Submitted by Researchers from a little-known security software company named Sunbelt Software have seemingly uncovered a criminal identity theft ring of massive proportions. According to one of their employees, Alex Eckelberry, during the course of one of their recent investigations into a particular Spyware application – rumored to be called CoolWebSearch – they’ve discovered that the personal information of those “infected” was being captured and uploaded to a server.
Well my understanding is:
1-It’s a varient that does the “phoning home”.
2-Isn’t CoolWebSearch already known as a troublesome piece of software?
3-By definition doesn’t “Spyware” send information back?
Although I feel sorry for all those who are affected by this – I can’t help but sit here on my Linux workstation and chuckle.
Gone are the days I had to worry about Viruses, Trojans and increasingly-dangerous Spyware.
I’m not saying that Linux is immune, or it’ll never happen in the future, but I am now *very* glad I took the effort to learn and stop having to worry about those problems as much.
With all the problems Windows has (not only the aforementioned, but also invasive DRM and activations) why do so many people see if as an attractive platform? I still, sadly, know people who swear by it!
I’m not saying that Linux is immune, or it’ll never happen in the future, but I am now *very* glad I took the effort to learn and stop having to worry about those problems as much.
Agreed. While I don’t worry about any of that on my own Linux systems, I’m fearful for my friends and family. My older sister & her family are in the worst shape, since they refuse to lock down the computer in any real way and they keep using IE.
When I did moderate security changes, it was too much for them and I had to back the changes out. This is from a family that refuses to use Firefox since it doesn’t run ActiveX…and doesn’t listen when I tell them that ActiveX is a large reason why the computer they have keeps crashing and being hijacked as a spam bot. (They don’t believe me on the spam bot, though there are hints that they are starting to realize that what I say might be true.)
Advice to replace the aging Dell running Windows 2000 with an Mac Mini is ignored…yet, the keep asking me advice on how to deal with the hell hole of a system they use.
The reason? 8 year old daughter keeps loading everything in sight. She’s a smart kid, but can’t be bothered to restrain herself.
That said, it took me 2 weeks to figure out how to lock down a Windows XP system so that it is as moderately as secure as my Linux systems. That’s 2 weeks above and beyond a Windows 2000 lock down/security audit that I did previously. That’s a level of pain that is simply not required under Linux.
Spyware would be just as easy to install on *nux as windows. Keep in mind that people are voluntarily downloading and installing these “cool” applications to help them out and make their POS disposible PC one million times faster. Heck, all you have to do is promise that the application will make coffee for you in the morning and without thinking twice, a million PC users will jump that the opportunity to install the app. It’s not JUST security breaches that put rogue software on desktops. Remember, the weakest link is the human link (Mitnick, I think?).
Agreed. A Spyware app isn’t out to destroy your computer, so there’s no need for it to have root access. A Spyware app in user-mode on Linux can send just as much important data as a spyware app on Windows.
It’s just that your average Linux user is more aware of security and spyware issues.
Disagreed. Most linux software is GPL or other open source linux. Spyware apps will be immediately identifiable as harmfull and can be altered to remove the malicous intent. Also. http://ftp.debian.org isn’t going to host spyware apps so the user will never be able to apt-get them. The windows software intallation method is flawed. And remember, never install any free software that is not open source.
“Disagreed. Most linux software is GPL or other open source linux. Spyware apps will be immediately identifiable as harmfull and can be altered to remove the malicous intent.”
This is basically the “thousand eyes make bugs shallow” argument. Now how many people have actually tested this article of faith?*
Plus you have to keep in mind one thing about the bad guys verses the good guys. The bad guys only have to succeed once, the good guys have to succeed every time.
*Note I’m not just talking about spyware, but any malicious software.
“Also. http://ftp.debian.org isn’t going to host spyware apps so the user will never be able to apt-get them.”
This assumes that all users are going to get all their software from the Debian repository. I can tell you that a lot of Linux users wander outside the domain of their distro’s repository.
Once again people, security comes down to people, not technological solutions.
There is simply no such thing as open source spyware. By definition, it does not exist.
“Spyware would be just as easy to install on *nux as windows.”
Not if one sticks to open source applications. Just use the distribution’s package manager and stick to open source applications in the repositories.
No spyware or malware of any kind. Simple.
The same could be said for Windows, or any OS.
why can we not mod you down ?
you are a complete anti-linux troll,
you know right well that linux WILL NOT run spyware.
you know right well that even if a linux user installed the program himself, it would still not run on a linux system
if you cannot comprehend linux security model, then stfu and leave the replies to people who do
Er, what part of the “Linux security model” that isn’t being comprehended prevents userspace applications from making outgoing network connections and reading files in $HOME when explicitly executed?
Y’know, like, er, Evolution, Thunderbird, Firefox, GAIM, Konqueror and all those other Linux applications do?
Er, what part of the “Linux security model” that isn’t being comprehended prevents userspace applications from making outgoing network connections and reading files in $HOME when explicitly executed?
Y’know, like, er, Evolution, Thunderbird, Firefox, GAIM, Konqueror and all those other Linux applications do?
Er, the fact that since the source is open, slipping in malicious code would be like sneaking into Fort Knox with a full drum core.
I kind of sympathise with this – even in user mode it is not quite a simple business for an unauhorised user to install malicious software on a Linux box. Maybe a determined hacker could – although this would still be hard without actual physical access to the machine, but you average casual spyware vendor is unlikely to have either the time, the patience, the energy, or the resources to try.
Besides you are hitting such a relatively small user base that there is really no profit in it for a criminal to try this.
Linux has an inherantly more secure security model – whatever the MS publicity hawks might claim.
GJ
“I kind of sympathise with this – even in user mode it is not quite a simple business for an unauhorised user to install malicious software on a Linux box”
Hmmm…click on Java Web Start app. Download, click OK on box*, there it is.
*Yes I know that one has to click on an OK box, but then you have to do that with some Windows software too. As one poster already pointed out. The weakest link isn’t the software but the user, and no amount of technology is going to fix that particular problem.
That is a pretty dubious answer, you might well install something in your browser – but it will still have very limited privileges with regard to the rest of your system. Besides this does require some pretty wilful action on behalf of a user – I can’t imagine a Linux user doing this without being pretty sure about what they were doing. It is harder to make that kind of mistake in Linux – because Linux forces you to think a lot harder about these things.
It is at least certainly much harder to make a Linux user install something by just sneaking it past them – as so often seems to be the case with Windows.
Besides which as I said, despite MS’ relentless squealing about the relative merits of the Windows and Linux security models, you have to remember that in the last maybe 5 years there have been literally zillions of spyware and virus infections of Windows machines – and that zillions more spyware apps and viruses are written every day. It doesn’t matter if MS says that ‘Linux patched more security flaws than Windows’ – because in the end none of those so called flaws ended up in any outbreak of serious infection for perhaps even as much as one Linux machine. There have been a couple of proof of concept viruses, but they were written by Linux users too, potentially to expose a flaw – and any vulnerability they uncovered has no doubt long since been patched.
What is different between the Linux world and the Windows world is that the Linux world is made up with a large percentage of very competent hackers. So it is the Linux users themselves who tend to be the ones who find and fix the vast majority of these flaws.
You can call it ‘security through obscurity’ if you want. But I don’t think it is all just a big accident that Linux has been so unscathed by viruses and spyware. I think it is easy to see how the Linux security model (even the bit where users are expected to actively contribute to their own security) is an inherently more robust security model.
It is very much harder to just move around in a Linux box, without the correct permissions set. I mean if even I can’t open certain critical files and folders without the correct authority, then just how easy exactly is someone else going to find this? No the reason Linux is not attacked nearly so much is because Windows is so much more open and easy to exploit – whereas Linux simply isn’t.
