Ethics of Releasing Non-Malicious Linux Malware?
buchner.johannes writes "I was fed up with the general consensus that Linux is oh-so-secure and has no malware. After a week of work, I finished a package of malware for Unix/Linux. Its whole purpose is to help white-hat hackers point out that a Linux system can be turned into a botnet client by simply downloading BOINC and attaching it to a user account to help scientific projects. The malware does not exploit any security holes, only loose security configurations and mindless execution of unverified downloads. I tested it to be injected by a PHP script (even circumventing safe mode), so that the Web server runs it; I even got a proxy server that injects it into shell scripts and makefiles in tarballs on the fly, and adds onto Windows executables for execution in Wine. If executed by the user, the malware can persist itself in cron, bashrc and other files. The aim of the exercise was to provide a payload so security people can 'pwn' systems to show security holes, without doing harm (such as deleting files or disrupting normal operation). But now I am unsure of whether it is ethically OK to release this toolkit, which, by ripping out the BOINC payload and putting in something really evil, could be turned into proper Linux malware. On the one hand, the way it persists itself in autostart is really nasty, and that is not really a security hole that can be fixed. On the other hand, such a script can be written by anyone else too, and it would be useful to show people why you need SELinux on a server, and why verifying the source of downloads (checksums through trusted channels) is necessary. Technically, it is a nice piece, but should I release it? I don't want to turn the Linux desktop into Windows, hence I'm slightly leaning towards not releasing it. What does your ethics say about releasing such grayware?"
Yes, especially when he includes his full name in TFS, unless of course this Johannes Buchner is his arch nemesis whom he is trying to frame.
Just releasing Linux is an ethical problem. Hell, I can't even print anything since last Saturday.
{fingers in ears} La la la la la la la la la la la la la.......
-- I have a private email server in my basement.
Yes, especially when he includes his full name in TFS, unless of course this Johannes Buchner is his arch nemesis whom he is trying to frame.
I tested your theory by saying "Johannes Buchner" in a stiff-jawed English accent - a James Bond sort of accent. And lo and behold, my scientific study has come to this conclusion:
Johannes Buchner is in fact an evil genius and he will release this code on to the World bringing havoc to all Linux run internet servers in effect, destroying the internet unless he is paid One HUNdred biiiillllioooon Euroes!
It's NOT me! It's the meds! I'm on 1000mg of Fukitol.
Two typos in (what was supposed to be) 19 characters. I wish all malware writers were that sloppy.
The state you are in while your HEAD is detached... - wait, what?
The millions of exploits for Windows prove that there are people ready to capitalize on any flaw.
Confirmed. Linux users are now anti-capitalists
Which simply shows that the lack of Linux malware isn't because Linux is somehow magically superior, but simply because nobody has taken the time to write any.
Even better, pretty soon we'll have clueless noobs with their new netbooks running Google's ChromeOS (which they don't know is really Linux because Google is doing everything they can to avoid the "L" word). Now they can get pwned too!!
Yeah, but if you punch me in the face, expect me to use Aikido on you and throw you into the nearest wall and use your attack against you. Ordinary people will get punched in the face, but we martial arts students will know what to do if someone is trying to punch us in the face. Grab your wrist, spin around, and throw you into a wall. I studied several forms of martial arts, and I could do a simple block, or just grab your fist and crush it with my hand thus breaking your bones in your hand, or dodge and do a hammer fist on your chest and crack some ribs.
Did I mention I am a pirate ninja? :)
Remember, Slashdot does not have a -1 disagree moderation, and no, troll, flamebait, and overrated are not substitutes.
That's like one guy who said "My best friends' girlfriend wants to sleep with me - should I do it so I can show him what a sl*t she is?"
Of course, why actually sleep with her when you can just brag about her offer on slashdot!
Yeah, really! Ethics is easy!
Will releasing it make you money? No? Then don't do it.
See how easy that was?
Intellectual Property is a monopolistic, selfish, and defective concept. It is "tyranny over the mind of man"
The day that somebody starts releasing automated face punching machines into the streets, I certainly will be among the first to buy a helmet.
Post it to the internet with a headline of "Nude Pictures of Britney Spears!! (Linux only)." Oh, and give it a payload that allows you to pwn the computers it gets downloaded to. And then you'll have a Linux botnet!! How cool is that!!
And, next time somebody posts on /. "imagine a beowulf cluster of those" -- well, you'll actually have a beowulf cluster of those.
Oh, and I almost forgot:
3. ???
