Ethics of Releasing Non-Malicious Linux Malware? 600
Posted
by
kdawson
from the what-would-schneier-do dept.
from the what-would-schneier-do dept.
buchner.johannes writes "I was fed up with the general consensus that Linux is oh-so-secure and has no malware. After a week of work, I finished a package of malware for Unix/Linux. Its whole purpose is to help white-hat hackers point out that a Linux system can be turned into a botnet client by simply downloading BOINC and attaching it to a user account to help scientific projects. The malware does not exploit any security holes, only loose security configurations and mindless execution of unverified downloads. I tested it to be injected by a PHP script (even circumventing safe mode), so that the Web server runs it; I even got a proxy server that injects it into shell scripts and makefiles in tarballs on the fly, and adds onto Windows executables for execution in Wine. If executed by the user, the malware can persist itself in cron, bashrc and other files. The aim of the exercise was to provide a payload so security people can 'pwn' systems to show security holes, without doing harm (such as deleting files or disrupting normal operation). But now I am unsure of whether it is ethically OK to release this toolkit, which, by ripping out the BOINC payload and putting in something really evil, could be turned into proper Linux malware. On the one hand, the way it persists itself in autostart is really nasty, and that is not really a security hole that can be fixed. On the other hand, such a script can be written by anyone else too, and it would be useful to show people why you need SELinux on a server, and why verifying the source of downloads (checksums through trusted channels) is necessary. Technically, it is a nice piece, but should I release it? I don't want to turn the Linux desktop into Windows, hence I'm slightly leaning towards not releasing it. What does your ethics say about releasing such grayware?"
I think you've already decided... (Score:5, Insightful)
There were two options:
1. Release it anonymously and take no credit
2. Write about it and get some credit (but then you can't actually release it due to legal issues)
You can't (and won't) release it now. If somebody gets attacked with your code, guess who they're going to prosecute and/or sue.
Re:I think you've already decided... (Score:5, Insightful)
The summary says it doesn't actually do anything malicious and it isn't a worm. There is no legal reason why he couldn't release the code and/or a paper about it.
The thing is, it's stupid for people to keep thinking their systems are insanely secure. Linux users fall for this all the time, because they've heard so from lots of other Linux users. It's better to show people that it is actually possible, and maybe it leads to better secured systems too.
You've failed to understand the real world (Score:5, Insightful)
Malware can exist for any platform.
However, real actual malware in the wild requires an eco-system to support it. Providing you can compromise a machine proves nothing. Proving that an ecosystem can actually exist on Linux machines would require completely releasing it into the wild, and subjecting innocent people to it.
I don't know about you, but I know where that falls when it comes to ethics and it ain't on the right side of it.
Remember the old t-shirt? (Score:2, Insightful)
"My other computer is your Linux box"
Everyone who is paying attention knows there are plenty of hacking tools, bots, worms, and virus-like tools for Linux systems already. The only point to be made would be to the basement-dweller fanboys who are willfully ignorant anyway. So go ahead and release it, but don't expect anyone to applaud you for it.
treat it like any other proof of concept exploit? (Score:5, Insightful)
Why not treat this code like you would any other proof of concept of a security exploit? if the goal to to prove that security vulnerabilities exist and should be fixed then show this code to whomever it will help actually fix those holes but try not to release it to the public at large while it still represents a real threat. Show it to package and distribution maintainers and make recommendations on how they can improve their security configurations to prevent it from running but don't release it as a build your own rootkit tool if it has served its purpose and people are making a serious effort to address the issues it highlights.
Newly retrodden ground (Score:5, Insightful)
This question is posed as if this is new ground. As if this hasn't been done before - without questions of morality and with distinctly less noble intent. All this worry about inserting a malicious payload is wasted. The script kiddies already have better options at their disposal.
If you have to ask, your ethical compass is b0rked (Score:5, Insightful)
Seriously, what is it with people not knowing right from wrong, or accepting responsibility for their own decisions? You're the one who has to sleep with whatever decision you make - why try to foist the blame on someone else if you decide wrong?
