But you see, the large telcos and cable companies have co-opted the system, and now are using legislation, and unfair practices to keep any competition from getting into the market. When is the last time you saw a new DSL provider *other* than the phone company?
If you have DSL, there is a good chance you have a choice of providers.
My ISP is AT&T (SBC). I can also buy my DSL service from Sonic.net and DSLExtreme.com and one other provider that I can't remember the name of right now. Sonic and dslextreme's promo prices are slightly higher than AT&T's promo prices, but they are still much lower than AT&T's regular month to month prices.
For three years now, I have been paying the "introductory" rate for my DSL service with SBC/AT&T. It was $39.99/mo for 3mbit service in 2004 when I first signed up, $29.99/mo for 3mbit service last year and I just renewed for this year at $19.99/mo. This year they tried to force me into switching to $39.99/mo after my contract expired and I told them to cancel my account and I would switch providers. They decided to give me the $19.99 rate.
My case is not a special one. Just about everyone is the US who can get DSL service can buy their DSL from someone other than their phone company. Most people just don't realize it.
"I turned them off in my XP because there's really no point, as far as I can see."
Actually, sometimes when you submit them, you get sent to a page on Microsoft's site with an explanation of the problem and a link to the fix. I've seen it happen with a graphics driver and TI GraphLink software.
So sending in the crash reports are not useless at all.
The first time I ever noticed lose spelt incorrectly was in the Game Operation Flashpoint which was released around 2001. In the triggers in the mission editor one of the choices upon activation was "loose". Also in the scripting language, the functions "getdammage" and "setdammage", damage was also spelt incorrectly.
Since creating missions for Operation Flashpoint required in hours in the mission editor tweaking triggers, and scripts, in the various game forums almost everyone would regularly misspell both lose and damage when posting messages. Even those that knew the proper spelling would do it. It became somewhat of a joke, as everyone knew it was wrong but would continue to do it out of habit.
Operation Flashpoint effectively trained thousands of people to misspell both lose and damage.
So don't blame us "USians" for it. Blame those Czech developers at BIS and their kick ass battle simulator.
Maybe some idiots make decisions based on stats, but IME managment makes decisions based on what their staff can handle. If you've got a bunch of penguin heads then Apache will probably win out over IIS, and if you've got a bunch of Microsofties....
[i]"Because GOOD Windows admins PATCH their Windows boxes every month, and therefore would not have an continuous uptime of more than about 30 days at a stretch."[/i]
Oh come on, that's just bullshit. As with any OS, most Windows updates patch local vulnerabilities that are irrelevant in server scenarios. Patching all of your servers every month is not neccessary if the vulnerable compenents are never used. What threat does an Outlook express/IE/Media Player vulnerablity pose on a server?
"meanwhile most Linux patches can be done with minimal disruption and usually without a reboot."
Very true, but kernel vulnerabilities do require a reboot, and linux has had many of those....but.....most of them are local vulnerabilities and need not be patched right away on most systems - hence the long uptimes linux admins like to jack off over.
To the contrary, I've only had problems with ATI products.
My first issue was with a card called the Rage Fury Maxx circa 1999. It had *two* processors and 64MB memory. Those were insane specs back then and of course, I expected it to perform well. Well, with D3D games it did performed much better than my Voodoo3 3000, but in OpenGL games the performance was virtually the same, and the two games I played the most (halflife and some other game) were OpenGL. Halflife did D3D, but it looked like absolute crap, so that was a no-go. After a few months, I moved to Windows 2000, and came to find out that there was no driver it, and there never would be. The official message on ATI's site about the Rage fury Maxx said something to the effect of, "Due to the Rage Fury Maxx's hardware design it is technically impossible to write a driver for NT based operating systems". WTF?! I sold the card to a friend of mine for ten bucks and continued to use my Voodoo3 card for quite some time after that.
The second experience was with an ATI Video Wonder TV tuner card. The card worked 'okay', but there were some slight issues I had with it that were annoying. So I went to their site and they had some Beta drivers that supposedly fixed some issues. I installed them and found that they fixed my issues, but removed some important functionality that the previous driver had so I decided to uninstall it. Well the driver had registered itself with Windows file protection serving and became absolutely impossible to remove. I'm sure there was a way to disable the windows file protection and remove the driver, but that was beyond the scope of my knowledge, so I ended up having to reload my system to get rid of the driver. Besides that drive issue, sometimes the TV would freeze while playing and after killing the TV application, the only way to watch TV again was to reboot the computer (presumably because the driver still thought you were watching TV and was busy).
