USB Autorun Attacks Against Linux

Orome1 writes "Many people think that Linux is immune to the type of Autorun attacks that have plagued Windows systems with malware over the years. However, there have been many advances in the usability of Linux as a desktop OS — including the addition of features that can allow Autorun attacks. This Shmoocon presentation by Jon Larimer from IBM X-Force starts off with a definition of autorun vulnerabilities and some examples from Windows, then jumps straight into the Linux side of things. Larimer explains how attackers can abuse these features to gain access to a live system by using a USB flash drive. He also shows how USB as an exploitation platform can allow for easy bypass of protection mechanisms like ASLR and how these attacks can provide a level of access that other physical attack methods do not." I've attached the video if you are curious. Skip the first 2 minutes if you don't care where the lost and found is.

The price of easy and automatic

[clang_jangle]

I always knew that when they made *nix idiot-proof all hell would break loose security-wise. Android has proven that really thoroughly. It's too bad, really. I had high hopes for it once. Maybe they'll get it together yet though.

Re:The price of easy and automatic

[HermMunster]

I think negative mods would only be given for not addressing what the researcher was talking about. Android isn't using an autorun feature. In fact, he specifically states that his speech addresses only Ubuntu 10.10 and gnome (and not the other desktop managers).

Re:The price of easy and automatic

[Vanderhoth]

I agree with you. Although, based on what I saw in the clips I was viewing the attacks seem to be more related to fancy sloppy interfaces such as auto loading thumbnails of pictures stored on a USB drive. Not so much because *nix is idiot proof, but because there is more of a focus on making a nice looking interface instead of a secure ok looking interface.

I could be wrong.

Re:The price of easy and automatic

[jd]

Can't speak for others, but I understand what you mean. And, yes, the easier something is, the harder it is to maintain security. Sandboxing all autorun code might help but that would degrade the ease-of-use.

Re:The price of easy and automatic

[$RANDOMLUSER]

Just curious here: do you run "emerge --update world" from a root crontab entry?

Re:The price of easy and automatic

[Sal+Zeta]

Fast. Or Secure. Or Useful for the common layman.

Pick Two.

Re:The price of easy and automatic

[elrous0]

The harsh reality is that it's very difficult to make an OS that's both safe and popular. Make it too safe, and it's too complicated and annoying for the common user. And the only way to make it popular with the masses is to remove some of the safety features and usability roadblocks. It's a tightrope that MS and Apple have to walk every day. MS walks it by fighting each security issue that comes up individually. Apple walks it by increasingly turning towards locked-down systems.

Re:The price of easy and automatic

[hedwards]

You mean, Fast, secure, convenient or useful for the common layman.

Pick Two.

The problem with autorun is that it's convenient without having any security involved. By its nature it isn't secure, and I'm not sure why it would be more secure on Linux than Windows, other than it being limited to the user's privileges and needing to be written to handle Linux. And MS has in recent releases done a lot to make it easier to run the OS without always being admin.

Re:The price of easy and automatic

[$RANDOMLUSER]

I've actually seen people in forums say they do this - the point was "Who do you trust"? Frankly, I find many of the more drool-proof new features in both Linux and KDE4 to be less than useless.

When you only make computers for idiots, only idiots will have computers.

Re:The price of easy and automatic

[morcego]

Shoot him.

Re:The price of easy and automatic

[dpilot]

From cron I run "emerge --sync' and "emerge -ptuvDN world". I'll agree, you'd have to be nuts to actually update from cron. At the very least etc-update requires personal care to function with the updates, but not hose your configuration tweaks. At worst, every now and then there's a fiasco like libexpat. Plus there are certain packages that are nearly always problematic, like major XOrg or MythTV revisions.

Re:The price of easy and automatic

[asvravi]

User-friendly
Secure
Functional

Pick any two...

Re:The price of easy and automatic

[jedidiah]

Solaris did automount in the 90s. That didn't mean that it did the sort of stupid things that causes trouble with Microsoft products.

The things to avoid are well understood. Anyone that ignores the past should be flogged repeatedly.

autorun != automount

Re:The price of easy and automatic

[bonch]

Everything in the universe is a trade-off. Make something more popular and accessible, and you lose security and stability. Lock down the software like Apple did to retain security and stability, and you gain the wrath of the online freedom warriors.

Re:The price of easy and automatic

[$RANDOMLUSER]

Agreed that sync and "update fetchonly" are harmless. The question is how much automation do you allow before you have to use neurons to prevent The Bad Thing from happening.

Re:The price of easy and automatic

[postbigbang]

I hate to throw in a well-used aphorism here, but nothing is foolproof because fools are so ingenious. It's the imflamatory nature of the post that attracts so many hits to this.... it turns out that you can hurt almost anything thru blatant misconfiguration. The scope of the attack is comparatively tiny. And you might get all of an attack plane of a half-million users on a good day, provided they use removable storage, and they'll accept something from unvetted sources.

Oh, wait....

Re:The price of easy and automatic

To be fair, this is more of a UDEV, and WM/DE problem in mainstream distro's, rather than specific Linux kernel issue itself, but I won't let the headline, article/video presentation detract from that fact.

Case in point, I can plug infected USB drives into my Linux system all day long without issue (and I do, btw). There is no autorun, mount, and execute set up upon device identification for my system. Yes, I may be the exception rather than the rule, but it's fairly clear to me that the distro. camps, in their efforts to gain notoriety as a desktop replacement against Windows, have implemented shotty security practices to boot. True to form, they truly have provided a desktop replacement for Windows, security failures and all.

With regard to security on Linux, you're either going to do it for them, or teach them to do it for themselves. There is no half measures in the Linux security ball game. You and I both know that because of the versatility and danger that a compromised Linux machine has.

Re:The price of easy and automatic

[SnarfQuest]

It's hard to make software idiot-proof, because idiots are so ingenius.

Re:The price of easy and automatic

[ffreeloader]

I think this is an overblown situation. Nautilus has settings in Preferences that run the full gamut of choices.

1. You can have the system do nothing.
2. You can browse the media without allowing any software to execute.
3. You can auto run anything you insert
4. You can have the system ask you want you want to do.
5. You can choose what application to run upon insertion depending on the content: music, video, software, etc....

I don't remember what the defaults were as it's been a long time since I originally built this computer, but I think it was that auto run was disabled. I run Debian so I don't know what kind of foolishness Ubuntu is doing. .

Re:The price of easy and automatic

[camperdave]

The problem with autorun is that it's convenient without having any security involved.

What is it convenient for, other than as a malware vector? (Which it seems to be really good at, judging from my virus detection reports).

Re:The price of easy and automatic

[Belial6]

The choice I want is to be able to authorize that specific USB device to autorun from now on. I don't want all USB devices to be able to execute files, but I do want to be able to have specific one do it.

Re:The price of easy and automatic

[clang_jangle]

I think negative mods would only be given for not addressing what the researcher was talking about. Android isn't using an autorun feature.

You misunderstood, I never said it did. Android was cited as another example of the pitfalls of "easy and automatic".

Re:The price of easy and automatic

[thetaco82]

create a udev rule

Re:The price of easy and automatic

[clang_jangle]

Just curious here: do you run "emerge --update world" from a root crontab entry?

Yes of course, everyday right after I run "sudo rm -rf /*".

Re:The price of easy and automatic

[gstoddart]

1. You can have the system do nothing.

Really, the only thing that ever should be there is this.

As soon as you enable any automatic action, you open up a vector for this kind of attack.

I think Microsoft did the world a huge disservice when they did this (although, in fairness, Apple could have provided us with this "innovation"), and I distinctly remember watching what happened when you put a music CD into a computer and watched it install and launch it's own annoying software -- this eventually led to the Sony Rootkit. It's a feature I've largely only ever seen abused by malicious software (malware), and malicious entities (copyright holders).

Autorun is just a plain bad idea, in my experience. Deciding that any old piece of code which rolls by should be ran just because it's sitting in the right place is a bad idea.

Re:The price of easy and automatic

[dpilot]

Really Gentoo is probably off-topic for any discussion of LUSER-oriented Linux, anyway. Though I've been running Gentoo for quite a few years now, I advise others against it. The people who should be running Gentoo are the ones who know enough to look beyond my advise and go into it with their eyes open.

Far less likely to be the autorun type, though at this very moment there's quite a discussion going on about getting automount to work properly in a post-HAL era.

Re:The price of easy and automatic

[owlstead]

Yeah, I own an Android phone, and you won't believe what problems I had to put up with security wise! It's rather unusable!

Re:The price of easy and automatic

[Stellian]

There is no autorun, mount, and execute set up upon device identification for my system.

Disabling auto-mount is pointless, you will eventually mount that USB device - why else would you plug it in ? 95% of the Slashdot population will plug and mount a stick received in the mail with the caption "You need to see this".
Before you even have the option of mounting, the attacker has an enormous attack surface, by suppling it's own USB device ID: he can exploit the drivers for any of the myriad mouses, keyboards, cameras etc. that Linux supports by default, and gain kernel access. You will simply see his custom hardware device as a defective USB stick and forget about it.
If the USB device actually turns out to be a flash drive, it can be formated using any file system supported by Linux: ext, FAT, NTFS etc. Each of the drivers have exotic and seldom used features that can hide bugs. Sure, you can do allot by limiting idiotic features in your GUI tools, but a lot of the security is out of your hands.

Re:The price of easy and automatic

[Hatta]

UNIX was always idiot proof. It's hard for an idiot to damage much when there's nothing to click on.

Re:The price of easy and automatic

[ffreeloader]

I agree with you. In Nuatilus you can set it so that any software on removable media cannot be executed, and run something like Rhythmbox upon inserting a music cd. Now, I agree that may be a security hole, but it's also a pretty good option in that no software on the disk can run. It does a lot to stop malware from being executed/installed from the removable media.

Re:The price of easy and automatic

[Smauler]

You can't. I'm a risky user... I've been to plenty of "dodgy" sites in my time. In my entire history of PC use, mostly running win2k and Vista, 99% of the time running no antivirus, I've had one virus infection that I noticed almost immediately and cleaned with no problems. I've got no idea how people accumulate so much crud on their PC.

I'm way from perfect, but I never, ever run anything that I don't deliberately download, and I make sure where I download from. If there's something I'm a little iffy about I'll online scan it, but I do that very rarely. It's served me well..... so far.

Re:The price of easy and automatic

[oliverthered]

Ok, benchmark is windows 95.

What they appear to be saying is that windows is now almost as secure, as a little less secure version of GNU/Linux.

