..

Re:Ah yes, Wine . . .

[seann]

runs visual basic quite good

Warning!

Above link is not cubicle safe!

The good comes with the bad

[sjbe]

Kinda obvious but easily forgotten. Being able to run windows apps is a two edged sword in many different respects. Access to good applications versus potentially reduced interest in linux development. Ability to run applications not built for linux versus inconsistant ability to run some of those same apps. And now of course, access to Windows apps versus the viruses that often go with them. The good comes along with the bad and there are plenty of unintended consequences to go around. Any engineer will tell you that there are tradeoffs for any design decision. WINE is no exception. Caveat emptor...

They Hate Us for our Freedoms!

[TrekCycling]

Does this mean these other countries are Hated even more for their freedoms?

What's the deal?

[jorlando]

Wine is supposed to run Windows apps... a virus is a Windows app as any other... If the Wine user is running Outlook what else he can wait for? The vulnerabilities still there...

Re:What's the deal?

Except our unsuspecting friend wasn't running Outlook, he was running Kmail.

Re:What's the deal?

[jorlando]

Whatever... outlook was an example... Wine isn't an emulator, but creates an intermediate layer (an emulation layer? :-) so a Win app can run under Linux... Due to the misterious ways that software use to assign itself to run applications (or extensions, if you prefer) Wine was handling attachments (maybe one with a .pif, .bat, .exe or a .scr?)... It's a merit to Wine, but IMHO not big deal, even expected...

The same will happen with other types of infected executables... in various degrees, since I think that Wine wouldn't accept a FORMAT C: like command... at least, I hope so... :-)

Now, if Wine could be polited to handle the old DOS demos (if you never heard about demos look at http://www.oldskool.org/demos/explained/ ) THAT would be a great day for mankind :-)

Re:What's the deal?

[Sabalon]

Close, but read the article. The guy was running KMail. He got a windows program sent to him which he opened. Upon opening it, KMail decided that for the MIME type, wine should handle the program, just as it may decide the acrobat should handle pdfs.

If someone sent the guy notepad and he did the same thing, notepad would have run.

The only noteworthy thing of this article is that all the API's that Klez uses is obviously supported by Wine and Klez can be added to the list of working applications under wine.

i would think

[papasui]

the obvious solution would be not to run WINE as root. The filesystem permissions should prevent excessive damage.

Re:i would think

Try telling that to the Lindows developers.

Re:i would think

[scenic]

I hear this a lot, and it's a sort of silly argument to make for a desktop machine. I mean, I don't care about what's /usr or /usr/local or whatever. I care a little bit about /etc (which is easy to back up) and a hell of a lot more about the stuff in my home directory (and other areas where I have write permissions). On a desktop, viruses/worms suck, period, even if you use a regular user account for daily access.

I use a Linux box at work and at home, and my laptop runs OS X, so I'm not saying this as a slight against the Unix variants out there.

Trust me, I would be much more upset at losing all my digital photographs or code or whatever. Losing the OS isn't really any more or less inconvenient than losing all my data. But losing all my data permanently would really be awful.

Now, I back up most everything periodically, so I figure I'm better off than, let's say, my mom, who rarely backs up anything. Or my sisters, who used to back up to floppy until I explained to them how silly that was.

Not having root just prevents certain "shady" things from happening, but in the end, you can do everything as your normal user. I can start up daemons via my normal startup scripts (some of which get called when X comes up, for example), modify binaries that are owned by my user (many applications these days under Linux and OS X), and open network connections for DDOS attacks. The only nice thing is that I think I'm unable to do things like SYN floods (I think... there are definitely limits on RAW sockets, I believe) and certain nastier attacks without root access or the proper access set up.

Sujal

Re:i would think

[IamTheRealMike]

the obvious solution would be not to run WINE as root. The filesystem permissions should prevent excessive damage.

Excessive damage to what? The application binaries and data, which can be replaced in hours? Or your home directory full of work, some of which might never be replaced?

Re:i would think

[damiangerous]

Or your home directory full of work, some of which might never be replaced?

So create a user named "wine" with no write access to anything you care about. Su to it and run Wine. Problem solved.

Re:i would think

[kasperd]

Not having root just prevents certain "shady" things from happening, but in the end, you can do everything as your normal user.

If you run everything as root, your system will probably be as vulnurable as any windows system. Not running as root does of course not prevent all attacks, but it does prevent the most nasty ones. A worm with root permissions can do nasty things to your kernel, filesystem, libraries, and standard executables. If such things happens a reinstall will be your only way back to a normal situation. If OTOH the worm only has access to a single unpreveleged user, the system integrity is unaffected. In this case root can log in and watch what is going on, and there is no way the worm could hide anything. You will be able to compare the users file against the last backup, you will be able to see exactly what files the user has created on the system, you can watch his network access. And cleaning up is easy, just kill all the users processes, delete all his files from /tmp and /var/tmp, and finally restore his home directory from the latest uninfected backup. You can use diff to look for suspicious changes. And the backups can be done regularily by a cron job run as root, and can even be stored online.

And now that you actually have a fine multiuser system, why not use this fact? If I want to run something I just downloaded from the net, I usually run it under a dummy user ID. And whenever I run Wine, it is done under a dummy user ID. And you can prevent the user from doing certain things on the network, it is just a matter of a few iptables rules. On my system even if I ran Klez under Wine, iptables would deny it access to SMTP.

Re:i would think

[Sloppy]

Amusingly, this is sort of a case where the filesystem permissions failed. It sounds like this guy had WINE set up as a "viewer" for .EXE files, so KMail "viewed" the attachment with WINE. If you think about how this was probably implemented (speculating and analoquizing is so much more fun than actually looking up the answer ;-), then KMail probably wrote the attachment as a file somewhere under /tmp and without executable permission (both because it wouldn't make sense for KMail to +x it, and also maybe because of how the admin would probably mount /tmp). And then ran WINE with the temp file as argument.

And WINE executed it anyway. Major blunder.

Which just sort of goes to show, Unix's executable permission bit, is really mostly just "advisory" and not really enforced by kernel. (How could it?) Filesystem permissions, feh.

Re:i would think

[Sloppy]

And WINE executed it anyway. Major blunder.

Actually, as I think of this more, I get less certain.

Suppose you set up KMail to use python as a "viewer" for .py files. Would I treat python running a script that isn't chmodded +x, as a python bug? I don't think so. Hmm.

The real problem is foolish decisions about setting up external viewers. I no longer blame WINE.