My third experience was (is) with an ATI card that is in my Alienware laptop. It came with a GeForce 9600 mobility card. It blue screens quite frequently and the culprit is of course, the ATI driver. My coworker has the same laptop with the same card, and had experienced the same bluescreens. I just installed a new driver for it that was released recently and it has not bluescreened in awhile, so I'm crossing my fingers.
Finally, here at work we recently received five new desktop systems which came with some new ATI model. They were all having extremely strange errors. Not bluescreens, but weird hang-ups and freezes which were very intermittent. We finally figured out the culprit - the ATI DRIVER. We updated the driver and all is well...for now.
So, I pretty much avoid anything made by ATI like the plague, not because I love Nvidia, but just because of several bad experiences over a many years with ATI, and the fact that Nvidia's stuff generally works. Oh, and plus I'm a FreeBSD user. Not much ATI action going on in the land of Beastie.
I needed a case that a) Didn't look tacky, b) had room for multiple hard drives, c) had a decent power supply, d) didnt cost a fortune, and most importantly e) had a front door than covered the power button. The only maker I could find that made what I needed was Antec. I bought this one for my wife's machines and this one for mine. I needed one with a door because my toddler likes to push buttons. I bought a baby-proof thingy that is designed for cabinets that wraps around the case and our PCs are now "toddler proof".
Congratulations on figuring out that life isn't fair fuckwad. Are you jsut going to troll slashdot for the rest of your life from your cubicle or do something about it? I hear Cuba is a nice place to live.
Your home partition being mounted noexec is not standard, and not something that I think regular users would ever put up with. It certainly is more secure, and a good practice in secure setups, but is it practical for the masses?
Hell, one of the big featues I've seen linux users tout over Widnows about linux is that regular users can install software in their own home directory. You can increase security by limiting functionality, but that usually doesn'y fly with the Moms, Dads and Grandmas of the world.
My point has always had been that if a linux/unix/bsd had the number of computer illiterate users that Windows has, they would all be riddled with malware; The reason being that these novice users would demand a distro with the type of ultra functionailty that Windows has. They would wan't support for video and flash and java in their browsers, and they would want easy software installation - either loki-style or package style, like rpm. Put all of this functionality together with novice users and you have a recipie for disaster.
"Show me how you can make "C:\Documents and Settings\" noexec in Windows then."
You can't in the sense that you can in unix, but see my point abover about novice users not putting up with crap like that. You *can* set permissions on an existing profile (c:\Documents and settings\user) so that that user cannot execute files that they save inside of it, but the implimetation is not perfect. For example, you can't execute.exe files at all, and you can't execute cmd or bat files by double clickling on them in explorer - but, you can execute cmd or bat files by opening up cmd.exe and running them run the command line, you can also execute.vbs files by double clicking on them, and from the cmd.exe shell via cscript.exe or wscript.exe. I suppose malware could operate like this as long as they consisted entirely of batch or windows script files, but that seems doubtful to me. A user can fully utilize a computer with their profile set like this, but I question the usefulness of this in the real world(tm).
"It's precisely because of the design that Linux is more secure. Each resource is owned by User, Group or World. Each can be granted read, write or execute access. A so called virus executed by User can not access system areas, by design."
Besides jsut describing a feature that every modern OS has, you again are working with the false assumption that a piece of malware would need root access to take advantage of the systems resources. Don't get me wrong. I advocate the use of least priviledge (look at my sig), but I don't look at it as the panacea that you do.
"Malware cannot install unless it has root baring defects in the applications which does not invalidate safer by design."
Wrong. Executables can be placed in the users profile and run without the need to root access.
"I have a shell script in/usr/local/sbin executable by Users. Clicking on it in Konqueror does absolutly nothing. How can I get it to run by clicking on it like a novice?
#!/bin/bash echo hello world ls/root
lol! It ran allright, you just didn't see it. Try this (and unless you're writing a shell script that actually requires bash, quit putting that non-standard #!/bin/bash crud in your scripts. It only serves to make it non-portable)....