Re:The price of easy and automatic

[icebike]

To be fair, this is more of a UDEV, and WM/DE problem in mainstream distro's, rather than specific Linux kernel issue itself, but I won't let the headline, article/video presentation detract from that fact.

Not even a problem Mainstream Distro problem. Its exclusive to Gnome's method of thumbnail creation on a plugged in device. He only demonstrated it on Ubuntu with Gnome, and specifically with Nautilus file manager, but its probably the fault of GVFS, Gnome's virtual file system.

He specifically mentions that this exploit does not work with KBuntu.

So once again Linux gets painted with a user space exploit.

Re:The price of easy and automatic

[blacklint]

These days, autorun (at least without prompts) is a terrible idea. But back in the days when the main thing put into CD drives was pressed games with most of the content on the disk and malware was more for shits and giggles than true malicious intent, things seemed very different.

That said, I really appreciate the "what would you like to do?" dialog, or KDE's list of recently inserted media. Yes computer, I inserted some media, i'm probably going to want to do something with it. Completely ignoring my deliberate action and doing nothing is a bad interaction.

Re:The price of easy and automatic

[clang_jangle]

UNIX was always idiot proof. It's hard for an idiot to damage much when there's nothing to click on.

Brilliant! My new sig, thanks.

Re:The price of easy and automatic

[Khashishi]

At least you can choose a distribution that doesn't have all sorts of security issues.

Re:The price of easy and automatic

[melikamp]

True, but vulnerabilities can and will be patched, as long as the drivers are free. Autorun, on the other hand, is a feature for stupid, by the stupid, and there's no patch against stupidity.

Re:The price of easy and automatic

[hairyfeet]

As a guy that deals with Windows home users all day, allow me to answer that: It takes out about 10 minutes of arguing with a customer over the phone on" how to get the CD thingie to work".

Before autorun it would be "Okay do you see My computer on the desktop? No? Okay go to start>computer....the start button...the little round button thing in the lower left corner...no the left, that is the taskbar on the right where the clock is..okay you found the start button now go to computer..on the upper right side...no the right" Get the picture? It is so much easier to say "stick in the disc, a menu will pop up, go "clicky clicky next next next".

Am I proud that we have to lower security in Windows? No, but after dealing with so many users that frankly couldn't find their ass with Mapquest and a GPS unit I understand, oh Lord how I understand. Sadly short of setting everyone up with thin clients (or using SteadyState, which MSFT seriously boned the pooch by getting rid of thanks to WGA BS in Win 7) to make a machine useful for the clueless, which lets face it are the ones driving sales in the first place, you have to allow stupid shit like autorun. Otherwise you get what I put up above, which is conversations I've had WAAAAY too often dealing with home users.

Re:The price of easy and automatic

[marcello_dl]

Kind of a false dichotomy, there can be a different experience than windows, that`s why linux desktops often seem inspired by mac...
Would users adopt linux if/when it becomes "easy as windows"? I think that users want to change as little as possible. They are right, it is stupid to learn new things needed to do the same stuff as before. I think exactly like that too.

But I have been a user long enough to realize that proprietary systems means always relearning how to do same things differently, either because of upgrades or the attempts by some vendors to lock users in unique operating procedures, so that they will find the competing systems unfamiliar.
So I chose linux and did the long term lazy thing, that is paying off very well for me.
Example, you think ubuntu is getting too different (the lock in I was referring to earlier)? fall back on aptosid or mint or debian itself.

Besides I think that desktop linux is already as easy as windows, or I should say with a somewhat lower number of real world annoyances (1 vs 2 glitches this weekend, for me)

Re:The price of easy and automatic

[Yvanhoe]

Not even a problem Mainstream Distro problem. Its exclusive to Gnome's method of thumbnail creation on a plugged in device. He only demonstrated it on Ubuntu with Gnome, and specifically with Nautilus file manager

...which is, if I am up to date, one of the most popular default install of the linux world as of today. This problem IS serious. It is a Gnome/Ubuntu problem, not specifically a linux one, but downplaying its seriousness is not wise.

Re:The price of easy and automatic

[inode_buddha]

If they don't like morons then maybe they should "clicky clicky" stop creating them. Or enabling them. FFS nobody seems to have a problem with the concept that they need to learn how to drive a car... and it sounds like either your WISP or your Windows admin is a lazy turd.

Re:The price of easy and automatic

[icebike]

You're right of course, I didn't mean to suggest it be ignored. Until fixed, people should know their usb devices, and disable the thumbnail feature in Nautilus.

He stressed throughout the entire presentation just how hard it was to pull this off, and he made use of exploits in a font management system that have since been patched. (The exploit of crashing the thumbnail generation was not sufficient to get him anywhere, he needed yet another exploit beyond that. to obtain shell access.) There are other exploits he could have used, he deliberately chose one in a library that has not been modified since the year 2000.

And all he managed to do was to break out of a locked screen saver as the user that was last logged on. No root exploit here. No privilege elevation. He seems sharp enough that I don't doubt he could have gone the extra mile and perhaps built a more nefarious hack, but all he really did was kill a task running with the privileges of the logged in user.

And as he stated, virtually impossible to exploit remotely even if you socially engineer someone into plugging in the thumb drive. (He needed to know key load addresses of various modules, which while statistically clustered, are not absolute).

So that leaves having physical access to pull this off. When you have that, all bets are off.

But you are correct, it shouldn't be ignored. Even if GVFS crashes it should not allow continued execution of random data. It needs to be fixed. And perhaps that is part of why Ubuntu is moving away from Gnome in future releases.

Re:The price of easy and automatic

[icebraining]

How do 2, 4 and 5 open up a vector for this kind of attack? As long as no untrusted code is run automatically, it should be fine, no?

Re:The price of easy and automatic

[icebraining]

Having the luser oriented Ubuntu didn't stop the development of expert oriented distros. You share what makes sense, you keep to each what doesn't.

More user share means more hardware support, more investment, etc, which some distros can use without succumbing to the fancy and useless GUIs.

Re:The price of easy and automatic

[Belial6]

Fair enough, but that won't work on Windows and I want to do it without having to go in and edit config files. Modern OSes already have mechanisms to set the default behavior of inserted media. Having that simple UI that already exists also handle authorizing specific media shouldn't be asking too much.

Re:The price of easy and automatic

[HermMunster]

What I find funny is that, if you watch the video, what I said makes perfect sense. No whoosh. Thus the "whoosh" becomes satirically funny, in a way.

Re:The price of easy and automatic

[SanityInAnarchy]

Notice how your parent post was modded to +5, and this one was modded to -1.

I'm really, really sick of this meme of "I'm going to say something blasphemous to Slashdot, so of course I'm about to get modded down." I tend to see plenty of intelligent comments that go against whatever you think the groupthink is, and they tend to be modded up, although there are some cases where bitching about mods causes an otherwise intelligent comment to get modded down in a twisted sort of self-fulfilling prophecy.

Re:The price of easy and automatic

[smi.james.th]

So Linux guys, next time you think everyone should use Linux just think of some of the totally clueless Windows users you've had to deal with and then imagine having to dumb down Linux until they could use it. Scary damned thought ain't it?

Might I just point out that this isn't the case at all... Most of the "dumbing down" that you get in non-technical user oriented distros like Ubuntu is just a fancy cover for what's underneath, which is mostly Debian. Even if the user can screw up his own files, the underlying security of Linux is still there, and he won't be able to mess up the OS or the other users' things. I haven't read anywhere about this exploit gaining root access the way a typical autorun exploit on Windows would.

I used to run Slackware and Gentoo on my machines, because I loved doing things the esoteric way :-) but these days I'm running Mint on all my boxes, for reasons of time and so that my family can also use them, mostly. They work well. They're easy enough for my mother to use, and still have a shell available for me when I want to do something a bit more technical. There's no reason that Linux can't be accessible to users and offer the "Linux guys" all the geekiness that they want at the same time.

Re:The price of easy and automatic

[Jessta]

By making it easy for them to understand the implications of their actions.
Allowing hidden things to happen that cause security issues and then blaming the user is stupid.
Too many systems expect too much of their users.

Re:The price of easy and automatic

[1s44c]

Disabling auto-mount is pointless, you will eventually mount that USB device - why else would you plug it in ?

Quite often I want to put a new filesystem on the device, do a dd backup of it, or blank it with shred. Automount is annoying in those cases.

Re:The price of easy and automatic

[JasterBobaMereel]

Autorun, run something I almost certainly did not want you to and has not been checked?

It gets turned off on windows machines because it is insecure, then added to some Linux boxes and mostly just annoys people ....

It is good for nothing ...?

Re:The price of easy and automatic

[Peter+Mork]

I find Autorun very convenient. I carry my personal files on an encrypted USB drive. When I plug the drive into a USB port, it's convenient to have the Truecrypt mounting software auto-mount the encrypted drive automatically (well, prompting for the password automatically). Navigating to Start, Computer, arrowing to the right USB drive, opening that drive, arrowing to the auto-run file, and entering a password is much more complicated than entering a password. This is an operation that I perform on average once or twice a day, but sometimes more if I'm moving from computer to computer.

Re:The price of easy and automatic

[AmiMoJo]

Windows Vista/7 have some protection against driver flaws. Many drivers have now been moved to user-space so even if exploited only get you user level access. Most USB stuff works that way, e.g. by calling the low level USB driver layer (which is run at system level) and then processing the data at user level. That reduced the attack surface to just the low level driver which is easier to make robust and gets regular updates via Windows Update.

I'm sure there must be something similar for Linux. Aside from the security benefits it also means that if a driver crashes it doesn't bring the whole system down.

Re:The price of easy and automatic

[HermMunster]

Most modern distro's won't execute that command.

Re:The price of easy and automatic

[hairyfeet]

Funny how I got modded down for pointing this out, isn't it? BTW you brought up Ubuntu, which Linux guys ALWAYS trot out as "See we can do dumb!" but you are wrong, oh so wrong. You see you will need to dumb down Ubuntu another 4 or 5 levels before it will be acceptable by Joe Consumer!

Example: Why do you think Dell throws up warnings all over the place if you try to buy a Dell by just browsing to their site? Did MSFT throw them a bribe? Nope, they have enough experience to know as I do that home users don't even know WHAT an OS is and think they are all the same. I hear a dozen times a day "it has Windows" which could mean Win95-Win 7, and the user has NO clue there are any differences! So you will either have to make installing Windows software seamless ala ReactOS or put up a dozen "This is NOT Windows!" signs when they attempt it or they will BLAME YOU.