Re:i would think

[kingsqueak]

If WINE auto installs mime types of any sort that affect globally used *nix apps, that should be corrected. The biggest festering bleeding problem with Windows is the fact that a mail client will auto-execute anything. If a moron wants to associate an suid WINE to handle VB script attachments viewed in a mutt session let him, but WINE certainly shouldn't be setting up risky associations by default as the article implies.

If the 'victim' setup those mime associations, he should be prevented from breeding.

Either way, a correction is needed.

Re:i would think

[bockman]

The problem probably was that Konqueror and KMail shared the same MIME info. It may make sense that when you click on an icon of a .exe, konqueror starts Wine to run it. It doesn't in the case of Kmail. Kmail should at least be aware of which 'helpers' (wine or python or whatever) actually run arbitrary code and offer a warning/confirmation window.

The whole point of e-mail viruses is that Windows blurs the distintion between data and programs, in the name of usert-friendlyness (showing that too much friendship is dangerous). Linux should try instead to implant the distinction between 'passive contents' and 'active programs' in all its users. In this respect, the idea of having all 'interpreters' program, including perl, python and whatsnot, to rispect the 'executable bit' of files is not bad, although I believe it will never happen now that distros are after to desktop users.

Correction

WINE is not an emulator.

In fact, WINE stands for:

WINE
Is
Not an
Emulator

Re:Correction

[Genyin]

WINE is not an emulator.

Not an emulator my ass. It is emulating a bunch of win32 API functions; while it might be called an implementation of the win32 API or somesuch, that implementation is emulating the primary implementation. If there is a bug in Windows' version, and wine supports it the way it should be, it is a bug because programs don't run.

The goal with WINE is to run windows apps, and that requires emulation, not just an implementation.

Re:Correction

[someguy42]

God I love those recursive acronyms! WINE Is Not an Emulator

Slashdot crashed my machines

On the footer of *every single page* at linuxguru.net, we specifically request that slashdot not link our stories because we can't handle the load.

I now have two dead machines because they linked us anyways.

-James Blackwell

Re:Slashdot crashed my machines

Here ya go:

Re:Slashdot crashed my machines

[windex]

This is -1 at the moment, and everything, but the pages really do say not to link from slashdot.

Search for "articles.linuxguru.net" on google, then have it show its cached version.

Now, there may not be legal grounds, but uh, come on guys.

Re:Slashdot crashed my machines

[Old+Wolf]

Start a courtcase against slashdot then..

Re:Slashdot crashed my machines

[OnyxRaven]

...moderated funny... gah.

Aanyway, why not do what a few other sites do... in Apache just reject anything with a referer from slashdot.org domain. redirect it to something like a tripod page that says "your link has been rejected - linked from slashdot" or something.

or heck, just drop the request. Make them mirror it.

Re:Slashdot crashed my machines

Thats fuckin lame. Boo slashdot.
BOOOOOOOOOOOOOOOOOOOOOOOOOOOOO
and now cause the lameness filter says too many caps.
boooooooooooooooooooooooooooooooo

Re:Slashdot crashed my machines

Run IIS next time so we can blame Microsoft. We dont like to see Linux servers go down for the same reason.

Re:Slashdot crashed my machines

Why not enforce your request by denying all referers from slashdot? It's not a perfect block, but it makes getting to it a lot more difficult.

Re:Slashdot crashed my machines

...moderated funny... gah.

Well, of course it's moderated funny. It's funny that the /. editors don't actually read the pages they link to. It's funny that someone actually thought they did... and thought they read them carefully enough to notice the foodnote at the bottom.

Funniness all around. It's certainly not "interesting" or "insightful" for anyone whos been coming to /. for more than a month...

Re:Slashdot crashed my machines

[stubear]

Sue slashdot, well actually their parent company. You notifid slashdot to not link to your site for very specific reasons and they ignored the notice knowing full well what the consequences of their actions would likely be. I'd be interested to see what a ruling like this would do to hyperlinking and deeplinking of web sites.

Re:Slashdot crashed my machines

[DustMagnet]

Don't say "your link has been rejected - linked from slashdot", we're smart enough to figure a way past that (If you're not, go read CNN). Just say, "Bandwidth Exceeded". That way I wont know that my referrer link that was being checked.

I run Proxomitron, but normally allow referrer information out.

Re:Slashdot crashed my machines

What the hell are you running that some web traffic brings the machine down? I can understand bitching about the bandwidth costs... but web traffic crashing a web server?

Here's a nickle. Get some real software...

Re:Slashdot crashed my machines

[JJAnon]

I did take a look at your pages, after the slashdotting subsided. The Please do NOT link us slashdot plea is not really visible, unless you know where to look for it. Also, you should know by now that most people who submit links to slashdot don't bother to read articles, so expecting them to read a plea is not very realistic :).

Re:Slashdot crashed my machines

[Tet]

On the footer of *every single page* at linuxguru.net, we specifically request that slashdot not link our stories because we can't handle the load. I now have two dead machines because they linked us anyways.

I'd have thought a "Linux Guru" would know how to block traffic referred from Slashdot, preferably at the firewall (if you have content based filtering), or at the webserver if not. In addition, it's not that hard to throttle traffic back to a level your servers can handle. Again, something a guru should know. Aaah, yes... the penny drops. You're the same James Blackwell that's been flaming Larry McVoy on LKML. It all makes sense now...

Re:Slashdot crashed my machines

Yes. I'm the same James.What's more is if you check with me tomorrow, I'll probably still be James.

I still think that a polite note on the bottom of a page that's been there for two and a half years is and should be sufficient.I naively thought that this would be sufficient for slashdot to not link. Checking the referrer would mean a twelve character regex being performed every single time the page is viewed.

This is a small site we're talking about with an average of 1200 hits a day and 4,000 hits on an excellent day. Do the math: 1200 * 365 * 2.5 * 12 = 13 million character comparisons, not including php overhead, for one link once in two and a half years.

Introducing checks into mainline code is something that should not be done trivially Tet. Don't take my word for it. Search in the LKML archives about it. Linus talks about it with the Linux kernel often

Re:Slashdot crashed my machines

[Phork]

nice calculations, to bad your logic was wrong, because you would be an idiot to do that in php, you would do it with mod_rewrite.

Re:Slashdot crashed my machines

What do you mean by 2 dead machines? Did they physically die do to a hardware failure from being slashdotted? Or is it similar to a DOS attack where nothing else is able to happen? I would be interested in hearing what actually happens when a server is slashdotted.

Re:Slashdot crashed my machines

[Dog+and+Pony]

PHP? You gotta be kidding me.