#!/bin/sh echo "#!/bin/sh" > ~/.kde/Autostart/virus.sh echo "kdialog --msgbox \"hello world\"" >> ~/.kde/Autostart/virus.sh chmod 755 ~/.kde/Autostart/virus.sh kdialog --msgbox "Hello world \"virus\" installed! Please restart your kde session" exit
The example above works like a charm on my box, which is KDE 3.5.2 on FreeBSD 6.1. Assuming you ahve a stadard KDE install (which novice users would), it should work on your linux system too.
Now, after clicking through the dialog, restart your kde session and watch it execute automatically. There are other places it can be installed including the crontab, which would make it start at bootup.
"You do if the malware wants to run its own SMTP engine as only root can allocate ports."
Who said anything about running a smtp engine? Most consumer ISPs block machines from running their own SMTP engine anyway, so it would be better for the malware to just act as a client and use the user's or an outside SMTP server. As for IRC, I never said run as IRC server, I said connect to one. This is how bots go out and retrieve commands from their master. No root access is required for that.
"You do need root access to alter the boot sequence. The boot sequence is locked to root access only. A script run as User can not access system files.
You don't *need* to alter the boot sequence, and you don't *need* to alter system files.
"You don't need a keylogger to access the X keyboard buffer."
Exactly.
"Here when I email myself virus.sh I get prompted to open in gedit or download the file and the executable bit is stripped off. Email me a script and demonstrate how to execute it by opening an attachmen"
You can try it yourself. using the script I pasted above. Set the execute bit, archive it into a tar/gz file and email it to yourself. Save the attachment, extract it using ark and click on it in konqueror. Windows users who infect themselves with email worms go through this exact progression all the time. Are you saying that novices on linux would not do the same stupid things? I think you are severely underestimating the power of stupid people in large groups.
"A locked down nix system cannot click and run. A locked down Windows system is unusable.
But a functional *nix system can. A locked down *nix system would be just as unusable as a locked down Windows system, and thus, not used by novices.;)
"You wish"
I don't wish anything. I just understand how the security models for both windows and unix work and I know the entry points for both.
"I pointed out that the real reason is that it is very difficult."
But it's not due to the design of linux. It's due to the lack of targets and novice users.
"It's still almost impossible to run without wilfull user action."
No, not really.
"This is how a novice would get a Linux 'virus`.
01. download file
Yeah, they could "download a file" (or an email attachment), or be hit by an application exploit just like in Windows. Off the top of my head I can think of a few apps which have had remote code execution exploits very recently - firefox, KDE, mplayer, realplayer, acrobat, zlib, gaim - all very popular desktop apps that novices would almost certainly use if they used linux.
"02. open a console"
No. Modern desktop enviroments like KDE (which novice users would be running) do not require a console to run things.
"03. login as root"
Since when did malware need root? Do you need root in linux to send email (spam). Do you need root in linux to connect to an IRC server or a webpage (DoS bots)? Do you need root in linux to start a program up automatically at boot or login (~/.shrc, ~./.xinitrc , ~/.kde/autostart , crontab)? No, of course not. Of course once a peice of malware did get in, gaining root in linux would only be a matter of time, as keyloggers can be installed in X without the need for root access.
"04. chmod on the file to execute"
Application exploits obviously do not require this. Email worms in Windows are packaged as zip files and novice users unzip them and infect themselves regularly. Email worms in linux could be packaged in archives too - *with the execute bit pre-set* - and with novice friendly desktop enviroments like KDE, opeing an archive and executing the contents is only a few mouse clicks away.
"05. type./run.virus
They'd be owned long before that.
"With Windows all the novice has to do is click on a web link or open an attachment."
And there really is little difference with linux. These newbie friendly linux distros offer the same level of desktop functionality as Windows does. If they didn't, novices would never be able to use them. Many linux users today are just as ignorant about computers and security as your average windows user. Heck, recently I saw a long-time desktop linux user post on some forum about how he just discovered this cool command called `shutdown -r now` that would reboot linux computer if X died. These type of people are ripe for expliotation. There just aren't enough of them.
I've looked for reasearch like this before, as the commonalites between the spread of biological agents and electronic malware has always interested me, but have never seen this.