Another Example: As you say Ubuntu is just "debian with pretty" which makes it completely unacceptable to the vast majority of home consumers, why? Because Ubuntu is STILL CLI heavy and home users won't stand for it. Contrary to /. groupthink home users will NOT learn and have NO desire to be anything like the nerds here. Think about your last Debian Apt Upgrade..did you use CLI even once? Have you needed or used CLI in the last 6 months? If so it is NOT ready for home users end of discussion. Hell most home users won't go near Windows control panel because it is scary, you think you can drop them in a 70s era term and expect them to deal? Get real!

So if anything your post proves my point: What Linux users consider "easy" and "noobish" is about 100 levels more difficult than a home user will deal with. If it has more complexity than your average DVD player they won't have it. I have Windows users that haven't done anything but run their programs for years between problems, you just don't get that with Linux that frankly isn't designed to be a desktop but a server anyway. I sat up a half a dozen boxes here at the shop and ran Ubuntu on them from 6-9.04 and not a single one survived the 6 month update cycle without "something" getting broke. Sound, wireless (a lot) video (everything but old Intel IGPs) always something broke and the first and only answer was "open up bash and type.

So I hate to burst yours and the other Linux guys bubbles, but you say "open up bash and type" to a home user, you know what the very next words out of their mouth will be? "How much for Windows Home again?"

Re:The price of easy and automatic

[Stellian]

So, spoofing device IDs to exploit a latent vulnerability in an obscure driver is an enormous attack surface? [...] most obscure usb devices are not included in my own kernel compiles.

The ability to exploit ALL usb drivers that ship with Linux is indeed an enormous attack surface. The attacker needs to find a single flaw in ANY of those drivers. The more obscure the driver, the higher the chance that it has security issues, and allot of obscure drivers add up to millions of obscure lines of code that were most likely not written or audited in an adversarial security mindset like other parts of the kernel.

Sure, you can compile your own kernel, write your own kernel, or build your own relay computer out of relays and be perfectly safe.

Re:The price of easy and automatic

[Lord+Kestrel]

Yes, you can disable auto-loading. It's actually turned off by default when you roll your kernel, it's just that all the major distros enable it.

Re:The price of easy and automatic

[JasterBobaMereel]

...until you find the computer that does not autorun but the spyware detects truecrypt, asks you for the password, and then sends it to the spyware author ....?

Re:The price of easy and automatic

[TheLink]

And if one particular Linux distro somehow becomes very popular, the attacker can just target it.

I doubt attackers are interested in the tiny numbers of people who "compile their own linux kernels" but are still too stupid to realize what the real problem is.

Stop copying Windows please!

[JustNiz]

Autorun as a concept just sucks.
Copying whatever Windows does, warts and all, into Linux, just sucks.
When is this insanity going to end?

Re:Stop copying Windows please!

[pclminion]

Yeah, having a computer automatically react to a piece of media... What a stupid idea. Next thing you know they'll be using computers to compute things, and then we've just gone straight to hell.

Re:Stop copying Windows please!

[0123456]

When is this insanity going to end?

When developers stop listening to new users who say 'But I can do this in Windows, why can't I do it in Linux?'

Re:Stop copying Windows please!

[hedwards]

It really depends how you do it. It's one thing to go the UAC route and have the computer notify the user that something has been inserted and request authorization to do something, and quite another to make that decision for the user. Certain actions really shouldn't be allowed to be completed completely on their own, autorun is definitely a candidate for that.

Re:Stop copying Windows please!

[$RANDOMLUSER]

Exactly.

87.3% of all the biggest forehead-whapping Windows security bugs have come from Microsoft's (really Bill Gates) love of whizzo features that look really cool in a developers conference keynote but don't survive the first three minutes of critical thought or exposure to the real world.

I'm specifically referring to things like where IE or Windows Explorer execute code of unknown provenance to provide "previews". Windows Explorer once had a bug which could execute arbitrary code via JPEG preview. Of course, the Outlook preview exploits are LEGION, but we can also include VB macros included in Word and Excel "data" (hahaha) files. Only a sick love of flashy features, consequences be damned can account for this.

Re:Stop copying Windows please!

[meerling]

Why would anyone do that, my cat likes being plugged into the router...

Re:Stop copying Windows please!

[OzPeter]

Autorun as a concept just sucks. Copying whatever Windows does, warts and all, into Linux, just sucks. When is this insanity going to end?

I insert a DVD into my player - and it just plays.

I put film into my (now older camera) and it it loaded it up for me ready to use when I shut the back

I'm sure there are a zillion other examples of systems that just start doing things in readiness of what the would like. So why do you think the average consumer is *not* going to expect things happen automatically?

Re:Stop copying Windows please!

[0123456]

I insert a DVD into my player - and it just plays.

A DVD player has one intended use and only one intended use: playing DVDs.

I put film into my (now older camera) and it it loaded it up for me ready to use when I shut the back

A camera has one intended use and only one intended use: taking photos.

So why do you think the average consumer is *not* going to expect things happen automatically?

Computers are used for many things other than playing DVDs. Why should the operating system assume that just because I put a DVD in the drive, I want to play it?

Re:Stop copying Windows please!

[Imagix]

I insert a DVD into my player - and it just plays.

What else is it going to do, but play the DVD?

I put film into my (now older camera) and it it loaded it up for me ready to use when I shut the back

Again, what else are you going to do with it? Those are only two examples of nearly single-purpose items doing that single purpose. Easy to figure out what that's going to do.

Re:Stop copying Windows please!

[bonch]

Autorun as a concept just sucks.

Why?

Copying whatever Windows does, warts and all, into Linux, just sucks.

If that's true, then you'd better not use GNOME or KDE.

Re:Stop copying Windows please!

[phtpht]

It's ok to start playing the movie or load up a slide show of the photos, because all that is just data. What's not ok and where the autorun FAILS is the possibility to execute arbitrary software without user's consent or notice. The same distinction goes with HTML vs Javascript.

Re:Stop copying Windows please!

[Sal+Zeta]

The concept is useful enough, if you realize what the user needs. They don't care about autorun per se, they care just about displaying the content from their media in less time as possible. That's their problem.

The feature, "Autorun" in such case, is a solution. And if you try to re-implement a solution without understanding the original problem, you're doomed to make the same errors of the first implementation. By looking at the GNOME interface, despite its really good production values, it's apparently a common error.

Re:Stop copying Windows please!

[flight666]

But the whole point of this discussion: What if there is a bug in the library that renders that *data*? All of a sudden, your data is no longer very data-y, and much more executable-y than you might have intended.

For reference, take a look at the (lengthy) list of bugs in any of the image processing libraries.

Re:Stop copying Windows please!

Are you in the habit of inserting media you don't intend to actually access? I mean, really.

Re:Stop copying Windows please!

[sourcerror]

You seem to fear buffer overflow. Then write it in Java. /ducks

Re:Stop copying Windows please!

[mlts]

Not just a piece of media. A piece of untrusted media. The computer needs to consider all media as suspect and require the user to take action. It shouldn't do anything else.

The media should be mounted, and mounted noexec, nosuid, no-nothing. That's it. No autorun, no autoplay, no autoboot, no -nothing-. The user can decide what to do with the media once it is mounted. If the user wants to run stuff from the media, they can remount it with the permissions ready.

Of course, there is always the issue of PEBKAC errors, but short of yanking root from the user a la Android or iOS, there isn't much the OS can do here.

Re:Stop copying Windows please!

[0123456]

Are you in the habit of inserting media you don't intend to actually access?

Yes. The last time I remember this happening, I put a DVD in the drive because I was going to play it after I finished reading my email and the stupid operating system decided to start up the DVD player, getting in the way of what I was going at the time.

And I'm definitely, absolutely, certainly, 100% in the habit of inserting media where I don't want to open up a browser window which runs random buggy codecs in order to display thumbnails that I 100% don't give a damn about.

Re:Stop copying Windows please!

[SudoGhost]

But I can blame Microsoft for my computer getting viruses in Windows, why can't I do it in Linux?

Re:Stop copying Windows please!

[Jonner]

The presenter in TFV says that because autorun always prompts the user, it's not a big security risk. He spends much more time talking about exploiting bugs in various software layers, including kernel, root-running userspace, and normal user processes.

I'm not sure that I agree that always asking permission to autorun something is safe enough, but it is far less onerous than how Windows used to work.

Re:Stop copying Windows please!

[ddd0004]

I agree that autorun isn't completely wrong, but as always the weakest link in the security is the user. If you were to disable autorun, you could probably accomplish a similar effect by writing "execute the file named xxxx and enter your root password" on the disc or usb drive. Most users wouldn't question it for a second.

Re:Stop copying Windows please!

[msuarezalvarez]

Was that rendering of updated mini windows GNOME or compiz (which you configured to do that...)?

Re:Stop copying Windows please!

[Jaqenn]

Can we agree that when not comprimising the integrety of your system, thumbnail sized previews of a large collection of image files is a desirable feature?

Because I like it a lot, and if you claim that it's useless for everyone, everywhere then I think that calls into question anything else you might claim.

Re:Stop copying Windows please!

[adamofgreyskull]

How obtuse. It's not the computer "automatically reacting" that is the problem. It's the nature of the reaction. A good/sensible reaction might be to mount the media (with the noexec option even) and open the folder in the default file manager. A bad/idiotic reaction is to blindly trust whoever created the media and automatically run anything on it that says it should be run, without first prompting the user. The presentation talks about a lot more than simple autorun, but since that's what you're talking about...

Re:Stop copying Windows please!

[bloodhawk]

Technically speaking and security wise autorun as a feature that sucks balls. In user land though it is an obvious thing, "when I plug this thingie in why doesn't it just work?". Sadly there is always a tradeoff between security and usability, either we need to stomp on the bad guys harder (unlikely) or we need to make security easier for the end user that really don't want to know how everything works, they just want to plug it in and have it work.

Re:Stop copying Windows please!

[JustNiz]

Why? Several reasons: The biggie being that you can't always necessarily trust the media you just inserted. Without autorun at least you have the option to look at the disk before it blindly runs whatever is on there.

Another reason is that just because I insert some media drive does not mean I always want to do the same thing to it.

A particularly noxious example is the way Windows media player repeatedly demands you start a media library on your PC, and that its practically impossible to stop it automatically searching for and automatically adding media content anytime you plug in any kind of removeable storage.

Re:Stop copying Windows please!

This.