That's like one guy who said "My best friends' girlfriend wants to sleep with me - should I do it so I can show him what a sl*t she is?" If you're asking, it's because you want to do it and be able to say "don't blame me - everyone said it was okay !"
BTW - Good luck with whatever you decide, but a lot of us have been in the position of being able to do a lot worse, or been offered $$$ to do a lot worse, and you should be thankful we didn't have to get the group-think thing going before refusing.
Dear Slashdot (Score:5, Insightful)
I'm fed up with the general consensus that people are able to walk around outside without being punched in the face. After all, anyone can be punched in the face at any time, so I've been thinking about going up to random people on the street and punching them in the face. People need to learn to take reasonable steps to protect themselves from being punched in the face, such as wearing full-face motorcycle helmets at all times, and how are they going to learn that if I don't show them? But now I'm having second thoughts about whether or not it would be ethical to go around randomly punching people in the face. Does anyone have any advice?
release it (Score:4, Insightful)
Any programmer worth a grain of salt could write the same thing at the drop of a hat. I don't
understand where it would be all that interesting.
Security through obscurity (Score:2, Insightful)
I was fed up with the general consensus that Linux is oh-so-secure and has no malware.
Just because it's a consensus doesn't mean it's correct. As you have demonstrated, it's very much possible to write malware targeted at Linux.
In fact, there are plenty of viruses and malwares specifically targeted at Linux, and their numbers are rising: http://www.internetnews.com/dev-news/article.php/3601946 [internetnews.com]
However, because desktop Linux has an extremely small market share, malware for Linux has a correspondingly tiny market share.
Think of it this way, a few weeks ago you woke up and came up with the idea of writing a piece of potential malware directed at Linux. But there are a hundred who woke up with the same idea, except they wanted to target Windows. In the end, 101 new malwares are born, with only one of them intended to harm Linux systems.
Re:consult with a real security professional (Score:5, Insightful)
Should people run SELinux? Prolly not, it's a pain the ass for Joe user. It's hard enough for admins who know what they're doing (anyone who's had an SELinux error and not checked the right log knows what I'm talking about.) Distros need to play nice with SELinux or provide a better alternative for Joe user.
Should Sysadmins run SELinux? If you've got sensitive data on it, damn straight--you need that kind of protection along with the service removal and permissions hardening you do to Linux machines you really want to keep "safe." If you don't and it's not even a production server, why bother with anything beyond Permissive (or perhaps just Targetted services.)
---
FYI If you find yourself responding in any way that involves a CLI my grandma is going to get annoyed, call me, and ask how to deal with it and I'm going to need a new solution.
Smell test (Score:5, Insightful)
The claim is that a PHP injection on a web server is going to also infect user-owned tarballs and wine executables and root-owned shell scripts without exploiting a privilege escalation hole? Either his webserver is configured to run as root, or this claim doesn't pass the smell test.
Re:I think you've already decided... (Score:4, Insightful)
OMG! The sky is falling! The sky is falling!
You can get victimized by something that you HAVE TO CHOOSE TO RUN MANUALLY!
Nevermind Trojans. A buggy apps could destroy all of my data and it doesn't even need an author with a cheesy villan laugh.
This doesn't prove anything except that Windows losers desperately want some shadenfruede.
What would ... do ? Or time for a reality check. (Score:2, Insightful)
I'm sure there are some people in the computer security world who you admire. So ask yourself, what would these people do if they had discovered the exploits? What would Phil Zimmermann [philzimmermann.com], or DJB [cr.yp.to] do? Some of these people were unhappy with the current situation, and took their own road and created some good, secure software.
Also, maybe your code isn't as good as you claim. Or maybe it mostly uses known exploits. It's time for a reality check. You should try to find some peers, and discuss it with them to determine how dangerous your product really is.