The analogy is not neccessarily false when you introduce the factor of human interaction into the equation. Since computers are operated by humans, and very large percentage of malware depends on human interaction, the lack of enough potential hosts can indeed make the spread of certain types of malware impossible.
For example, if a person must open up a email attachment and execute some bad code in order to get infected and spread the worm further, potential targets are a large factor in the ability of the worm to spread. Just as only a certain percentage of people who come in contact with a sick person will actually get sick themselves, only a certain number of people who get email worms in their inbox will fall for it and infect themselves. The mitigating factors are different of course, but the end result is that the inectious agent, whether it be biological or electronic must have sufficient contact with other potential hosts to propogate.
So the common thread that makes the biological/electronic analogy work is humans. The person who volunteers to teach spaggetti art to 3 and 4 year olds at the pre-school, is more likely to catch a cold than the person who doesn't - just as the person who browses porn with IE while logged on as an admin is more likely to catch some nasty malware than someone who doesn't.
Network borne worms that require only internet conetivity (no human interaction) to spread are another story. Because every potential host on the planet is reachable in a matter of milliseconds, and contact with another vulnerable host guaratees infection, the percentage of vulnerable hosts on the net is almost irrelevant. The BlackICE worm from a few years back is proof positive of this.
"Also, be prepared to compromise. You never seem to get 100% of a solution from a manager. Which is why you need to present the 75% or 90% solution, in addition to the 100% solution."
In the public sector it's similar, except you take the 100% solution, double it, and then present it as the 100% solution.
You are correct, but running as a limited user does protect the system and makes cleanup of malware easier. Yes, a users files are *the* most important thing, but, the vast majority of windows malware is written to hijack the computers' resources (for example to act as a spam/DoS bot), raqther that mess with users' files.
There is also an extra amount of protection that running as a non-admin user gives in Windows. Due to the fact that almost all Windows users run with admin rights, almost all malware assumes those rights. because of this, malware simply die when they can't drop their loads into the places they don't have access to. It basically "security by obscurity", but it's still useful...for now.
Just FYI, my WinSUDO hack is based on "makemeadmin". It uses the same concept, but takes it further by by allowing you to run virtually anything as admin by just right clicking on it and entering in your own password.
I am the author, and have been eating my own dogfood (using WinSUDO) for months now. In fact I just used it ten minues ago to install the "windows vista upgrade advisor" on my PC.
The bottom line is, it works great. Previously I had some dire warnings on my page about WinSUDO being an early version, and to beware, but I have removed them, as I've only gotten positive feedback about the program and never had a report about it screwing anything up. Of course, the standard "don't blame me if your computer breaks" disclaimer applies, and is still on the page, but the program is too simple to cause any serious problems.
"Can it fool enough people into making it a worm? This happens all the time in Windows,"
Yeah it happens all the time because enough people run Windows.
Look at it this way. If you send out an email worm to 100,000 email addresses, 90,000 of them will arrive in a windows users inbox. If only 5% of the Windows recipients users fall for it and infect themselves, and the malware manages to harvest an average of 23 email addresses from each machine, the second volley of emails will go out to 103500 more email addresses - more than the original batch. Even if less fall for it, and the volume of email decreases after each volley, the worm will still spread to quite a few people before dying out.
Now, out of the first 100,000 worm emails sent, how many will land in the inbox of a desktop linux user? 4000? How in hell could the worm ever even hope to spread?
"This happens all the time in Windows, but I've never heard of a tar-based worm."
Pretty much all Windows email worms from the last three years have come in zip files. A couple even came in encrypted zip files with the password in the body of the email - and users still fell for them and spread the worm. If everyone ran linux they would most certainly be using a desktop enviroment like KDE which allows you to open up archives just by clicking on them.
"This isn't so much about security as it is about encouraging stupid behaviour. Windows does."
You are not giving stupid people enough credit here.
Slashdot Mirror
But you see, the large telcos and cable companies have co-opted the system, and now are using legislation, and unfair practices to keep any competition from getting into the market. When is the last time you saw a new DSL provider *other* than the phone company?
If you have DSL, there is a good chance you have a choice of providers.
My ISP is AT&T (SBC). I can also buy my DSL service from Sonic.net and DSLExtreme.com and one other provider that I can't remember the name of right now. Sonic and dslextreme's promo prices are slightly higher than AT&T's promo prices, but they are still much lower than AT&T's regular month to month prices.