As I said, the level of effort required to seriously compromise a Linux machine is probably just not worthwhile or profitable enough for your average criminal to try. They tend to want a fast buck remember – and they also want maximum return. Linux users are unlikely to give them either of these.
GJ
That is a pretty dubious answer, you might well install something in your browser – but it will still have very limited privileges with regard to the rest of your system. Besides this does require some pretty wilful action on behalf of a user – I can’t imagine a Linux user doing this without being pretty sure about what they were doing. It is harder to make that kind of mistake in Linux – because Linux forces you to think a lot harder about these things.
I think most people who talk about this are referring to if the time ever comes when the current Windows masses stop using Windows and start using Linux. Currently Linux is used by Geeks who know better than to install spyware; but you get the current Windows users who love to have a purple ape on their desktop or an app that tells them the weather, on to Linux and they’ll install the same apps once the companies start producing it. So many current Linux users think there will be this utopian society where all software will be free and open source, all users will be able to type apt-get install photoshop, and install these apps; there will be no more spyware, trojans, etc. That’s all based on the current Linux user base; not the user base that currently uses Windows.
looncraz – wise up, anyone can write a script to remove a users files, or even a script that will allow the root to delete the system, that is not a virus you have wrote, kust a script, you need to find out how to activate and propogate it, also, like I said earlier, SELinux profiles when in use do not let root delete files either !
if it was so easy to write a virus to destroy linux, do you not think MS would have employed someone to covertly release one years ago ?
and what about some MS sponsored spyware what will bring linux into disrepute ?
Nah – if it was SO easy to exploit linux, no matter how many user linux has, it would have been exploited long ago.
btw – I was saying Thom Holwerda should not be a moderator at this site as he is an anti linux troll who mods things down to -5 if he disagrees with them, big fucking kid
“Nah – if it was SO easy to exploit linux, no matter how many user linux has, it would have been exploited long ago.”
Let’s see: Nah – if it was SO easy to exploit [blank], no matter how many user [blank] has, it would have been exploited long ago.
Am I the only one who has a problem with the above? How about: if flying was so easy, why didn’t mankind discover how sooner?*
*After all the basic principles upon which it’s based, are easy to understand…in hindsight.
But it’s easier to remove and doesn’t install itself as easily. On Windows machines I’ve had spyware that lurked inside Windows system folders and hid itself somehow so that the only way to remove it is delete dozen files by hand in recovery console.
In Unix/Linux, an admin can easily remove the executable option for user directories and prevent users from running downloaded software/spyware. In Windows this is much harder especially when ActiveX is enabled which so many web site insist on.
what OS was that evil stuff infesting? don’t tell me it’s Windows again…
I am a hard core BSD-Linux advocate who works with M$ on a daily basis. It’s a small segment of 10 servers and massive boatload of clients across our campus into labs, classrooms, smart classrooms, tech labs, mobile systems, and others. All but one server, insert appropriate smile here, run M$.
A good systems administrator, either M$ or BSD/Linux can secure the servers and clean or lock down the clients.
The whole spyware/malware/virus activity is basically a user activity issue. Granted, there are surf-by downloads, but this too sums up to user activity.
Changes in user activity are needed. The main reason I changed to Linux is I got bit in the @$$ with identity theft from someone in the family using a pre-2000 machine at someone else’s house for banking-related use.
While that family member still uses Xtra-Plump with the most latest service ‘pucks’ and all the patches, I guarantee she is more secure in her sensitive surfing. She doesn’t download “Mega Cool Awesome Web Browser” add-ons and “Smiley Hot-Hot Barred” crap. Lesson learned.
For me it forced me to move on to a completely new operating system based upon the POSIX model. I learned how secure ports, manage file system properties, monitor logs, etc., etc., etc., and etc.
Since going completely M$-free in Oct. 2003, my personal computer has had zero Mal-ware, Spy-ware, Key-loggers, Intrusions, Virii, Crashes, Lock-ups, and other annoyances that used to slowed down my productivity. Backups and restores are easy as hell. An ‘aware’ M$ user can do the same – even without paying a dime in cost.
I still get port scans on a daily basis from M$ zombies and compromised Linux systems (mostly in China) but I usually drop and reject them.
SO I’ll let you come to your own conclusions. But one thing is certain – user activity has to change.
For a linux or BSD advocate, your post was one of the most reasonable ones I have seen in OSnews in some time.
Bravo.
If I were the criminals involved in this scam, I’d have washed the dishes, wiped the fingerprints, and be long gone by now. Why not wait until the people are caught before advertising the fact you’ve discovered them?
Yup, that’s a good point. We certainly had no intention of going broad with this, but when we first contacted the FBI, there was no indication at all that they were going to jump on it (in fact, total and complete silence, but we now know that they were on the case).
So after waiting, we broke it on the company blog. Our fear was the opposite — that while this thing was still live, no authorities were going to do anything about it, and it sure seemed like that was the case at the time.
We’ve kept all the information on the whereabouts completely secret and the FBI has the data now.
Alex Eckelberry
Sunbelt
Well, I just wrote a full fledged virus for linux. In about seven minutes.
It completely erases all data on your system by utilizing the IPC system, after killing off x.
Of course, you have to be running as root, which I will fix soon enough.
This is the first time I ever wrote anything for Linux, hope y’all enjoy it if I ever decide spread (which it has no mechanism for.. on purpose).
Of course, I could have always just made a script rm -rf /* & and let it run in the background, very quickly destroying everything you have, that I can access.
Problem is, if your not root when I do this, then after I trash everything I can, Linux will likely still start perfectly fine, albeit with one entire user’s worth of data completely gone. And anything that the user has access to.
My next step is to hack my way into kernel space to get past the root password, make myself root, and wipe out everything nicely.
I also thought about a nice little porting (if even needed) of Haiku’s File System (i.e.openBFS) and slime my way into RAM, force off your data from memory.. followed by ALL partitions on your hard drive, replacing it with one large Haiku FS partition with a nice little boot loader that simply tells you that you got screwed.
It is all open. AND, having access to the source code will just allow me to import globs of code, and alow me to link against, and merge into, the kernel ‘live’. I have already done this with every version of BeOS, and also with Windows (the kernel-mode part) and OS/2 (which is far more secure than Linux appears to be). I doubt Linux could hold me out.
Of course, the years of O.S. programming experience sort of give me an advantage, sure. But I can always sell my talents.
Any offers? I will need about $40 million to start. Though if you want it on Windows.. well… we have enough crap slowing up my internet connection.
–The loon
Hey Loon.
How goes it. How about a PhOS? Seriously. A PhOS that erases Zeta installs. <joke>
I would love a PhOS that is a server.
Did anyone even read the article? All comments here are again why Linux is better or why it’s not, as if it’s the only thing that matters.
What’s really interesting is that this company or whatever is claiming this: “Right now, we’re sitting upon literally thousands of pages of stolen identities that are being used right now.” Also citing how they actually had access to all that data including some “pedophile fellow” and bank accounts. Let me ask – if the servers collecting data don’t belong to them, how was it possible for them to discover about that unlucky pedophile? Or is this “spyware” broadcasts the data to the internet choosing addresses at random? Eh?
i can’t remember if it was this article or another, but aparently the data was getting sent to a webserver that allowed anyone to read the data off it.