GP's post simplifies the issue to "features = more insecurity; thus do not add features!", which is entirely missing the point of making things user-friendly to begin with.

Thumbnail previews of images -are- extremely useful. Anybody claiming otherwise can go right ahead and grab the 1,000 images currently on my CF card and find me the one of the windmill with orange blade tips. 3... 2... 1... GO! Good luck if all you've got to go on is the filenames.
Of course to -make- those thumbnails, pieces of code have to be executed.. and if one of those pieces of code contains an exploit that gets triggered if fed a specifically-crafted image, then yes.. that sucks. But that doesn't make the feature suck - it makes that code suck.

The same applies to VB macros. I write VB macros for companies that work with Excel - do I like doing so? No. Do I think that a custom solution for what they're trying to do may be more appropriate? Yes. Does that mean that a macro that copies only data fields for a given week number to a sheet area, prints it, then copies a variant thereof to a new file based off of a template for their customers, prints that, and saves it to a week-numbered-filename should not be written and instead the user should do this manually because of the "ZOMG security!" aspect? Uhmm.. no.

The answer to features exposing security issues is not to knee-jerk reaction to removal that feature, it's to address the security issues and -only- remove the feature if addressing the security issues appears to be unfeasible (the feature itself is the security issue, somehow) or is projected to take a long time during which users would still be vulnerable - with the feature re-introduced once the security issue -has- been addressed.

Honestly, some of the comments here smell of long-time Linux users feeling saddened that the 'riff-raff' is coming into 'their' world through the user-friendly distributions.. while they should really be applauding the adoption and working with those distributions to provide both a user-friendly -and- secure environment.

Re:Stop copying Windows please!

[sjames]

Automatic reaction is one thing. Automatic trust is quite another. Would you sit blindfolded on a street corner with an offer to drink anything given to you by anyone? Why would you want a computer to do that?

Re:Stop copying Windows please!

[pclminion]

Why would you want a computer to do that?

I wasn't aware that a computer did that. My Windows machines don't. My Linux machines don't.

If some random Linux distro is automatically running programs from inserted media, it sounds to me like somebody had a major brain fart. "Autorun is the problem" is not my first assumption...

Re:Stop copying Windows please!

[LWATCDR]

React is a good thing.
It can mount it or offer to show you the contents. Even offering to run a setup program or installer can have merit.
But to just run a binary is foolish. The user should at least have to ok the action.
React good. act without consent and or control is a bad thing.

Re:Stop copying Windows please!

[Thundersnatch]

Windows Explorer once had a bug which could execute arbitrary code via JPEG preview.

Of course, most Linux and BSD systems had vulnerabilites just as bad, where a simple view or preview would trigger an exploit.

Vulneabilities with PNG, gzip, TIFF, PDF, and many others. This happens when everything from your browser to the desktop manager's icon system uses the same vulnerable libary. OSX and Linux systems are simply a more obscure target, and not somehow immune from file parsing vulnerabilities. And before you go off on a "but the user isn't running as root" rant, recognize that Microsoft locked down user privileges by default starting with Windows NT version 4 in 1996. But only, of course, when those windows machines were part of a Windows domain...

Re:Stop copying Windows please!

[sjames]

What do you think AUTO-RUN means then?

Windows has toned it down a bit by now asking first before running an executable (at one time it would just run it without asking and MS swore that was just fine)

Re:Stop copying Windows please!

[icebike]

Watched the video and you will see its not really Autorun at fault here (Because there is no "Autorun" in the microsoft sense of the word.
Its not like its launching a program on the thumb drive.

The exploit simply takes advantage of the rendering of thumbnails for the content of the files on the drive. He speculates that you could construct a thumb drive that has some broken files an purposely crash the thumbnailer, and then attempt to load something else after it crashes from probable locations in memory.

Its specific to Gnome. Not generic in Linux.
Not quite the same thing as the Microsoft autorun exploit.

Re:Stop copying Windows please!

[GameboyRMH]

If you RTFA'd (it involves watching a long-ass video so I don't really blame you) you'd see that this doesn't actually exploit Autorun at all (although I agree it's a terrible idea). The exploit shown is a hyper-complicated hack that exploits a thumbnailer process. It is really just crazy-complicated, the guy had to disable AppArmor and ASLR (memory load location randomization) to get it to work at all. That said any of the various thumbnailer applications for various formats are potential targets.

Re:Stop copying Windows please!

[Kjella]

Computer may be multi-purpose but there are many discs that are single-purpose or close to it. Like say if you insert a driver disk, it's very likely you are trying to install a driver. If you insert a game disc, it's very likely you are trying to install/play it. Yes, you might be making a CD image or whatever but you're looking very hard to find the 1% exceptions and not the 99% common use case, this is what's called a "sane default". Exceptions such as yourself probably know how to disable it, either by holding down the shift key to disable it once or to disable it permanently. From a usability perspective in a world without malicious discs, I have absolutely no problem seeing the benefits. Inserting the disc is my command to the computer, telling it twice is redundant and poor usability. You can pretend that's not a sacrifice but it is, there's not always a win-win between security and usability.

Re:Stop copying Windows please!

[Homburg]

Without autorun at least you have the option to look at the disk before it blindly runs whatever is on there.

But this article is about exploiting bugs in the file manager, that is, the software that you would probably use to "look at the disk." It's not really about autorun at all - the same vulnerabilities would occur if you manually mounted the USB disk and manually opened the file manager.

Re:Stop copying Windows please!

[phtpht]

But the whole point of this discussion: What if there is a bug in the library that renders that *data*? All of a sudden, your data is no longer very data-y, and much more executable-y than you might have intended.

For reference, take a look at the (lengthy) list of bugs in any of the image processing libraries.

Well, bugs can be fixed. But if you make it a deliberate feature to recklessly run anything that comes into your computer then there's little hope.

Re:Stop copying Windows please!

[bit01]

to be fair, there is valid need for some features for certain level of users.

To be fair, these features should be designed for their target audience, protecting them as appropriate. Windows just engages in a UI version of truthiness.

If all features are useless and crap Windows would not have maintained the huge market share as it currently does.

If the market is not well informed you mean. M$ has been manipulating people with pretty icons, and buggy function, for decades.

---

Marketing talk is not just cheap, it has negative value. Free speech can be compromised just as much by too much noise as too little signal.

Re:Stop copying Windows please!

[renoX]

The problem exist even when you don't execute code of arbitrary provenance: there have been security bugs on image decoders..
The main issue here is that image decoders should not be able to do *anything else* than decode images (even if they have bugs), but we don't use proper architecture such as object capabilities currently(*).

* a step in the good direction was made by Google with Chrome and its sandbox, but currently this kind of good design is the exception not the norm :-(

Re:Stop copying Windows please!

[xaxa]

Did anyone have time to watch the video? It's an hour long, so I don't have time, but from the first few minutes I don't think the problem is with autorun, but with the other things that happen automatically -- generating thumbnails for media files, for instance.

Re:Stop copying Windows please!

[Stuarticus]

Remember in 95/98 when inserting a slightly damaged disc would lock your comp for 4-5 mins while it tried to read the disc?

Re:Stop copying Windows please!

[Jonner]

The video (did you even watch/listen to it?) is not FUD and thoughtless fanboyism is no more constructive than FUD. The presentation doesn't make any overall comparisons about the relative (in)security of one OS vs. any others. It simply presents and explains real risks about the way desktops systems are configured by default.

The presenter explains how it is quite possible to gain control of a default configuration of Ubuntu (though the same techniques would probably work with other distributions of GNOME on GNU/Linux) by constructing the right file system structure on a USB mass storage device and causing it to be plugged into a running machine. The attacker need not be present if he can get someone to plug in a USB device that he provides.

It doesn't seem that anyone is using this approach to do anything malicious right now, but that's only because Ubuntu and GNOME on GNU/Linux are not yet big enough targets, especially compared with Windows. These weaknesses in security need to be dealt with now, before Free desktop systems become big enough targets. We can learn from Microsoft's mistakes.

Re:Stop copying Windows please!

[tabrnaker]

Ah, don't you know any better? You can't bring logic and pointing out someones ignorance to a bitch fest, it's just a party killer.

They never learn

[udoschuermann]

Any system is vulnerable when it automatically opens or executes email attachments, automatically executes arbitrary commands delivered on a removable volume, and hides file name extensions to fool users into executing things that looked like something harmless.

Any software vendor who thinks about adding such features should receive a savage thrashing. If they actually enable such features by default, they should be shot with prejudice.

Re:They never learn

[RobertLTux]

"Any software vendor who thinks about adding such features should receive a savage thrashing. If they actually enable such features by default, they should be shot with prejudice."

but wouldn't shooting them with say a smith&wesson loaded with FMJ rounds do more "good"???

Thanks, Miguel

[Compaqt]

Anybody want to post a quick-fix to avoid turn off AutoRun in Ubuntu?

Re:Thanks, Miguel

Use Kubuntu instead.

Re:Thanks, Miguel

[HermMunster]

On option the researcher is explains how to turn it off the option to browse media when a removable storage device is inserted. Nautilus > Edit > Preferences > Media tab

Un-check the box for "Browse media when inserted".

It won't be long before the code is examined and corrected.

Keep in mind his speech is about Ubuntu 10.10 and specifically gnome running as the desktop manager.

Re:Thanks, Miguel

[Rockoon]

Win7 most definitely does some of the things mentioned in the article out of the box, such as loading resources from executables and producing thumbnails for images on USB drives.

Its likely that you can dig out of any modern OS sandbox (Linux or otherwise) when giving them malformed input.. look at how much effort Apple has put into protecting iOS, and contrast that with how many ways that its already been rooted... and thats a completely locked down example of failure. Now imagine how badly Windows, Linux, and mainstream BSD must be at sandboxing.

As Raymond Chen would say... this stuff is going on on the wrong side of the airtight hatchway.

Re:Thanks, Miguel

[lilo_booter]

Yes, but he also shows how the vulnerabilities stem from libraries which the desktop uses, and how, potentially, there are vulnerabilities all the way down, right to the kernel itself. No simple fix - short of turning off all automatic execution of processes against any unknown source (which is what I have done for quite some time - I do have thumbnail generation on local files, but after watching that, I think I'll give that the boot too :)).

Re:Thanks, Miguel

[ub3r+n3u7r4l1st]

When you decompile it that's open source.

Re:Thanks, Miguel

[HermMunster]

Yeah, that's what I meant by "It won't be long before the code is examined and corrected."