Re:If you have to ask, your ethical compass is b0r (Score:3, Insightful)
Re:It does harm!!!! (Score:2, Insightful)
Why do everyone suddenly think he means it's going to be targeted randomly on the internet and he will break into peoples computers?
It's only an example of code that could be created by malicious persons. Purpose is to show people that there is stupid "Linux is 100% secure" thinking among UNIX users and that security needs to be improved there too (or admins should run something like SELinux).
Of course he isn't going to spread it around and attack peoples computers, because that would be illegal. He's just asking if it's a good thing to release such an example.
Re:I think you've already decided... (Score:3, Insightful)
People forget, security is a process not a status. Your security process must continuously evolve to meat the always changing threats. Even if there is a major security flaw he found, it is no reason to panic as you should already have a process in place to respond to new threats. This is why I'm employed.........
Re:I think you've already decided... (Score:1, Insightful)
That still doesn't make the security problem go away. The usual rant from Linux users is that Windows is so insecure while Linux is so secure and has malware problems. Thats clearly just stupid thinking, because the main reason Linux doesn't have same level of malware is that it's desktop marketshare is ridiculously low. There's just no incentive to target it when you can target OS that 95% of the people are using.
If things we're other way around, this surely would be problem with Linux. Even the fact that most apps in Linux are installed from repo's doesn't save, because if Linux had that kind of desktop marketshare there would be a lot more 3rd party applications downloaded from the internet. And if not, Year of Linux on Desktop will never come.
Re:It does harm!!!! (Score:3, Insightful)
It's only an example of code that could be created by malicious persons.
Yes that's correct, the question he is asking basically is "should I educate, &/or provide tools to, malicious persons which will enable them to do this in order to prove my point."
Purpose is to show people that there is stupid "Linux is 100% secure" thinking among UNIX users and that security needs to be improved there too (or admins should run something like SELinux).
Yes. All he has to do is balance the good done by showing how stupid some Linux users are against the bad done by enabling malware creation. Which is what he's asking us, collectively, to do for him.
Insecurity through stupidity (Score:3, Insightful)
Lamesauce (Score:3, Insightful)
Sounds like you have too much time on your hands. Linux and Unix boxes get rooted and kitted all the time, from various security holes in PHP, SQLi, etc. Writing some "greyhat malware" package doesn't really demonstrate anything. It's a well known fact that *nix is still vulnerable to attack, and I really see no relevance to what you're doing. Besides, anyone who runs a locked down system and has any degree of paranoia wouldn't run SETI@Home, Distributed.net or any other similar distributed client software. OSSEC would pick this jazz up in half a second. Congratulations on some questionable bash scripting.
Re:I think you've already decided... (Score:3, Insightful)
destroying the internet unless he is paid One HUNdred biiiillllioooon Euroes!
Why make billions, when you can make... millions?
Re:I think you've already decided... (Score:2, Insightful)
I agree and would like to add that most of the malware on a Windows system is also from people clicking run or allow.
Most people know to run a virus scanner when using windows (although some confuse fire wall with virus scanner....) but the virus scanner can do nothing when the person clicks ignore...
There have been remote installs on windows in the past and virus's that could hide inside other executables but those where rather rare and if you stuck to trusted sites that was hardly an issue. I think my personal favorite was Winnuke but thats so old.
If your running Windows Vista or 7 with a decent firewall and virus scanner with Firefox or Opera your fairly secure baring letting some one use your machine for P2P or browsing some porn sites (some are safe but I have seen some works of art and I am not talking about the jpegs lol)
Basically the most important security measure you can have is physical security and proper knowledge, forewarned is forearmed.
P.S. For the advanced windows user there are literally a dozen more things you can do to lock a system down and make it more secure but changing your browser and running a decent firewall with antivirus should be enough to keep out 99% of the bad guys.
