New Botnet Dwarfs Storm
ancientribe writes "Storm is no longer the world's largest botnet: Researchers at Damballa have discovered Kraken, a botnet of 400,000 zombies — twice the size of Storm. But even more disturbing is that it has infected machines at 50 of the Fortune 500, and is undetectable in over 80 percent of machines running antivirus software. Kraken appears to be evading detection by a combination of clever obfuscation techniques that hinder its detection and analysis by researchers."
Forbid Windows OSs from running in the USA because it's a defacto tool for terrorism.
How many of those zombies are Linux platforms?
A few years ago, you saw you were infected by all the popups that appeared out of nowhere. But now, there is no way to tell for sure, is there? Every time my computer does something strange, I'm worried that I might be infected.
"It's too bad that stupidity isn't painful." - Anton LaVey
With an "80%" miss rate by AV tools, it would be very helpful to know which anti-virus programs do detect Storm and Kraken, so that responsible users can check their PCs.
Just how Kraken is infecting machines is still unclear, but Royal says the malware seems to appear as an image file to the victim. When the victim tries to view the image, the malware is loaded onto his or her machine. "We know the picture... ends in an .exe, which is not shown" to the user, Royal says.
There are still Fortune 500 companies that allow unimpeded outbound SMTP traffic from their general userbase?
"Tell me doctor, with all of your defenses, are there any provisions for an attack by killer bees?"
Maybe if people stopped relying on antivirus and malware detectors alone, and started educating their users and locking down their systems (instead of giving everyone root / local admin rights), we wouldn't have this problem...
Security isn't a technology problem, it's a people problem.
"The firm has seen single Kraken bots sending out up to 500,000 pieces of spam in a day."
So that's why I have been getting so much spam lately.
The biggest one is the one that hasn't been found yet.
All the emails it's sending are to names like sarah_conner@, sconner@, sarahc@, etc.
Does anyone else find it absolutely aggravating that these stories
1. Never tell you how you know if you're infected, and
2. Never tell you how to clean up your shit if you are.
However, they always give massively generalized statistics on how vulnerable you are!
Thanks, asshats.
Slashdot still doesn't support Unicode after it was added to the HTML standard in 1997.
And right after Kraken, will come Leviathan!
There just aren't enough words.
I assume a lot of those are Macs? Because I read on /. that Macs are as insecure as Windows machines and that Apple even takes longer to fix bugs ...
Yeah, go and mod me flamebait or troll ... but I really would like an answer from all those MS apologists.
When your "security" is based entirely on reactive methods and file signatures (like standard AV products), obscurity is extremely effective.
When your security is based on not giving every user local admin rights, and educating them not to run random .exe files (oh, and changing the settings to actually show the extension is helpful too), obscurity doesn't work so well.
I mean really, this thing would never have started if people could learn to not run Image.exe.
-- "So they told me that using the download page to download something was not something they anticipated." - Bill Gates
This is old news. We knew about this back in 1830:
Below the thunders of the upper deep;
Far far beneath in the abysmal sea,
His ancient, dreamless, uninvaded sleep
The Kraken sleepeth: faintest sunlights flee
About his shadowy sides; above him swell
Huge sponges of millennial growth and height;
And far away into the sickly light,
From many a wondrous grot and secret cell
Unnumber'd and enormous polypi
Winnow with giant arms the slumbering green.
There hath he lain for ages, and will lie
Battening upon huge seaworms in his sleep,
Until the latter fire shall heat the deep;
Then once by man and angels to be seen,
In roaring he shall rise and on the surface die.
This is not security through obscurity.
This is hiding in obscurity.
The program is not secure, it is simply good at hiding itself.
Someone who doesn't notice a 10x or more increase in outbound traffic?
Or, more likely, someone who just does not check the logs.
""We know the picture... ends in an .exe, which is not shown" to the user, Royal says."
If it ends in .exe it isn't a picture, you shouldn't keep calling it one.
I should apologize, I read a scroll of genocide but had no idea it was cursed - now the moat is full of krakens and evidently they seem to be spreading...
Also, have you seen how much spam they are sending out? "Its bots are prolific, too: The firm has seen single Kraken bots sending out up to 500,000 pieces of spam in a day." - if all 400000 bots did that that'd be 200 billion a day. That has to represent a pretty large (albeit distributed) cost to ISPs
*''I can't believe it's not a hyperlink.''
You are a bit late.
Linux skipped the desktop and went directly to the laptop and smaller.
liqbase
They can have firewalls, but if they don't monitor them they're not very effective.
The same with intrusion detection systems.
Being a network administrator requires some effort, every day. Not much effort. Particularly if you have some scripting skill. But it still requires some effort.
They shriek of a problem, they offer no solution.
What the hell good is that?
Chicken Little did better.
Toad-san
Last I heard, they were arguing the exact opposite - non-Windows systems are too hard for the government to break into.
And who knows, perhaps Kraken is sending your data to HLS on the side? If I made a government spy virus, I'd disguise it as a spambot too... the signal is lost in the noise.
This, needless to say, could also explain the surprisingly low discovery rate on standard AV tools.
[/tinfoil hat]
Honestly, I blame Microsoft. It was they who decided that a file having a name AND a type was too complicated for users. Yes even I find the extension vs mime type confusing at times, but at least I've never run an executable that I thought to be an image.
Live today, because you never know what tomorrow brings
I've kept count, and it takes exactly seven clicks to get Windows to show file extensions, not counting the button that closes the settings window.
AntiVirus software has been relatively useless for the past few years. They charge extra just to detect basic "non virus malware" and they still don't detect the REAL threats!
AV vendors ought to be ashamed of themselves. Even more so, the customers should be ashamed of themselves for continuing to pay for a program that doesn't REALLY protect them.
We MUST move away from definition-based "protection" and move to behavioral-based protection. Unfortunately there's only one major player who's trying to do that. That is Microsoft, with Vista's User Account Control. Unfortunately, that is also the feature that people dislike about Vista, and way too many people turn it off.
It's funny how badly people hate the tools need to protect a PC.
I agree with you there. If the extensions were on by default still, it's something we can educate against. "Don't run anything that ends in .exe and comes by email" is fairly easy to understand.
Without them, it's a lot harder to tell just what you're clicking on. Turning it back on is the first thing I do whenever I install Windows.
-- "So they told me that using the download page to download something was not something they anticipated." - Bill Gates
Sure, give everyone Vista.
You're not right. There's nothing preventing any user from setting up executables directly in his home directory; hell, back in my shell account days, I must have had the equivalent of a pretty good-sized unix system in ~/bin, ~/usr and ~/var.
Your solution simply does not address the dancing bunnies problem.
I have not been infected while running XP now in some time. It all amounts to a bit of healthy paranoia.
As bad as this sounds, my policy on the net is 'trust no one'. If I get an email with an attachment from a friend or family member and I wasn't expecting it, I write back and ask them what it is. If I was expecting it, I give it a scan before I open it. If I'm talking with someone and they send me a link (doesn't matter the chat program and NONE of mine will auto open a link) I ask where it goes and what it is. If I don't get an answer or a straight answer, I just ignore it. Once a week I give my desktop and laptop machine a good once over with the virus scanner (I use Kaspersky), two spybot scanners (Spybot S&D and Ad-Aware by Lavasoft), then do a general PC health routine of defrag and scandisking. This usually takes place on Saturday morning when I'm too busy watching cartoo..errr..cleaning the house.
It's not that I think my friends and family are out to infect me, they have good intentions. However, their machines' intentions are only dictated by the person in control. People don't want to know about security on their machine. For most people it just gives them email and porn and as long as either keeps popping out when they push the button, they really don't care. My mom got infected once when out browsing the net (she likes looking for odd stuff, like blown glass bird feeders and stuff) and got hit when looking over one site. I cleaned off her PC and she asked me what she could do to stop it from happening again. I hated giving my mom the 'common sense speech' but I did, and then showed her what I do to keep myself clean. Her schedule isn't as anal as mine, but once a month she goes through, full scans and now she is more careful about where she goes. Yet to be reinfected, but we shall see.
"Quote me as saying I was mis-quoted." -Groucho Marx
I've always said, "Kray-Ken". I think that's because that's how my mother used to say it. She knew cool things, but I suspect the word is old enough and spread widely enough that there's probably not an actual 'right way'. I haven't honestly wondered since seventh grade when I was reading John Wyndham. "Wake the Kraken".
I was thinking about how words evolve just yesterday when I was unable to look up the pronunciation of something online or anywhere. Can't recall the word or name or whatever, but while thinking about it, I thought about Newfoundland in Canada's Atlantic provinces. Pronounced variously as "New-Found-Land", "Nooh-Fund-Land" and my personal preference because it seems the most honest and salt-of-the-earthy, "Noohfun-Lan", home of the affable "Noofie". Dear me, and all silly national pride nonsense aside, but I do love this country to bits! The whole place is teeming with hobbits and wizards.
Anyway, I think what I'm saying is that words move and we shouldn't try to stop them.
-FL
Beware the Botnet Dwarfs!
Users need no special permissions to run executables, and for most people, rm -rf $HOME would be as disastrous as rm -rf /. If we're talking about malware, it's trivial to get a user program to run on login without administrative privileges.
The only viable long-term solution is to put email clients, web browsers, and other sensitive programs each in their own separated, limited environments to contain any damage. The approach works for network servers; why not for clients?
They also offer services to help companies deal with exactly this sort of problem. Convenient, no?
This guy's the limit!
Ok so obviously the only way to tell if you or someone you know is a part of a botnet these days is to monitor the traffic at the firewall / router. For business this is easy, but does someone have a recommendation for home use? Something I could install at my parents' place and view the logs of all network connections going to and from the router. I know I could set up a BSD box, but I would rather have something that uses as little power as possible... could a hacked Linksys router running something like Sveasoft firmware work?
The only alternative I can see is to plug in a box running Snort or Wireshark between the Router and the Cable Modem / DSL Box from time to time. Which leads to my next question, what's a good place to go to get the signatures for this sort of traffic? Been ages since I've looked into anything like this.
FTA: "The primary C&C servers are hosted in France, Russia, and the U.S., according to Damballa."
The new Axis of Evil?
It was the first one to go down and it only took 2 minutes.
http://www.news.com/8301-13579_3-9905095-37.html
Amazing. I never thought of how intelligent it would be to only report on problems that have solutions. Why bother with things that we haven't solved yet?
Was I the only one that read that topic and thought that the news was that they replaced the zombies in the botnets by dwarves?
It would make sense too since Dwarves are smaller and stronger and also don't hunger for brains...
alias possession='chmod 666 satan && ls
Seems like a mandatory forty-minute "How to not screw up" tour could fix a lot of these bot problems.
-FL
serious question:
Most folks don't send more than 50 mails a day (number pulled out of a** and is for illustration only).
So how about this ISP anti-spam approach:
1) If a user sends more than 350 emails in a week, or more than 100 emails in a day, the ISP emails the user with a 'do you have a zombie' email.
This would list the subjects & initial contents of emails sent.
The user could either reply 'yup, I send a lot of email, please bump me up to a higher trigger level' or 'please help me fix this - I'm not really a viagra salesman'.
X days/emails after the warning, the ISP could start blocking stuff if there was no response to their warning mail.
This would give people a chance to know if their machine was infected (I think mine is clean - but I certainly don't monitor outgoing SMTP traffic) and generally provide a service to all at little inconvenience.
Would this be bad ??? Is it really hard to spot a zombie PC that is sending spam out through your network?
Or, maybe, countries trying to move forward too fast and without watching their step. How many people here know/work in a company where IT doesn't get the budget it needs for proper network defense?
You are in a maze of little twisting passages, all different.
Once upon a time, there was a city where most people lived in tents. Most were made of ripstop nylon, but there were some made of canvas, blue tarps, and some were basically old garbage bags.
Obviously, tents aren't that secure. Most people didn't bother to even try to secure the flaps on their tents, some bought and installed luggage padlocks to secure the zippers, but even those were only a slight hindrance in this city that relied mostly upon trust and goodwill. All an intruder needed was a knife to slash a hole in the fabric or a stitch-puller to intrude on others' tents, for the purpose of mischief, hiding radios that only broadcast advertisements, stealing information, and the like. Some even set up shop in other folks' tents, posting advertising and selling goods and services, simply not caring about the actual owners' wishes.
There weren't only tents in the city. Some people did live in wooden or stone shacks, and a few of the tent-dwellers even modified their tents into reinforced shanties with sheets of metal and plywood. They were largely ignored by the criminal element, simply because in the time and effort it took to break into one reinforced tent or shack, they could break into several tents and accomplish the same ends. Given that the overwhelming number of ne'er-do-wells in this city only possessed pocketknives, they lacked the means to break into the stronger structures, and typically had to resort to tricking the residents of those structures into leaving the doors ajar.
Windows has two critical traits that cause it to be such a problem on the internet: it's easily compromised and extremely popular. If either factor wasn't in its favor, the problem probably wouldn't be quite as serious, but Windows just hasn't developed appropriately for use in a multiuser, networked computing environment. The same rules that apply when you're camping in the wilderness when you're isolated become absurd when you're building a shelter when there are other people, including criminal elements, in close proximity.
To the question you pose, I think the answer is probably going to turn out to be, "Actually, yes". The overwhelming majority of current exploits are against pathetic Windows security, where there is little separation between the outside vs. inside, and no compartmentalization on the inside to limit the damage. There will still be some level of crime and confidence games in communities that have greater individual security, but the casual and inexperienced criminals wouldn't have the sort of free rein they enjoy when it takes little skill or knowledge to accomplish their goals. Would an internet dominated by Linux and OS X still have machines compromised into zombies on botnets? Of course, they're still maintained by humans who don't all care about security and fall for tricks. But it wouldn't be anywhere near on this magnitude.
... and God just builds a better idiot.
A great deal of the problem here isn't necessarily Windows, it's the people who use it. In an attempt to make its operating system easier for the idiot to use, Microsoft has added "features" that increase the vulnerability as well, particularly the "I'm-ok-you're-ok-can't-we-all-just-get-along-and-share-our-deepest-darkest-secrets" design philosophy that's behind so much of the Windows experience.
But the vast majority of Unwashed Humanity shouldn't even be using a *light switch*, never mind a computer! Even otherwise very intelligent people are so completely clueless when it comes to things that come to them in email and on web sites. I swear, if I sent out an email asking people to cut out their large intestine and email me a scan of its contents, most of them would happily do it, and thank me for the privilege.
I tell my family to follow two rules:
1. Everything you read on the internet and in email is a complete and utter lie from someone you do not know, which will steal all your money, rot your brain, and leave you (male or female) with an unwanted love child. You should completely delete all email before reading.
2. See Rule #1.
Microsoft advocates Trustworthy Computing. I recommend Paranoid Computing instead, because *nobody* can be trusted!
"My country, right or wrong; if right, to be kept right; and if wrong, to be set right." --Senator Carl Schurz (1872)
I find it easier to believe that antivirus tools just suck.
I read the internet for the articles.
Instead of filtering torrents, your local ISP should be redirecting their deep packet inspection efforts to thwarting spambots. Regardless of how deep it is buried in your OS, at some point it is going to have to announce its presence when it starts spewing spam. With >90% of the internet being choked up with spam, shouldn't ISPs worry about spambots rather than P2P? If spam is detected, a friendly email could be sent back to the source indicating that your PC is likely infected with malware.
Also, if more people (not everybody) switched to alternative operating systems such as Macs and Linux (preferably different distros), it would be much harder for malware to propagate, as they would have to split their efforts at hiding in many different targets and spreading between incompatible systems.
My rights don't need management.
In other words, never.
There are no "-1 offended" or "-1 you don't agree with me" mod options for a reason.
And _I_ consider the existence of antivirus tools to imply an OS that just sucks.
Let us not become the evil that we deplore.
This will never stop with the current security model. Attacks like this work just as well on the other major operating systems. Let's move away from reactive security and fix the root cause.
BitFrost (see http://wiki.laptop.org/go/OLPC_Bitfrost [laptop.org]) is the set of security mechanisms present in the OLPC.
Though I certainly wouldn't care to summarize the entire thing, here's what it comes down to.
User programs don't automatically get the running user's full rights. A calculator has no reason to delete your documents, so why should it be able to? And without your knowledge to boot. On the OLPCs, documents are kept in a special storage area. It isn't a matter of owner read access. In general, for a program to get a user's file poofed in to its chroot sandbox, it has to ask the document service (which presents a consistent dialog). Further, a text editor doesn't need to access the network. The user can access the network, but his or her programs can only do so if explicitly allowed to (various such rights are set at install time, configurable later). Certain combinations of program rights are disallowed at install time (such as both network access and webcam access) but can be enabled later. Plus a lot more.
Sudo/UAC sound nice and all until you realize that programs and users are separate entities.
Yes, there's a lot to learn from the OLPC project. It's designed to be used (safely) by computer-illiterate children who can't (or can scarcely) read. If you think that sounds like a good description of computer users in general, then you're absolutely right. Security as seen in *nix and Windows makes perfect sense for protecting users from each other. That was the goal back in the day. The people with access to a server were supposed to have a general idea of what they were doing (entirely on them if they didn't), and in that case *nix security works well. But computers have gotten more personal, and that assumption is now blatantly false. Anyone thinking that Windows security problems stop at buffer overflows, or that Linux on the desktop will change anything, is a fool.
"Strangers have the best candy" -Me
If it's truly undetectable, how would you know what percentage of cases were undetectable? Surely, by definition, you couldn't tell?
In other news, most women think I'm damn sexy. It's just undetectable in 99% of cases. But I'm sure they do!
Well, at least you have an opinion. It's really the mark of users that plain suck. Give all those same users who click on everything and anything that sounds vaguely interesting a nice, shiny new Ubuntu machine - ALL of the users mind you - so replace most people's Windows machines. See how long it takes those same people to be rooted. Now what will you complain about? Their sucky OS? Or their lack of ability to treat their computing resources as carefully as they SHOULD be treating their government IDs such as SSNs in the US and bank info, etc.? It's the users - not the OS.
I think the last cracking contest established that it was far easier to compromise the OSX machine (at least at that moment in time).
My OSX friends are more likely to click on everything because they have this belief that just because they are running OSX they are safe from everything. No need for a firewall or antivirus either.
My Linux friends tend to be a bit more paranoid, they all run firewalls, but many don't use an antivirus product.
My Windows friends are all over the map, from security paranoid to "computing sluts" who click on anything that looks fun (needless to say it is impossible to convince those people that they are to blame for the PC needing reimaging every 6 months).
I use them all at least occasionally, but when I do online banking I use Knoppix. A bootable CD/DVD OS that runs for a short time is the only way to know you are not compromised short of disconnecting the ethernet port.
Since antivirus is available for all major OSes, that benchmark isn't so useful ;)
Actually while I don't totally buy this (Windows gets a lot of "drive by" infections) you do make a compelling point. Even a "secure OS" cannot help if the user is willing to type their admin password at anything that asks for it.
Of course, you could make code show what it will do upfront ("This program will create files in your home directory, but won't open any network ports, or modify any files it didn't create"). This is something that could be done (I think Microsoft's "managed code" is a valid template for this approach). But the UI is really hard to nail, and the user must still read and understand what's being proposed. Consider: "This program will modify system files and read any files on the system, and open network connections both on the local zone and the Internet", does the average user allow that to run? Perhaps not, but what if it's pron?! Seriously, though - can an OS be secure, if its users don't make rational choices?
Still, I'm not running Windows here...
Actually you mean "fewer complaints". But they'd be much more rabid!
(Hey, I'm a Mac user too... but I can see the funny side)
The Cylon invasion has officially begun.
* Making waffles just so I have something to Twitter *
"The government" is a really nice abstract term, perfect for conspiracies.
The "government", aka the FBI, the NSA, etc, do not randomly break into machines.
What they do do, they do with the permission of the majority of elected representatives and thus, by proxy, with your permission.
The basic fact of government in a democracy is that, unlike in every other system of government (islamic, communist, dictatorship, ...) the government itself is not above the law.
If you have proof of your claim, take it to the courts and the government WILL modify its behavior.
Now muslim governments, or China's government, or other foreign governments will have no qualms whatsoever using these networks, and you have no legal recourse. That's what sovereignty means. Or they may buy these networks from criminals like spammers do.
Also criminals do this, you *may* have legal recourse, but they ignore it (that's the definition of the word criminal). So unless your government can use violence against said criminals, you're out of luck. Now *that* is the function of the FBI.
Or both of these may buy from each other (like e.g. afghani drug cartels buying immunity from Chinese provincial govt. or from the taliban, you see islamic justice *is* for sale (price for murder : 200 camels, or 1 (male) slave, or 2 female slaves, payable to the victim's family, and yes you'd think this was a joke, it's not))
damm,
a little wine with that chip on your shoulder?
- Choose "Explore"
- Select "Tools" -> "Folder Options"
- Choose the "View" tab
- Scroll down and uncheck "Hide extensions for known files types"
- Click "OK"
If you have a file masquerading as an image, it must be shown as what its real extension is (and optionally hide any superfluous extensions from view). Granted, it won't solve stupidity, but it will make anyone think twice before clicking an .exe file.
Really? I'm pretty sure that Bush has used signing statements to indicate that his administration is, in fact, above the law. I'm not sure what else a document that essentially reads "I don't like what Congress is telling me to do, and I'm not doing it" attached to laws that are being signed into effect can possibly mean.
Try not to take me more seriously than I take myself.
What is an average user?
You obviously aren't from around the States, are you?
...and this is a highly popular piece of OSS on Windows... Thunderbird and getting SMTP logs.
An SMTP server was giving me a vague error... I couldn't send mail because of it, but because I couldn't see any of the events leading up to it, just the last response, I was stuck.
So I figured I would turn on logging of commands sent/retrieved and check those out.
Best option: If you think it would be a configuration option in the UI - think again. It's how it should be, but it's not.
Next best option: If you think it would be a configuration option in Tools > Options... > |Advanced| > General > [config editor...] (hideous in its own right) - think again.
Next best option: If you think it would be a configuration option involving opening a .ini file, or even an XML file, using notepad - think again.
Next best option: If you think it was a command-line parameter (that you could, arguably, edit into a shortcut if you fear the command line) - think again.
Absolutely the worst option: If you think it's an environment variable - DING-dee-flipping-DING-DING, we have a winner.
http://www.mozilla.org/quality/mailnews/mail-troubleshoot.html
Now I'm plenty computer-savvy, but environment variables? Really now. I just want Thunderbird to be able to optionally log the traffic. That's not something that should be an environment variable that I'd have to set again and again (or create a separate batch file + shortcut for, etc.). That's something that should be in the config editor at worst or be a checkbox in Tools > Options... > |Advanced| > General / Network & Disk Space. It's not like the dialog doesn't have room for it - what, with 1/5th of the dialog being -blank- at the bottom.
That said, I'm not lumping -all- OSS in with this particular bad experience (there's plenty of others)... some is very well-written and well-supported.
Oh how I miss the OS8MT on the Z80 processor...
But OpenVMS will do as well...
If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
Has one ball and one tit? Couldn't say the same about the average linux user tho.
Depends, are we talking the original series or the Red Alert spin-off?
Well, that comment aside, I'd say the anti-Islam, anti-communism, anti-China rhetoric implies they are from around the States.
I'm not saying that this rhetoric is typical of the US, only that being American is typical of this rhetoric. (Also, I'm not implying that China is some shining beacon of fairness, but it's interesting to see the way the "evils" are listed.)
I swear we should be allowed to give mod points to sigs... "-1, Offtopic"
Each of your Internet connections should have a firewall.
Each of those firewalls should be set to deny ANY outbound connections to email ports EXCEPT from your email servers.
There's no need for packet inspection. Nothing else should be connecting to those ports.
And those ports are 25, 465 and 587.
Then just monitor your email server to watch for any unexplained spikes in outbound messages.
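The ISP threshold proposal earlier in the thread (100 mails a day, 350 a week) and the "watch for unexplained spikes" advice here are the same detection written two ways. The following is an added Python example, not from the article or any commenter, that runs both checks over a constructed relay log; the log format, the thresholds and the 10x spike factor are assumptions.

```python
"""Flag likely spambots from an outbound mail log: per-sender rate limits plus a
server-wide spike check.  Thresholds follow the thread (100/day, 350/week, 10x)."""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean

DAILY_LIMIT = 100    # per-sender messages per day before a "do you have a zombie" mail
WEEKLY_LIMIT = 350   # per-sender messages in any rolling 7-day window
SPIKE_FACTOR = 10    # server-wide daily volume versus the trailing daily average

# Constructed sample relay log (not real data): one submission per line,
# "<ISO timestamp> <sender> <recipient count>".  alice is a normal user,
# bob has one bad day, carol creeps past the weekly limit, dave is a spambot.
SAMPLE_LOG = """
2008-04-07T08:00:00 alice 20
2008-04-08T08:00:00 alice 20
2008-04-09T08:00:00 alice 20
2008-04-10T08:00:00 alice 20
2008-04-11T08:00:00 alice 20
2008-04-12T08:00:00 alice 20
2008-04-13T08:00:00 alice 20
2008-04-09T03:12:00 bob 80
2008-04-09T03:13:00 bob 45
2008-04-07T12:00:00 carol 60
2008-04-08T12:00:00 carol 60
2008-04-09T12:00:00 carol 60
2008-04-10T12:00:00 carol 60
2008-04-11T12:00:00 carol 60
2008-04-12T12:00:00 carol 60
2008-04-13T12:00:00 carol 60
2008-04-12T02:00:00 dave 2000
"""


def parse_log(text):
    """Parse log lines into (datetime, sender, recipients) tuples, skipping blanks/comments."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        stamp, sender, rcpts = line.split()
        events.append((datetime.fromisoformat(stamp), sender, int(rcpts)))
    return events


def per_sender_per_day(events):
    """Map sender -> {date: recipients addressed that day}."""
    counts = defaultdict(lambda: defaultdict(int))
    for stamp, sender, rcpts in events:
        counts[sender][stamp.date()] += rcpts
    return counts


def flag_senders(events, daily_limit=DAILY_LIMIT, weekly_limit=WEEKLY_LIMIT):
    """Return {sender: [reasons]} for every account that crossed a limit."""
    flagged = defaultdict(list)
    for sender, days in per_sender_per_day(events).items():
        for day in sorted(days):
            if days[day] > daily_limit:
                flagged[sender].append(
                    f"{days[day]} messages on {day} exceeds daily limit {daily_limit}")
            # Rolling 7-day window ending on this day (days with no mail count as 0).
            week = sum(days.get(day - timedelta(days=k), 0) for k in range(7))
            if week > weekly_limit:
                flagged[sender].append(
                    f"{week} messages in the week ending {day} exceeds weekly limit {weekly_limit}")
    return dict(flagged)


def server_daily_totals(events):
    """Map date -> total recipients relayed by the whole server that day, in date order."""
    totals = defaultdict(int)
    for stamp, _sender, rcpts in events:
        totals[stamp.date()] += rcpts
    return dict(sorted(totals.items()))


def detect_spikes(events, factor=SPIKE_FACTOR):
    """Return (date, total, ratio) for days whose server-wide volume exceeds
    factor x the mean of earlier normal days.  Spike days are left out of the
    baseline so one infected host does not mask the next one."""
    spikes, baseline = [], []
    for day, total in server_daily_totals(events).items():
        if baseline and total > factor * mean(baseline):
            spikes.append((day, total, round(total / mean(baseline), 1)))
        else:
            baseline.append(total)
    return spikes


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for sender, reasons in flag_senders(events).items():
        print(f"{sender}: " + "; ".join(reasons))
    for day, total, ratio in detect_spikes(events):
        print(f"server spike on {day}: {total} messages, {ratio}x the trailing average")
```

On the sample, bob trips only the daily limit, carol only the rolling weekly limit, and dave trips both and also shows up as a server-wide spike of roughly 20x the trailing average.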
Yes, someone could delete the contents of their home directory by so doing. He or she could NOT affect anything beyond that by clicking on it. This also assumes they have made the script executable. And, strictly speaking, your script is not a virus. It does not self-propagate.
Let us not become the evil that we deplore.
Yes, it's true. There is AV software for Linux systems. It is for mail servers that serve Windows clients. Read the documentation, it's in there. Thanks for playing, though ;-)
Let us not become the evil that we deplore.
I agree with you that users are themselves a major security concern. I disagree that your scenario would produce the results you claim because I have been a system administrator for Windows and Linux (and the rare Mac) and I have seen the damage users can do to each kind of system. My Windows users needed far more help fixing things they had broken than my Linux users of all levels of skill (mostly novices, though).
With that said, I am becoming tired of people propagating the myth that it is all about the users or even about the market share. It is not. It is about openness and design.
Let us not become the evil that we deplore.
"Seriously, though - can an OS be secure, if its users don't make rational choices?"
You can make system files immutable in Linux with chattr; an immutable file may not be overwritten by root unless chattr is first run to remove the immutable flag.
Furthermore, you can, during install, use chattr to set files immutable, and then set user:owner of chattr to user chattr and set permissions to only allow user chattr to read or execute chattr, as well as making chattr immutable so root can't replace it.
So yes, you can idiot-proof a Linux system. Even if they still have sudo permissions so they can install new programs.
The basic point of this would be to have some type of crontab-based scanner and a remote administrator (eg: the guy who set it up for Mr. I-love-porn-and-am-stupid), and basically if Mr Idiot installs bad software, Mr Remote Admin can remove it, and make fake files in his owner/user group so that Mr Idiot can't install it again (although without access to chattr it might be hard to prevent Mr Idiot from finding out how to use sudo to delete those files when he asks on a message board how to get around this 'error' when he tries to install software etc..)
Although it's SO much easier to just not give Mr Idiot sudo permissions and allow Mr Remote Administrator to approve any software Mr Idiot wants on his system. The point was can Linux be idiot-proofed, and yes it can, in many functional ways.
https://www.gnu.org/philosophy/free-sw.html
Bullshit.
I've been to hacker conventions, and I've seen how heavily the government recruits the people there.
I've seen the laws that keep getting signed, saying that the executive branch is now above the law, and can search, spy and seize without consequence.
I've also seen the people who are running for office. I don't believe any of them will be any better. It doesn't matter who I vote for, or whether I vote at all.
"The cup is in turn designed for holding hot or cold liquids, and has an open rim and closed base." --US Patent #5425497
Well, at least you have an opinion. It's really the mark of users that plain suck.
I really wish this was the case, but OS vendors could do much, much, much more to make their systems secure by default. As for the metric that users suck, sure they do. Last I read, however, compromises that had no user interaction were still responsible for more incidents than ones that have a user interaction component. There are a lot more trojans out there than worms that compromise machines silently, but the latter hit a lot more machines at a time and more often.
Give all those same users who click on everything and anything that sounds vaguely interesting a nice, shiny new Ubuntu machine - ALL of the users mind you - so replace most people's Windows machines. See how long it takes those same people to be rooted.
Actually, they would probably last a lot longer. The truth is, Linux is attacked less by automated worms so most users would fare better. It is not that Ubuntu is really much better for security than Windows (it is better in some ways, worse in others) but there is one big thing Ubuntu has going for it. Canonical does not have monopoly influence on the desktop OS market.
Ubuntu currently has security that is appropriate to the threat posed by malware attacking it. Regardless if that security is currently better or worse than Windows, there is no reason to think Ubuntu would not continue to provide whatever level of security is desired by users. You see, Canonical sells services based around Ubuntu. Most of the contributors to Linux are users (either on a large or small scale) or are hired by users. If Canonical does not provide them with the security they want, they can and will go elsewhere. There are lots of Linux distros and companies selling services based upon it. In a worst case, Linux can fork to provide users what they need. Basically, it comes down to motivation. If Ubuntu is not good enough, Canonical loses money; ergo, Canonical will invest in security improvements so they can make more money.
When Windows does not provide the appropriate level of security to make the average user happy, Microsoft does not lose significant money. In fact, in many cases machines are slowed down by malware such that the user does switch to a new vendor. The problem is, they switch computer vendors (from Dell to Lenovo for example) and Microsoft actually gets an extra sale out of it. Usually the influence MS wields in the desktop OS market makes switching to another OS vendor impractical or uneconomical, especially given MS's ability to break interoperability with other OS's and lock in users via their data, applications, etc.
Now what will you complain about? Their sucky OS?
It is not even that Windows sucks on technical merits. They suck because they are the biggest target and they don't care. When I go down to the bar, I don't wear a bulletproof vest of any sort. When I browse the internet from a Mac or Linux machine I don't bother with sandboxing my browser or running it in a VM that resets every time I use it, or even running antivirus software scans. I don't need to. If I take a business trip to Baghdad, I'll probably wear a vest. Most people would not think to do so. For someone at a tourist bureau in Baghdad to try to persuade people that Baghdad is a more secure place than Minneapolis is absurd. For them to argue that there are more troops protecting you in Baghdad than in Minneapolis is beside the point. For them to argue there are concrete emplacements and checkpoints to catch "bad guys" is likewise beside the point. The measures in place are insufficient to deal with the level of threat presented. This is true for Baghdad and Windows.
And to answer your second question, if Ubuntu were regularly compromised in daily use, yeah I'd argue its security sucks. There is a lot of work that can be done to make every OS more secure for users, but for the most part only Windows has a big problem for normal
Russia? Of course! See the evil government who doesn't agree with the USA! France? Of course! They didn't even want to enter an illegal war along the USA! U.S? This means there are terrorists operating inside the American borders, targeting the people of the USA! They must be stopped! Bush needs to be given emergency powers to stop this threat!
Ah! My buddy Anonymous! How are things at the Coward house? Anyway, let's consider those systems that have antivirus for their mail services only to be exempt, shall we? How does that change your list?
Let us not become the evil that we deplore.
But isn't Xen a more mature FOSS solution than VirtualBox? Not to mention Xen is true FOSS and not some half proprietary software that businesses have to pay for, vs a feature stripped 'GPLed version...'
https://www.gnu.org/philosophy/free-sw.html
point. click. root.
Help stamp out iliturcy.
OK, I can see that. But this isn't really helpful without either:
An Admin
Reducing the OS functionality
Actually I can even imagine securing Windows if we're willing to use an admin to nurse every install. (More likely we have one boot image, and all users boot that, or some kind of WinTerm type solution)
I would agree that Unix (and Unix-a-likes) makes securing the OS simpler (well probably some Windows maven would find some similar wheeze on XP/Vista) but it's not really going to fly if Mr Idiot-And-I-Love-Pron owns (not pwns) the box.
Windoze suxxors! It and people who use it should not be allowed on the interweb! They should all be using [insert linux distro] Linux! Then, they wouldn't have this problem!
Carry on now.
Ubuntu. It really is dead easy to use for common tasks that people want to do.
My mom however is virtually a day-1 beginner when it comes to computers (she just got her first one), and she loves it. She goes about, going to websites and emailing her friends blissfully unaware of the threat of malware, and I spend no time at all cleaning up her system. Wish I could say the same about other friends and family members whose Windows systems sometimes take hours to clean up.
What do you think people are trying to do that's so difficult in Linux? Put a Firefox icon on the desktop, and you've just covered what I suspect the vast majority of home-users do with their computers most of the time. There's a desktop, graphics and everything.....it's not like you boot up Ubuntu and get faced with a bash shell to run commands and VI to edit all your docs....
"Better" is subjective. All I know is, the people I've set it up for seem to like it, and they don't seem to miss the viruses/spyware.
Yeah, I imagine there's plenty of hardware that doesn't have Linux drivers available, but (luckily) that hasn't been an issue for me yet.
Now that's just crap. Inexperienced users are, in my experience, the most likely people to smile and nod when someone helps them to install things like AV and a software firewall, and then immediately turn 'em off when they either don't know what they're doing (pop-ups from the firewall asking permission for program x to connect to the network) or if they don't get the result they want (I clicked on the picture-icon, but it wouldn't let me view it, so I turned off the AV).
Yep, some of it's hit or miss, but for a lot of people, something like Open Office, or even Google Documents does what they need. People like my mom or quite a few people I know will never use most of the features in Office, if they even use it at all. Quite a few of them need a machine for email and web access, and not a whole lot more.
I agree, and go so far as to say that for the kind of user I'm talking about WINE would probably be a disaster. If they *need* Windows apps, I'd point them at Windows, but a lot of people just don't *need* it.
Some bring out the best in others, some the worst. Some bring out far more.
I'm happy using Linux, and I giggle when Windows users get infected, but I never barrage them with Linux advertisement. They usually get infected because they are browsing the web or viewing emails in Outlook Express with admin rights.
PS my 7 year old XP laptop has never had a virus.
Sorry, just had to reply...
Nothing will happen; the OS will stop it. How? By the trivial means of not allowing downloaded files to be executed unless I explicitly edit their permissions to turn on the execute bit.
Yes, this really would help. Mere double-clicking can be done reflexively. But more complex instructions like "save this to your filesystem, then open a terminal window and type 'chmod +x free_porn.sh', and then double-click it for free porn!" gives your victim just that little bit longer to realise that they're being conned. Is it 100% secure? No, of course it isn't. Is it more secure than an OS that will blindly execute anything that has a filename ending
I take it you have never visited freshmeat or sourceforge.
There is no "-1 offended" or "-1 you don't agree with me" mod options for a reason.
It's Vinge's Mailman!!!
Your post advocates a
( ) technical ( ) legislative ( ) market-based (X) vigilante
approach to fighting spam. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which used to vary from state to state before a bad federal law was passed.)
( ) Spammers can easily use it to harvest email addresses
( ) Mailing lists and other legitimate email uses would be affected
(X) No one will be able to find the guy or collect the money
( ) It is defenseless against brute force attacks
( ) It will stop spam for two weeks and then we'll be stuck with it
( ) Users of email will not put up with it
( ) Microsoft will not put up with it
(X) The police will not put up with it
( ) Requires too much cooperation from spammers
( ) Requires immediate total cooperation from everybody at once
( ) Many email users cannot afford to lose business or alienate potential employers
( ) Spammers don't care about invalid addresses in their lists
( ) Anyone could anonymously destroy anyone else's career or business
Specifically, your plan fails to account for
(X) Laws expressly prohibiting it
( ) Lack of centrally controlling authority for email
( ) Open relays in foreign countries
( ) Ease of searching tiny alphanumeric address space of all email addresses
( ) Asshats
( ) Jurisdictional problems
( ) Unpopularity of weird new taxes
( ) Public reluctance to accept weird new forms of money
( ) Huge existing software investment in SMTP
( ) Susceptibility of protocols other than SMTP to attack
( ) Willingness of users to install OS patches received by email
( ) Armies of worm riddled broadband-connected Windows boxes
( ) Eternal arms race involved in all filtering approaches
(X) Extreme profitability of spam
( ) Joe jobs and/or identity theft
( ) Technically illiterate politicians
( ) Extreme stupidity on the part of people who do business with spammers
( ) Dishonesty on the part of spammers themselves
( ) Bandwidth costs that are unaffected by client filtering
( ) Outlook
and the following philosophical objections may also apply:
( ) Ideas similar to yours are easy to come up with, yet none have ever
been shown practical
( ) Any scheme based on opt-out is unacceptable
( ) SMTP headers should not be the subject of legislation
( ) Blacklists suck
( ) Whitelists suck
( ) We should be able to talk about Viagra without being censored
( ) Countermeasures should not involve wire fraud or credit card fraud
( ) Countermeasures should not involve sabotage of public networks
( ) Countermeasures must work if phased in gradually
( ) Sending email should be free
( ) Why should we have to trust you and your servers?
( ) Incompatibility with open source or open source licenses
( ) Feel-good measures do nothing to solve the problem
( ) Temporary/one-time email addresses are cumbersome
( ) I don't want the government reading my email
(X) Killing them that way is not slow and painful enough
Furthermore, this is what I think about you:
(X) Sorry dude, but I don't think it would work.
( ) This is a stupid idea, and you're a stupid person for suggesting it.
( ) Nice try, assh0le! I'm going to find out where you live and burn your
house down!
'sudo apt-get install kraken' doesn't do anything. can someone help please?
See, you are not a fanboy because your laptop still has XP on it. If you were a fanboy, you would be evangelizing Linux to all your friends and would not have Windows on anything.
There is no "-1 offended" or "-1 you don't agree with me" mod options for a reason.
Anyone actually confirmed this? Checked it out at all?
It is meaningless in this situation. But I'm sure you enjoyed it.
Zombies send the email themselves. Why would they need to bounce a message through a different zombie? All they would end up doing is spamming their own zombies.
Only in your mind. Again, all that would accomplish is that the zombies would end up spamming their own zombies.
No, they do not. Because if they used a port other than the three I have identified, the email would not be received by any legitimate email server. Again, all they would end up doing would be to spam their own zombies.
You are confusing "command and control" of the zombies with the act of a zombie sending out spam. They are not the same. Yet you have confused them.
Mice? Clicking? Sissies.
Windows+E
Alt, T, O
Ctrl+Tab
Tab, Tab, H, H, Space, Tab, Tab, Space
Alt+F4
Easily done in under 5 seconds.
This shit is like the Konami Code.
I just want to say that this is one of the most interesting comments I've seen on Slashdot. Not because it is well-written (it is), but because I learnt something from it, which is too rare on Slashdot. I'm not a Linux zealot (though I use it exclusively at home now) and am bracing myself for when it does become a popular target for widespread attack. This is an argument about Linux security that I've read that really addresses it which I hadn't heard before. The "thousand eyes" principle may provide another security advantage over Windows, but I don't know. This point however, is very well argued. Thank you.
H.
Aide-toi, le Ciel t'aidera - Jeanne D'Arc.
Don't underestimate me.. I've performed WAY more complex operations than that in order to obtain free porn.
It also guarantees that no regular-Joe home users will ever use that OS because they don't want to have to change permissions on every shitty time-waster game they download from the internet.
btw, you can actually make a nice secure user 'chattr' who is not root and have a fairly secure password length for when the Mr remote admin needs to use chattr to install updates, etc. just make sure Mr Idiot is safely logged out when doing the updates.
Thought of this after I posted, although technically Mr Idiot can "sudo su chattr" if he's a sudoer unless you require all user chattr logins to go through sshd. Not sure off hand how to do that on Linux, more used to how to do that on BSD systems.
https://www.gnu.org/philosophy/free-sw.html
ah of course, the easiest way is to set su to user su or some such have it chattr and of course belonging and executable only by user su.
https://www.gnu.org/philosophy/free-sw.html
Well, if by "set up everything for them" you mean installing Ubuntu, how is that any different than someone buying a Windows machine that came pre-configured?
Like what? I'm talking about very casual users, who don't do a whole lot beyond web browsing and the occasional bit of word-processing. They've needed far less attention from me than similar Windows users who manage to become infested with all sorts of bizarre malware. The Windows users tend to ask for more help from me to begin with, not less.
I have, and I've also used Open Office (not perfect, but not awful) and FireFox on Linux. Like I said, some do, some don't. I also mentioned that this is a subjective judgment, if you think most of them suck, that's what you think. If I think some of them don't, that's what I think. Just a matter of taste I suppose.
Some bring out the best in others, some the worst. Some bring out far more.
Your argument here is interesting because of two points. First, generally restricting new programs so that they cannot do anything they want. The second and more focused point is preventing installers from writing files here there and everywhere. I think default ACLs to restrict programs are going to be very important to the future of computing. Keeping programs contained within a given part of the filesystem is also useful and I'd argue an approach that does well in this regard is the application packages used on OS X. It is a win in that it removes the need for installers in most cases (drag and drop beats running random code) and provides a folder where all an applications files can be stored. It allows applications to write to specific other locations, but just config files, not binaries and there are advantages to storing the config files outside the package.
"This is something that could be done (I think Microsoft's "managed code" is a valid template for this approach). But the UI is really hard to nail, and the user must still read and understand what's being proposed."
I agree with this although I'd make a few points. MS's UI is a travesty. It is not just poor, but it makes the same UI mistake people have been complaining about for years. The "OK/Cancel flaw" has been well documented and explained by numerous experts. MS has little excuse for doing it all over again. Second, I think if you get to the point of asking users to authorize or deny specific activities it should only be as a last resort after several other passes that attempt to resolve the issue.
"Consider: "This program will modify system files and read any files on the system, and open network connections both on the local zone and the Internet", does the average user allow that to run? Perhaps not, but what if it's pron?!"
Has your OS certified this software is from a specific vendor? Has your antivirus provider certified this software as specifically safe or unsafe? Given that it is uncertified software from somewhere unknown I think it is very important to give the user good options. Don't give them buttons that say: (OK)(Cancel). Give them buttons that say: (Allow program_name to run, but restrict access)(Don't allow program_name to run)(Allow program_name to run and have complete control of the computer)(Advanced options). If they click the first option try running the software without letting it touch the network or system files and see what happens. If that fails automatically run it, but give it access to dummy files and network access. If that too fails, let it run in a clean VM with a bridge to the network (while watching that VM/network for potentially malicious behavior like running a mail server that sends a lot of traffic).
"Seriously, though - can an OS be secure, if its users don't make rational choices?"
I think the key is to give the users good choices and only as a last resort after automated work by the experts has failed. Never give users cryptic choices. You have to avoid training users into thinking allowing access to programs equates to programs working. Right now clicking "OK" for most users is a conditioned response that people do like putting gas in a car. You click "OK" all the time to keep your computer running stuff. That association needs to be broken. Granting access should be a separate issue to whether or not a program will run. A user can validly want to run a program so they can look at porn, but still not trust that program. A secure OS should let them run it, but still not trust it. Let it connect to the internet and access a dummy address book file and take control of a dummy Webcam and install a keystroke logger in the VM and send that useless data to some third party. Then, the user can look at their porn and still be secure as much as possible.
With .deb files you don't need to worry about the execute bit. But then the user would need root to install .deb files anyway.
Carbon based humanoid in training.
New Slashdot meme:
"Wow.. cool.. Imagine a Botnet of these!"
To replace antiquated Beowulf Cluster reference.
Menus: Linux=function, Windows=vendor, OS X=as little as possible. Makes a statement, don't you think?
If the user thinks it's something they want, they'll do anything. Hell, if people search google for hours to find out how to play the codec du jour they downloaded their moviez in, they'll jump through *any* hoops the instructions include, even if it were a 20-step "guide".
Who is General Failure and why is he reading my hard disk?
We need an EOI link, exterminate operator, that'd get their attention.
I miss Rich Cook, he's sick and can't write anymore. Here's a couple of his books given freely.
http://www.baen.com/library/rcook.htm
I'd go on a Vegan diet but the delivery time from Vega is too long. --brownkitty
And the internetz is an instrument for spreading illegal copies of music. The internetz is so illegal..
Privacy is terrorism.
That's exactly the point I'm (unsuccessfully) trying to make. Making this easy to understand is hard. Anyone who thinks otherwise should then consider that the computer's owner is nine years old. (I pick nine as I was nine when I had my first computer)
We read this is as the application saying: "give me a blank cheque, and while you're at it, the keys to your car".
You could, but then grandma would go to a website and download the "free virus check" for her linux box, and it would get infected. Since she needs to run the check (the popup in Firefox told her so), she'd just sudo and install it, per the included directions. You see, it's not the OS, it's the users. Sure, windows is an easy target, but its an easy target because there are so many users who don't know better. You can infect any machine that has internet access and a local accomplice with administrative rights. Since a single user system - i.e. just about any home system - has someone with the ability to elevate to administrative privileges sitting in front of the keyboard ready to install the virus^Wnew solitaire game, there is no real barrier.
Instead you should ban the internet. It will be much more effective in stopping bots, though it may reduce other desirable characteristics of modern computing.
Is it just my observation, or are there way too many stupid people in the world?
My sister installed Linux on her laptop (she lost the Windows key she had, and someone gave her a Linux CD, and she couldn't be bothered to go back to Windows after realising Firefox was the same on both).
She happily downloaded a game (no idea what), it was a .tar.gz file, double clicked it (or right click) and extracted it, and then double clicked the binary. Nothing complicated needed.
I find it par for the course that the commentator on zdnet says java and sun, but Macaulay, per theregister, says javascript.
Computer memory is just fancy paper, CPUs just fancy pens with fancy erasers; the 'net is just a fancy backyard fence.
It has much less to do with popularity than with featuritis. More features means more cracks to (intentionally) fall through.
Well, the feature creep is part of what is driving the popularity, but that's reversing the causality.
ps: fanboys are a misfeature of any popular OS
pps: 10% is not exorbitant. Don't confuse lack of a stripped-down model for high prices. Complain about the lack of a stripped-down model, instead.
ppps: insane (sparse) memory usage is also a misfeature of any modern OS. Solve the hard computation problems with processor speed and sparse memory organization. Let the user upgrade to 512M+ (AppleMac) or 1G+ (MSVista), and depend on better memory management to avoid swapping.
This will be the year the AppleMac catches up with MSWindows in being vulnerable. Maybe.
Computer memory is just fancy paper, CPUs just fancy pens with fancy erasers; the 'net is just a fancy backyard fence.
That's something Microsoft has been notoriously lax on. Unless it makes them a little money, in which case they give the bare minimum required to make the money, then leave the user to fend for himself in a hostile environment that is oriented to discouraging him from thinking for himself.
Apple has been an order of magnitude better, but that is not enough. And they've been slowly backing off of that, and are not so now.
These days, seems like everyone wants you to pay them for thinking for you.
(Linux, of course, well, shoot, even Linux is getting its share of wizards. Visual access to the settings, human readable help, verification of the settings, and a human language explanation of the settings set, that's okay. But the current setup assistants try to think for the user, try to tell the user what he wants based on incomplete criteria. They give visual partial access, human readable partial help, partial constraints instead of verification, and precious little human readable explanation of the results.)
Computer memory is just fancy paper, CPUs just fancy pens with fancy erasers; the 'net is just a fancy backyard fence.
Well, we should say, don't use sudo except as an admin user that you never surf the web with.
The solution is to prompt the user to make, not one, but two non-root accounts when they start the system up the first time or install the OS. Spell it out like this:
"This one is for admin. It will have no general purpose web browsers, e-mail, etc., in the doc/start menu unless the user him/herself puts them there, only stuff useful for admin. DON'T USE IT FOR ORDINARY STUFF! Give it a really hard password that you write down and keep in the safe or whatever."
"And this next one is for ordinary, day-to-day use. DON'T USE IT TO INSTALL THINGS OR DO OTHER ADMIN STUFF. Give it a hard password that you can remember."
And you don't let the ordinary GUI agent for sudo run for an ordinary user unless the admin goes into the user setup and selectively allows the ordinary user to run it. And there is a warning there, short and to the point: "Checking this box may allow evil things to happen while the user is surfing the web or reading e-mail or doing other work."
And the same warning should be prominently displayed in the GUI agent for sudo anytime it runs.
Computer memory is just fancy paper, CPUs just fancy pens with fancy erasers; the 'net is just a fancy backyard fence.
Even live CDs will not be very effective if the malware writers find their way to the boot sectors (which is quite possible with a lot of unsupported but in-use previous versions of MSWindows).
Yes, MSWindows is, in part, a victim of its own popularity. But Bill & Steve have been far too reluctant to give up the market share.
So, even though it seems unfair to say so, when no system could (in theory) prevent the stupidity of the user from causing the user pain, it is still Microsoft to blame for how bad things have become. Microsoft and us, because we drank the kool-aid. We bought their bill of goods.
If we lived in a world where people were surfing the web on Amigas, Macs, MSWhatever boxen, Ataris, Acorns, Apple ][32, TRS 80 level VIIs, Tandy Color Computer 32s, C64x64s, Sinclair128s, etc., the malware business would be a lot harder to make a profit in. There would, of course, be more platform-specific exploits, but not nearly the minefield we have now.
Okay, when I wake up from the fantasy, I'll admit that not all the cool kludges would/should have survived, but the current homogenized web is just way too easy to attack.
Computer memory is just fancy paper, CPUs just fancy pens with fancy erasers; the 'net is just a fancy backyard fence.
Why not check out ThreatFire? Get community based protection. You know, from all those botnets.
Calling someone a "hater" only means you can not rationally rebut their argument.
Ah I see... I checked out the 'definition' of fanboy on Wikipedia and indeed it seems I don't fit it. Damn!
So, I guess it does work!
--- I am known for the ones who want to find me on the net. Is that a privacy risk or a privilege? One might wonder..
Sure it's the users! But in the case of windoze systems, the OS helps a lot ;-)
The situation and the cause will probably be different for each of these countries. As a Frenchman, I'd say that my country could be a good target for botnets because we have cheap and widely available fast broadband (half of the population has over 5Mb/s, the current edge being fiber 100Mb/s down, 50 up for 29E99/month, taxes included). As a consequence, we have millions of semi-literate computer users that have far more bandwidth than they need and wouldn't notice if a few of their Mb/s were stolen. For a botnet manager, they are a far better prey than the average 1-2Mb/s American line.
Just make a variant of firefox thats 100% SAFE for porn, call it HotFOX.
Safe JS, no Java, sandboxed Flash, no popup windows under any circumstances (how hard is that really, come on Firefox).
Any downloaded .exe via a stupid user is immediately saved as a .zip converted file, with a simple password so it cannot be accidental.
Oh and that's a note to all software vendors, stop placing .EXEs on the web, idiots. Stop pandering to dumb prix. It just feeds the .exe is ok syndrome.
That goes to many Sourceforge projects that make win32 builds with a .exe download, IDIOTI!!
In fact go one step further, ISPs should transparently convert all .exe downloads to .zip, oh and scan them first then do a permanent firewall block.
Fucked up govt pays millions to NSA to monitor users, but do they add any built in protection from virii traffic? no.
So if you work for the govt, or are an NSA agent or some big wig, the onus is on you, get a clue do something that benefits society, not your paypacket and your wifes hand bags.
Liberty freedom are no1, not dicks in suits.
You don't get rooted on Ubuntu by just clicking at things. You need to go out of your way and make your system vulnerable.
I am not saying that no user will get a virus on Ubuntu. A few will, but those few will have to work very hard toward it.
Rethinking email
Actually, Zombie Alice inside the corp network would try to spam outgoing on its own; if that failed, it would collect a list of e-mail addresses from the corporate network (or just Alice's machine, if that's all it can get to) and it would connect to the bot cloud and distribute the e-mails not only to Bob, but to a few dozen other bots that were connected at the same time.
I do know how these bots work. I've used Ethereal to trace their activity, and MANY bots don't just have a single mode of operation: they can fill multiple tasks, and the bot network has control over what priority each bot's activity is set to and helps determine whether a bot does anything at all, just waits for instructions, performs DDoS, spams, collects data, infects other PCs, etc.
Remember, bots make money. If an infection is made, the bot needs to evaluate what it can and can't do from that point. It's then able to do only those things (unless something changes, which they periodically check for).
No, not all bots are this intelligent. Some of them don't even do all these things on their own (few have more than a couple of tricks), but once an infection is made, some bots do nothing more than download other bots... actually, that's how the bot network evolves. The controller makes a new, better bot, and all the existing bots can connect and download improved versions of themselves. This is why they're so damned problematic. There were over a hundred versions of Storm out there (some original, others hacked copies redistributed by others).
There is no contest in life for which the unprepared have the advantage.
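The first step the commenter describes, a zombie on the corporate LAN trying to deliver spam itself before falling back to the bot cloud, has a visible signature: a workstation that is not the mail relay opens connections to many different outside mail servers on SMTP ports. The following is an added example for this page, not the commenter's code or any product's, showing that check over constructed firewall log lines in a simple key=value form. The relay address, the internal ranges, the port list, the threshold and the field names are assumptions for the example.

```python
import ipaddress
from collections import defaultdict
from typing import Dict, List, Set

# Assumptions for this example: which host may talk SMTP outbound, which
# ranges count as "inside", and how many distinct outside mail servers a
# single workstation may touch before we call it fan-out.
APPROVED_RELAYS = {"10.0.0.25"}
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SMTP_PORTS = {25, 465, 587}
FANOUT_THRESHOLD = 3

# Constructed log lines (not captured from a real device): the relay doing its
# job, one workstation fanning out to many mail servers and being blocked, and
# one workstation with a single submission that looks legitimate.
SAMPLE_LOG = """\
ts=100 src=10.0.0.25 dst=203.0.113.10 dport=25 proto=tcp action=allow
ts=101 src=10.0.0.25 dst=198.51.100.7 dport=25 proto=tcp action=allow
ts=102 src=10.0.5.23 dst=203.0.113.10 dport=25 proto=tcp action=deny
ts=103 src=10.0.5.23 dst=198.51.100.7 dport=25 proto=tcp action=deny
ts=104 src=10.0.5.23 dst=192.0.2.44 dport=25 proto=tcp action=deny
ts=105 src=10.0.5.23 dst=192.0.2.45 dport=25 proto=tcp action=deny
ts=106 src=10.0.5.23 dst=10.0.0.25 dport=25 proto=tcp action=allow
ts=107 src=10.0.7.9 dst=203.0.113.10 dport=587 proto=tcp action=allow
ts=108 src=10.0.7.9 dst=203.0.113.80 dport=443 proto=tcp action=allow
"""


def parse_line(line: str) -> Dict[str, str]:
    """Split 'k=v k=v ...' into a dict; tokens without '=' are ignored."""
    fields = {}
    for tok in line.split():
        if "=" in tok:
            k, v = tok.split("=", 1)
            fields[k] = v
    return fields


def is_internal(addr: ipaddress.IPv4Address) -> bool:
    """Membership in the configured internal ranges. Deliberately not
    ip_address.is_private, which also treats the documentation ranges used
    in the sample (192.0.2/24, 198.51.100/24, 203.0.113/24) as private."""
    return any(addr in net for net in INTERNAL_NETS)


def smtp_fanout(log_text: str) -> Dict[str, Set[str]]:
    """Map each non-relay internal source to the distinct outside addresses it
    tried to reach on an SMTP port. Denied attempts count too: a blocked bot is
    still a bot, and the block is what pushes it to hand its mail to other
    zombies instead."""
    targets: Dict[str, Set[str]] = defaultdict(set)
    for line in log_text.splitlines():
        f = parse_line(line)
        try:
            src = ipaddress.ip_address(f["src"])
            dst = ipaddress.ip_address(f["dst"])
            dport = int(f["dport"])
        except (KeyError, ValueError):
            continue  # line lacks the fields we need
        if dport not in SMTP_PORTS or not is_internal(src) or is_internal(dst):
            continue
        if str(src) in APPROVED_RELAYS:
            continue
        targets[str(src)].add(str(dst))
    return dict(targets)


def suspects(log_text: str, threshold: int = FANOUT_THRESHOLD) -> List[str]:
    """Internal hosts whose distinct outside SMTP targets reach the threshold,
    most prolific first."""
    fan = smtp_fanout(log_text)
    hits = [(len(dsts), src) for src, dsts in fan.items() if len(dsts) >= threshold]
    return [src for _, src in sorted(hits, reverse=True)]


if __name__ == "__main__":
    for src, dsts in smtp_fanout(SAMPLE_LOG).items():
        print(f"{src}: {len(dsts)} distinct outside SMTP targets")
    print("suspects:", suspects(SAMPLE_LOG))
```

The check only works if the perimeter policy is what an earlier comment asks for: workstations are denied direct outbound SMTP and must go through the relay, so any attempt outside that path is itself the signal. It says nothing about the fallback path through the bot cloud, which looks like ordinary outbound traffic and needs other indicators.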
Don't forget the file servers that host Windows files, and the web servers where Windows computers can upload stuff...
An antivirus has plenty of uses on Linux.
Rethinking email
Well, my computer will open it on a text editor.
Rethinking email
I'd go one step further - make all but signed apps use managed code, like
const int one = 65536; (Silvermoon, Texture.cs)
SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
Agreed. In fact I only meant to imply that the self contained "application is a folder" concept used by OS X and OpenStep provided a very easy way to quickly enforce such restrictions with very minor changes to the OS itself.
I'd also argue that it is useful for applications to have the ability to write their own XML config files to a special directory external to themselves, and to have read access to the XML config files of other user applications. This facilitates several areas of functionality, including:
- shared bookmarks for multiple browsers and versions of the same browser, and other such data
- config files that can persist once an application is not available, so if a user runs an application from a CD/DVD, flash drive or network drive the config can persist across sessions and have system-specific characteristics
- allowing users to uninstall/reinstall applications via drag and drop without losing preferences
- allowing for user/group/universal preferences that can combine and which are not lost/overwritten when applications are installed just for one user or group
"Apps would not be able to write binary data to files, only XML." This might be a step too far. I can see valid use cases for an application needing to generate binary data files for its own use. Rather, I'd allow the program to generate any files it likes so long as they are contained within its folder (and hence invisible to normal users), restricting them only based upon disk usage.
"Things like access control and passwords/encryption would be handled by the OS, and the OS could prevent access to files created by other programs until the user allows it (so no harvesting users' documents)." Again, I agree this could be very useful, but at this point you're going to have to put in a lot more work and have a very polished UI. A lot of users want to install a program to open or modify files they did not create. Think image viewers, editors, PDF tools, text editors, etc. Applying such restrictions by default is fine, but there needs to be a really easy way for users to grant access to all files of a given type within their home directory and network shares.
No, we do not need user education; what we need are systems that are designed from the ground up to be secure, i.e., whitelisting. I want an OS where the only programs that can run are ones the root account has given explicit permission to. We'd still need administrator education, but that's actually feasible, unlike general user education (see "better idiot").
There are 11 types of people, those who know unary and those who don't.
So instead of entering the root password, they have to enter the password of user chattr.
If the user does not have access to the chattr password since they are on a managed system with a savvy administrator - then why did they get access to root in the first place?
I can see this is convenient if root is needed to do something other than change system files, but it still strikes me as strange.