Re:Thanks, Miguel

[OFnow]

"turn it off the option to browse media when a removable storage device is inserted. Nautilus > Edit > Preferences > Media tab"
Color me ignorant or an idiot, but there seems to be no 'Nautilus' mentioned in my 10.10 Ubuntu menus.

Re:Thanks, Miguel

[DEmmons]

he doesn't mean to choose 'Nautilus' in your Ubuntu menus, he means choose 'Edit' (and so on) in your Nautilus menu. Nautilus is your default file browser - any time you open your home folder or another you're looking at a Nautilus window. for example, click Places -> Home Folder. you're looking at your home folder, and Ubuntu doesn't bother to tell you the name of the program creating the file browser window for you, but if within that Home Folder window you click Help -> About, you'll see it. (I'm not trying to be pedantic, plenty of things were non-obvious to me when I started so I try not to assume anything is obvious to others).

Comment removed

[account_deleted]

Comment removed based on user account deletion

OSes should be immune from this out of the box

[davidwr]

Auto-run is convenient and all but systems should NOT automatically execute content from devices unless the user has specifically told them it's okay.

A recommendation for out-of-the-box "autorun" experience:

Query the type of the media, but do so without running any code of any type on the media.
Authenticate the data used to determine the type of the media AND any "auto run" code typically associated with that type of media OR decide you can't authenticate it.

Present a box to the user for "trusted" content:

This disk claims that it contains [a program | music | video | files | whatever ]. This claim is sign by [company] and its chain-of-authentication includes [highest-level signer], a company trusted by [operating system vendor | you]. To see more details click [here].

What do you want to do? [list of choices, including "do nothing," "open as a folder," "run the disk" (aka autorun), "play music," "play video," etc.]

[ X ] Do the same for other media of this type signed by this signer.
[ _ ] Do the same for other media of this type signed by any trusted signer.
[ _ ] Do the same for other media of this type even if it is not signed.

Present a box to the user for signed content that cannot be authenticated:

WARNING: This disk claims that it contains [a program | music | video | files | whatever ]. This claim is sign by [company] but this signature cannot be authenticated. To see more details click [here].

What do you want to do? [list of choices, including "do nothing," "open as a folder," "run the disk" (aka autorun), "play music," "play video," etc.]

[ _ ] Trust this signer in the future.
[ _ ] Do the same for other media of this type signed by this signer.
[ _ ] Do the same for other media of this type signed by any trusted signer.
[ _ ] Do the same for other media of this type even if it is not signed.

Present a box to the user for unsigned content, which would typically be "unlabeled" content that the computer has to figure out for itself:

This disk appears to contain [a program | music | video | files | whatever ].

What do you want to do? [list of choices, including "do nothing," "open as a folder," "run the disk" (aka autorun), "play music," "play video," etc.]

[ _ ] Do the same for other media of this type [bold]NOT recommended[/bold]

Almost all media would be "unsigned" until a standardized method of signing is developed. Signing would typically only authenticate the type of media the disk claimed to as well as the executable code of any autoexec.exe-type program that runs if the user "runs the disk" or any media-type-specific on-disk code that runs if the user "plays the media," not the entire disk.

Re:OSes should be immune from this out of the box

[Sal+Zeta]

This is not a "out-of-the-box" experience. It's looks like more to a Tax-Form experience. You would spend more than 10 minutes trying to understand what to do.

And the attention span of the common user is around 7 minutes. Yahoo Answer would be filled in less than half an hour with questions on how to disable it.

Re:OSes should be immune from this out of the box

[Anne+Thwacks]

You will be out of your box after having to deal with this a few times.

Re:OSes should be immune from this out of the box

[adamofgreyskull]

Seriously, watch the video. Autorun isn't the only problem.

Query the type of the media, but do so without running any code of any type on the media.

Until nefarious person inserts a USB device that, for example, exploits a vulnerability in the code that queries the media. e.g. "Hey Mr. USB drive, tell me your VendorId plz!" "exploitstring" "Oh nooooo!".

As for the rest, it won't ever work. If anything prevents a user from quickly accessing the movie/game/pictures they think are on the DVD/CD/USB device they will either take the quickest route (enabling auto-run/auto-display of any untrusted media) or a completely random route, any of which could cause code to be executed, except the "Do Nothing" option. Not to mention the fact that autorun isn't the only problem. (Seriously, watch the video).

The problem is that an exploit in any of the myriad layers involved in dealing with inserted media makes the system vulnerable. Before your prompt is even displayed the media would have been touched by device discovery code, file system drivers etc. and now...your new authentication code. And then, if the user selects "open as a folder", a seemingly benign action, a bug in the way the file manager handles image/PDF previews (seriously, watch the video) could result in code execution!

While a nice idea in theory, it does little to prevent a truly determined attacker, especially if they have cooperation from all but an expert user.

Re:OSes should be immune from this out of the box

[PRMan]

And the attention span of the common user is around 7 seconds, if that.

FTFY

It's bad but not the end of the world.

[Beelzebud]

Linux servers, that run on command line don't have these issues. I know this is shocking to some people, but 99.99% of the world doesn't really give a shit about what you have on your home pc's hard drive. Security is good, but paranoia isn't. Anyone that actually cares about safeguarding their data won't be running a server with a GUI on it anyway. Even the Apache Foundation had to learn this the hard way.

Re:It's bad but not the end of the world.

[hedwards]

I don't think that this problem is limited to servers, I don't see any reason why this wouldn't work against a person's personal computer. Which is the real problem, folks that are administrating a server shouldn't be regularly putting thumbdrives and such in and shouldn't be allowing random other people to do that either. All this really demonstrates is that a computer where people can access the console is not secure. That's been known for how many decades now?

Re:It's bad but not the end of the world.

[andrewd18]

99.99% of the world doesn't really give a shit about what you have on your home pc's hard drive

Correct. Instead they care about installing a keylogger to your hard drive and then accessing your credit card information.

Re:It's bad but not the end of the world.

[adamofgreyskull]

And what of the Linux servers that are connected to over SSH using username/password authentication from those filthy little desktops used by mere mortals tasked with administering them?

Re:It's bad but not the end of the world.

[drsmithy]

Anyone that actually cares about safeguarding their data won't be running a server with a GUI on it anyway.

I have yet to see any data stored on a server that isn't easily accessible from at least one, and usually a lot more, clients connected to that server. Have you ?

Re:It's bad but not the end of the world.

[Travoltus]

"Linux servers, that run on command line don't have these issues. I know this is shocking to some people, but 99.99% of the world doesn't really give a shit about what you have on your home pc's hard drive."

Look up the word "botnet".

Re:Oh boy

[HermMunster]

Has there really ever been anyone responsible for Linux making claims of "the year of Linux"? Or has it just been some random users that once made a reference?

Linux's Appeal to a Mass Market

[Major_Small]

It appears to me that Linux may have started thinking about focusing all it's efforts on being a more stable, secure OS, but to gain acceptance in a more mass market, they need to do things that, while they reduce security, increase their general user base. Sure, it's Linux, so you can strip it down to near nothing and have a rock-solid, dependable, secure system designed for a specific hardware setup, but if they want to stay alive, they may need to realize that they need less secure measures that allow the typical end-user to use their OS behind the scenes without any extra effort on their part. TLDR:To (Probably most) people, ease of use is more important than security, and some software developers working around Linux may be seeing that. However, being Linux, the hardcore can always build their system to be the fort Knox of data. If anything, this is a good thing IMO. Keep the security-conscious aware of issues, but let the average end-user go about their business as they will.

Re:Linux's Appeal to a Mass Market

[Rich0]

Sure, it's Linux, so you can strip it down to near nothing and have a rock-solid, dependable, secure system designed for a specific hardware setup, but if they want to stay alive, they may need to realize that they need less secure measures that allow the typical end-user to use their OS behind the scenes without any extra effort on their part.

Uh, define "stay alive" for me? It is an operating system. It isn't alive, so it can't stay alive. It will exist in perpetuity, or until the last person deletes their copy of the source code.

Most of the people who maintain linux don't really need these features, and they will likely continue to maintain it indefinitely without them - unless something better comes along (and then why should we want linux maintained anyway?). Sure, it might have microscopic market share on the desktop, but I don't get paid to manage linux desktops, so that doesn't really bother me...

Autorun ist stupid

[gweihir]

Doesn't depend on platform. Autorun is always a huge security risk. It was invented for lazy users that do not want to know how to use their computer properly. At this time (and for the foreseeable future) this kind of laziness comes at a price and that is vulnerability to rather simple to execute attacks.

The real benefit of Linux here is that, unlike Windows, you can get distributions that would not dream of implementing something as stupid as autorun. On others, you can reliably turn it off reliably without a cryptic adventure through the mess called the "registry". But implementing insecure features will of course make Linux insecure. Nobody sane debates that.

Re:Autorun ist stupid

[gweihir]

Wups, need to spell-check headlines as well....

Re:Autorun ist stupid

[gweihir]

I understand this very well. We spend half a decade or more to tech our kids to read and write. If a fraction of that would be applied to computer usage, the problem would go away. There is no excuse for incompetence with regard to widely used cultural tools. If you do not have the basic skills to use that tool, stay away from it.

Autorun is not something that can be made secure, ever. So it should not be implemented anywhere and people should learn how to do without it.

Re:Autorun ist stupid

Who needs to edit the registry? Windows versions since 9x have GUI configuration tools to disable auto-run. Any "modern" Windows OS since 2000 has very sensical GUI tools, no cryptic adventure through obscure configuration files scattered throughout the filesystem is necessary. ;)

Re:Autorun ist stupid

it can be imposed through group policy, and in Windows 7 you just need to uncheck a box.. nothing cryptic about it..

Re:Autorun ist stupid

[BenFenner]

I too am against auto-run as any card carrying geek would and should be. I too feel it was invented for lazy users that do not want to know how to use their computer properly. However, as I age I tend to check that feeling, and look at the opposite angle.

What if ATM designers thought the same way?

What if I slid my ATM card into the machine, and instead of automatically detecting the account number and pertinent info, loading up a screen asking for my PIN, and facilitating the transaction; what if I had to use a terminal/command prompt to get the machine to read the magnetic strip on the card, load the account number, send the account number off for look-up, then enter my PIN, then request account authorization, all just to get to the point where I can see my balance, make a deposit or transfer?
Is security not important for ATM's?
What if the ATM designers were smug Linux admins?

Re:Autorun ist stupid

[BenFenner]

Replying to myself.