Hey loon (appropriate name BTW) you feel like spreading that virus feel free – really at the end of the day though there are a lot of very smart people working with and using Linux – and no matter how smart you think you are, there is always someone who is smarter than you. I am not personally looking for perfect security – as I don’t think such a thing exists – nor did anyone ever say that it was impossible to write a virus for Linux. It should as you say, be really quite easy. The issue of security comes with how you propogate that virus. How many Linux users for example do you really seriously think will be tempted to run some unsolicied script someone sends them as an attachment in an email? You will always get one or two dumb users, but not enough to cause serious impact to the wider community. Anyway, instead of wasting your time, why not work to improve security? If you have found a flaw as you say you have – why as you say ‘be a slime’ – why not do something positive and improve security in Linux (and other OS’) for the better? It seems more productive to me than risking potentially serving time in jail.
In any case I don’t think as someone mentioned, that Linux ever really will be for the masses. In Linux you won’t ever get away from the command line. Sooner or later you are going to need it. This always tends to throw new users – as they are so used to the ease and comfort of their point and click little Windows world that actually needing to think about anything is beyond them. Which – again like most Linux users – kind of suits me, because realistically I don’t want masses of n00bs moving to Linux and screwing things up for the rest of us. Make it too easy – and almost certainly the n00bs will come. And if and when they do maybe then peeps like Mr Loon may well have their day.
Anyway back on topic, Sunbelt are a good company. Their anti-spyware app beats the pants off of everything else out there. (Which includes SSD and Adaware). So if they say they have found a major leak, they are probably worth listening to.
GJ
Agreed. Alex is a good guy. Although he will have issues with Microsoft for a long time to come.
You can just as easily sneak in spyware with a piece of legit software (or any software that is to be installed) as in Windows.
In IE, the ActiveX controls will NOT install unless you say that it is ok to. This is NO different than running any installer yourself (on any platform).
This is what you zealots fair to realize (or admit, as the case may be).
I thought the DMCA was specifically designed to help corporations do stuff like this and screw everyone’s life over for more profit?
One day it will be well known that Windows itself is one giant spyware system. And no one will be surprised.
“You can just as easily sneak in spyware with a piece of legit software (or any software that is to be installed) as in Windows.”
Says a guy who has obviously never used Linux – and probably doesn’t even know what it is.
In Linux ‘installing spyware’ would require you downloading a script (not an ‘installer’) opening that script, reading it, then assigning permissions to it, then executing the script as root. This is not the same ‘click, click, click process that takes place in windows – you have to think about it and it takes you much longer to do than it does in Windows. Yoiu are certainly not going to catch many Linux users going through this entire proccess, simply to execute some script when have no idea where it came from, or what it’s real function is. Slipping these things past Linux users is harder, if simply due to the level of effort required to do so.
Linux users don’t tend to just click on things randomly (even in web pages) so again one of the weak points is the user. But in the case of Linux, more often than not, due to the savvy nature of the Linux user base, the user is actually one of the strong points. And for those who are not strong the OS tends to shield them from a lot of harm anyway.
GJ
Comeing from someone who has messed around with Linux since Redhat 5.1…. actually.
You DO NOT have to be root for a program to spy on you. Now for it to mess up your system, yeah, you do. Same with Windows, actually, it’s just everyone runs as administrator.
You are basically arguing that Linux can resist spyware better because the users are smarter.
No, not just that, – also because ‘spyware’ would have a very limited scope in the kind of data it could acquire. If you are talking about cookies – well maybe – but cookies are something we all deal with – I don’t think they really qualify as ‘spyware’.
We don’t have actibveX in Linux, remember? Things can’t just randomly install themselves without the correct permissions set. And to set these permissions requires some really quite detailed user interaction. It is by no means click, click, click as I have said.
Besides if I am an ‘average’ linux user – which I think I am – then I know only too well how to configure my IP tables and my router and I know pretty much exactly what traffic to allow and what to refuse.
These sort of things interest me – oddly to you perhaps – but I regularly monitor my Web trafic looking for anything out of the ordinary – and I even have software that will point anything unusual out to me.
This is what I mean about average Linux users being more ‘security aware’ – although I wouldn’t say smarter, as that would just be arrogant.
However it is not as you imply just down to the user. It is also because the system forces users to behave more responsibly. It doesn’t as windows does, expect the user to change their behaviour, it tries by design to force them to actively think about security. If you can suggest some scheme whereby you sneak some kind of spyware past a properly configured Linux or Unix machine, feel free to try. I think you will find that it is not as easy as you seem to think.
GJ
ActiveX controls can not install themselves without user permission. This has ALWAYS been true. And now it is actually easy to disable the pesky ones.
You are either incredibly daft, or just plain ignorant. A properly set up Windows system can not be compromised in the same way either.
You are basing your idea that Linux is more secure because it’s user’s are more savvy. This is NOT a valid argument.
“In Linux ‘installing spyware’ would require you downloading a script (not an ‘installer’) opening that script, reading it, then assigning permissions to it, then executing the script as root.”
As a Linux user, why would I do that?
If I wanted to install software – I would get it using my package manager from a Debian repository.
How is a person like loon going to get his malicious scripts on to my system?
I hate it when people think that windows only run in admin mode. Did you guys ever use XP? XP runs perfectly well as a normal user, for installing software, you can use fast user switching and switch to Administrator, install the software and get back to normal user.
I wish i could shoot the person at Microsoft who thought it would be a good idea to make all users admin by default on Windows Home Edition. Stupid dumbass.
So now all you Linux fanboys, repeat after me:
“Windows OS by design has all security features than Linux has and even more in terms of fine-grained ACL but it is some stupid losers in Microsoft which decided to make everyone admin by default on the name of easy user experience. The same way Linspire makes everyone Root user by default.”
Did you repeat it? Good.
“I wish i could shoot the person at Microsoft who thought it would be a good idea to make all users admin by default on Windows Home Edition. Stupid dumbass.”
Careful. Billy may not like what you have to say. <joke>
Seriously. How many users beyond system administrators, who have been doing this a while and doing it properly, as-well-as advanced power users know how to properly set up a ‘proper’ M$-based system. Most users just run the default OEM install.
This whole issue boils down to user activity and criminal business.
How would you know for sure that you are indeed getting software from debian repository? Also what if there is a good app that doesn’t exist in opensource. How would you stop users from clicking links and executing binaries which says you can win 1000$.
Nope, you can’t avoid these kinds of attack. They can be mitigated with certain technologies but frankly Linux doesn’t have any.
In fact, Microsoft is taking initiative with signed binaries etc such that when you execute something on a system. you know for sure that its genuine.
Linux doesn’t have spyware because most linux users are technology savvy and have on an average more technical knowledge than average windows users. And the reason is because windows has 90% people and Linux has 5%. If Linux ever reaches 90%, problems will happen in Linux too.
you know you are getting from a debian repository from the fact that your package manager like apt or synaptic use a file called /etc/sources.list
this list tells you where the repositories are pointing to, whether they are debain or ubuntu or whatever… now no-one outside of your pc can edit this file, and you even have to be root to edit it yourself… THEREFORE your packages will be coming from an official repository, your first point is moot.
secondly, even if a user does click a link to offer them $1000, the “executable” code will not run on your PC.
I see from previous post you simply have no idea of what linux is and how it works, but I will give you a quick idea….
to run a program, you first have to install the program onto a “part” of your filesystem that supports binaries, like /usr/bin for example, now the first hurdle is that only root can write in /usr/bin
next the file has to be “made” into an executable by changing permissions into an executable file.
only now can the program run. In fact, this one one of the stumbling blocks that was slowing the adoption of linux in the first place !
but it also stops browsers/email clients/messenger programs.. in fact ANY user mode program from installing and running spyware.
So you see, it does not matter how many noobs linux has, the underlying security model will stop the spread of malware.