4. profit!!
Once they develop a conversable chatterbot that targets linux basement dwellers. The bot will say she uses a particular type of webcam software and really wants to show them something.
-The world would be a better place if everyone had a hoverboard
The exploit relies on "loose execution of unverified downloads"...
Is this the joke about the virus that spreads itself by telling the user "send this email to all your friends then format your hard drive" ?
Once you have code executed on a machine that doesn't have good security, you manage to get local root exploit and then do some "really nasty thing" to persist a reboot?
Please?
Really nasty as in escaping offline IDS?
Publish your kiddie exploit, I'm laughing out loud...
: )
Dammit! I knew there was a reason it took so long to get to the login screen on my sliderule!
Red to red, black to black. Switch it on, but stand well back.
I work with AS400 and iSeries machines (and I accept your collective condolences). When I first got trained on them, the teachers told us that OS400 has never been hacked. Not having any real data to confront them, I just let it pass. When we covered the section about user ids and passwords, I found out that 400's force you to disable a user id and password after a certain, finite number of logon attempts. This was by design. All user ids, including system administrator ids had to have some number (I forget how high you can set it) of illegal attempts before the id is locked out. (Usually this is set to 3) They explained, smugly, that this was to keep out intruders.
We further learned that user id's could not be set to more than 10 characters. So I raised my hand and asked what happened if all the user accounts got disabled. They said that IBM would have to back door their way in to unlock a system administrator account, and from that account, others could be reset. (This would be BAD and time consuming, so it was good practice to keep a few SYSADMIN accounts around just in case) I asked if they had ever heard of a denial of service attack. Of course they said. So I asked the obvious question, "What if someone wrote a script to log on to every 10 digit user account 3 times with a blank password?" The reply was "Why would anyone do THAT?"
I pointed out that while I couldn't "hack" their system by their definitions, I could sure as heck turn it into a boat anchor, and do it remotely if it was hooked to the Internet... "Yes, but you can't HACK it," was the reply...
Brawndo: It's what plants crave!
Yeah, really! Ethics is easy!
Will releasing it make you money? No? Then don't do it.
See how easy that was?
No, no, no. Ethics cannot be based on money because money is only a means to an end not an end in itself. We must fall back on the ethical basis nature gives us as anything else is artificial.
Will it get you laid?
Will it enhance the ability of your children to get laid?
If yes, then you are morally obligated to do it.
You're thinking small. Why miniaturize the laser, when we could instead enlarge the sharks? -John Searle
... is that after a Linux developer writes malware, he/she contributes it to the community. When a Windows developer creates malware, he/she uses it immediately for fun or profit.
If you release it, you had better release it under the GPL, or it really will be an unethical release...
I don't like Linux. This doesn't make me a troll.
It's probably already in emacs.
Why make billions, when you can make... millions?
Yes! Exactly! Today the universe, tomorrow the world!
My other car is a 1984 Nark Avenger.
Non-malicious malware.... Dudware?
Political correctness is really just herd psychology pushed by insecure people who desperately seek social conformity.
I'm Johannes Buchner and so's my wife!!!
Linux malware that requires manual running is trivially easy to do. /
Copy and paste: sudo rm -rf
Enter your password
Come back when you have malware that can remotely infect a target machine without user interaction.
Open source it, that way we can all contribute to the malware and discuss if it should use gtk or qt. We know that gnome users will refuse to install anything with qt dependencies and kde users will refuse to install gtk+ dependencies. None of the Windows malware coders are willing to release their code to us, so we are limited on integration, especially with wifi. I personally think we should target gnome users, they like stepping on people -- just look at how condescending their logo is. Plus I have a grudge against the way they put their contributors down. Once we get enough malwared machines we can convince Windows malware coders to support our platform.
Trying to install linux on my microwave, but keep getting a kernel panic...
Your security process must continuously evolve to meat...
We'll be having none of your sissy vegetable security processes here, my lad.
I see even classic Slashdot is now pretty much unusable on dial up anymore.
Okay, you give me a million euros and I'll give you a million dollars...
This is an important milestone in the Linux to the Desktop campaign.
Without a "healthy malware ecosystem", Linux isn't mature enough to be called a desktop operating system.
Think about the AV industry!
Patents Drive Free Software as Hurricanes Drive Construction Industry
Because a billion is obviously twice as much as a million. It has the bi- prefix.
USE HOT GRITS WITH STATUE OF NATALIE PORTMAN (NAKED AND PETRIFIED)
Woosh