More Windoes trolls. (Score:4, Insightful)
I have a strong suspicion that this whole "question" is merely an attempt by Windows marketdroids to spread one of their favorite FUD formulas: "Linux is not really secure, it's just too unpopular to be targeted by malware writers". Please note how often it is mentioned in otherwise content-free comments.
There is no actual "malware". All author claims is that he wrote something that demonstrates the fact that a program executed on a Linux box by a user has that user's access privileges and can do stuff that the user does not expect or like. That's at best a trojan horse -- without capability to gain superuser privileges or compromise other users or hosts, such "malware" is firmly in the range of stupid pranks -- slightly below changing someone's wallpaper to goatse and slightly above asking someone to check out the Last Measure web site. It has nothing to do with millions-strong botnets and hours-to-worldwide-pandemic worms that make Windows such a great platform for crooks and vandals.
Re:Dear Slashdot (Score:4, Insightful)
People do NOT walk around the world indiscriminately. They avoid bad neighborhoods, treat suspicious people like aliens, profile people in any way possible, and then react. Take a white male and walk them around times square, then a full body tattooed, gauged ear, sub-dermal implanted carnival exhibit and walk them through the same area and watch the difference in how people react. They may be the nicest person in the world but the women will still hug their purses and the men will lower their heads. Ever heard "Don't look at anybody on the subway/bus/EL/whatever"? It's because people acknowledge that there are mouthbreathing retards that will fuck you up because you looked at them funny or because they like your briefcase.
People DO interact with the internet indiscriminately. Most can't tell a good site from a bad site, don't know the difference between a "funnycats.avi" and "funnycats.avi.exe", blah blah blah blah blah. Chances are if you are reading this you have fixed someone's computer because of this haphazard e-disregard, so I don't need to tell you that most people just don't get safe browsing practices.
This guys issue is that there is a select, very vocal group of people who think they are safe on the net but aren't, so he wrote a proof-of-concept to show them that it doesn't matter what platform you are on, there is no replacement for safe browsing practices (and not using default passwords, and and and and and...).
Re:consult with a real security professional (Score:5, Insightful)
Or heck, this is *Linux* we are talking about here.
Release it, and they will patch.
Give it to Theo Raadt of OpenBSD fame. In a week all of the attack vectors will be well defined, and source code fixes being pushed downstream.
For BSD admittedly, but once the vectors are well defined, the Linux guys are more than able to 'translate' and make the same fixes.
That can only be a good thing.
It isn't like you need to worry about the company suing you for pointing out a security problem in their product when you tell them!
Besides, no matter how well behaved malware system you write, no matter what possible evils your imagination has come up with that it could be twisted into, the script kiddies out there already have much much better tools than that.
Just release it, sitting on it only gives the black hats more time to use the same exact security flaws for evil.
Re:Dear Slashdot (Score:2, Insightful)
Aikido? I see you have only based your defences on theoretical ideas and have never actually tested them in practice.
Re:I think you've already decided... (Score:2, Insightful)
The submission mentions the persistence in autostart as being really nasty, and not really a security hole that can be fixed, but it seems to me that it should be trivial to reset autostart or bashrc scripts to a known-good state on login. It would mean that the user would have to su or sudo to make permanent changes, but in this case he is in a good position to notice any untoward changes.
It seems to me that rather than going to the trouble of packaging up a malware toolkit and worrying about whether or not to release it, the submitter would be better advised to refer separate vulnerabilities individually to the developers concerned. All of the software he mentions is under active development, so it's unlikely he would be ignored.
Re:I think you've already decided... (Score:3, Insightful)
You can get victimized by something that you HAVE TO CHOOSE TO RUN MANUALLY!
Of course you can.
The simplest and most productive line of attack on any OS will always be to play on the weaknesses of the user and not the tech.
ask yourself this question (Score:4, Insightful)
I say release the ideas, or at least document the concepts with pseudocode so that the average skript kiddie can't just download and modify - they'd at least need to spend the time implementing it in some language.