Also, what you all seem to forget is linux already has the majority of legal users in far eastern countries… so where is the spyware ?
where are the virus’s ?
where are the trojans ?
“to run a program, you first have to install the program onto a “part” of your filesystem that supports binaries, like /usr/bin for example, now the first hurdle is that only root can write in /usr/bin”
Name one Linux distribution that mounts /home, /var/tmp, /tmp and all other user-writable areas noexec by default.
“next the file has to be “made” into an executable by changing permissions into an executable file.”
Of course, a browser or other program bug giving shellcode capabilities would easily defeat this.
Not to mention the perhaps most important aspect of spyware and other malware: the social engineering.
Your linux-targetting spyware could simply instructs the downloading user to change the permissions manually.
“Your linux-targetting spyware could simply instructs the downloading user to change the permissions manually.”
Very funny. You are kidding, right?
We are talking Linux users here.
Either: they are clued up or they are not.
If they are clued up, they might have root password (it might be their own system) – but then they would recognise the value of a policy such as “only install open-source applications fro a repository”.
If they are not clued up – they are “Joe average users” – you expect them to know how to open a shell and chmod a download file to grant execute priveleges? Even if given crystal-clear instructions – which can’t be done anyway since every Linux distor is different.
You gotta be kidding me, right?
This is perhaps the lamest arguement I ever heard.
Are you from Team99 or whatever it is called? I call troll. Astroturfer.
“Very funny. You are kidding, right?”
No.
“We are talking Linux users here.”
We’re talking about wether it’s possible to create spyware/malware that runs on Linux, not about wether it’s current users will fall for it or not.
“If they are not clued up – they are “Joe average users” – you expect them to know how to open a shell and chmod a download file to grant execute priveleges?”
This is exactly how spyware and other malware works, pretending to be one thing but they are in fact something else. The more untrained people that uses Linux the wider the audience for these kind of applications. Simple instructions for changing the executable bit and launching the app in either Nautilus or Konquerer arent hard to write.
Spyware/malware is a social problem that can’t be properly solved by technical means, be it Linux, Windows or any other OS. The only viable long-term solution is educated users.
“Are you from Team99 or whatever it is called?”
No.
“I call troll.”
You want the truth? You cant handle the truth!
“Astroturfer.”
I’m sure that’s a really insulting term in your little part of the world.
>>”If they are not clued up – they are “Joe average users” – you expect them to know how to open a shell and chmod a download file to grant execute priveleges?”
This is exactly how spyware and other malware works, pretending to be one thing but they are in fact something else. The more untrained people that uses Linux the wider the audience for these kind of applications. Simple instructions for changing the executable bit and launching the app in either Nautilus or Konquerer arent hard to write.
Spyware/malware is a social problem that can’t be properly solved by technical means, be it Linux, Windows or any other OS. The only viable long-term solution is educated users. <<
Sigh.
You really don’t understand, do you.
If you were patient enough and wrote a really convincing spiel, it is just within the bounds of possibility that one could “social engineer” a clueless user on a Linux system into opening a shell and chmod a file that had just been downloaded to give it execute priveleges, then executing that file.
The problem is, it won’t get you very far. It would cause problems only for that user. Word about these “instructions” would spread across the net. The real system administrators could locate and remove any such stuff very easily indeed.
But most administrators would take the easiest approach – create a “clued-in” group and allow only members of that group to run chmod. That way, clueless “Joe averages” would not be allowed to make anything executable – and they could not then follow the “social engineering” instructions even if they tried.
“You really don’t understand, do you.”
I understand what spyware does perfectly well.
“The problem is, it won’t get you very far. It would cause problems only for that user.”
It appears you dont understand what spyware does. Spyware does not compromise your system, it compromises your personal information, something that is readily available to any program running with your users privilieges. Causing problem for that user *IS* the problem.
“But most administrators would take the easiest approach – create a “clued-in” group and allow only members of that group to run chmod. That way, clueless “Joe averages” would not be allowed to make anything executable – and they could not then follow the “social engineering” instructions even if they tried.”
That’s all nice and well for strictly controlled environments but when the system is used by a homeuser there is no responsible admin, only the one person (or persons, maybe) using it.
“It appears you dont understand what spyware does. Spyware does not compromise your system, it compromises your personal information, something that is readily available to any program running with your users privilieges. Causing problem for that user *IS* the problem.”
Yes, I do understand perfectly well.
What you fail to understand is that there is precious little incentive on a Linux system to “social engineer” people by. It is not like you can save a fortune by downloading the latest l33t application or anything.
“That’s all nice and well for strictly controlled environments but when the system is used by a homeuser there is no responsible admin, only the one person (or persons, maybe) using it.”
So we get back to the fundamentals – we are talking about a person motivated enough, brave enough, to partition his system and create a dual-boot – or destroy the Windows partition – and run a Linux CD and install the new OS (note: Linux live CDs cannot be corrupted by any wares at all).
Such a person probably has a security motive for doing that in the first place.
So – spread the word – you want to keep your new Linux system clean and secure? Then only install open-source applications from a repository. Do not install or run anything else. BEWARE THE CHMOD!
People who are keen for security and follow that advice – will have zero problems.
People who do not – might get a problem (very unlikely but it is possible).
Which gets back to exactly what I said in the first place.
“Such a person probably has a security motive for doing that in the first place.”
(…)
“People who are keen for security and follow that advice – will have zero problems.”
This is, as much as I hate to say it, the same on Windows. If you’re security aware you will not get hit by Spyware.
“People who do not – might get a problem (very unlikely but it is possible).”
These people are the problem. Since Linux penetration on the desktop market is still, in comparison with Windows, relatively small there is not incentive for the spyware makers to target Linux right now. If/when (depending on who you talk to) Linux get a seriously big market share this *will* be a problem since there will be many more users who aren’t security aware and ripe for targetting.
“So – spread the word – you want to keep your new Linux system clean and secure? Then only install open-source applications from a repository.”
OSS is not a solution to the spyware problem. Everyone who is security aware knows what applications are spyware and wich are not. The problem is that “Joe User” don’t know and dont care to know. The percentage of Joe Users that know or care wont’ go up just because the application is OSS’ed.
The solution is to make users security aware and make them care.
“OSS is not a solution to the spyware problem.”
Yes, it is. This solution has no equivalent in Windows.
There is no such thing as OSS malware. So use just OSS. This is easily identifiable – it is that set of software which you can get using your package manager.
“Everyone who is security aware knows what applications are spyware and wich are not. The problem is that “Joe User” don’t know and dont care to know. The percentage of Joe Users that know or care wont’ go up just because the application is OSS’ed.”
Begs the point. If a Joe user has Windows – he will cop all sorts of malware.
If he has Linux – far, far less likely to happen.
If he has Linux and pays heed to one simple rule – it won’t happen.
“The solution is to make users security aware and make them care”
That is one solution – change the world & improve all the people in it.
Or we could do it the actually achieveable way.
“Yes, it is. This solution has no equivalent in Windows.”
Perhaps you have been living under a rock for the last 10 years but there is OSS software on Windows.
And there is non-OSS software on Linux.
Again, OSS is NOT a solution to the spyware problem. Just because there is no OSS malware at the moment does not mean there couldnt be or that there never will be.
The problem is not that spyware cant be identified, the problem is to make users aware of it and how it works. It helps little if the computing elite knows something is spyware if the big majority doesnt know and doesnt care.
“That is one solution – change the world & improve all the people in it.”
“Or we could do it the actually achieveable way.”
Because switching the entire planet to OSS and Linux is achieveable in the short term….
It’s not a technical problem, it cant be solved by technical means.