For three years now, I have been paying the "introductory" rate for my DSL service with SBC/AT&T. It was $39.99/mo for 3mbit service in 2004 when I first signed up, $29.99/mo for 3mbit service last year and I just renewed for this year at $19.99/mo. This year they tried to force me into switching to $39.99/mo after my contract expired and I told them to cancel my account and I would switch providers. They decided to give me the $19.99 rate.
My case is not a special one. Just about everyone is the US who can get DSL service can buy their DSL from someone other than their phone company. Most people just don't realize it.
"I turned them off in my XP because there's really no point, as far as I can see."
Actually, sometimes when you submit them, you get sent to a page on Microsoft's site with an explanation of the problem and a link to the fix. I've seen it happen with a graphics driver and TI GraphLink software.
So sending in the crash reports are not useless at all.
The first time I ever noticed lose spelt incorrectly was in the Game Operation Flashpoint which was released around 2001. In the triggers in the mission editor one of the choices upon activation was "loose". Also in the scripting language, the functions "getdammage" and "setdammage", damage was also spelt incorrectly.
Since creating missions for Operation Flashpoint required in hours in the mission editor tweaking triggers, and scripts, in the various game forums almost everyone would regularly misspell both lose and damage when posting messages. Even those that knew the proper spelling would do it. It became somewhat of a joke, as everyone knew it was wrong but would continue to do it out of habit.
Operation Flashpoint effectively trained thousands of people to misspell both lose and damage.
So don't blame us "USians" for it. Blame those Czech developers at BIS and their kick ass battle simulator.
"And thats not because my girlfriend ran of with a robot."
Can you blame her? I heard the robot is like a machine in bed.
"Even the more hardened versions have problems because they delve so deeply into the operating system."
So oh great converter to linux, tell me about the security "problems" IIS6 has had due to it delving so deeply into the system.
Maybe some idiots make decisions based on stats, but IME managment makes decisions based on what their staff can handle. If you've got a bunch of penguin heads then Apache will probably win out over IIS, and if you've got a bunch of Microsofties....
[i]"Because GOOD Windows admins PATCH their Windows boxes every month, and therefore would not have an continuous uptime of more than about 30 days at a stretch."[/i]
Oh come on, that's just bullshit. As with any OS, most Windows updates patch local vulnerabilities that are irrelevant in server scenarios. Patching all of your servers every month is not neccessary if the vulnerable compenents are never used. What threat does an Outlook express/IE/Media Player vulnerablity pose on a server?
"meanwhile most Linux patches can be done with minimal disruption and usually without a reboot."
Very true, but kernel vulnerabilities do require a reboot, and linux has had many of those....but.....most of them are local vulnerabilities and need not be patched right away on most systems - hence the long uptimes linux admins like to jack off over.
Not knowing when your flight's gonna take off can kill you?
...is decent, but could be summarized even more.
1. I don't like change
To the contrary, I've only had problems with ATI products.
My first issue was with a card called the Rage Fury Maxx circa 1999. It had *two* processors and 64MB memory. Those were insane specs back then and of course, I expected it to perform well. Well, with D3D games it did performed much better than my Voodoo3 3000, but in OpenGL games the performance was virtually the same, and the two games I played the most (halflife and some other game) were OpenGL. Halflife did D3D, but it looked like absolute crap, so that was a no-go. After a few months, I moved to Windows 2000, and came to find out that there was no driver it, and there never would be. The official message on ATI's site about the Rage fury Maxx said something to the effect of, "Due to the Rage Fury Maxx's hardware design it is technically impossible to write a driver for NT based operating systems". WTF?! I sold the card to a friend of mine for ten bucks and continued to use my Voodoo3 card for quite some time after that.
The second experience was with an ATI Video Wonder TV tuner card. The card worked 'okay', but there were some slight issues I had with it that were annoying. So I went to their site and they had some Beta drivers that supposedly fixed some issues. I installed them and found that they fixed my issues, but removed some important functionality that the previous driver had so I decided to uninstall it. Well the driver had registered itself with Windows file protection serving and became absolutely impossible to remove. I'm sure there was a way to disable the windows file protection and remove the driver, but that was beyond the scope of my knowledge, so I ended up having to reload my system to get rid of the driver. Besides that drive issue, sometimes the TV would freeze while playing and after killing the TV application, the only way to watch TV again was to reboot the computer (presumably because the driver still thought you were watching TV and was busy).