Here you go: http://httpd.apache.org/docs-2.0/misc/rewriteguide .html#access

Re:Slashdot crashed my machines

[tshak]

Except that IIS supports this nice feature called a throttle which would give many /.'ers a "Server Busy" error but would also A) allow current sessions to browse the site at a reasonable speed and B) not take the server down. Of course, packet monitoring is available at the OS level, but it's nice to have it controlled and gracefully handled by the web server. AFAIK Apache does not yet support this (although I have no experience with 2.x which no one really uses anyway).

Re:Slashdot crashed my machines

[|<amikaze]

So, what you're saying, is that even the Editors don't read the articles before posting? I realize that most users don't read them before commenting, but the editors... They should be role models!

Re:Slashdot crashed my machines

['The+'.$L3mm1ng]

Search for "throttle" on http://modules.apache.org/search.

Re:Slashdot crashed my machines

['The+'.$L3mm1ng]

Search for "throttle" on http://modules.apache.org/search

HAHAHA

got me on that one.

You Rock

Looks like you nailed a lot of people with that one (not me fortunately). Looks like you managed to get some slashbots twice!

Excellent work!

Hey, who needs a story?

[Otter]

Heh, 57 comments so far, only one of which is from someone who read the article (before it was posted here).

Makes it seem kind of unnecessary to have obliterated their server -- could have posted the same "Don't click on that link!" and "The plural of 'virus' is 'viruses', buttmunch!" posts without it. ;-)

SO What?

[SniffleBear]

Amtrak is pretty good at emulating Windows too!

FUCKWITS

Stop bitching just 'cos you fell for that. It's moderated Troll for a fucking reason, you idiots!

A similar writeup about Klez and WINE

[Adam9]

Well, this article that I found here that discusses the limitations of Klez on WINE and how Sircam was able to run on WINE. All in all, it appears to be a limited threat.

GARD

Get A Real Dictionary. Real language geeks own a copy of the OED.

Ingredients...

[LegendOfLink]

Putting too much M$ in Linux makes bitter WINE.

Odds Update: #@ +1, Relevant

bin Laden alive in Afghanistan 70-1

bin Laden alive in D.C. 2-5

Dick Cheney Resigns To Play Dr. Strangelove
In The Movie 2-1

George W. Bush Re-"elected" 4-1

Jeb Bush Re-"elected" 10-1

Giants Win World Series 2002 4-1

Angels Win World Series 2002 2-1

Jon Katz Found Looking For Commodore-64 in
Afghanistan 1-2

WINE = good

[RomikQ]

Well, I haven't seen the article, cause it's been slashdotted, but to all that talk about wine virii execution - look at this (the author of the screenshot is C-Pro).

Besides, I mean, just as with any other tool, you need caution. If you run wine as root with the whole tree as e: then sooner or later you're gonna regret it. The level achieved by wine emulation is amazing, so there are going to be security flaws if you don't know what you are doing, just as with any product with functionality as extensive as wine's

just goes to show....

[yipyow]

ok, so i haven't seen the article. but this just goes to show that although running windows apps under linux using wine may be useful, what we are really wanting to do here is stop using that stuff anyway, by writing apps to replace them. isn't that why most of us run linux anyway, because we can't stand the alternative?

chris

Re:just goes to show....

According to the article, the user was using Kmail, which launched wine to run Klez when the user attempted to open an attachment.

Klez was the only thing wine was being used for in this case.
So, is anybody working on a replacement? ;)

one word:

[real_b0fh]

duh

Act of Crazy

[bigbinc]

Maybe somebody will explain emulation to me. We load/run linux/mac in order to find alternative so that we can run windows emulation on linux/mac. It is cool technology wise, but does it really make much since. It is like recursive user interfaces. Somebody should run linux on windows under wine. linux->wine/windows/->linux. It did this in bochs, it was kind of cool. Oh yea, to answer my question I guess it is cool to run windows software through emulation, thats all...

It's not a Wine problem...

[Olmy's+Jart]

Fine... Why in blue blazes did KMail run Wine in the first place. Why would KMail run any attachment? It's one thing to run a viewer on an image like a .jpg. It's a totally different sort of thing to run the attachment. What are they going to do if they get a foo.sh file. Run it under bash? That's basically what they've done here. This is exactly why Microsoft got in heat over these worms and why these things run rampant on MS systems even if the users are not admin on that system.

It's a security bug, a security hole, just like the ones in LookOut, and it ain't a Wine problem. This one belongs on bugtraq.

Re:It's not a Wine problem...

[Yosho]

It's one thing to run a viewer on an image like a .jpg. It's a totally different sort of thing to run the attachment.

No, not really. For you it's easy to tell the difference; a JPG is obviously a safe image file, while files with .exe or .sh are potentially dangerous (depending on your OS). But from a program's point of view, the only difference is that you open a .jpg with, say, the GIMP, while you open a .sh with BASH.

If somebody sends you a file with the extention .xe3 (random example), and KDE says there's a program associated with that, how is KMail supposed to know whether it's safe to open it or not?

All KMail can tell is that an attachment is an attachment; it's not safe to open anything automatically, not even something that (you think) is an image.

Re:It's not a Wine problem...

[Dr_LHA]

It worked just because of the way it would run a jpeg viewer. The MIME type instructs kmail that windows executables are supposed to be executed using the "wine" executable (e.g. wine sol.exe). So KMail isn't executing the program, it's executing a "viewer" that "views" (runs) Windows executables. The fact that this opens up a huge security hole just shows how careful you have to be.

Re:It's not a Wine problem...

[kasperd]

• How is KMail supposed to know if it is safe to "run" the attachment?
• How is KMail supposed to know how to "run" the attachment?

It is two different questions, but the answer is the same. You give KMail a list of filetypes, and tell it what to do with them. The list could contain a flag specifying dangerous filetypes. If that feature does not exist in KMail, the filetype should be ommited from the list.

To me this sounds like a bug in the configuration rather than the software. And it does sound like a configuration mistake in the default install of this distribution.

Re:It's not a Wine problem...

[JoeBuck]

You are using the identical defense that Microsoft used to circulate when people complained about Outlook opening all attachments. KMail (and other mailers) need to be able to distinguish between "safe" and "unsafe" attachment types.

Re:It's not a Wine problem...

[Phasedshift]

Why not simply have a small list of MIME types that are allowed to be 'viewed', that does not include .sh, .exe, and other potentially harmfull things? Make it easy to add/remove things to the list, and have more/less restrictive versions of said list of MIME types?

Or you could add a popup window, so when you try to execute anything potentially dangerous, the window asks you if you really want to 'view' a .sh, .exe, etc file. You would need to also have the MIME types that are considered 'dangerous' able to be easily added to/removed from. (I don't like this idea as much)

Re:It's not a Wine problem...