“How would you know for sure that you are indeed getting software from debian repository?”
GPG (GNU Privacy Guard – or something like that – a PGP work-alike). Repositories are signed.
“Also what if there is a good app that doesn’t exist in opensource.”
Name one. Especially, name one which might have spyware and which I could not find a better alternative amongst the 17000+ packages in the Debian repositories.
Oh, BTW, if you name a good commercial application – how is that any different from a good commercial application on Windows?
“How would you stop users from clicking links and executing binaries which says you can win 1000$.”
If they did, then you have two further things to get past: (1) Tell me how an external binary can get execute priveledges under Linux without user approval, and (2) tell me how such an act would do anything other than harm that user – it would not affect MY system. For once and for all – users do not have the root password and they cannot install applications which would have elevated access to the system.
“Nope, you can’t avoid these kinds of attack.”
Yes I can. I do it by not running Windows, and by using only open source applications from a Debian repository.
This approach works perfectly.
“They can be mitigated with certain technologies but frankly Linux doesn’t have any.”
Yes it does. e.g Clamav. This is not necessary however if one uses only open source applications.
I think you a mired in Windows-think here.
“In fact, Microsoft is taking initiative with signed binaries etc such that when you execute something on a system. you know for sure that its genuine.”
See above – binaries in Debian repositories are already signed. If Microsoft is only getting there now, it is years behind. Further, I can’t see how this could work for closed-source applications which are not from Microsoft.
“Linux doesn’t have spyware because most linux users are technology savvy and have on an average more technical knowledge than average windows users. And the reason is because windows has 90% people and Linux has 5%. If Linux ever reaches 90%, problems will happen in Linux too.”
Linux will have problems if it is used the way Windows is now.
However, if people do stick to the very simple policy – “use only open-source applications from the distribution repositories” then Linux will not have problems. This policy is very easy to stick to and is guaranteed to keep a system clean.
Malware authors will not be able to insert source with malware embedded into repositories – it would be impossible to disguise and it would be removed pronto if it ever was successfully disguised. I can’t see how it could be done.
Again, EXACTLY the same is true in Windows.
Unless there is a remote execute hole, NO application can be installed w/o user permission (not even ActiveX controls). And if you are using the system properly, not running as Admin, then the malware can not do anything except mess up that user’s personal settings.
I say this, probably to you, again and again, everytime this comes up. If you stick to open source on Windows, then the same will be true.
“Again, EXACTLY the same is true in Windows.”
No it is not. Why do you even try to pretend that is so?
“Unless there is a remote execute hole, NO application can be installed w/o user permission (not even ActiveX controls). And if you are using the system properly, not running as Admin, then the malware can not do anything except mess up that user’s personal settings.”
As far as I know, there is no way to secure Windows and run everything as a non-Admin.
That is just not feasible in a “Joe user on his own machine” setting.
“I say this, probably to you, again and again, everytime this comes up. If you stick to open source on Windows, then the same will be true.”
Again, not true. The OS itself and all of its internet access is closed source. You cannot “stick to open source” on Windows, and as soon as you have Windows you have spyware right there.
Spyware would not be as easy to install on linux, for one. Two making open source spyware is a very stupid idea. Three desktop linux based spyware would be discovered if any particular package became popular.
Spyware is just not a reality on the Linux platform right now or in the near future. Neither are viruses, worms, and the like. Linux users are not immune to phishing though, for as you said, the human is the weakest link and i’ll add, unless you are building a chaing out of sand (read windows).
“Neither are viruses, worms, and the like.”
Sure there are. The Morris Worm is a classic but there has been many since (such as Lion and Ramen).
Or did you mean ones that targets desktop users in particular?
Look, this is easily settled. How many spyware apps is there for Linux? Where really are all these clueless users? And where are these Linux systems that are all left open by default to allow such clueless users to do such things? The answer is they don’t exist.
Some years ago I know that Linspire (or Lindows as it was known then) did log the user on with full root privlidges – but they recieved so much derision and criticism from the wider Linux community that they changed this policy pretty pronto. The truth is the were an aboration in this regard – because this is not common practice among 99% of the distros out there.
“That’s all nice and well for strictly controlled environments but when the system is used by a homeuser there is no responsible admin, only the one person (or persons, maybe) using it.”
Well that is the thing. Because unlike Windows Linux forces new users to behave like responsible administrators from the start. Why do you think so many new users complain that ‘Linux is too hard’? This is because a large percentage of the time they simply do not have permisions set to do things in Linux that would be almost second nature for them to do in Windows. Nor is it quite so easy for them to change these permsssions In Linux as it is in Windows. There are several significant hoops they must jump through first.
I am not worried about ‘new clueless users’. It might be possible to use social engineering to force them to do things – but you have to realise that the majority of new users will not even know what the chmod command is, or how to use it to properly set permissions, or how to log on as root and so on.
Really once they do undestand all of these things, the mere fact that they have to interact with the Linux security model in this way (and also often with other Linux users – who will warn them routinely about the evils of root access) forces them to actively think about security anyway, so just using this model forces users to learn more about security and to behave more responsibly. Which I think is something MS could certainly learn from.
Call it ‘reverse social engineering’ if you want. But it is certainly possible to control a users behaviour much more effectively by forcing them to interact with the security model in this way. But Microsoft have opted to neglect this fact in favour of ‘ease of use.’ Still, that is their choice I guess.
GJ
My parent’s use linux. Neither of them are geeks. Also they don’t really know better than to install spyware either. They happen to have a window’s laptop (XP), and since they got it maybe 6 months ago, it has began to perform worse and worse. The other day, my mother even said she wanted to get linux on it (it would dual boot because we still need windows to update my dad’s PDA).
Now this is not saying that having linux spyware is not possible, but the effect is much less. Infections will be restricted to one account. Linux is much eaiser to patch with updates than windows is (especially the debian variety). Any such “spyware” programs would be examined by linux users, “geeks” as you call them, and found to be harmful. Mass warnings on sites such as these would then be issued, and users would be warned to stay away from certain software.
To sum it up, the spyware threat on linux today is non-existant, not to say that it could not become a small problem in the distant future, but our resistance does not come from the lack of linux systems. It instead stems somewhat from our more technical userbase, but more so from the secure design of the system we use.
I know plenty of highly technical windows users infected with spyware, why? Because it is hard to get clean and hard to stay clean. Any way, I feel like I am wasting my time here…
“Perhaps you have been living under a rock for the last 10 years but there is OSS software on Windows. And there is non-OSS software on Linux.”
Are you intentionally thick? Where did I say anything contrary to that?
However – there is no way to have only OSS on Windows (since Windows itself is not OSS). There is no one place where only OSS for Windows is found – it is not at all easy to identify the OSS for Windows from the rest. There is – pure and simple – not anything on Windows which comes within light years of a Linux repository.
I repeat – this solution is not available for Windows systems.
“Again, OSS is NOT a solution to the spyware problem.”
Yes, it is. It is a perfectly viable solution. It works perfectly. You have not said one thing that even comes close to making it not work. Your saying something doesn’t make it so.
“Just because there is no OSS malware at the moment does not mean there couldnt be or that there never will be.”
Yes, it does. OSS software is Open Source – people all over the world who might use the software can examine the source. One can’t put spyware in it because the people who you would be spying on will see your spy camera.
>>”Or we could do it the actually achieveable way.”<<
“Because switching the entire planet to OSS and Linux is achieveable in the short term”.
Is it? I wouldn’t have thought so. But then I didn’t say “entire planet” – you did. I’m not at all impressed with you strawman, you know.