My third experience was (is) with an ATI card that is in my Alienware laptop. It came with a GeForce 9600 mobility card. It blue screens quite frequently and the culprit is of course, the ATI driver. My coworker has the same laptop with the same card, and had experienced the same bluescreens. I just installed a new driver for it that was released recently and it has not bluescreened in awhile, so I'm crossing my fingers.
Finally, here at work we recently received five new desktop systems which came with some new ATI model. They were all having extremely strange errors. Not bluescreens, but weird hang-ups and freezes which were very intermittent. We finally figured out the culprit - the ATI DRIVER. We updated the driver and all is well...for now.
So, I pretty much avoid anything made by ATI like the plague, not because I love Nvidia, but just because of several bad experiences over a many years with ATI, and the fact that Nvidia's stuff generally works. Oh, and plus I'm a FreeBSD user. Not much ATI action going on in the land of Beastie.
Even the 'cheap' antec cases are great.
I needed a case that a) Didn't look tacky, b) had room for multiple hard drives, c) had a decent power supply, d) didnt cost a fortune, and most importantly e) had a front door than covered the power button. The only maker I could find that made what I needed was Antec. I bought this one for my wife's machines and this one for mine. I needed one with a door because my toddler likes to push buttons. I bought a baby-proof thingy that is designed for cabinets that wraps around the case and our PCs are now "toddler proof".
There is no such thing as "fair".
Jesus, you're like a fucking broken record.
Congratulations on figuring out that life isn't fair fuckwad. Are you jsut going to troll slashdot for the rest of your life from your cubicle or do something about it? I hear Cuba is a nice place to live.
man hier is good one too in *BSD. Do they have that in linux distros, and more importantly, if they do, are they up to date/accurate?
Your home partition being mounted noexec is not standard, and not something that I think regular users would ever put up with. It certainly is more secure, and a good practice in secure setups, but is it practical for the masses?
.exe files at all, and you can't execute cmd or bat files by double clickling on them in explorer - but, you can execute cmd or bat files by opening up cmd.exe and running them run the command line, you can also execute .vbs files by double clicking on them, and from the cmd.exe shell via cscript.exe or wscript.exe. I suppose malware could operate like this as long as they consisted entirely of batch or windows script files, but that seems doubtful to me. A user can fully utilize a computer with their profile set like this, but I question the usefulness of this in the real world(tm).
Hell, one of the big featues I've seen linux users tout over Widnows about linux is that regular users can install software in their own home directory. You can increase security by limiting functionality, but that usually doesn'y fly with the Moms, Dads and Grandmas of the world.
My point has always had been that if a linux/unix/bsd had the number of computer illiterate users that Windows has, they would all be riddled with malware; The reason being that these novice users would demand a distro with the type of ultra functionailty that Windows has. They would wan't support for video and flash and java in their browsers, and they would want easy software installation - either loki-style or package style, like rpm. Put all of this functionality together with novice users and you have a recipie for disaster.
"Show me how you can make "C:\Documents and Settings\" noexec in Windows then."
You can't in the sense that you can in unix, but see my point abover about novice users not putting up with crap like that. You *can* set permissions on an existing profile (c:\Documents and settings\user) so that that user cannot execute files that they save inside of it, but the implimetation is not perfect. For example, you can't execute
"It's precisely because of the design that Linux is more secure. Each resource is owned by User, Group or World. Each can be granted read, write or execute access. A so called virus executed by User can not access system areas, by design."
/usr/local/sbin executable by Users. Clicking on it in Konqueror does absolutly nothing. How can I get it to run by clicking on it like a novice?
/root
;)
Besides jsut describing a feature that every modern OS has, you again are working with the false assumption that a piece of malware would need root access to take advantage of the systems resources. Don't get me wrong. I advocate the use of least priviledge (look at my sig), but I don't look at it as the panacea that you do.
"Malware cannot install unless it has root baring defects in the applications which does not invalidate safer by design."
Wrong. Executables can be placed in the users profile and run without the need to root access.