[gmarceau]

Why did Wine accepted to run a file which didn't have +X permissions? That would be Wine's contribution to bugtrack.

Re:It's not a Wine problem...

[lmfr]

Why does perl? Why does bash? Why does any interpreter execute any file you specify it? +x or not.

Re:It's not a Wine problem...

[iabervon]

The fundamental problem is the concept of "opening" a file. Having an operation that's easy for the user to invoke, but that could do basically anything, is a really bad idea. (Yesterday, I tried to open a door and I ended up opening a restaurant. Today, I tried to open my wallet and opened a wound on my leg. Then I tried to close my wallet, but closed my bank account instead. Anyway...) It was a bad idea on the Mac, it was a bad idea on Windows, and it's a bad idea on Linux.

What KMail wants to let you do is "view" a file. You view .sh files with a text editor. You view .jpgs with GIMP. You don't view Windows executables. Programs that view files are safe to use (unless there's a bug in the viewer).

You may, at some point, want to execute a file. You do this with exec(). You don't do this with a viewer.

If you insist on acting on files without any concern for the operation you're going to do on the file, I'd suggest using "rm", which will work on any file, regardless of type, and will cause relatively little damage in the long run.

Re:It's not a Wine problem...

[zurab]

To me this sounds like a bug in the configuration rather than the software. And it does sound like a configuration mistake in the default install of this distribution.

Just don't jump to that conclusion. KMail uses file MIME types that are registered in KDE - that is configurable for and by each user and any apps they may install that may run the appropriate script to either create a new type or get control of the existing one. MIME types then can be and are used by variety of apps such as Konqueror, KMail, KBear, etc. that launch external apps or plugins that are registered for a given type. You can register *.bat, *.exe, *.com, *.vbs files' MIME type and associate them with Wine. Now, if this was done as a default from that guy's distro you may have a point; but also that user may have compiled and installed his own Wine and associated the above file types on his own.

On a side note, KDE has a very nice configuration tool for file MIME types that can be accessed by right-clicking on any file.

Re:It's not a Wine problem...

[the_real_tigga]

yeah, like i always have to do a "chmod u+x foo.exe" to be able to "wine foo.exe".

think again, before you chmod +x all your .jpg files so nautilus can "execute" them...

Re:It's not a Wine problem...

ut from a program's point of view, the only difference is that you open a .jpg with, say, the GIMP, while you open a .sh with BASH.

Are you now or have you ever been an intern at Microsoft?

Re:It's not a Wine problem...

[IamTheRealMike]

Because you run windows apps with wine by typing "wine app.exe" - the actual exe file itself never passes through the kernel, so never has UNIX security enforced.

Re:It's not a Wine problem...

[sandman_eh]

True. Although to be fair we don't know that KMail didn't set the file +x . What we can take away from this though is that it would be a good idea to implement at least on option (if not make it mandatory) such that files without +x are not run by interpreters. If your feeling nice I suppose you might let file without +x run in a sandbox - but I think not at all is better. Then programs such as KMail can indicate the the these files are not safe for execution by not setting them +x

Re:It's not a Wine problem...

[gmarceau]

Good point. Typing "perl foo.pl" bypasses a missing execution flag just as successfully as "chmod +x foo.pl && ./foo.pl".
However, in Wine's case, there is no way not to bypass the flag. There should be a way to make the flag apply, and it should be the default.

Re:It's not a Wine problem...

[lmfr]

In linux you can achieve the same functionality of "#! /bin/sh" for windows executables, java binaries, images, etc, with "Kernel support for MISC binaries".

Mind you, it was broken last time I tried (sigh).

Re:It's not a Wine problem...

[lmfr]

That would be an idea. But it gets down to a proper configuration of mime types, which shouldn't had allowed for this to happen in the first case.

And anyway, the acls for syscalls and files, etc, would be to specific to the application...

LINUXGURU??

Ya right. Who the hell setup their crappy web system.... If it can't handle getting slashdotted then it's crap. Linuxguru should think about changing their name to wesuck.com

WINE is not an emulator

[YahoKa]

"... a little too good at emulating Windows."

Whoa there cowboy! Wine is not an emulator (hence the name.) This is from their FAQ:

Is Wine an emulator?
Unfortunately, no. Wine provides low-level binary compatibility, but currently only for OSes running on Intel-compatible chips. /I

Your 15 minutes

[FreeLinux]

Enjoy it while it lasts. Afterall, at this point, what are you gonna do?

Just hope and pray that they don't repost the same story tomorrow. It's been happening a fair bit lately.

article text

The WINE project is becoming increasingly popular and useful to those who would continue to use proprietary, free, and unported opensource software available only for Microsoft Windows. I've tested it with a few games I had purchased while I still used Windows, and it surprised me. The WINE project, and the two popular forks in the project, WineX, and Codeweavers WINE, have come along quite nicely, albeit it slowly, over the last few years. I give a lot of credit to the many developers that have poured a lot of their time into the project, but, with the good, the bad must be accepted.

Recently a friend of mine, proficient in Linux, and not what you would call a 'newbie' to computing, received an email from a customer. The email was vague and included an attachment. In KMail, he decided to view the attachment, thinking it was simply an image. He clicks it, nothing happens, no viewer, no error, nothing but a few seconds of milling around, and then more nothing. Then, the wine notification pops up. By this time he had realized the file was a Windows executable, and that he'd just executed it with wine because of the MIME typing capabilities of KDE, and WINE's integration with the desktop.

If he were running windows, I would've slapped him upside the head, everyone with any sense at all would've expected an odd email with an attachment to be a ready and willing virus or worm. Of course, this was no different, this attachment contained the worm known as WORM_KLEZ.H. However, because of the sense of security from worms of this nature bestowed to Linux users, by the same type of ignorance in assumption that spreads them amongst Windows users, he never expected the attachment to be a virus or worm that would infect and operate as it normally does. Unfortunately, this is exactly what happened... click, boom, Klez goes nuts, etc., etc., etc.

The virus itself is simply a worm, it's what you'd call a 'dumb virus', in the sense that it isn't extremely complex, doesn't change itself around much, and basically works as fast as it can before it is easily obliterated by common virus scanning software. The basic idea is that it infects you, spreads itself by emailing from your computer to as many contacts as possible, then does its damage, if you want more detailed information, Trend Micro has plentiful information about Klez and other viruses and worms available on http://www.antivirus.com/.