What is achieveable is this – anyone who wants a perfectly useable functional capable computer chock full of modern free and fully capable applications with no spyware or malware guaranteed – then install Linux and stick to only software that you can install using your package manager.
Anyone who doesn’t want that – don’t bother.
“However – there is no way to have only OSS on Windows”
I hope you’re not using the nVidia Linux video drivers since they’re, you know, closed source and that would make your Linux installation not OSS.
“One can’t put spyware in it because the people who you would be spying on will see your spy camera.”
Are you intentionally thick? The problem is not identifying spyware and and not everyone will be able to download the code and understand what it does, unless you plan on educating all computer users in every language in use.
The problem is that people dont know enough to make an informed choice about what to use and how to use it.
“I’m not at all impressed with you strawman, you know.”
I’m not impressed with your solution of burying your head in the sand and ignore the real problem.
“What is achieveable is this – anyone who wants a perfectly useable functional capable computer chock full of modern free and fully capable applications with no spyware or malware guaranteed – then install Linux and stick to only software that you can install using your package manager.”
Right, and how do you achieve this? By *educating* people about what to do and how to be a responsible computer user.
“Anyone who doesn’t want that – don’t bother.”
Yeah, just ignore the problem and it will go away. Spyware is everyone’s problem and pretending it cant exist on your platform of choice doesnt solve anything.
>>”One can’t put spyware in it because the people who you would be spying on will see your spy camera.”<<
“Are you intentionally thick? The problem is not identifying spyware and and not everyone will be able to download the code and understand what it does, unless you plan on educating all computer users in every language in use.”
Now you are being really stupid.
We are talking about OSS software which has been put into repositories. It is open source – people who might want to use that code can see it and vet it. The fact that it has been vetted by some who are not the authors and who put it into the repositories and who use it themselves is guarantee that it contains no malware.
It does not require every end user to read and understand the code in order to benefit from the fact that it is vetted.
“We are talking about OSS software which has been put into repositories. It is open source – people who might want to use that code can see it and vet it. The fact that it has been vetted by some who are not the authors and who put it into the repositories and who use it themselves is guarantee that it contains no malware.”
You seem to think that there is no other way to easily install a simple application on any Linux distribution than by using the official repositories. Unfortunately, that’s not true. Heard of shar archives? Or static binaries?
Spyway doesnt even have to be a compiled binary, it could just be a shell script that downloads and executes the real spyware app.
>>”You seem to think that there is no other way to easily install a simple application on any Linux distribution than by using the official repositories. Unfortunately, that’s not true. Heard of shar archives? Or static binaries?
Spyway doesnt even have to be a compiled binary, it could just be a shell script that downloads and executes the real spyware app.”<<
Once again the point here has been utterly missed.
The point is – “if one adopts a policy of only installing open source software form repositories using a package manager – then there will be no spyware or malware on your system”.
The point is NOT – “there is no way to get spyware on to a Linux system”.
The point is – “use the repositories only (and don’t run unknown scripts from wherever), and you won’t get spyware or malware”.
Now please go back to arguing the actual point.
“The point is – “use the repositories only (and don’t run unknown scripts from wherever), and you won’t get spyware or malware”.”
That’s common sense, not something inherent in Linux’ design. Dont install software from random sites and dont run unknown applications from wherever and you wont get spyware or malware on your Windows/OSX/Whatever box.
Besides, not all Linux distributons has central package repositories.
>>That’s common sense, not something inherent in Linux’ design. <<
Being open source is inherent in Linux design. The only bit that makes it true that “repositories are guaranteed not to contain spyware or malware” is the fact that they are open source repositories.
>>Dont install software from random sites and dont run unknown applications from wherever and you wont get spyware or malware on your Windows/OSX/Whatever box. <<
Sorry, but that is just not so. Windows itself is spyware. Even Windows “anti-spyware” application deliberately allows in a certain “approved” third party spyware application. There is all sorts of Windows software that requires “on-line registration” which is really just a disguised way of saying “give me your e-mail address so I can sell it to spammers”. Go to the CNet Windows “Download.com” site and the heavy majority of applications listed there are adware. And so on.
“Besides, not all Linux distributons has central package repositories.”
Most of them do – use one of those that do.
I recommend one that is based on Debian – I used to use MEPIS but recently I switched to KANOTIX.
However: SuSe, Fedora, Mandriva, Ubuntu, Gentoo, Slackware, PCLinuxOS, Yoper – there are many, many alternatives that do provide repositories.
Choose something from the top 20 or so of the “page hit ranking” list on this site: http://distrowatch.com/
“ActiveX controls can not install themselves without user permission. This has ALWAYS been true. And now it is actually easy to disable the pesky ones.
You are either incredibly daft, or just plain ignorant. A properly set up Windows system can not be compromised in the same way either.
You are basing your idea that Linux is more secure because it’s user’s are more savvy. This is NOT a valid argument.”
I think you are making the mistake of assuming that you are an average Windows user. You are not. As has been said many times – the vast majority of Windows users use their Windows machines with only the very minimum of security settings enabled.
I have watched with my own eyes as users clicked away on porn popups and activex installer scripts – ansd also how they ‘couldn’t work out why the task bar notification kept telling them that there were updates avaiable.’ I have been called out on jobs specifically just to make that stop, because the user found it ‘annoying.’
When you are dealing with that level of ignorance, how can you ever hope to have a secure system? Surely the only way to have a secure system is to force the user (as Linux does) to actively think about security – and to behave in a responsible and secure way?
Personally, I’d take security over ease of use any day.
GJ
Yeah, and guess what, you just proved my point. They still had to click “Yes” to install the ActiveX control.
The average user is going to be just as ignorant on Linux as he/she would on Windows.
“Yeah, just ignore the problem and it will go away. Spyware is everyone’s problem and pretending it cant exist on your platform of choice doesnt solve anything.”
Again the proof of the pudding is in the eating. It doesn’t exist. It genuinely doesn’t.
So end of argument.
The other thing worth noting that of all of the supposed security breaches found over the years in Linux – the vast majority of these were found and patched by Linux users. How often do you see Windows users patching their own security holes? Doesn’t that tell you that there is at least something different about the Linux user base?
GJ
I’ll compare Linux to an airline pilot, and Windows to an airline passenger.
If you were to ask an equal number of both “Hey, how many of you own and fly your own personal plane?” What do you think the results will be? I’m thinking that more of the pilots may have their own plane than the passengers.
In comparison, of course it makes sense that Linux users, with a large part of them very interested in development (like pilots to private planes) will be able to write their own patches. Why would you compare someone with a specialty to someone withoug (coding, in this example) if this is not what they do?
Nobody ever said there is a difference in the user base. The popularity of computers to the home is a huge thing, but with popularity (maybe even the necessity) of the internet for any descent computer experience, it is no wonder that we have all these problems. Yes, Windows does cater to the user to try and bring a fun and simplified computing experience to the masses, but this is also it’s achilles heel.
You can’t let your guard down on security, no matter what OS you use. Don’t feel comforted that by not using Windows you are OK. This is foolish. The risks are just different, but they are there.
Again, you are basing the security of a platform on the users who use it, and that just is NOT how it works.
How easy is it to run a non-executable file in linux? Like so:
sh <insert binary here>
For those that think the execute bit is a huge security bonus, you are mistaken. It is very easy (as in the example) to ask someone to type in a command after they have d/l’d a binary or script. Or even this one:
“Please run these commands and follow the prompts to play your new free game:
su –
sh <insert binary game here>”
So, big deal, same as in Windows, if the user does not know what the implications are of what they are doing, they are *OWNED*.
Also, on the topic of having secured repositories, these can get fooled with DNS poisoning, a hosts file modification, or some other techniques to redirect any app to a malware site.