"I have a shell script in
#!/bin/bash
echo hello world
ls
lol! It ran allright, you just didn't see it. Try this (and unless you're writing a shell script that actually requires bash, quit putting that non-standard #!/bin/bash crud in your scripts. It only serves to make it non-portable)....
#!/bin/sh
echo "#!/bin/sh" > ~/.kde/Autostart/virus.sh
echo "kdialog --msgbox \"hello world\"" >> ~/.kde/Autostart/virus.sh
chmod 755 ~/.kde/Autostart/virus.sh
kdialog --msgbox "Hello world \"virus\" installed! Please restart your kde session"
exit
The example above works like a charm on my box, which is KDE 3.5.2 on FreeBSD 6.1. Assuming you ahve a stadard KDE install (which novice users would), it should work on your linux system too.
Now, after clicking through the dialog, restart your kde session and watch it execute automatically. There are other places it can be installed including the crontab, which would make it start at bootup.
"You do if the malware wants to run its own SMTP engine as only root can allocate ports."
Who said anything about running a smtp engine? Most consumer ISPs block machines from running their own SMTP engine anyway, so it would be better for the malware to just act as a client and use the user's or an outside SMTP server. As for IRC, I never said run as IRC server, I said connect to one. This is how bots go out and retrieve commands from their master. No root access is required for that.
"You do need root access to alter the boot sequence.
The boot sequence is locked to root access only.
A script run as User can not access system files.
You don't *need* to alter the boot sequence, and you don't *need* to alter system files.
"You don't need a keylogger to access the X keyboard buffer."
Exactly.
"Here when I email myself virus.sh I get prompted to open in gedit or download the file and the executable bit is stripped off. Email me a script and demonstrate how to execute it by opening an attachmen"
You can try it yourself. using the script I pasted above. Set the execute bit, archive it into a tar/gz file and email it to yourself. Save the attachment, extract it using ark and click on it in konqueror. Windows users who infect themselves with email worms go through this exact progression all the time. Are you saying that novices on linux would not do the same stupid things? I think you are severely underestimating the power of stupid people in large groups.
"A locked down nix system cannot click and run. A locked down Windows system is unusable.
But a functional *nix system can. A locked down *nix system would be just as unusable as a locked down Windows system, and thus, not used by novices.
"You wish"
I don't wish anything. I just understand how the security models for both windows and unix work and I know the entry points for both.
Where to even start!
./run.virus
"I pointed out that the real reason is that it is very difficult."
But it's not due to the design of linux. It's due to the lack of targets and novice users.
"It's still almost impossible to run without wilfull user action."
No, not really.
"This is how a novice would get a Linux 'virus`.
01. download file
Yeah, they could "download a file" (or an email attachment), or be hit by an application exploit just like in Windows. Off the top of my head I can think of a few apps which have had remote code execution exploits very recently - firefox, KDE, mplayer, realplayer, acrobat, zlib, gaim - all very popular desktop apps that novices would almost certainly use if they used linux.
"02. open a console"
No. Modern desktop enviroments like KDE (which novice users would be running) do not require a console to run things.
"03. login as root"
Since when did malware need root? Do you need root in linux to send email (spam). Do you need root in linux to connect to an IRC server or a webpage (DoS bots)? Do you need root in linux to start a program up automatically at boot or login (~/.shrc, ~./.xinitrc , ~/.kde/autostart , crontab)? No, of course not. Of course once a peice of malware did get in, gaining root in linux would only be a matter of time, as keyloggers can be installed in X without the need for root access.
"04. chmod on the file to execute"
Application exploits obviously do not require this. Email worms in Windows are packaged as zip files and novice users unzip them and infect themselves regularly. Email worms in linux could be packaged in archives too - *with the execute bit pre-set* - and with novice friendly desktop enviroments like KDE, opeing an archive and executing the contents is only a few mouse clicks away.
"05. type
They'd be owned long before that.
"With Windows all the novice has to do is click on a web link or open an attachment."
And there really is little difference with linux. These newbie friendly linux distros offer the same level of desktop functionality as Windows does. If they didn't, novices would never be able to use them. Many linux users today are just as ignorant about computers and security as your average windows user. Heck, recently I saw a long-time desktop linux user post on some forum about how he just discovered this cool command called `shutdown -r now` that would reboot linux computer if X died. These type of people are ripe for expliotation. There just aren't enough of them.