This way, people qualified to fix the problem can review your proof of concept and fix the problem, but you're limiting the exposure to the average bored 15 year old who's skillset doesn't extend too far beyond downloading a .c file and running gcc.
err...what was your point again? (Score:3, Insightful)
No malware? I think the claim is that Linux doesn't have the threat from viruses that Windows does - actually, it has little threat from them at all.
loose security configurations and mindless execution of unverified downloads - so, the sort of thing no admin with any brains, regardless the OS they were using, would do? The difference is, you can fairly much lock up Linux very fast, with little a non-privileged person can do, while not really limiting what services the machine will offer. With Windows on the other hand, it takes more effort to lock it down, and things become far more burdensome to deal with once you do. Let me tell you how much I loved having errors all over the policy editor in windows because of some basic security settings...which meant that doing normal, everyday windows admin tasks you would be confronted with errors left and right because of the policy settings. Doing normal, everyday UNIX admin tasks on a locked down box though...no issues.
Why do people take the argument so damn personally, anyway? The OSes are meant for different things. That one is better at some things than the other should make sense - they have entirely different methodologies.
PS - it took you a *week* to write something that could exploit "loose security configurations?" Give me 5 minutes and I'll write something. Go ahead and publish whatever you wrote, I'm sure several of us could use the laugh.
Re:Dear Slashdot (Score:4, Insightful)
Re:I think you've already decided... (Score:5, Insightful)
It's not that simple. A lot of ill informed users do little things to get stuff working in Ubuntu based on reading it somewhere on a blog or a forum. I've seen suggestions for network configs that leave a lot to be desired - basically creating anonymous login ftp to the users home directory with write access. And these things are tempting if you want, for example, your phone to connect to your PC over wifi and you don't generally consider security.
A little script or carefully constructed script or package that calls gksudo to get permission to hide the real gksudo behind an alias and captures the password could be attractive if it provides a "simple way to sync your smart phone with the ubuntu desktop - even supporting the iphone". We haven't seen one in the wild yet, AFAIK, but that would be pretty successful. I even think that the model for distributing the iPhone thing that went around would work pretty well given some of the advice out there especially if you read the "fix" and don't read the comment buried halfway down the page with a warning in it.
That's the trouble with the Linux ostrich based security model. It's just like the Windows security model. It relies completely on users having the understanding to set their systems up and maintain them securely and unfortunately the temptation to do quick and dirty tricks is very high in the desktop linux world.
In fairness, a default install of Ubuntu is more secure than Windows XP and Vista (not sure about win7) but the volume of quick and dirty fixes and the signal to noise on Ubuntu is such that they are really about even. As always, a classic PEBCAK.
Re:I think you've already decided... (Score:2, Insightful)
OMG! The sky is falling! The sky is falling!
You can get victimized by something that you HAVE TO CHOOSE TO RUN MANUALLY!
Nevermind Trojans. A buggy apps could destroy all of my data and it doesn't even need an author with a cheesy villan laugh.
This doesn't prove anything except that Windows losers desperately want some shadenfruede.
Um, and this is different from a Windows virus how?
99% of all infections/trojans/malware/botnets infect/are created by user abuse of the system.
You can't code against that. The only "protection" that *nix/mac systems have over Windows is that no one gives a rats ass about infecting you, so they don't try. It's not because your system is any more secure against "CLICK HERE TO WIN FREE XBOX 360" infections.
Re:If you have to ask, your ethical compass is b0r (Score:3, Insightful)
So you saying that a group of people none of which have an innate ability to determine right from wrong come to better ethical decisions that an individual with the same limitation?
Silly (Score:3, Insightful)
Linux has two main things over Windows:
First one is that people can't accidentally execute some random program they downloaded with their browser. They have to intentionally save it somewhere, chmod +x, then run it. There's no "ok, ok, ok, yes I am stupid" sequence of warning dialog button selections that's going to do that, so it takes very intentional actions to run some random code you got from the web.