Linux (and any OS, probably) can be OWNED if the operator is not security conscious and just blindly follows commands, which many computer users are more than happy to do because THEY DON’T KNOW the outcome of each action they take.
Even those of us who try to keep up will at some point have to TRUST something. Maybe those in the know trust less, but still, at some point, you trust the distro you just installed is clean and the package maintainer did not put in some goodies.
Think about it.
Firstly – one must put an execute bit AFAIK on anything to make it executable.
>>Even those of us who try to keep up will at some point have to TRUST something. Maybe those in the know trust less, but still, at some point, you trust the distro you just installed is clean and the package maintainer did not put in some goodies. <<
Not this is a half decent point – if we were not talking about open source.
But we are talking about OPEN SOURCE repositories.
The TRUST bit comes about because Open Source says “SHOW ME THE CODE” !!!!
Everybody who might want to use the repositories can see the code if they want to. Many who do use the code (including those who maintain the repositories) and who did not write the code are nevertheless perfectly capable of seeing how it works. This is the very heart and soul of Open Source.
Those who have the skills to know what they are examining have seen the code and they use it themselves – therefore it contains no malware.
That is the guarantee of Open Source.
That is never going to happen. This is one of the main reason why Windows is so successful. It has the biggest software collection known to mankind.
Linux is good system for geeks and software professionals who want power tools but not for average users. As we mostly develop software for average users, i think as a software developer we have to use Windows. And frankly, i hated windows in Windows 98 days but since i moved to XP, i like it. It has all the features that Linux gives me + ease of use.
And once again, i mostly run in “NORMAL USER” account and all the applications world in “NORMAL USER” account. so a spyware infection only stays in one user account. I can delete user’s home directory which is “documents and settingsusername” on windows and go happy on my way.
“Think about it.”
I did – and it just does not seem credible that Linux users en mass could be fooled into doing this. Maybe one or two of the dumbest of the dumb – but any large scale attack would still be improbable.
What you are talking about is asking a bunch of people to jump through a whole bunch of hoops just to install some trival piece of Lord knows what.
If users install from only trusted repositories, then why exactly would they need to do this? What is the motivation?
The thing that you miss is the actual idea of community. Linux is a community in the way that Windows can never be. If someone did try this kind of spoofing tactic, they would be quickly exposed and warnings would be sent out almost immediately – and no doubtt patches would be quickly built and released too.
In the absence of any real commecial interest, there is simply no motivation for developers to breach trust in this way.
It simply makes no sense at all for them to do it – and even if they did, what would be the point if all their effort could only reach a few systems and have a minimal impact?
But still you persist in your delusion that Linux is somehow riddled with spyware.
Again I ask you, if this is true, where is it? Where?
I have never seen any, never heard of any and never encountered any.
So just point me to even one company that specifically targets Linux?
You obviously have no real idea what you are talking about.
I never said “en masse”, so quit changing the point. I was merely pointing out that Linux, if people want to, can be owned, and pointed out some simple ways of doing it.
Whether you think Windows has a community or not is irrelevant to my point.
Let me repeat…don’t get too cozy thinking Linux is “secure”. Obviously, Windows has some serious flaws that Linux does not have, but as the level of integration goes up, so too do the security exposures.
The final word is that you must always keep your guard up, no matter what OS.
Oh, and to reply to my own post, let’s assume we are not just talking “linux, the kernel”, but GNU/Linux, the OS.
There have been quite a few Linux security problems with all sorts of apps…SSH, zlib, MySQL, PHPBB, etc (oh, Firefox too).
I use Windows and Linux, and I take the time to analyze each one’s config and try to lock it down as best as possible. Each one is different, but many of the concepts are the same.
You have to be vigilant, my friend, and not take the emotionaly approach you seem to be taking with the Windows VS Linux thing.
I’m not judging the OSS development model, so please don’t bring up that vs the closed source debate, umK?
“There have been quite a few Linux security problems with all sorts of apps…SSH, zlib, MySQL, PHPBB, etc (oh, Firefox too).”
Again these vulnerabilities were in general found and fixed by users. If that doesn’t tell you about the difference in attitude to security beween Windows users and Linux users, then I guess nothing ever will.
GJ
“Once again people, security comes down to people, not technological solutions.”
That is just you being an MS appologist. If as Linux does, you can build a system that forces users to consider security, then clearly a large part of the answer can be technological. As I said,you can take a leaf from the spyware writer’s book and call it ‘reverse social engineering’if you want. You can alter a users behaviour and re-educate them by putting a strict security regime in practice from the minute the turn on their machines to the minute they switch them off.
All you need to do is build your system in such a way that users always need to consider the issue of security in almost all of the things they do – which due to individual permissions on individual applications and directories is already true of Linux. Just having some lame popup box that reminds people that ‘they might be at risk’ if they don’t install this or that commercial app – as does Microsoft’s so called security centre – isn’t nearly enough.
You need your regime to have a lot of restrictions in place so that you can *make* your users have to deal with them – and in so doing actively teach them the value and the meaning of security.
That isn’t something Windows does at all – as clearly whether a non admin account is more secure or not, the vast majority of Windows users do NOT run non admin accounts. Nor have they any real idea about the level of risk that their lack of understanding exposes them to.
Technology very much can alter this behaviour, if those designing that technology are prepared to try.
GJ
Not to be contrary, but it does (and does it MUCH better than Linux).
You can restrict so much with simple group policies, so much more than you can with Linux, especially since Linux doesn’t have a set shell or UI.
You are comparing a fully administered Linux/Unix system with a Windows system that belongs to some dumbass.
The vast majority of Windows users ARE technologically illiterate.
GJ
“Technology very much can alter this behaviour, if those designing that technology are prepared to try.”
Try to your hearts content. It still doesn’t change the fact that security and “ease of use” are at odds with each other. The more hoops you make people jump through to use your OS. The less inclined they are to use it. Educating people about security while not so “gee whiz” in any geeks book, is more effective over the long run. And less breakable than any technological solution.
“Try to your hearts content. It still doesn’t change the fact that security and “ease of use” are at odds with each other. The more hoops you make people jump through to use your OS. The less inclined they are to use it. Educating people about security while not so “gee whiz” in any geeks book, is more effective over the long run. And less breakable than any technological solution.”
Well you see that is the problem. Because what you are saying is that security is really just a geeks concern. That is a very common attitude which has led to the current state of affairs. You appear to imagine that all Windows users have their machines routinely locked down in a similar way that you do (if indeed you do)- but as I actually work in a support centre I can very much assure you that this is NOT the case.
Indeed something like 60% of the calls we get are to do with Viruses and syware. Why else could this be – and why could such massive numbers of systems such as in the above story be compromised – if indeed it were not true that most Windows users were simply clueless about security?
You say ‘educate them’ – and on that score I agree – but I think the education has to come in the way people use an OS. Ease of use is all that much use if you risk having your identity stolen and your bank accounts emptied. By not making users think about secuity – by not forcing them to consider these issues you are effectively preventing them from learning the real value of security.
I say use the technology to educate them – whereas you say – well I’m not clear what you are saying. You want to educate them how? Do you imagine that the vast majority of computer users regularly (or even ever) read sites like this? Because I assure you they don’t. They epect their computer to work like a washing machine. They expect to turn it on and for it ‘just to work’. There is certainly no expectation at all that their computer might pose any significant danger to their personal or financial security. No one ever really thinks that their computer is seriously capable of doing them any harm. But of course as we know, the truth is it can. So again how exactly are you going to reach into people’s homes and change their behaviour by your method of education? Technology can do this it can reach into people’s homes it can teach them the value of security over ease of use. The two are not as has been implied ‘incompatable’ – but you must certainly educate people about the value in surrendering at least a little of that ease of use to ensure their own personal security and to teach them how to behave responsibly.
