Page 3 of 9 (results 21 to 30 of 81)

Thread: Hypothetical Linux Malware Question.

  1. #21
    Join Date
    Mar 2009
    Beans
    1,982

    Re: Hypothetical Linux Malware Question.

    If you see a prompt that says you need to give your password to install software, and it looks exactly like the one in Ubuntu because it's a screen shot of the original, then you just gave your password to malware. So the malware can run sudo, which means it can become root.

    This is a classic trojan horse. You disguise yourself to look like a friend in order to trick the gate keeper to let you in, then wait for them to fall asleep before you attack. There is no computer system which is not vulnerable to this.

  2. #22
    Join Date
    Sep 2013
    Beans
    1

    Re: Hypothetical Linux Malware Question.

    Quote Originally Posted by 1clue:
    I have lots of software on my *buntu systems that isn't in the repository. Oracle Java, grails, Oracle database, X-plane, Sublime Text 2, VMware, GGTS, the list goes on. Basically if it's non-free then it's not in the repo, or at least not directly.

    To flip that idea over on its other side, if *buntu decided to limit all software to be what's in the repository, all of my *buntu systems would suddenly become some other distro. There would not be a single one left.

    To go a little step closer to home, how do you think software which is not in the repo gets into the repo? Somebody downloads it from a source that's not in the repository, compiles it or installs a binary, and then puts it in the repo.

    Point taken, Ubuntu does seem to be aimed at less technically minded users (Windows refugees), perhaps the main Ubuntu should have restrictions like I proposed (non-repository software cannot use root privileges, except to resolve dependencies). And a derivative could be released without any restrictions. Like I said, if it went mainstream something would have to be done to save Windows users from themselves.

  3. #23
    Join Date
    Mar 2009
    Beans
    1,982

    Re: Hypothetical Linux Malware Question.

    Quote Originally Posted by mike_smith2:
    That's not true. If non repository software could never become root (except for resolving dependencies using packages from official repositories) that would stop that.

    So could (not necessarily) a real time malware scanner/software blacklist. I far prefer the above idea but perhaps some sort of minimal blacklist could be implemented.

    You really, REALLY, need to read this: https://wiki.ubuntu.com/BasicSecurity

    You should also look here: http://www.ubuntu.com/usn/

    That last link is the known, published list of vulnerabilities in Ubuntu. Yes, Ubuntu has vulnerabilities.

    What's on this list is not nearly as important as what's not on this list.

    Most of the time, everything on this list has an update to close the vulnerability. They don't generally publish the vulnerability until they can stop it. Sometimes they do, if it's a serious problem and there's no fix available.

    But here's what's NOT on that list:
    1. Vulnerabilities known to white-hats which are not yet tested.
    2. Vulnerabilities known to white-hats which have been tested but not yet solved.
    3. Vulnerabilities known to black-hats which have not been discovered by white-hats.
    4. Vulnerabilities unknown by anyone which may be bugs that transmit data in an unsuspected way.
    5. You can probably figure out a few more ways, I'm not going to write a book.


    If you haven't figured it out yet, white hats in this case are the good guys: Developers, Ubuntu staff, well-intentioned users, organizations like CERT. Black hats are the bad guys.

    Now, there's a whole lot of people who believe that if you keep your system updated you don't have anything to worry about. That's untrue. There may be days, weeks or months between the time a black hat discovers a vulnerability and the time it's blocked by a security update, and the time you actually install that update.

    If you're one of the unlucky ones and had an exploit on your system, the update might fix the problem but chances are your system already has malware on it or somebody knows your passwords, and you probably will not know it unless you actively look for it and know what to look for.

    There's no magical restriction that only lets repository software through, and trying to add one would make a whole lot of users go find a different distro. Me included. I use commercial software, and I will continue to do so.

  4. #24
    Join Date
    Sep 2013
    Beans
    1

    Re: Hypothetical Linux Malware Question.

    Quote Originally Posted by 1clue:
    You really, REALLY, need to read this: https://wiki.ubuntu.com/BasicSecurity

    You should also look here: http://www.ubuntu.com/usn/

    That last link is the known, published list of vulnerabilities in Ubuntu. Yes, Ubuntu has vulnerabilities.

    What's on this list is not nearly as important as what's not on this list.

    Most of the time, everything on this list has an update to close the vulnerability. They don't generally publish the vulnerability until they can stop it. Sometimes they do, if it's a serious problem and there's no fix available.

    But here's what's NOT on that list:
    1. Vulnerabilities known to white-hats which are not yet tested.
    2. Vulnerabilities known to white-hats which have been tested but not yet solved.
    3. Vulnerabilities known to black-hats which have not been discovered by white-hats.
    4. Vulnerabilities unknown by anyone which may be bugs that transmit data in an unsuspected way.
    5. You can probably figure out a few more ways, I'm not going to write a book.


    If you haven't figured it out yet, white hats in this case are the good guys: Developers, Ubuntu staff, well-intentioned users, organizations like CERT. Black hats are the bad guys.

    Now, there's a whole lot of people who believe that if you keep your system updated you don't have anything to worry about. That's untrue. There may be days, weeks or months between the time a black hat discovers a vulnerability and the time it's blocked by a security update, and the time you actually install that update.

    If you're one of the unlucky ones and had an exploit on your system, the update might fix the problem but chances are your system already has malware on it or somebody knows your passwords, and you probably will not know it unless you actively look for it and know what to look for.

    Cheers for the links, interesting stuff. The thread is more discussing (seemingly invincible) malware that convinces you to use your sudo password.

    Quote Originally Posted by 1clue:
    There's no magical restriction that only lets repository software through, and trying to add one would make a whole lot of users go find a different distro. Me included. I use commercial software, and I will continue to do so.

    I'm not saying there's a magic line of code that can enforce what I suggested, I'm sure it would be a lot of work.

  5. #25
    Join Date
    Mar 2009
    Beans
    1,982

    Re: Hypothetical Linux Malware Question.

    The only thing that can save Windows users, Mac users or Linux users from themselves is education. It's just like raising children: If you shelter them from every evil when they're young, they'll just fall twice as hard for it later in life. There is no foolproof system. Not even the US government can keep their enemies out of their computer systems, how do you think you can do it with arbitrary restrictions on what software can be privileged?

    The reason Linux is so powerful is because it doesn't have a lot of arbitrary restrictions. Apple wants you to run only their approved software on their phones, which is why I no longer have an iPhone. I do not see an iPhone in my future at all, even though I have had two in the past, each the latest greatest biggest baddest model that was available at the time.

    Apple has no right to control what software I want to use. Neither does Canonical. Or any government or whatever. I'm not doing anything even slightly illegal, so there should be no restriction.

    *buntu is popular because it's easy to install, easy to use and pretty secure right out of the box, in that order. For systems I just want to work, that's what I use. Almost every one of them has some sort of non-free software. Generally speaking that non-free software is the reason for me to have the box.

    Back to the arbitrary restrictions and root: You don't need root to look in your home directory for a file with numbers in it that might be credit cards. Or usernames and passwords and websites. Or files containing 'bank' or 'credit union'. You don't have to be root to email that file back to somebody.

  6. #26
    Join Date
    Mar 2009
    Beans
    1,982

    Re: Hypothetical Linux Malware Question.

    Quote Originally Posted by mike_smith2:
    Cheers for the links, interesting stuff. The thread is more discussing (seemingly invincible) malware that convinces you to use your sudo password.

    Yes, and I'm saying that pretty much your only defense is to not automatically type your password unless you know what you're doing. To make sure you know where your software is coming from, and that it's not modified by a black hat before you get it.

    I'm also saying that boiling security down into a small number of simple scenarios is guaranteed to make you ignore most of the vulnerabilities.
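One concrete way to act on "know where your software is coming from, and that it's not modified before you get it" is to check a download's SHA-256 against the value the vendor publishes before you ever type your sudo password for it. The script below is an added example written for this thread, not code posted by anyone in it or shipped by Ubuntu; it assumes `sha256sum` (coreutils) or `shasum` is installed, and the "published" hash it checks against is the well-known digest of an empty file, used here only as constructed demo input.

```shell
#!/bin/sh
# Added example (not from the thread): verify a file you fetched outside the
# repository against a SHA-256 obtained separately (e.g. from the vendor's
# HTTPS page) before running it with elevated privileges.

# Print the SHA-256 of a file; falls back to shasum where sha256sum is absent.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_download FILE EXPECTED_SHA256
# Returns 0 only if FILE exists and its digest equals EXPECTED_SHA256
# (hex compared case-insensitively); returns 1 on a missing file or mismatch.
verify_download() {
    file="$1"
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    if [ ! -f "$file" ]; then
        echo "verify_download: no such file: $file" >&2
        return 1
    fi
    actual=$(sha256_of "$file")
    if [ "$actual" = "$expected" ]; then
        echo "OK: $file matches the published checksum"
        return 0
    fi
    echo "MISMATCH: $file" >&2
    echo "  expected $expected" >&2
    echo "  actual   $actual" >&2
    return 1
}

# Demo on constructed input: an empty file, whose SHA-256 is well known,
# stands in for a downloaded installer and its vendor-published hash.
EMPTY_SHA256=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
sample=$(mktemp)
: > "$sample"
if verify_download "$sample" "$EMPTY_SHA256"; then
    echo "checksum good, it is reasonable to proceed with the install"
fi
# Simulate a file altered in transit: the same check must now refuse it.
printf 'tampered\n' >> "$sample"
verify_download "$sample" "$EMPTY_SHA256" || echo "refusing to run $sample"
rm -f "$sample"
```

Two caveats for practice: a checksum only proves integrity against the hash you compared with, so a hash copied from the same page as the download protects against corruption but not against a compromised download site; a hash or signature obtained through a second channel (or a GPG signature from a key you already trust) is what closes that gap. Packages installed through apt from the official repositories already get this treatment automatically, since apt verifies the GPG-signed Release file and the per-package hashes it lists; the manual check above is for the software that comes from outside the repository.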

  7. #27
    Join Date
    Sep 2013
    Beans
    1

    Re: Hypothetical Linux Malware Question.

    Quote Originally Posted by 1clue:
    The only thing that can save Windows users, Mac users or Linux users from themselves is education. It's just like raising children: If you shelter them from every evil when they're young, they'll just fall twice as hard for it later in life. There is no foolproof system. Not even the US government can keep their enemies out of their computer systems, how do you think you can do it with arbitrary restrictions on what software can be privileged?

    The reason Linux is so powerful is because it doesn't have a lot of arbitrary restrictions. Apple wants you to run only their approved software on their phones, which is why I no longer have an iPhone. I do not see an iPhone in my future at all, even though I have had two in the past, each the latest greatest biggest baddest model that was available at the time.

    Apple has no right to control what software I want to use. Neither does Canonical. Or any government or whatever. I'm not doing anything even slightly illegal, so there should be no restriction.

    *buntu is popular because it's easy to install, easy to use and pretty secure right out of the box, in that order. For systems I just want to work, that's what I use. Almost every one of them has some sort of non-free software. Generally speaking that non-free software is the reason for me to have the box.

    Back to the arbitrary restrictions and root: You don't need root to look in your home directory for a file with numbers in it that might be credit cards. Or usernames and passwords and websites. Or files containing 'bank' or 'credit union'. You don't have to be root to email that file back to somebody.

    Point taken, I can totally see where you're coming from in terms of using whatever software you desire.

    The success of iPhone and iPad proves that there is a huge market of people that do want and need to be saved from themselves. If hundreds of millions of Windows users did decide to come to Linux, the restrictions I proposed would indeed save them from themselves and make their time on Linux much happier. Hypothetically anyway, to the same extent as it has for iOS anyway.

  8. #28
    Join Date
    Sep 2013
    Beans
    1

    Re: Hypothetical Linux Malware Question.

    Quote Originally Posted by mike_smith2:
    the restrictions I proposed would indeed save them from themselves and make their time on Linux much happier. Hypothetically anyway, to the same extent as it has for iOS anyway.

    That sounded a bit narcissistic, I realise this is all theoretical and would involve a huge amount of work. Far beyond anything I can do.

  9. #29
    Join Date
    Mar 2009
    Beans
    1,982

    Re: Hypothetical Linux Malware Question.

    I really hate to disagree with EVERYTHING you say, but IMO the iPhone and iPad are hugely popular because they're stylish and easy to use, not because people need to be saved from themselves. They're extremely polished, extremely consistent and extremely intuitive. Apple's gestures and overall human interface are unbeatably better than Android. Apple is one of America's most successful companies, they have more free cash than the US government and their products are perceived to be visual art. People either love them or hate them.

    If it were not for one thing, I would probably still be an iPhone user and so would my wife. They try to limit my use of the phone to only software they approve. Game over. No rematch.

    I've now gone through 2 Android phones, looking for the third. And of course that's twice, because my wife gets the new phones too. Software availability is much better, the feature count is higher and nerd factor is better too.

  10. #30
    Join Date
    Sep 2013
    Beans
    1

    Re: Hypothetical Linux Malware Question.

    Quote Originally Posted by 1clue:
    Back to the arbitrary restrictions and root: You don't need root to look in your home directory for a file with numbers in it that might be credit cards. Or usernames and passwords and websites. Or files containing 'bank' or 'credit union'. You don't have to be root to email that file back to somebody.

    True, it would just mean that it can't damage system/application files. That's a big start though. I guess the next step would mean to not let any executables that haven't been signed and confirmed to be from the repository run at all. You can do it using software restriction/group policy rules using Windows Server. Is there a similar app for Linux? Are Ubuntu repository files "signed" in any way?