Now, you may be wondering how it infected and actually 'worked', I know I certainly was. In this particular case, our cool customer known from here on out as 'John' for 'John Doe', had wine installed, and you see, the default configuration for most wine installs, shares your root linux directory as a drive visible to the applications running inside of it. If you know anything about the Klez worm, you'll remember that not only does it search for address books, etc, it will search for many other common file formats on the entire system, searching for email addresses, dropping PE_ELKERN.D, and various other silly virus/worm/intrusive type things.

So far we have the first two parts of the Klez's basic operation, infection, and email address reaping. What is next? Let's say it together kids "PROP A GA TION" yay!!! Now, this is probably one of the most important parts of a worm's life cycle. If it doesn't propagate, it isn't really a worm or a virus. It's just a pointless, irritating program.

Propagation in wine, this was the part in this particular case that I found so amusing. The computer was running a secure MTA (Mail Transport Agent) and the fake Windows registry for WINE was configured to use the localhost as the SMTP server for internet applications. Otherwise, the Klez would not have known how to send itself. It is possible, that, the Klez worm defaults to 'localhost' for the SMTP server if it cannot find one in the registry, this I don't know and it doesn't seem to be covered in Trend Micro's technical description. Anyway, because of the MTA being localhost, the worm was able to queue all of its outgoing email quite quickly. I actually had the opportunity to remotely shell in as root and view `ps aux` output, showing the various smtpd instances sending this email, while I tried to help John find the spooled emails and remove them.

Now, a few things must be noted about this particular situation. KLEZ is not a high risk worm, so by no means was this a massive problem for this person. Also, the infection did not include files that were not Windows exectuables, so the native filesystem was left unharmed. The spooled emails were taken care of and the effects overall were minimal, if not simply classified as an 'annoyance.'

The reason this is such an important subject to cover, isn't this instance of infection, but, the possible vulnerability that using WINE in such an insecure (and default) way can provide. For example, a knowledgeable virus programmer could use this situation to make multi-platform viruses, that could detect files by their 'magic file type' similar to the way the tool 'file' does, and infect them through wine. I understand, that this is highly unlikely to occur any time soon, but, I think you can probably imagine many other ways that this opens doors for virus problems to the relatively virus-clean environment of Linux.

The main points I'd like to make are: WINE is obviously mature enough to handle the more advanced code that a virus usually contains. Even if only KLEZ for now, others will in the future, be compatible. The other is: I am willing to bet that 90% of you WINE users out there, can view drive Z, or something similar and get your root file system tree, and something like drive Y provides your home directory READ-WRITE. Please, don't do this, unless it is absolutely necessary, minimize the interaction between your WINE environment, and the real linux environment, specify a directory for wine shared files and keep them separate from your linux home files, etc. This will help to minimize the post-infection damage a virus can accomplish.

Finally, the most important 'bug' most distributions have, is allowing a Windows executable to be run with wine without an obvious chance for interception, by default. Sure, it comes up with a window, telling you that wine is running, and allowing you to disable the notice, however, it does NOT warn you about the application being executed in such a way that you could stop it before it was started. Even Java does this with code that is signed for permissions; it still asks you if you are sure you want to give it permissions.

As it goes, I was unable to easily obtain any previously written information on securing WINE properly, and I am no security expert. Some basic tips would include, configuring the program, read all of the options, don't let it set itself up completely for you.If anyone has any tips they would like to share, please do.

Sour grapes

[Subcarrier]

Is it really such a big surprise that something based on Bill's produce quickly turns into vinegar? Storing it somewhere cool (Linux) isn't sufficient to make a good wine, you know.

If Klez won't run...

..then Wine ain't done.

THIS IS A TROLL, MOD DOWN.

[jeeryg_flashaccess]

http://uptime.netcraft.com/up/graph/?mode_u=off&mo de_w=on&site=www.linuxguru.net&submit=Exam ine

Yes, but ....

[xabi]

Yes, but does it run in a new Sharp's Glass Computer?

Boooooooo!

still somewhat secure though..

[vinn]

Wine can't do anything the normal user couldn't
do. Now, a user might not want to mailbomb all of his friends,etc, but the virus still runs with the user's rights. It's not going to delete his whole hard drive (unless he has the rights to) and it's not going to infect system binaries. So At least there's a little bit of protection compared to normal Windows.

Re:still somewhat secure though..

protection compared to normal windows?

Hum. Nobody on this computer (except me) can delete or edit files anywhere except in their approved program's folder and their own desktop/folder.

Oh wait. Linux zealot. You wouldnt understand the fact that Windows has had separate user environments since NT. right.

Re:still somewhat secure though..

and we all know that EVERYONE runs NT right? There's no single user environment for Windows anymore.

No more windows 98, ME or setting someone as administrator in any version of NT, 2000, XP.

I'm glad we cleared that up.

If you're running linux, you have multiple users. Those users by default can only delete their own files.

Speaking of Wine...

[dcuny]

I was just looking at the latest WINE news and saw an interesting comment regarding Xandros and CodeWeavers that didn't seem to appear in yesterday's discussion of Xandros:

• There's a little more behind this than meets the eye. Both Xandros and CodeWeavers have a significant share owned by a holding company, Linux Global Partners . Other companies in their portfolio include Ximian, Gobe, Metro Link, and GNU Cash. All of the companies are fully independent, but as Linux Global Partner's web site states,

• Our operating strategy is to integrate our partner companies into a collaborative network that leverages our collective knowledge and resources. With the goal of holding our partner company interests for the long-term, we use our collective resources to actively develop the business strategies, operations and management teams of our partner companies.

Maybe I'm being paraniod here, but it looks like Linux Global Partners is buying up lots of Linux technology. And given that Xandros doesn't follow the "free as in beer" model, I've got to wonder how this bodes for the future of Linux. I mean, the projects are still under GPL, but that doesn't mean it will be released for free. Clearly they are in this to turn a profit.

I guess the free ride has to end at some point.

Re:Speaking of Wine...

[JDBrechtel]

"Clearly they are in this to turn a profit."

My god no! The bastards!! A profit???

Re:Speaking of Wine...

Yeah, it's horrible isn't it? That someone out there might have actually chosen to start a -BUSINESS- in order to maintain their livelihood, live the life most of us want? God, I hate it when people plan their lives out well and have good business sense.

Re:Speaking of Wine...

But it's a profit on the backs of those brave souls who contribute *for free*. Many of whom don't realise they're bending over for Linux Global.

Aaargh!

[LPetrazickis]

Ten posts into the thread and "all right" has already been misspelled as "alright", "viruses/viri" has already been misspelled as "virii", and "already" has already been misspelled as "all ready".