If they are like most switchers who have swiched from Windows to a more secure OS, they will (as I did) quickly come to value the increased security and will be happy to surrender that little bit of extra ease of use for the added peace of mind that this will give them.
Indeed my own experience is that it really IS like being re-educated – because quite soon typing a password to do most things on your PC things does become second nature. So in time you forget what you ever found difficult about it to begin with.
GJ
you windows fanboys have had the facts in black and white for years…
linux is infinately more secure than windows
but you still cannot see the wood for the trees
stop making excuses, there is none !
“you windows fanboys have had the facts in black and white for years…”
I havent used Windows for years so no, i’m not a Windows fanboi. In case you really wonder, I’ve been using OpenBSD as my primary desktop OS for ~4 years with the occasional flirt with BeOS. Both of these could also be used as spyware vehicles the same way as Linux, btw.
“linux is infinately more secure than windows”
Yes, but that’s not the point of this discussion.
“linux is infinately more secure than windows”
Yes, but that’s not the point of this discussion.
I agree with you there, it is just that almost every discussion on here reverts to the same old argument
“You seem to think that there is no other way to easily install a simple application on any Linux distribution than by using the official repositories. Unfortunately, that’s not true. Heard of shar archives? Or static binaries?
Spyway doesnt even have to be a compiled binary, it could just be a shell script that downloads and executes the real spyware app.”
Again, one problem – and one that you seem to have a great deal of difficulty grasping – and that is that they don’t exist. Also those methods you mentioned are not popular ways to install applications. I have been a Linux user for 5 years and have never encountered them. Most repositories are either official or are community based – which means in both instances that they a) HAVE to be open source (and thius open to scrutiny) and b) any malicious code is likely to last very long before it is reported and stamped on by the wider community. The only way this would ever happen is if some company wrote some closed source app and tried to trick users into installing it – but realistcally how many people who use Linux go around installing closed source apps? The answer is really not very many. I guess some might use Wine to install some Windows apps – but then some habits are harder to break.
Anyway you are obviously convinced that the world of Linux is full of spyware – even though you can’t point to a single instance of this in reality.
What you point to may be possible in theory – but really it is clear that theory and what is true in the real world in this instance bare very little relation.
GJ
He’s just trying to get you to even admit to the fact that there is NOTHING protecting Linux from spyware anymore than Windows is protected from spyware.
“He’s just trying to get you to even admit to the fact that there is NOTHING protecting Linux from spyware anymore than Windows is protected from spyware.”
But that is not the point.
The point is that there does exist in Linux repositories a method by which a vast array of software can be installed without any risk of spyware or malware.
The method is: install software using only the package manager and open source repositories. OK – so if you don’t want spyware or malware – just use that method.
The other point is: this method does not exist for Windows.
“Again, one problem – and one that you seem to have a great deal of difficulty grasping – and that is that they don’t exist”
The fact that they dont exist right now is entirely irrelevant. The only reason there isnt any is because Linux isn’t a big enough target for it to be financially viable to write spyware for it. If/when Linux get enough momentum and market share for it to be a target for spyware there will most certainly be spyware for it. The success and penetration of such spyware will depend not on how Linux the operating system is designed but how well informed it’s userbase will be.
“Also those methods you mentioned are not popular ways to install applications.”
So? They still work and could be used for the purpose of spyware delivery.
“Anyway you are obviously convinced that the world of Linux is full of spyware – even though you can’t point to a single instance of this in reality.”
Not all all. I’m convinced that there isnt any Linux spyware right now but that is no guarantee that there could not and never will be spyware for Linux.
“What you point to may be possible in theory”
Discussing the future usually is a bit theoretic since it hasnt happened yet.
That announcment from Sunbelt Software seems pretty amature to me, scare mongering for their own benfit?
Back on topic the point is that these kind of mass infestations are unlikely in Linux due to the enhanced security model that Linux enjoys. Whether you can trick the occasional very stupid user into installing some script or other hardly really matters – because clearly the impact this would have would be likely to be limited to only a few idividuals before word got out about it. I mean surely a spyware app would have to be closed source? And if it were closed source this would certainly begin to ring some alarm bells for many people – as it really fundamentally goes against the entire principal of what open source is supposed to be. Very frequent warnings are also given out about ‘not using official repositories’ – indeed this is almost a Linux mantra – and one that most people tend to learn very early on.
Also every app I have ever installed that has not come from an official repository – has come from at least an offically sanctioned community site like sourceforge – or other similar places where large communities exists. For example, Freevo is like TIVO for Linux (except as the name implies, it’s fee). This sounds like a very cool app – and it is. But it also has a very large community of developers and users who regularly communicate with each other through forums and mailing lists. This is very typical of almost ALL Linux software. So do you think Sourceforge, or the Freevo developers – or any similar development site would tollerate spyware on their servers for very long? The answer is clearly not! Why? Well exactly because it is open source – thus open to scrutiny and because there is a lot of very smart people in the Linux world who would quickly find out about any such spyware and discredit the author.
Also you talk about ‘clueless Linux users’. But that is the thing about Linux, in that it does not allow you to be clueless – if you want to use it it forces you to educate yourself – otherwise you quite simply just won’t be able to use it. Linux is intentionally harder to use than Windows – because really that is the only way you can make new users understand the real implications of what and enhanced understanding of security can really mean for them. Who would care too much about ‘ease of use’ if they knew ease of use meant they might risk having their bank accounts emptied?
I don’t buy the ‘security through obscurity’ argument at all. Linux is largely untroubled by spyware because the security model itself IS more secure. The users play a part too, for sure – but as I have said this is because the system largely forces (or trains them) them to deal directly with the inbuilt security features with and actively consider the issue of security in their day to day computing experience.
Anyway the argument is possibly quite moot. The last thing I heard was that MS were planning on intergrating a large part of the Unix security model into Longhorn/Vista. They will be using Unix style permissions on applications and so on – although as I understand it, actually using these features will be optional from the start (they will not be enabled by default) so really the value of them on a Windows system for the large number of clueless Windows users will be seriously depleted. Nonetheless clearly MS sees some value in the Unix security model – otherwise why would they be looking to adopt it for their own OS?
End of debate I think.
GJ
“The success and penetration of such spyware will depend not on how Linux the operating system is designed but how well informed it’s userbase will be.”
Exactly, and how well informed do you think the average Linux user base is? We don’t tend to make too many allowances for clueless users, remember?
However I disagree with your statement – because clearly the OS played a part (as it did in my case) in turning largely clueless users, really quite quickly into non clueless users. Moving from Windows to Linux involves a steep learning curve – which tends to start first with unlearning all the bad habits one has learned in Windows. A lot of people just can’t hack it.
GJ
it does not matter how many users linux has, there will not be a viable spread of malware on it.
someone said (as usual anonymously) that it is not commercially viable to release spyware on linux.. how is it not, if the job of spyware is to collect data. collecting data from only 1 person could be enough for the spyware author to hit the jackpot.
one thing that you all seem to have missed is this;
even if someone did install malware onto his own machine and activated it, how is that piece of malware supposed to get installed onto other PCs ? you know, like in Windows, when one person gets it, all his mates end up with a copy too… not in the least bit likely with linux.
also,
sh <somefile.exe> will not work as somefile.exe still has to be made executable, even though it is induced by sh
btw – why did thom get so much abuse here, he is not an anti-linx troll, that job is taken by cpuguy
hahaha