The difference is that automatically running arbitrary or untrustworthy code is the problem.
Making systems easier to use for the lazy, ignorant masses is not the problem.
The latter is a worthy goal. The former is a security faux pas. They are not necessarily one in the same.

Re:Autorun ist stupid

[dkleinsc]

I was actually giving a serious response to a serious point, but your subject line inspired me to make the response in a silly way.

Re:Autorun ist stupid

[Spoonofdarkness]

Incompetence with widely used cultural tools is our human birthright! I will continue to hit my thumb with a hammer during attempts at home repair, even now that I've had years of experience and understanding of the mechanics and proper use of said hammer.

Re:Autorun ist stupid

[gad_zuki!]

> On others, you can reliably turn it off reliably without a cryptic adventure through the mess called the "registry"

Or easily via GP.

Re:Autorun ist stupid

[HiThere]

Actually, autorun probably could be made safe. This would involve insuring that there were no stray pointers, buffer overruns, etc., so the best way to do this is probably a virtual machine that can't write outside of a specified directory. That way the worst that could happen would be that the directory would be corrupt.

To make it even tighter, run it in a copy of a directory, and remove the copy when the process ends.

Mind you, I don't think most current computers are fast enough to make this approach acceptable to users, but I believe that your assertion is incorrect. Autorun *can* be made safe if you do it in a properly limited way.

P.S.: Another way that might be almost as good would be to run the autorun processes as a special user with extremely limited rights. Again, one would want to reinitialize the locations that that user could write to when the process was complete.

And there are probably other approaches that would work. They all severely restrict what the autorun processes can do. I can envision approaches that allow a file to be saved on process termination, but not ones that allow that file to then, itself, be run as a normal process. XPM files that were verifibly safe could, of course, be produced. I'm not as sure about SVG. Basically, the requirement seems to be that the process would need to produce a file of a type that could be verified to be safe.

N.B.: This all requires extra computation. That doesn't mean that it's impossible.

Re:Autorun ist stupid

[gweihir]

Indeed. But quite frankly, as a German native speaker I have problems reading English with a pseudo-German accent.

Re:Autorun ist stupid

[gweihir]

Your faith in the possibility of Software without vulnerabilities is laudable, but misplaced. All these approaches have been tried and are being tried, only to be successfully attacked again and again.

Re:Autorun ist stupid

[gweihir]

I completely agree. Also, single-purpose devices like ATMs are a lot easier to secure in practice. Easy enough that most cannot be hacked from a card's magnetic strip. They also do not run any code from that strip.

Re:Autorun ist stupid

[HiThere]

No, they aren't tried. An emulator isn't a chroot jail. And being able to emit a verifiably safe file isn't something that any common approach has used. (I won't say that no approach has ever used it...email used to be like that before they included html processing...and it *was* safe.)

OTOH, allowing tar files to set executable status of files is a vulnerability, so they can't emit a tar file. Or an html file. Or lisp, python, ruby, etc. Not sure about C, Java, etc. Those need to be compiled before they become dangerous. Maybe require that they start with the chars *3*4*a=*, as that should be illegal in any language.

Re:Autorun ist stupid

[DeVilla]

I consider this only one example of of Linux made worse by Ubuntu and the like in their quest to appeal to the one they condescendingly refer to as "Joe Sixpack". You can throw things like security, good design and expertise to the wind claiming the average user won't care for only so long before you realize they'll care when it's gone.

You can still find distro's that haven't made all these mistakes, but it's getting way out of the mainstream even for Linux.

autorun is the worst thing to happen to windows

[mshenrick]

this is why i disable it. autorun is the worst thing to happen to windows

Re:autorun is the worst thing to happen to windows

[RichM]

On the contrary, I would say that making the first user on a system an Administrator is Microsoft's biggest mistake.
On a modern Windows 7 machine, it works similarly to Ubuntu or OSX where it will prompt you for for a root/admin password if it needs it.
If most Windows users were running as a restricted account, the most damage they would do is to their profile.

Exactly

[boristhespider]

MS *tried* to fight it (in part) by effectively adding a GUI sudo prompt into Windows Vista. A million people -- including Linux users posting on Slashdot -- immediately flew into fits of nerd rage about how annoying it was to have a GUI sudo prompt. (I never saw an issue with it myself, actually. Seemed no more irritating than going sudo on Linux or OSX's own authentication prompt. Unlike many, I actually really quite liked Vista, although I use OSX most of the time.) MS listened to their users and allowed them to scale it back in Windows 7, creating a million new security holes and causing a million people -- including Linux users posting on Slashdot, although not necessarily the same ones -- to complain about security flaws in Windows.

MS have made many stupid mistakes over their history and not least due to the ancient and creaking XP (and, even worse, the immediately-owned ME) have a history of shit security. Thing is they tried to patch it up in an easy way and people bitched and puled enough that they had to make it less secure again.

That, of course, ignores the other few million security flaws riddling the kernel. I'm just talking about the UAC here.

Re:Exactly

[Nimey]

Did you ever use the original Vista? Ever use Ubuntu or OSX from the same time period? Vista's prompt was a lot more annoying, because for some operations it would go off several times, while for the other two it'd ask you ONCE and then get the hell out of the way. Ubuntu would even remember your sudo credentials for a few minutes so you could do other tasks as root. Really a superior design.

They made it less annoying with SP2 and again with Win7, yes, but the original setup was shit.

Re:Exactly

[IchBinEinPenguin]

Did you ever use the original Vista? Ever use Ubuntu or OSX from the same time period?

You had me a "Vista"...

Re:Exactly

[Smauler]

I never saw an issue with it myself, actually. Seemed no more irritating than going sudo on Linux or OSX's own authentication prompt. Unlike many, I actually really quite liked Vista, although I use OSX most of the time.

Seconded. I see it about once a week, when running something that needs access to the internals, or installing something new. It's only annoying on a new installation, and that's understandable.

ps. What's happened to italics :P

Re:Exactly

[multisync]

MS *tried* to fight it (in part) by effectively adding a GUI sudo prompt into Windows Vista. A million people -- including Linux users posting on Slashdot -- immediately flew into fits of nerd rage about how annoying it was to have a GUI sudo prompt.

If you are referring to UAC, it is hardly a "GUI sudo prompt." sudo requires you to prove that you are an authentic user by providing your password each time you open a shell to perform an administrative task (and every fifteen minutes after), and you also have to be a member of the sudo group (which only the first account created at install time is by default).

All UAC does is basically confirm with whomever is currently sitting at the computer (authorized or not) that they initiated some arbitrary action. This is also useful, in that it prevents some web site from installing a piece of malicious software without the user's knowledge, but it is far from a "GUI sudo prompt."

This is the reason it was met with derision by Slashdotters (and I don't recall many "fits of nerd rage," although a few might have snorted Code Red through their noses when they realized how impotent - and easily disabled - this new Microsoft "security feature" was).

Re:Exactly

[Sancho]

I tried the RCs of Vista. Copying "protected" files to "protected" areas (including c:/, and most directories therein, including user-created ones) required three confirmations. Performing my job, I came across operations requiring 5 confirmations. Installing software which thought that it needed root could have countless prompts.

MS fixed a lot of this just before release, but a lot of people I knew tried these early versions and wrote off the OS completely.

A combination of the MS fixes and software becoming smarter about required permissions means that using Vista today is quite pleasant, for Windows.

Re:Exactly

[trickyD1ck]

All UAC does is basically confirm with whomever is currently sitting at the computer (authorized or not) that they initiated some arbitrary action.

Unless you are a limited-rights user. Then you have to enter admin credentials.

Re:Exactly

[melikamp]

Italics are bugged, can be fixed via Stylish.

Re:Exactly

[boristhespider]

Yes, I did, I got it before SP1. I had Ubuntu dual-booting on the machine at the same time and was running a Macbook with Tiger, followed by Leopard. (I think I had openSuSE and Arch on the machine at various points too but I defaulted to Ubuntu after a while.) I honestly didn't notice much difference (unlike the entertainment of watching mod points go up and down on that post :) ) -- at least in how annoying it was.

W7's approach of letting you set the level of UAC introduced an extra security flaw. That was really my only point... Off-topic, and so far as I know, accurate, and backed up by a totally subjective judgement on Vista's UAC vs sudo and OSX's authentication prompt.

Re:Exactly

[exomondo]

unlike the entertainment of watching mod points go up and down on that post :)

Pro-Microsoft posts will lead many to brand you a 'Microsoft Astroturfer'.

W7's approach of letting you set the level of UAC introduced an extra security flaw.

Security is annoying and if you annoy users they'll often complain, particularly if they don't understand the reason for the security or the implications of removing it. MS (well actually all OS vendors) really need to put out a campaign that educates users in a brief - and im guessing 'entertaining' - way so they at least understand why it's annoying.

Re:Exactly

[boristhespider]

wow. ok, i didn't encounter that. i did have two in a trot but it was rare enough that it didn't get in my way. mileages vary, of course.

Re:Exactly

[boristhespider]

I'd say I don't know who'd do anything different but then I remember my parents' W7 machine is set up as single-user, automatic login and user has rights. So UAC is just a click-through and totally pointless.

I've run Windows as a limited user ever since 2000. My experiences with Vista are by no means typical of normal people, and since I'm primarily a desktop user (plus latex plus intel fortran plus xming plus emacs) are also by no means typical of every Vista user...

Re:Exactly

[boristhespider]

"Pro-Microsoft posts will lead many to brand you a 'Microsoft Astroturfer'."

which is impressive given i also said their security record is shit and the w7 kernel is stuffed with security flaws... ah well, i've never bothered karma whoring.

i gave up trying to educate people in security when about ten years back i tried to explain to my dad (who is far from an idiot with computers compared with others i know, who are far from idiots in real life) why it's a bad idea to run as an admin and why you log into your computer each time. he didn't understand. too stuck on the old single-user model he'd seen with the sinclair spectrum, dos 5, dos 6, windows 3.1, windows 95 and windows 98.

i *think* he gets it by now, but his machine is still single-user admin rights. so i despair.

Re:Exactly

[exomondo]

That's why UAC was so annoying to most users...everyone ran as Admin but had no idea that doing so had consequences, once they were forced out of that habit there was a backlash.

