security (malware) issues in Linux based OSes
Hello,

In the last some weeks I recall reading in one of the mailing lists that it is just a matter of popularity that we are not seeing bad intentioned debs or rpms on the internet. If Debian/Ubuntu/Fedora were to become sufficiently popular, the claim is that it would be just as easy and popular to infect these OSes by making a user install something like NakedBrittany.deb as is now the case with Windows users.

I realize that a clueless user is always going to be the weakest link in the fence against malware infection.

Just wanted to throw this question out here to see what opinions various people have. What if such a malicious deb or rpm is made available? How bad would it be for the same user as compared to similar malware in the Windows case? Let us assume that the user has sudo access in Linux and has admin privileges in Windows.

--
Please reply to this list only. I read this list on its corresponding newsgroup on gmane.org. Replies sent to my email address are just filtered to a folder in my mailbox and get periodically deleted without ever having been read.

--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

On Sun, 15 Feb 2009 13:25:35 -0500, H.S. wrote:
> In the last some weeks I recall reading in one of the mailing lists that
> it is just a matter of popularity that we are not seeing bad intentioned
> debs or rpms on the internet. If Debian/Ubuntu/Fedora were to become
> sufficiently popular, the claim is that it would be just as easy and
> popular to infect these OSes by making a user install something like
> NakedBrittany.deb as is now the case with Windows users.

Don't know where you get it from, but seem to me the person who made such claims is a clueless Linux newbie himself. Debian have package signature signing and checking years ago, even for non-official repos.

--
Tong (remove underscore(s) to reply)
http://xpt.sourceforge.net/techdocs/
http://xpt.sourceforge.net/tools/

T o n g wrote:
> On Sun, 15 Feb 2009 13:25:35 -0500, H.S. wrote:
>
>> In the last some weeks I recall reading in one of the mailing lists that
>> it is just a matter of popularity that we are not seeing bad intentioned
>> debs or rpms on the internet. If Debian/Ubuntu/Fedora were to become
>> sufficiently popular, the claim is that it would be just as easy and
>> popular to infect these OSes by making a user install something like
>> NakedBrittany.deb as is now the case with Windows users.
>
> Don't know where you get it from, but seem to me the person who made such claims is a clueless Linux
> newbie himself. Debian have package signature signing and checking years ago, even for non-official repos.

But neither of these help in case a stupid user receives an e-mail saying:

Run 'sudo dpkg -i FreePornPics.deb to see <insert celebrity name here>'s secret sex tape'.

(Or some variation thereof.)

I think, however, this will only become a problem if Linux gets really popular, especially among newbie users. And the variety of distributions will make this kind of attacks harder: a .deb virus will not work on RPM distros, and vice-versa.

For now, I see no reason to worry.

--
Out of sight is out of mind.
    -- Arthur Clough

Eduardo M KALINOWSKI
eduardo@kalinowski.com.br
http://move.to/hpkb

On Sun, Feb 15, 2009 at 04:22:37PM -0300, Eduardo M KALINOWSKI wrote:
> T o n g wrote:
> > On Sun, 15 Feb 2009 13:25:35 -0500, H.S. wrote:
> >
> >> In the last some weeks I recall reading in one of the mailing lists that
> >> it is just a matter of popularity that we are not seeing bad intentioned
> >> debs or rpms on the internet. If Debian/Ubuntu/Fedora were to become
> >> sufficiently popular, the claim is that it would be just as easy and
> >> popular to infect these OSes by making a user install something like
> >> NakedBrittany.deb as is now the case with Windows users.
> >
> > Don't know where you get it from, but seem to me the person who made such claims is a clueless Linux
> > newbie himself. Debian have package signature signing and checking years ago, even for non-official repos.
>
> But neither of these help in case a stupid user receives an e-mail saying:
>
> Run 'sudo dpkg -i FreePornPics.deb to see <insert celebrity name here>'s
> secret sex tape'.
>
> (Or some variation thereof.)

A Debian user should not be expected to install just any .deb file. This is why this procedure should be relatively complicated (and it is, IIRC).

But you're missing the real fun:

http://lwn.net/Articles/319072/

--
Tzafrir Cohen         | tzafrir@jabber.org | VIM is
http://tzafrir.org.il |                    | a Mutt's
tzafrir@cohens.org.il |                    | best
ICQ# 16849754         |                    | friend

Tzafrir Cohen wrote:
> A Debian user should not be expected to install just any .deb file.

Ideally speaking, I'd say this holds for any OS: Users should not just install (or click, or run) everything they see.

In practice things happen differently, especially in the Windows world.

--
A language that doesn't have everything is actually easier to program in than some that do.
    -- Dennis M. Ritchie

Eduardo M KALINOWSKI
eduardo@kalinowski.com.br
http://move.to/hpkb

On Sun, Feb 15, 2009 at 04:33:53PM -0300, Eduardo M KALINOWSKI wrote:
> Tzafrir Cohen wrote:
> > A Debian user should not be expected to install just any .deb file.
>
> Ideally speaking, I'd say this holds for any OS: Users should not just
> install (or click, or run) everything they see.
>
> In practice things happen differently, especially in the Windows world.

As I have pointed out, there's no real reason for the user interface to make that operation too simple. After all, you're not really guaranteed that you'll actually be able to install that package, as you may not have its dependencies.

The easy way to install packages is through apt.

https://launchpad.net/apturl/

--
Tzafrir Cohen         | tzafrir@jabber.org | VIM is
http://tzafrir.org.il |                    | a Mutt's
tzafrir@cohens.org.il |                    | best
ICQ# 16849754         |                    | friend

On 02/15/2009 01:11 PM, T o n g wrote:
> On Sun, 15 Feb 2009 13:25:35 -0500, H.S. wrote:
>
>> In the last some weeks I recall reading in one of the mailing lists that
>> it is just a matter of popularity that we are not seeing bad intentioned
>> debs or rpms on the internet. If Debian/Ubuntu/Fedora were to become
>> sufficiently popular, the claim is that it would be just as easy and
>> popular to infect these OSes by making a user install something like
>> NakedBrittany.deb as is now the case with Windows users.
>
> Don't know where you get it from, but seem to me the person who
> made such claims is a clueless Linux newbie himself. Debian have
> package signature signing and checking years ago, even for
> non-official repos.

*Maybe* not on Debian, since Debian users *tend* to be more sophisticated, but what's to stop Joe Wannabe from doing this?

$ sudo dpkg -i NakedBrittany.deb

Anyway, twice in the past few years, Debian servers have been compromised. One time it was thru a weak DD user password, and the other thru a poorly-working (official) Debian patch to ssh. (Or was it SSL?) That last one caused more than a minor ruckus.

--
Ron Johnson, Jr.
Jefferson LA USA

Supporting World Peace Through Nuclear Pacification

On Sunday 15 February 2009 15:48:37 Ron Johnson wrote:
> [W]hat's to stop Joe Wannabe from doing this?
>
> $ sudo dpkg -i NakedBrittany.deb

What's to stop Joe Wannabe from doing this?

sudo rm -rf The Great American Novell / Movie

Neither is an actual security issue.

> and the
> other thru a poorly-working (official) Debian patch to ssh. (Or was
> it SSL?)

I don't recall this actually causing the Debian servers to be compromised.

--
Boyd Stephen Smith Jr.                   ,= ,-_-. =.
bss@iguanasuicide.net                   ((_/)o o(\_))
ICQ: 514984 YM/AIM: DaTwinkDaddy        `-'(. .)`-'
http://iguanasuicide.net/                    \_/

On 02/15/2009 05:26 PM, Boyd Stephen Smith Jr. wrote:
> On Sunday 15 February 2009 15:48:37 Ron Johnson wrote:
>> [W]hat's to stop Joe Wannabe from doing this?
>>
>> $ sudo dpkg -i NakedBrittany.deb
>
> What's to stop Joe Wannabe from doing this?
>
> sudo rm -rf The Great American Novell / Movie
>
> Neither is an actual security issue.

Depends, I guess, on your definition of "security". Both require user interaction, and while the "sudo rm" certainly would be a disaster, installing NakedBrittany.deb would/could install a rootkit, keystroke logger, etc, etc.

>> and the other thru a poorly-working (official) Debian patch to ssh. (Or was it SSL?)
>
> I don't recall this actually causing the Debian servers to be compromised.

Ah, you're right. It was back in July 2006 that gluck got compromised.

--
Ron Johnson, Jr.
Jefferson LA USA

Supporting World Peace Through Nuclear Pacification

Ron Johnson wrote:
> *Maybe* not on Debian, since Debian users *tend* to be more

Yup, I agree.

> sophisticated, but what's to stop Joe Wannabe from doing this?
>
> $ sudo dpkg -i NakedBrittany.deb

This is more likely since some of the present day popular packages are commonly downloaded as debs and installed (Skype, brand new versions of Openoffice.org).

To me, it looks like the only viable solution is to go for only open source stuff which is hosted on the distro's official mirrors (Debian, Ubuntu) where the packages are signed. Any departure from this is just inviting Average Joe to cause trouble.

> Anyway, twice in the past few years, Debian servers have been
> compromised. One time it was thru a weak DD user password, and the
> other thru a poorly-working (official) Debian patch to ssh. (Or was it
> SSL?) That last one caused more than a minor ruckus.

It was SSL. I think it is described here:
http://www.debian.org/security/2008/dsa-1571

--
Please reply to this list only. I read this list on its corresponding newsgroup on gmane.org. Replies sent to my email address are just filtered to a folder in my mailbox and get periodically deleted without ever having been read.

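Added example, not part of any message in this thread: the discussion contrasts apt's signed repositories with a .deb handed straight to `dpkg -i`, which by default checks no signature. This sketch classifies a downloaded .deb by comparing its SHA-256 with the one in the apt package index already verified on the host; the function names are this example's own, and a match shows only that the file is the one the configured archive publishes.

```shell
#!/bin/sh
# Added example: is a local .deb byte-identical to a package listed in an
# apt index that apt checked against a signed Release file?

# index_sha256 PKG VERSION ARCH: read Packages-style stanzas on stdin and
# print the SHA256 field of each stanza matching all three values.
index_sha256() {
    awk -v p="$1" -v v="$2" -v a="$3" '
        function flush() {
            if (pkg == p && ver == v && arch == a && sum != "") print sum
            pkg = ver = arch = sum = ""
        }
        $1 == "Package:"      { pkg = $2 }
        $1 == "Version:"      { ver = $2 }
        $1 == "Architecture:" { arch = $2 }
        $1 == "SHA256:"       { sum = $2 }
        NF == 0               { flush() }
        END                   { flush() }
    '
}

# file_sha256 FILE: print the hex SHA-256 digest of FILE.
file_sha256() { sha256sum "$1" | awk '{ print $1 }'; }

# classify FILE_SUM INDEX_SUM: print signed-index-match, mismatch or not-in-index.
classify() {
    if [ -z "$2" ]; then echo not-in-index
    elif [ "$1" = "$2" ]; then echo signed-index-match
    else echo mismatch
    fi
}

# check_deb FILE: read the control fields with dpkg-deb, look the package up
# with apt-cache (both need a Debian-like host), and classify the file.
check_deb() {
    pkg=$(dpkg-deb -f "$1" Package) || return 2
    ver=$(dpkg-deb -f "$1" Version)
    arch=$(dpkg-deb -f "$1" Architecture)
    want=$(apt-cache show "$pkg=$ver" 2>/dev/null |
        index_sha256 "$pkg" "$ver" "$arch" | head -n 1)
    classify "$(file_sha256 "$1")" "$want"
}

# Run the check only when a .deb path is given as the first argument.
case "${1:-}" in *.deb) check_deb "$1" ;; esac
```

A result of not-in-index or mismatch means nothing in the signed archive vouches for the file, which is the case the thread's `sudo dpkg -i` scenario describes.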