"Remember a great deal of the Internet is still run on BsdUnix or some such varient of Unix. Where are the viruses?"
You are comparing a desktop OS that is used primarily by computer novices with *nix servers. Do you not see a problem with that?
I've looked for reasearch like this before, as the commonalites between the spread of biological agents and electronic malware has always interested me, but have never seen this.
The analogy is not neccessarily false when you introduce the factor of human interaction into the equation. Since computers are operated by humans, and very large percentage of malware depends on human interaction, the lack of enough potential hosts can indeed make the spread of certain types of malware impossible.
For example, if a person must open up a email attachment and execute some bad code in order to get infected and spread the worm further, potential targets are a large factor in the ability of the worm to spread. Just as only a certain percentage of people who come in contact with a sick person will actually get sick themselves, only a certain number of people who get email worms in their inbox will fall for it and infect themselves. The mitigating factors are different of course, but the end result is that the inectious agent, whether it be biological or electronic must have sufficient contact with other potential hosts to propogate.
So the common thread that makes the biological/electronic analogy work is humans. The person who volunteers to teach spaggetti art to 3 and 4 year olds at the pre-school, is more likely to catch a cold than the person who doesn't - just as the person who browses porn with IE while logged on as an admin is more likely to catch some nasty malware than someone who doesn't.
Network borne worms that require only internet conetivity (no human interaction) to spread are another story. Because every potential host on the planet is reachable in a matter of milliseconds, and contact with another vulnerable host guaratees infection, the percentage of vulnerable hosts on the net is almost irrelevant. The BlackICE worm from a few years back is proof positive of this.
"Also, be prepared to compromise. You never seem to get 100% of a solution from a manager. Which is why you need to present the 75% or 90% solution, in addition to the 100% solution."
In the public sector it's similar, except you take the 100% solution, double it, and then present it as the 100% solution.
You are correct, but running as a limited user does protect the system and makes cleanup of malware easier. Yes, a users files are *the* most important thing, but, the vast majority of windows malware is written to hijack the computers' resources (for example to act as a spam/DoS bot), raqther that mess with users' files.
There is also an extra amount of protection that running as a non-admin user gives in Windows. Due to the fact that almost all Windows users run with admin rights, almost all malware assumes those rights. because of this, malware simply die when they can't drop their loads into the places they don't have access to. It basically "security by obscurity", but it's still useful...for now.
Just FYI, my WinSUDO hack is based on "makemeadmin". It uses the same concept, but takes it further by by allowing you to run virtually anything as admin by just right clicking on it and entering in your own password.
I am the author, and have been eating my own dogfood (using WinSUDO) for months now. In fact I just used it ten minues ago to install the "windows vista upgrade advisor" on my PC.
The bottom line is, it works great. Previously I had some dire warnings on my page about WinSUDO being an early version, and to beware, but I have removed them, as I've only gotten positive feedback about the program and never had a report about it screwing anything up. Of course, the standard "don't blame me if your computer breaks" disclaimer applies, and is still on the page, but the program is too simple to cause any serious problems.
"Can it fool enough people into making it a worm? This happens all the time in Windows,"
Yeah it happens all the time because enough people run Windows.
Look at it this way. If you send out an email worm to 100,000 email addresses, 90,000 of them will arrive in a windows users inbox. If only 5% of the Windows recipients users fall for it and infect themselves, and the malware manages to harvest an average of 23 email addresses from each machine, the second volley of emails will go out to 103500 more email addresses - more than the original batch. Even if less fall for it, and the volume of email decreases after each volley, the worm will still spread to quite a few people before dying out.
Now, out of the first 100,000 worm emails sent, how many will land in the inbox of a desktop linux user? 4000? How in hell could the worm ever even hope to spread?
"This happens all the time in Windows, but I've never heard of a tar-based worm."
Pretty much all Windows email worms from the last three years have come in zip files. A couple even came in encrypted zip files with the password in the body of the email - and users still fell for them and spread the worm. If everyone ran linux they would most certainly be using a desktop enviroment like KDE which allows you to open up archives just by clicking on them.
"This isn't so much about security as it is about encouraging stupid behaviour. Windows does."
You are not giving stupid people enough credit here.