Re:Exactly

[boristhespider]

err, you've only used uac on a machine where you're logged in as a user with admin rights, then. anyone who uses a machine with admin rights as default deserves what he gets, no matter what the os. using linux with admin rights by default is pretty fucking stupid, i'm sure you'd agree - let alone using *windows* with admin rights which is insanity.

if you run as a user without admin rights, windows vista uac demands an admin password. how good that implementation is i don't know - no doubt there are ways around it, i don't know. but it's an authentication screen demanding sys admin rights.

if you already run as an admin then it's your own bloody fault what happens to the computer. and unlike *nix sudo, it does demand an admin password, not your own password (at least, not hte way it's set up by default). how much a security gain potentially needing two passwords (compromised account + admin) is compared to one (compromised sudoers account) is is totally debatable, of course, but at least the way vista set uac up as default you needed an admin password if your user account wasn't admin.

so all but two paragraphs of your rant are, to be fair, based on something that's pretty much false (unless the windows box was set up by an idiot who automatically runs as admin - which i guess even you'd admit is pretty dumb even in a linux box; and at least there the windows machine still says "do you want to do this?" while when i've run as root on a linux or osx machine they've tended to trust that i'm running as root therefore i can do quite a bit without prompting) but did let you talk about "dumb, paranoid Windows users" and bask in your self-satisfied linux glory. well done, i salute you.

Re:Exactly

[boristhespider]

That's entirely possible. I found it no more annoying than sudo perhaps not least because I'd been an admin on Solaris and Linux boxes at work for ages, so I knew what it meant. My Dad.... no.

Re:Exactly

[drsmithy]

If you are referring to UAC, it is hardly a "GUI sudo prompt." sudo requires you to prove that you are an authentic user by providing your password each time you open a shell to perform an administrative task (and every fifteen minutes after), and you also have to be a member of the sudo group (which only the first account created at install time is by default).

Firstly, you need to be in an appropriate group to elevate via UAC. The first user created is in this group by default, just like they are in Ubuntu or OS X.

Secondly, the difference in security between an "OK" prompt and an "enter your password" prompt, in a standard end user scenario, is essentially zero. Unless you think the average person sitting at home is likely to have an attacker break into their house just so they can get admin rights on their PC ?

Thirdly, UAC can be trivially configured to prompt for a username and password if the security policies of the site require it.

This is the reason it was met with derision by Slashdotters (and I don't recall many "fits of nerd rage," although a few might have snorted Code Red through their noses when they realized how impotent - and easily disabled - this new Microsoft "security feature" was).

No, the derision was because, as usual, Slashdotters tend to have SFA knowledge about how Windows actually works.

Re:Exactly

[multisync]

the difference in security between an "OK" prompt and an "enter your password" prompt, in a standard end user scenario, is essentially zero. Unless you think the average person sitting at home is likely to have an attacker break into their house just so they can get admin rights on their PC ?

Computers are used in many places other than the home these days. Unless you are saying the behavior of UAC was different in Vista Home and Business editions.

Besides, suppose you have kids at home, who will merrily click OK on any dialog that pops up? Or employees at work who will do the same?

The difference between being prompted for a password and being prompted to click OK is far from zero.

UAC can be trivially configured to prompt for a username and password if the security policies of the site require it.

sudo is also configurable. I was talking about out of the box behavior. UAC - especially when first implemented in Vista - falls short of being a "GUI sudo prompt."

Re:Exactly

[drsmithy]

Computers are used in many places other than the home these days. Unless you are saying the behavior of UAC was different in Vista Home and Business editions.

UAC behaviour is different when the machine is on a domain - it prompts for a username and password. It's also trivially configurable for those foolish enough to be in some sort of multi-machine, multi-user environment without a domain controller.

Besides, suppose you have kids at home, who will merrily click OK on any dialog that pops up? Or employees at work who will do the same?

Firstly, in those sorts of implicit-trust situations those people will typically know all the passwords anyway. An environment where multiple users have a single account, while "the password" remains secret, is practically unheard of (certainly I've never witnessed one during my ~20 years in the industry that was more than a few months old). Heck, environments with *multiple accounts* where most people don't know at least one other user's login and password are rare enough.

Secondly, they should have their own user accounts without privileges to elevate, UAC should be reconfigured to prompt for a username and password. Fast user switching makes this trivial.

The difference between being prompted for a password and being prompted to click OK is far from zero.

Not in the most common usage scenario for an unmanaged machine (single home user and/or implicitly trusted group of users), it's not.

sudo is also configurable.

I am well aware sudo is configurable. I have spent many weeks of my life over the years configuring it.

I was talking about out of the box behavior. UAC - especially when first implemented in Vista - falls short of being a "GUI sudo prompt."

Untrue. A graphical sudo prompt is essentially exactly what UAC is, in both theory and implementation. The only difference is not prompting for a password on an unmanaged machine, which presents essentially zero additional risk due to the environment nearly all such machines are found in.

The difference between how Windows Vista & 7, Linux (Ubuntu, et al) and OS X treat privilege escalation out of of the box, for nearly all people, is practically identical.

Re:Exactly

[akagawa]

+1.
My sister has been using Vista for a few years now on her Dell and I still remember trying to configure networking for her when she got the machine. We have both wired and manually-configured land-line there and she wanted the land-line (because there is a a dedicated firewall machine for this setup) so I tried to set this up for her. I won't forget the experience, a perfect example of 'ease of use' making things more _difficult_ to use. The stupid OS detected the wireless - provided by our ISP - and do you think the set-up 'helper' would allow me to switch?
Round and round in circles. I spent a half _hour_ trying to first of all persuade it that no, I _didn't_ want to set up the wireless (again) and yes, I _did_ know what an IP address was and how to enter it, and yes, I _did_ want an interface to let me do it, etc...

Every time I'm around and she's using the machine she's swearing at it (and frankly I don't blame her).

At the same time, I've used both OSX (at work) and ubuntu (at home) and I've never been tempted to lose my temper at either. Ubuntu is not conceptually my ideal for a linux distro (I don't like the fact that the repository is binary - yes this is a lot more convenient but it makes it a bit more fiddly for me to build the latest packages of something) but I can't fault its ease of use.
I also get the feeling that security has been built in beforehand rather than pasted on as an afterthought - perhaps this is part of a legacy of being brought up on the net and following a history of *nix values as demonstrated by the Debian developers, the kernel developers and even the canonical and ubuntu developers. I have both a 'traditional' root user (because that's how I'm used to using linux) account and the sudo setup with my ubuntu boxes, but I think the sudo way of enforcing superuser privileges is a decent compromise between usability and security with ubuntu and OSX to be manageable for most users who don't want a lot of hassle.

more like hotplug

[tthomas48]

I think people think he's referring to autorun when I believe what he's talking about is more the "hot-plugging" ability of usb. I.e. I plug in a USB device and some linux kernel device code gets run. These are standard hardware vulnerabilities, it's just that most hardware can't be plugged into a computer as easily as usb.

Re:Of course

[0123456]

You can't claim that Linux > Windows and then suggest it remove features Windows has had for years.

Linux has traditionally been better than Windows precisely because it didn't have features like 'autopwn' that Windows has had for years.

Flawed Linux security model

[Animats]

Linux still has the antiquated "user, group, everyone" security model from the 1970s. By now, we know that outside data can't be given all the privileges of the user. But Linux's legacy security model is so deeply embedded in the UNIX/Linux world that it's almost impossible to get beyond that.

Yes, there's SELinux. But there isn't a whole distribution with a full range of applications which can run under a mandatory security model.

Re:Flawed Linux security model

[jedidiah]

A more complicated security model is not going to prevent an environment that can trash the user's files from trashing the user's files.

That capability is somewhat hard to avoid as you can't really do work for the user otherwise.

Re:Flawed Linux security model

[0123456]

But Linux's legacy security model is so deeply embedded in the UNIX/Linux world that it's almost impossible to get beyond that.

That 'legacy security model' is there because anything more complex becomes insanely difficult to administer. Do you really think that a user who demands 'autopwn' for convenience is going to be setting up ACLs so that autopwn programs can't trash their data?

And any useful autopwn program is likely to require at least user permissions for whatever the user plans to do with it..

Re:Flawed Linux security model

[Kjella]

You assume that every application needs to run with every permission my user has, which is obviously false. For example this browser could be locked to its own application directory and a download directory. If I want to open anything executable it could trigger some kind of "sandbox to user" prompt like sudo or UAC. Accessing any other file, like for example if I want to upload something could go through a broker process that'd be heavily audited and give the application a handle to work with, yet unable to access anything but that specific file. That way if my browser is compromised it can't do more than wipe my download directory, not my whole home directory.

For example, a media player would work quite fine with write access to its own configuration file and nothing but read access to anything else. Or it could be given specific accesses to certain media libraries if you want to make changes from within the application. There's lots of such things that could be used to tighten security.

Re:Flawed Linux security model

[pseudorand]

It may be antiquated, but it really does work, mostly because it's simple. True, you can't do certain fine-grained things, but try ACLs in Windows. There's all kinds of confusion with inheritance and allow/deny. And that's before you click the Advanced button to set special permissions. Granted, I'm grateful that the complexity means companies need to hire guys like me who understand it, but the simpler Unix security model I think is just more effective. Besides, most modern Linux/Unix filesystems support ACLs (without SELinux) if you need to get more complicated.

Re:Of course

[jedidiah]

> But as you make Linux more user friendly, feature rich, easier to use, it becomes easier to attack.

Of course you can point us to the inevitable viruses, worms and trojans that now afflict MacOS?

If not then your entire rant is just thoughtless jibber jabber.

You get system vulnerabilities from bad engineering practices, not a consumer focused mindset.

Sure I can have it both ways. Just don't do obviously stupid stuff. Don't do things that were proven wrongful in the 80s before any of the current malware innovations were developed.

Re:Smart distros default auto-run

[jedidiah]

A smart distro would disable auto-run entirely and make you go through hoops to install it.

OT: MS instructions for controlling in Windows

[behindthewall]

Maybe OT, but here's MS's information for controlling this "feature" in Windows.

There've been various sets of instructions and registry hacks floating around, but this appears to be from the horse's mouth, relatively recently updated, and addresses some of the shortcomings of previous fixes.

Article ID: 967715 - Last Review: September 9, 2010 - Revision: 6.2
How to disable the Autorun functionality in Windows

http://support.microsoft.com/kb/967715

(I'm posting this due to the confusion all the various instructions / search results can create, and because this article addresses Autoruns and so I expect a number of Windows users will be having a look out of curiosity.)

FreeBSD is much better.