Must not learn how to use guns, obtain a license for one, buy one, find a clocktower on a map, ascend it, wait twenty minutes until my breathing returns to normal, and start shooting people.:)

Re:Aaargh!

i do not under stand wy yuo komplane abote teh spalling on salshdto i am abel 2 under stand evrything taht si riten!

Re:Aaargh!

CmdrTaco obviously was in charge of spell-checking the posts today...

Re:Aaargh!

You complain about spelling, but what about grammar? Does grammar take a back seat to spelling? Geeks like to put punctuation outside the quotation marks, but the proper form is inside the quotation marks. Also, your second sentence lacks a subject. Though it is understood to be "I," it really is a fragment as-is.

I think you should just let it go. If we all complained about the poor spelling on Slashdot, there would be no other posts. This is an open forum, not an English class and I think it should be treated as such.

Oh, and one other thing: already can be spelled all ready. All ready means, everyone is ready. If used improperly, such as "we are already," then you can complain.

Please take this gently. I want to educate, not infuriate. Now class, time for recess!

Blocking based on referer

Apparently I'm going to have to. I thought
having a polite request in the footer was
enough for slashdot not to link.

But yes. You can bet that when everything
settles down, I'm going to put in a check for
referrers for slashdot.org. :)

SAMBA is also vunerable

I've said it before, and I'll say it again:

Klez crawls network shares. So if you saved a few bucks by setting up samba servers, you'd better be running antivirus on them.

If you've got an ftp site that Windows users are uploading files to, you'd better be running antivirus on them.

Sure, the virus won't run on Linux, but it'll still spread as soon as someone on a Windows box uses one of these files.

That is all.

Boon for antivirus industry?

[FreeLinux]

The antivirus industry will love this. Who knows, they may even contribute to WINE. You see, so many Linux users have this false sense of security, assuming that since Linux hasn't been significantly targeted by virus writers that, Linux is virus proof. Big mistake, as demonstrated by this story.

Now, Linux users will catch and spread a long list of old Windows favorites making the demand for commercial antivirus software go up again. This John Doe caught Klez a rather non descript worm. Imaging Anna Korunikova in the inboxes of most Linux geeks. ;)

Better see about Norton Command Line Scanner or perhaps...

rpm -e wine-*

misc

this reminds me of the time i crapped in my pants and then fell in it.

get used to it....

[morgajel]

This is relatively tame.

As much as I hate saying this, I fear it's going to get a lot worse. As/If Linux gains popularity on all systems, including desktops, you can expect there are going to be a lot of disgruntled windows people out there who will become unemployed because they can't grow with technology. I'm expecting to see a lot of linux software start getting messed with and drastic increase of linux trojans and viruses.

don't believe me?
Look at how much software has been backdoored lately- bitchx, ssh, and sendmail. That's a BIG FUCKING DEAL. As we continue, expect the crosshairs to be levelled towards us. There's gonna be a conspiracy. I'm not making any accusations, but keep in mind that the opensource movement is putting pressure on a group of companies that aren't exactly known for their ethical behavior.

of course I know I'm probably just a paranoid nut, but hey, that's a good thing to be in our field.. ...and this is one of the few times where my sig doesn't apply.

Re:get used to it....

[ngoy]

Oh please, blaming an increase on viruses and trojans on "Windows people" (what, are we like pod people?) is pathetic. The increase is directly releated to the growth of Linux as a viable alternative to Windows. The reason it is targeted more is mainlydue to things like the Russian mod and related hackers, because where the servers are is where the money is. If the bulk of web servers were *nix, then there would be tons of exploits, hacks, etc...by those who have a financial interest. The rest of virus writing crowd just have a joy for creating MASS havoc, so when a majority of desktops are Linux, guess where the majority of viruses are going to be?

NIANALU (No, I am not a Linux user), and don't plan to be one for the foreseable future. Windows works fine for me, and no, I am not unable to grow with technology, and have no fear of becoming "unemployed" by Linux. If my company decides to implement it, then by all means I will go with the flow. Until then, I don't have the urge.

ngoy

Re:get used to it....

Oh please, blaming an increase on viruses and trojans on "Windows people"

Well, now that you mention it...

Re:get used to it....

NIANALU said:

Oh please, blaming an increase on viruses and trojans on "Windows people" (what, are we like pod people?)

Well, now that you mention it...

Re:get used to it....

[morgajel]

is that so?
"Apache 22859123 63.51%"
"Microsoft 9139785 25.39%"

according to your logic, apache should have... 3x the number of worms and viruses.... oh that's right, apache also runs on microsoft operating systems, unlike IIS, so that should increase it's vunerability even more.

I'm not here to start a war, and I could have easily ignored you until you were "-1 flamebait"'ed into nonexistince.

my point was a companion to the one you slopped out- obviously there's gonna be your general nutjobs and script kiddies making viruses, but they're not the ones I'm worried about. I'm worried about the industrial espionage level stuff.

Don't think it'll happen? don't think the companies will stoop that low? Ask all those dead voters that sent letters of support to the justice department in the "right to innovate" campaign... ...come to the dark side... you know you want to:)

Re:get used to it....

[dzym]

As we continue, expect the crosshairs to be levelled towards us. There's gonna be a conspiracy.

Why the hell not? The reverse has been true for a long long time. Now them evil Micro$haft Windo$e luser$ get a chance to strike back at a bunch of elitist whining pricks.

Almost time to get a taste of our own medicine.

Re:get used to it....

[aaarrrgggh]

If you really want to go for the conspiracy theories, wouldn't finding holes be a great way for MSFT to shake up some fear in the CIO's office? Especially if you let go of a bunch of vunerabilities at once...

Re:get used to it....

[Sunnan]

I can see why people would target specific OS:es because of various grudges.

GNU/Linux (and the BSDs) however, has a great advantage as in it's free software.

Whenever a new trojan, worm or virus comes out for Win, the security companies can't do anything except "scan for them and remove them", while free software folks can actually fix the security issues in the OS or program itself, often in a manner of days.

Yes, it'll be subject to more and nastier attacks the more popular it gets (because of, among other causes, the issues you list), but we've got a full disclosure policy, remember?

Unlike proprietary software, our stuff gets tighter and tighter for every hole reported. (Hmm, I just thought of a number of tawdry puns to go with that sentence. Don't go there.)

Sure, Microsoft and the others release bugfixes ("security updates") at their whims, when they figure that there's enough of a financial loss in not doing so.

Re:get used to it....