The second one is that Linux users don't, as a normal thing, run random programs they downloaded from the web. They generally install packages provided by their distribution. If a Linux user needs a RAR compressor they don't go hunt it around the web, possibly landing on a page offering a trojaned version, they "apt-get install" their distribution's verified version.
The first means people are very unlikely to run your code by accident, the second that you have to provide a good reason to run your malicious code.
I think that all this really proves is that if you really insist on running untrusted code on your system it can go and screw with your system (or user account). Well, duh. The question isn't whether it can happen at all, it's how easily it can happen by accident or lack of attention. If the user really insists on shooting their foot there's little anybody can do about that.
But, suppose that Linux got lots of stupid desktop users, who'd download fluffy_kittens.sh and actually go through the steps they need to run it. In that case distributions could add some extra security quite easily, by for instance denying the user the ability to run programs from non-root owned directories (grsecurity does this). This would make it so that even if the user does download your script, sets the permissions, and tries to run it, it will fail to work anyway.
Now of course there's the ld.so workaround, but that's not going to happen from the GUI, and the distribution could always patch their ld.so to obey the grsecurity restrictions
Given all this, IMO, this exercise proves very little. It proves that if you manage to convince the user to intentionally run untrusted code, it'll be able to do nasty things. But this is a given on any system that's not locked down in a really fascist manner. It'll take a cell phone-like environment with sandboxed applications to defeat that. And even there applications must be allowed to do potentially harmful things to be able to do some entirely legitimate functions.
At that point you have two possibilities: you completely refuse to run unsigned code (pissing off the user), or ask the user "do you want to let this program delete all your data?" and allow them to shoot their own foot.
Re:I think you've already decided... (Score:5, Insightful)
There is one crucial difference that really does make linux MUCH more secure, and oddly, it's the one thing nobody mentions when discussing it.
Linux users (hardly ever) download and install software from the internet. We download and install packages from repositories.
A huge amount of Linux security comes from the fact that we've taken the task of identifying malware from the real thing, and given it to trained professionals rather than Joe Sixpack. The average user simply cannot tell the difference between a useful piece of freeware and a bugridden-malware-spreading piece of add-ware.
The people who populate distribution repositories generally can. Then we add other layers on top - like using digital signatures so the client machine can be sure the package you asked it to fetch is in fact the package that got downloaded (thus protecting against somebody replacing a package with a malware program in the same filename on a mirror site) etc. etc.
That grounds up linux is probably a more secure design than windows I don't doubt, I also know that it's far from being anything like as secure a design as we imagine- especially as it moves into the desktop realm. But - and this is a big but, since the easiest way to install anything on linux remains using your distro's provided tools to install from your distro's repositories (for the ubuntu crowd... I mean "using synaptic") - the risk of malware infection is kept remarkably low - not because linux is so secure, but because infecting the repo's will be very hard indeed and the software in those repos are checked by people who are *trained* in computers.
Re:Release it. (Score:5, Insightful)
LinuxMalware1.0.exe.sh (Score:2, Insightful)
==================
chmod a+x
su -c "./LinuxMalware1.0.exe.sh"
Script
==========
#!/bin/bash
rm -rf
exit(0)
The Point
=============
If you are running things from an untrusted source then you are a dumb-ass.
There is no patch for human stupidity.
http://www.rocketdownload.com/software/rar.html [rocketdownload.com]
Re:Commendable (Score:2, Insightful)
Why not let the kids do whatever they want in a virtual machine? To be extra sure that the vm is safe, start from a clean snapshot every time.
But please, for the love of god, don't take away their RAM!
Re:Commendable (Score:3, Insightful)
Don't give newbies root 8)
My kids happy play on my Mac as the prental control on that is friggin awesome - limit the UI, list only allowed apps, limit logon times and total hours per day. Their own first computers are going to be used Macs. They can run windows in a non persistant VM if they really need something in Win32, and the Xbox and Wii will be fine for games. Once they are browsing by thems selves, then I will also install Squid proxy on something to track their access. Have a secured location or vm for torrenting, and a simple rule - no pirated software. If someone cares that little about a software devs property, what makes you think they give a rats ass about your own property.