[Blackout+for+Hungary]

It doesn't even recognise my thumb drive, so I don't have to worry about security

Re:Oh boy

[DrgnDancer]

It was quite popular about 8-10 years ago for various media outlets to declare the "year of the Linux Desktop". I can't be arsed to look up specific examples, but they definitely existed. The irony being that Linux has improved dramatically as a desktop OS since most of those claims were widely circulated, yet no one expects it anymore. As far as I can tell, three things have ended the hype:

1) Probably most important: People have realized that what most desktop users want is something Linux will probably never give them. Hand holding and a person to call when things break. Windows' monopoly created a huge pool of reasonably skilled amateur technicians; as well as an ecosystem of professionals ranging from the guy with fliers on the apartment bulletin board, to Best Buy's Geek Squad, to highly skilled consultants and everything in between. Apple answered that with their Genius Bar and highly rated customer service. Linux has answers to it as well, but people don't like searching web sites and such. Red Hat and a few others actually have excellent customer service and tech support, but buying from them (in small volumes, they're way cheaper than MS for high volume sales) makes Linux as expensive as Windows.

2) A credible alternative to Windows on the Desktop emerged in OSX. Sure the hardware is kinda premium, but Apple released an easy to use Unix based OS on fairly affordable hardware. They also tied this with the launch of their retail stores and Genius Bars which provided the kind of hand holding and quick fix solutions that people are used to on Windows.

3) Software and hardware vendors never saw value in cooperating. Next to to the lack of hand holding, this is probably the biggest issue. No thanks to the vendors, the hardware situation is much better than it used to be, but software remains a major hurdle. There are analogs and replacements for a lot of stuff, but they're rarely quite as good, always require a learning curve (on top of learning the new OS), and often times have file conversion issues. Apple got around this because they've always been Microsoft's "see, we're not a really a monopoly" hitching post so a lot of vendors (including MS themselves) have always maintained a MacOS version. Apple's recent success just means that they're making money on it.

So now the Linux vendors concentrate on the server space (which has always been their strength), while producing steadily more polished Desktop OSes that don't get nearly the hype they used to. Meanwhile increasing numbers of tablets, smartphones, and PDAs may make the whole thing irrelevant in ten years. Not that desktop or laptop computers are going anywhere, but portable platforms will probably overtake them in usefulness for non-technical people at some point in the next decade.

Is there a demo online?

[doperative]

Anyone care to post a demo of this Linux autorun vulnerability, one that will compromise my system by inserting a USB device, and with no user confirmation required, and doesn't prompt for the root password ..

Re:Is there a demo online?

[Taibhsear]

And does anyone know how to shut off the autorun function in Ubuntu? Frankly I always found it to be quite annoying, this just gives me more incentive to actively disable it.

Ubuntu

[rrohbeck]

Is anybody else annoyed by the "There is a CD with a software update in the drive" or some such when you leave the installation CD in?
Can you please turn that off Canonical? This just begs for an exploit.

flawed logic

[doperative]

"Linux still has the antiquated "user, group, everyone" security model from the 1970s"

Apple OS X is based on Unix and uses the same antiquated security model as Linux :)

Re:flawed logic

[salesgeek]

That Linux still uses Unix permissions is a testament to elegant, simple design that works. Sure, you can create more granular security models, but in the end, you really can only do three things with a file: execute read write. Having worked with VMS and NT, I always got a chuckle out of having the permissions to write to a file, but not delete it. How's that empty file doing for ya?

potential USB hot-plugging attacks on Linux

[doperative]

Both Slashdot and the presenter should have been more accurate in the title of the presentation. ( I mean you by CmdrTaco )

Easy Defense

[FalleStar]

I actually watched this presentation live, and it is definitely worth checking out. Although this is a good presentation, it's not exactly the hack of the century. The guy still hasn't actually found a way around AppArmor yet so this doesn't work with machines with it enabled. Furthermore, the exploit requires local access to the machine AND have a user account already logged in.

I'm sure 99% of you already know how to do this, but if anyone is interested in protecting themselves from this type of attack regardless simply:

1. Open a Nautilus window.
2. Edit -> Preferences. Go to the Media tab.
3. Uncheck the box that is labeled "Browse media when inserted".

Blindly copying "features" from poorly designed sy

[Larry_Dillon]

I feel like they're follow Windows' tail lights over a cliff.
This sort of mentality is ruining Linux distributions.
If I wanted a dumbed-down buggy system, I'd use Windows.

What?

[Charliemopps]

Autorun plagues windows? Do people still move files from computer to computer via disc? By default this feature is either turned off or there's a popup asking if you want to run whatever it is that's trying to run. The last time I got a virus from autorun was probably on windows 98, maybe even 95.

Looks like WTFV is harder than RTFA

[adamofgreyskull]

Almost every comment here is concentrating on "Autorun" i.e. automatic execution of scripts/executables on media and ignoring the main focus of the talk, which is about exploiting bugs in the way the file-manager handles previews of image, PDF, DVI files etc. situated on the media. More generally he talks about the possibilities of exploiting vulnerabilities in every layer involved when automatically handling inserted media, from device discovery, device drivers, file-system drivers, up to and including the file-manager.

Unless we're all conflating "autorun" with "automount & show the media in a file-manager" now?

Re:Looks like WTFV is harder than RTFA

[KeithIrwin]

Now look here. That video is 51 minutes long. If I spend 51 minutes watching the video before I comment, then my comment isn't going to be up at the top where the most special and important ones are. It's far more important that everyone read whatever I think about things than it is that I have something worthwhile to say. I don't have time for watching videos. Look at that first comment. Two minutes after posting. How can I compete with that if I have to watch a 51 minute video? It's not like I have the ability to stop time to watch the video. And even if I did, would the video even still work? Wouldn't the time stop probably affect the streaming video server? I don't know and just thinking about it makes my head hurt. Enough making me think, I've got commenting to do.

No, it is auto-mount, auto-display, and previews

[buchanmilne]

While he talks about the possibility of driver vulnerabilities and means to exploit them (e.g. a USB device which claims to be a member of a class for which you have found an exploitable driver, but sends corrupt data as an exploit and payload), the exploit demonstrated works by:
-GNOME's stupid default of auto-mounting (KDE just shows you that a device has been plugged in, you have to click it to have it mounted), even when the screensaver is locked
-Opening a nautilus window on the mounted filesystem (again, even when the screensaver is locked)
-Vulnerabilities in a file parser (in this case for dvi files) specific to the PDF viewer
-The ability to kill the screensaver process quite trivially

The thumbnailer was protected by AppArmor, and while he disabled AppArmor for the demo, reckons he could have got around AppArmor with a bit more time.

I use KDE, because the extra "usability" of saving one click is not worth the risk imposed by auto-previewing files without me having the option to say no.

Exploit was done after disabling AppArmor

[buchanmilne]

Linux still has the antiquated "user, group, everyone" security model from the 1970s.

Yes, there's SELinux. But there isn't a whole distribution with a full range of applications which can run under a mandatory security model.

Actually, the Unix model is so ingrained in all Unix platforms, that getting users who expect broken Unix off it (on Linux) is difficult, and they want the insecurity and convenience of Mac OS X.

And, for the demo, the speaker actually had disabled AppArmor, because with it enabled, his exploit didn't work. He said he would have been able to get around AppArmor (due to one or two controls that we not enforced on the thumbnailer) with sufficient time.

"Complicated" ACLs also often supported on Linux

[Sits]

If you look into how modern distros control device permissions (e.g. on /dev/snd/pcmC0D0p ) you may find they make use of ACLs to allow lists of users access to things (without resorting to groups). However this gets complicated fast.

Additionally, a number of Linux security modules (SELinux, Apparmor, TOMOYO) alloow the use of common apps under a MAC model. Fedora really does run out of the box under SELinux after all.

However, I feel that what is needed is the ability to disclaim privileges even when running as a normal user. There is experimental user namespace work on Linux that w allow unprivileged users to create namespaces which may in the future provide such an ability.

Re:Oh boy

[Smauler]

4) Games.

That's all I use my PC for that requires Windows. E-mail, web, I can get by with almost anything... The only reason I upgraded to Vista was games... I was perfectly happy with win2k as a desktop PC. I don't need, nor care about a polished UI, I just want it functional.

I bought my current PC with the intention of dual booting Linux. However, I went with a fakeraid stripe setup (which resulted in Vista booting to usable in 15 seconds from bootmenu, I kept my old win2k partition), and at that time none of the Linux distros supported it without lots of tinkering. I've not got round to installing it since, since I don't need it (though I have bought another HD for it).

Re:No, it is auto-mount, auto-display, and preview

[tthomas48]

Ahh ok. I really hate videos as conveyors of information. I was just flipping around and found his bit about using a usb device with the kernel exploit.

It's still more inline with the kernel driver exploit than with the way Windows autorun used to be exploitable.

Re:Blindly copying "features" from poorly designed

[Beelzebud]

Well that's the nice thing about Linux though. No one is forcing you to use those features.

A mindset problem

[vaxius]

I think this problem, and the reason why we still have auto run, is that it's assumed that having physical access to a machine is an endgame situation. With that assumed to be true, the thinking goes, why not make content open themselves for the convenience of the user? That's why auto run and other services should be disabled during deployment in a business setting.

ffs people

[smash]

... it was a bad idea when microsoft did it (infuriating, even if it wasn't a security problem, even back in 1995), and now the noob idiots pushing current desktop environment development (which seems to have peaked and gone downhill in about 2004) seem determined to replicate every bad idea and fuckup of windows until linux is just as unworkable.

People run linux because of retarded shit like that on Windows. Don't replicate the problem.

Re:Oh boy

[Baseclass]

I'm not so sure I trust BSD code to be secure.

Help? Linux?

[hesaigo999ca]

Can anyone good with linux, tell me if
a) you can disabe the autorun options by default...
b) can anyone tell me if you can have something like tripwire tell you when a side OS is runnning trying to mess with your setup?

thank you..

disabling Windows autorun

[Bobtree]

Here's a better one: http://windowssecrets.com/2007/11/08/02-One-quick-trick-prevents-Autorun-attacks

Thanks to whomever originally posted this.

Distro != Linux

This isn't a Linux vulnerability, it's a shitty distribution vulnerability. Don't use distros designed for idiots, and you won't have a problem with this.

no

[poppopret]

You said "large collection". Thumbnailing that is too damn slow. (and always will be, because images get bigger) I want a responsive UI.

Automount

[Murdoch5]

This is a great reason to NOT have a auto mount enabled. Don't get me wrong I do enjoy auto-mount but at the same time it has a good deal of risk with it because you can't unintentionally mount a FS you didn't mean to.