[ngoy]

OIC. In context of the latter part of your message I understand what you are referring to, but the disgruntled masses of MSCE's still made no sense. Most of them are paper MCSE's and couldn't use a command line since the mouse doesn't work well in it.

To reply to the point of the webserver statistics though, do you really think the good hackers get caught? Microsoft gets the publicity because:
1)It is a monopoly, and pretty much everyone hates those
2) Their products are easier for the less technically inclined to hack
3)Everyone wants to bash Microsoft

I wasn't aware of the webserver penetration, that is enlightening information, but that just means that there are more insidious ways that people have found to hack in that we will never know about.

ngoy

Re:get used to it....

There's gonna be a conspiracy.

There's already a conspiracy - a conspiracy to put us programmers out of a job by coding for free. Name another industry that has professionals that give up their money (time==money) for corporations? None!

Re:get used to it....

[morgajel]

I group "paper mcse"'s with/as script kiddies. They're an annoyance, but not so much a threat as the one's who've devoted their lives to it.
I'm worried about the one's who've spent their lives doing one thing, and now that it's going away have little left to do.
*shrug*

You could try Lindows

hey, it even comes bundled with "Connect to the Internet" software from Earthlink!

but

wine doesnt start the routine windows boot files, win.ini etc... so once offed the virus wont return unless the user starts it again.

Hey, watch that language!

Or i'll wash your hands off with soap.

another way

[h4x0r-3l337]

A more effective way of infection would be for dual-boot systems (don't most linux users have a windows partition for playing games?). A linux-aware worm/virus that is run on Windows could access the linux partition (it would have to include filesystem code, but that shouldn't add too much code) and infect any executable there without being bothered by linux security at all. Next time you boot linux, your infected bash runs with full root priviliges. Similarly (but less likely), a windows-aware virus/worm running on linux could try to infect windows-partitions, thereby bypassing any windows-based virusscanner.

Re:another way

[squidinkcalligraphy]

Indeed, filesystem code would barely be necessary; just look into the boot partition, find out where the kernel is kept (using lilo-like code), and infect the kernel. Proceed to laugh in an evil fashion and take over the world.

Gee I'm glad I don't dual boot.

Re:another way

[spitzak]

Actually raw disk access requires privledges in Linux, and I suspect it is true in the newer versions of Windows. So although this was a threat at one time it seems to be less now.

Hah

They'll fall for "I love you...", big time as well.
Prolly Melissa too.

More

[sacrilicious]

Oh what the heck, all of Windows software.

.

This is Interesting

[Anonym1ty]

..."Propagation in wine, this was the part in this particular case that I found so amusing. The computer was running a secure MTA (Mail Transport Agent) and the fake Windows registry for WINE was configured to use the localhost as the SMTP server for internet applications. Otherwise, the Klez would not have known how to send itself. It is possible, that, the Klez worm defaults to 'localhost' for the SMTP server if it cannot find one in the registry, this I don't know and it doesn't seem to be covered in Trend Micro's technical description. Anyway, because of the MTA being localhost, the worm was able to queue all of its outgoing email quite quickly. I actually had the opportunity to remotely shell in as root and view `ps aux` output, showing the various smtpd instances sending this email, while I tried to help John find the spooled emails and remove them"...

This is really interesting. It does show how with minor effort you could prevent this.

Repeat?

Has anyone tried to repeat this stupidity? The article sounds sketchy to me.

KLEZ in my Wine?!

[Maradine]

I've got a 5-gallon carboy in the closet with 12-day old merlot in secondary fermenation. It took me two bloody hours to santize all of my siphoning gear just to make sure i wouldn't skunk on me . . . and now you're saying I have to worry about KLEZ in my wine??

Christ, this homebrew thing just isn't worth it.

Re:KLEZ in my Wine?!

[standsolid]

You don't have to worry about it if you put norton antivirus discs on the rim of your wine glass as you pour some in. Ahhhh... No more viri in your beverages!

Re:KLEZ in my Wine?!

[TechnoVooDooDaddy]

wine doesn't skunk... beer skunks when it's left in sunlight due to the hop oils reacting with the ultraviolet radiation.

wine can get bacteria that will turn it into tart vinegar (lacto or acetic), or slimy or whatever, but i've not yet seen a "skunky" wine

---side topic

[zogger]

--please excuse this side topic, but it is tangential to running windows on under next to whatever linux. Anyone here ever use this voodoo linux? I was looking at their site the other night, thought "hmm,medium cool sounding" just wondered if there were any hand's on comments about it.

Not a WINE-specific problem

[Todd+Knarr]

This isn't just limited to WINE, it can hit real Linux mail programs too if anyone ever writes a Linux/ELF virus attachment. Repeat after me, kids:

Executable MIME types have no place in a mail program!

None, never, no way. Mail program doesn't matter. OS doesn't matter. No mail program should ever, under any circumstances, execute anything attached to an e-mail message, period full stop. You should only execute things from people you trust, and one attribute of e-mail is that you don't even know if the From address is the real sender so how can you trust the message?

Re:Not a WINE-specific problem

[damiam]

Remember that Linux doesn't see .exe as an executable, it sees it as just another data type. How can KMail tell the difference between opening a JPEG with GIMP and opening an EXE with WINE?

Re:Not a WINE-specific problem

[beaubell]

How can KMail tell the difference between opening a JPEG with GIMP and opening an EXE with WINE?

You tell it...

Re:Not a WINE-specific problem

[Todd+Knarr]

Because opening a .exe with WINE means running it, which means there shouldn't be an entry in KMail's MIME-handler list telling it to open .exe files with WINE.

Re:Not a WINE-specific problem

True, but the effects are different. In Linux you potentially use your home directory (unless you're on-line as root and deserve what you get), in Windows you lose the system.

Re:Not a WINE-specific problem

[Todd+Knarr]

You limit the potential infection zone to your directories, yes. As KLEZ proved, though, even a Unix user can do a lot of damage. File ownerships don't prevent a worm from sending out infected mail, or stealing your personal documents (the most incriminating/sensitive documents on a Unix system aren't likely to be owned by root), or even acting as a zombie for a remote-control DDoS (it can't forge IP header fields or use privileged ports, but it can still generate lots of traffic). We're not as wide-open as Windows, but many of the same dangers are there if we leave the door open.

looks like...

[standsolid]

looks like John was running linux for everyday tasks as his root account.... should we feel sorry? Hey, just as an example, i'll give you all my root account password so you can rape my computer all you want. sound good?

Re:looks like...

But it seems that some disto's mount the fat32 driver with write access.
so root is not really needed for the virus to infect your win partition (not that it matters much if you do not use windows)

Klez

[mikerackhabit]

Man, Klex takes on a whole new meaning when it's a kde program.