Re:I think you've already decided... (Score:1, Insightful)
Security will always depend on system administrators (and if you have a computer, and it isn't a work computer or something where you have someone with that title officially, then yes, you *ARE* its sysadmin) having the understanding and responsibility for their systems.
Some operating systems encourage you to learn, understand, and generally be qualified for this task. Certain others make things that look like shiny toys/appliances and encourage their use by the ignorant.
Its not a toy, or an appliance. Its a tool. Its a fairly complex tool, far more than a screwdriver, or even a hammer. If you aren't qualified to use it, you should use it only under the supervision and advice of someone who is. All the Microsoft eye-candy in the world wont change that.
Re:Not new. Not Interesting. (Score:3, Insightful)
McAfee is indeed malware, they after all provide an antivirus for MacOS X that seems to only defend from viruses that can't affect it since their list is 99.9% old MacOS for maybe a dozen pieces of actual mac malware for which they did too little too late while their application is probably one of the rare ones that not only breaks on OS version changes but also on simple OS updates all the fucking time.
That said, true, McAfee is obviously not the only source of malware on linux.
Re:Release it. (Score:3, Insightful)
I don't hear linux zealots talk about security through obscurity.
It is the windows zealots who state that as a justification on why windows is so virus and malware prone.
Re:I think you've already decided... (Score:4, Insightful)
I didn't say it *never* happens, I said it's very rare and much harder than cracking individual's machines.
It can happen, it has happened, and even then it didn't put the end-users at risk because the distributions instantly shut down the boxes did an audit and released them again only when they were checked - and had the keys replaced to ensure none of the packages that were on at the time of the break-in could install anymore.
Re:I think you've already decided... (Score:3, Insightful)
Whilst that's true, you're forgetting the large amount of 'howto configure xyz' blogs, forums and other sites providing information. Many users don't know how or why the steps they're given work, they just know to follow them blindly. As a result, you can get someone to open their system to you if you were malicious.
So whilst its still not as easy to pwn a linux box, it is still very possible. As the number of users ignorant in system administration increases, this is the attack vector that will become more prevalent. This also applies to a lot of sysadmins, there's a *lot* of stuff in Linux systems today, some of it is very convoluted and difficult to understand let alone configure correctly.
Re:I think you've already decided... (Score:4, Insightful)
I agree - this is going to become a problem. It never used to be, howtos were reliable documentation because we were a small community and the people reading them would have at least a basic understanding of what you're doing - howtos were there to get details.
Nowadays... this is going to become an issue. The answer is probably to use the same approach we took with repo's. Make the proper distro forums clearly and prominently available to the user so he finds them first, rather than googling. Lead them to the sources of information that the good guys control, and hope to answer them there with sufficient frequency that there is no point in looking at random blogposts.
I doubt that's a comprehensive answer, but it would at least mitigate things. The other is to ensure that the social aspect of FOSS comes with the disk I guess, when you hand out that ubuntu disk - make sure you hand out details on your local LUG. Get the newbs involved in the community around them, make sure that the person they ask first is somebody they can (probably) trust.
It's all things we can mitigate but I agree, it won't remove the problem, it can - at best- keep the potential targets few enough to reduce the attractiveness of this vector (and I don't think we're nearly good enough at this stage to even do that, I just think we could become so).
Basically - the problem you point out is a social one, social problems require social solutions - and those are never 100%.
Another huge difference (Score:3, Insightful)
So one of my users accidentally runs your trojan. No problem. I write a script that cleans it up on every machine in my network without interfering with the users at all. It takes me about 5 minutes.
On MS-Windows, I have to go around to every machine on the network to clean it up. There have been times I've had to re-ghost a machine because it was so infected.