I choose to miss the point.

[Sloppy]

If you turn the power off on a Windows machine (or a Linux box for that matter), you have a paper weight until you turn it back on.

Don't forget that it works just fine as a paperweight while it's turned on, too, and that's when you need it most of all, because of the fans.

Sheese

[blackpaw]

The main points I'd like to make are: WINE is obviously mature enough to handle the more advanced code that a virus usually contains

Klez does not contain "advanced" code, it contains code that Wine is emulating/loading, the complexity (or not) of its algorthims is irrelevant. Does this guy think binaries come with sections labelled CODE_ADV or something ?

WINE FAQ argument backfires

[jdkane]

This is an interesting find ... In the following excerpt taken from the WINE FAQs, the author tries to make an argument that diversification is needed in the Windows world (thus WINE) so that Windows viruses can't take out as much of the computer population. Well, looks like that argument for WINE just backfired.

Excerpt:
[snip]Code Red did what any "virus" presented with a large homogeneous population would do: it infected more than 359.000 computers in just the first day.[snip]

It is only a matter of time before a more virulent worm appears. The only way to decrease its impact is to diversify the OS population. Because it is an alternate implementation of the Win32 API and runs on top of a completely different OS, Wine does not have the same flaws and thus can provide this needed diversity.

Sorry if I'm wrong...

[norweigiantroll]

But I believe it should be possible just to allow Wine to access only some files, so if a worm like KLEZ is run, it can only access your files under $HOME/somedir, like changing

[Drive F]
"Path" = "${HOME}"
"Type" = "network"
"Label" = "Home"
"Filesystem" = "win95"

to

[Drive F]
"Path" = "${HOME}/wine"

...

Of course it could still mess up some of your Windows-/Wine-related stuff. But I don't see how it could obtain addresses to spread itself to, unless of course you have Windows Address Book, Outlook, or something installed with Wine.

chrooted wine

chroot /home/junk wine

Huh?

Wine being maybe a little too good at emulating Windows.

You're kidding, right??

mod parent down

[braindead]

mod the parent down... the article is NOT about running outlook under Wine. It's about running the work from KMail.

Uhhhh.... indeed

[the_real_tigga]

there is no environment to flourish in. ("/usr/local? Hell, I'm trying to find C:\windows\system")

Except for the worm, or any other program, there is a C:\Windows\System, no matter if c:\ is actually /mnt/win, or /usr/local/winefs or /opt/fake-windows.

It a joke

[fred0110]

Guys, its a joke. Someone emulated it just as an excerise.. Its not really a danger to Linux. :)

How to make WINE into an emulator?

Has anyone tried using bochs?

I dunno what version of KMail that guy was running

[nathanielt]

...but when I get a windows executable as an attachment in KMail and I click on it, it pops up a warning dialog with the following:

"Open attachment 'notepad.exe' with 'WINE'?

Note that opening an attachment may compromise your system's security!"

Now if this guy clicked on the Open button after all that, he's a bit of a fool, eh?

(Open is not even the default button, so he couldn't even have just hit enter.)

more linux than linux

This is a case of "transgenics" the host organism, Linux was made open to infection by the integration of windows capability into its system.

Detailed Klez Analysis

[sheriff_p]

If you want to know how exactly klez works, there's a very detailed analysis here:

http://www.virusbtn.com/resources/viruses/indepth/ klez.xml

The only way to be safe.

[msh104]

Limiting wine risks is a hard thing. this is the best solution i have found until now. install wine like winex does. ( that is, in its own directory structure ) but instead of having /usr/bin/wine{x} to run wine{x} you will run ~/bin/wine{x} ( add PATH=$PATH:~/bin to .bash_profile in your home directory ) if your name is Mark ( like me ) create a new user and a new group with the name Mark_wine. then change the owner and owner group of ~/bin/wine{x} to Mark_wine after that sed userID ~/bin/wine{x} you might want to make sure ~/bin/wine{x} does not have too many permisions. chmod u-a g-w o-a ~/bin/wine{x} will take care of this. then change the owner and owner group of all your wine stuff. if wine chown Mark_wine:Mark_wine -Rf ~/.wine if winex chown Mark_wine:Mark_wine -Rf ~/.transgaming chown Mark_wine:Mark_wine -Rf the user Mark will now be able to run windows apps but the windows apps can NOT harm the user Mark. ( windows programms can still fight with each other though. ) If anyone has better.. tell me.

Poor LinuxGuru

[shahzbot]

You guys have no mercy, do you? Didn't you see LinuxGuru's pitiful, plaintive footer on their web site:

"Please do NOT link us slashdot. We do not have the bandwidth."

Have a heart!

jpt

mod trolling parent down

It is a stupid troll.. same nr of virusses? It is more like 10000:1.

What to learn from this article:

[khz]

Hi all,
this article proofs the validity of an old saying:

You just shouldn't believe everything that is published on the web!

You may believe me, this 'article' on linuxguru.net _is_ a Hoax! :-D

Please see yourself - I am sure after reading it all you will agree to me:

They wrote: (...)
Finally, the most important 'bug' most distributions have,
is allowing a Windows executable to be run with wine without
an obvious chance for interception, by default. Sure, it
comes up with a window, telling you that wine is running,
and allowing you to disable the notice, however, it does
NOT warn you about the application being executed in such
a way that you could stop it before it was started.
(...)

This has always been, is and will ever be *wrong*!

The contrary is true: An explicit warning dialog is shown and the user must click on [Open] there - which is *not* the default button.

e.g. If the user clicks on an attachment called ek_1.exe the dialog will look like this:
"Open attachment 'ek_1.exe' with 'WINE'?
Note that opening an attachment may compromise your system's security!"

Please have a look: screenshot_1

So there is *no* automatic execution of the windows binary, and the user is told exactly what would happen if she clicks the [Open] button, the warning dialog (showing a yellow exclamation sign) is eays to understand:

• It explains _what_ will be loaded/executed and
• it explains _how_ this would be done: by running WINE.

So it is clear that the statements made in this linuxguru.net article are absolutely wrong.

IMHO this is a Hoax published shortly before the release of KDE 3.1
- perhaps in order to apply some FUD technics to potential KDE users.

Karl-Heinz Zimmer
--

Last Post!

[alpg]

At any given moment, an arrow must be either where it is or where it is
not. But obviously it cannot be where it is not. And if it is where
it is, that is equivalent to saying that it is at rest.
-- Zeno's paradox of the moving (still?) arrow

- this post brought to you by the Automated Last Post Generator...