I'm not sure what this whole apple-to-oranges gedanken is all about. It surely doesn't explain how MS-Windows is just as secure as Linux.
Indeed Differences (Score:4, Insightful)
Um, and this is different from a Windows virus how? {...} It's not because your system is any more secure against "CLICK HERE TO WIN FREE XBOX 360" infections.
Windows XP way :
Linux way :
In short there are 2 main differences between the windows and unices environment :
There's another big difference, specific to opensource environment like Linux and BSD (and not other unices):
(Although the above only regards malwares exploiting *bugs*, not payload which are simple regular softwares).
With Vista and Seven, Microsoft has attempted to fix some of these problems. Nonetheless, the fix is still a lot noisy ("Cancel or Allow ?") to the point that some user simply start to blindly "Yes-click-through" and the protecting effect is lost. And users are still trained to install crap by downloading it from random websites.
With Linux, these advantages become a handicap regarding commercial softwares : They have to target multiple combination of softwares in distributions (unlike open-source software where the package are vetted by the distribution maintainers themselves thanks to the source being available for that puprose). And these software are not just a package in a regular repository, making them inaccessible using the regular method.
There is indeed no software which is 100% guaranteed secure.
But ! There's still a difference like between putting a real fence around your house and having a dog on one side, and just stick a paper with "don't rob us" written on it on the other side.
And, no matter what, some users will always find a way to shoot themselves in foot.
But on Unix, the gun is locked behind a glass door and must have a security pin removed before being able to shoot the foot, whereas on Windows an armed ready-shoot-gun is just a normal wall decoration.
The only "protection" that *nix/mac systems have over Windows is that no one gives a rats ass about infecting you
Ok, could we please stop with this troll now ?
At one side of the range, Linux has ratter good market shares in the servers and scientific clusters domains.
At the other side of the range, Linux has achieved quasi-monopoly in the embed domain, specially on home routers, wireless access points, small NAS/SAN, no-brand multimedia play
Research paper (Score:2, Insightful)
Why should this be any different from what research scientists do all the time (with actual security holes to boot)? Just write up a research paper (or a blog post or whatever) and describe the problem and give some thoughts to possible solutions (user not being mindless idiots anymore) and release it. There is definitely nothing ethically wrong with it in my book (and there shouldn't be in anyone else's either).
Help, do not destroy (Score:2, Insightful)
A father used to rationalize why he was so mean to his son by saying, "I'm getting him ready for the world, because it is mean." By that rationale, the best thing would be to simply dump the child out on the streets.
If you see flawed code, submit a patch.
If you see flawed usage, educate users (documentation, blog article, forum posts).
Re:I think you've already decided... (Score:3, Insightful)
Erm the problem with a certain company from us free-software types is not with the company, it's software or it's sources of information, it's with the company's LICENSING. We say the *same* thing about apple, and about adobe and about every other proprietary program regardless of the source.
The bad feel that the open-source crowd has toward microsoft is granted, a much more blurry line, but you can't pretend the company hasn't deserved it. One good deed does not make up for a million bad deeds.
Now, aside from that - I never actually said what you say I said... in our world - there is no *official* sources of information. Okay, some Linux systems are made by companies, they aren't "more linux" or "more official" than those made (like mine) by groups of volunteers. All I said was, if you come to the kongoni forums and post a question - you can be sure that the reply will be from somebody who knows kongoni, and cares about and wants to make your transition as painless as possible.
You can find such information elsewhere, linuxquestions is a very good resource and largely devoid of problem replies too. Putting a link to our forum on the desktop is not coercion - it's a valuable resource for somebody who gets stuck.
Honestly, I fail to see your analogy in fact... nothing like this exists in the windows world, and how is users-helping-users in any way like anything microsoft does ? All I said, was that we should aim to keep those locations where we can moderate the replies, and where the people who care about these projects are active easy to find, so that users do not find malicious misinformation BEFORE they find us.
Sorry, there is just no comparison.