Linux Users: Welcome to the World of Malware

by Preston Gralla

Linux users are often smug about the state of their computer security, rightly criticizing Windows for its numerous security holes, but overlooking their own vulnerabilities.



Now it's their turn to suffer.



Over the last several days, Linux users have been targeted by a phony email purporting to come from the Red Hat Security Team. It warns that a vulnerability in fileutils-1.0.6 could "allow a remote attacker to execute arbitrary code with root privileges" and directs recipients to download a "patch" that supposedly fixes the problem.



The "patch", of course, is the attack: it contains malicious code that compromises the system it is built and run on, with whatever privileges the user who runs it holds.



Linux users: Welcome to my world.



This kind of thing is old hat to PC users. Just this morning, for example, I received four phony emails purporting to be from eBay and PayPal, but which were really phishing attempts.



Linux users are going to have to get used to this kind of thing. They'll have to learn to be suspicious of any email they receive, and to keep their systems patched - using only legitimate updates, which means packages that arrive through the distribution's own signed update channel, not through a link in a message.



In a way, this attack may be a backhanded compliment to those who use Linux. They should figure that if malware writers have finally taken notice of them, it means they've finally arrived.


What do you think about Linux (and Windows) security? Let me know.


31 Comments

greenfly
2004-10-27 13:26:03
Old hat to Linux users too
Of course, many Linux users are Windows expatriates, or still use Windows in some capacity, so they are already accustomed to seeing malware sent via email.


I would say one thing on the average Linux user's side is the number of hoops this kind of malware would have to jump through to be installed. First they have to untar the package, possibly build it or run a script, and unless they are foolish enough to run the script as root, they will still only see damage within /home.


This proves that proper security procedures (such as "Don't run random programs that are emailed to you as root") have their place in any OS.

spaceman
2004-10-27 14:31:35
This is going to sound -really- smug, but...
I spotted this one right away. I don't recall what exactly it was about it, oh yeah the crap URL, but I didn't get close to this.


Alas, Windows made me a better malware sniffer.

bairdcarr1
2004-10-27 15:16:03
Not Quite
I'm sorry, but attacks like this are just not going to work very well. Most Linux users are not going to be installing software like this at all. I feel like I am already spoiled by the ease with which I can install software or updates. So if I am the average Linux user, I wait for my distro to release updates, and with one click or one command all software updates or security releases are downloaded and installed automatically. This is the future of Linux, and the one reason why no other OS can compete. There is just more available for Linux, and it's easier to install. Your thinking just has to change from what you could purchase or pirate under Windows to what you can apt-get under Linux.



Now... The vulnerability inherent in this whole thing is the update sites and mirrors. With any apt or urpmi system you can add your own sources, without any verification that the files on the source have not been tampered with. At least none that the average user is going to bother with.





This is also part of the reason why there will NEVER be the security problems under Linux that there ARE under Windows. There are almost 400 distros of Linux, each doing things either slightly different or drastically different. There are hundreds and thousands of mirror sites for downloads of software or distros. I have 3 different Linux distros running at home. The systems that DO have the same distros are not the same, even if they have the same software installed. The versions are different among other things.





Microsoft is a huge, single, nearly stationary target. Linux will be a huge, fast-moving herd, with thousands of targets in all shapes and sizes. One shot will not take down the whole herd. It will barely register in the whole scheme of things.

jwenting
2004-10-28 01:47:18
Not Quite
Completely bogus arguments as usual from the linux priests :)


The 400 (I think it's closer to 4000, but say 400 major ones (right...)) distributions is in fact a major weakness as they divide the codebase and make fixing holes (and there are aplenty) almost impossible.
You'd have to fix the hole in 400 separate copies of the codebase, something version control was designed to prevent the need for but which linux groups seem to have abandoned...


And while you might be relatively safe from this type of malware attack (I don't think you are, most of you think you're so safe that you implicitly trust anything coming from someone claiming to be an authority...) you're still wide open to phishing scams which you by proxy claim to be invulnerable to.


As to waiting for updates to be released, this email claimed to be an update from Redhat and therefore exactly the stuff you claim to be waiting for :)
Most Windows users will not trust such messages, instead relying on Windows Update (a mechanism still unheard of for many linux distros).

dscotson
2004-10-28 02:28:31
Linux and Phishing
Why would Linux (or Mac etc.) users be immune to Phishing emails asking for bank details or account passwords? It just doesn't make sense.


Linux users also get bombarded with virus emails and have their email addresses stolen from other people's Outlook address books and faked, so we get bounces telling us we have a virus. We don't actually get viruses, but still, when your network is clogged with thousands of such virus emails you still can't work on the internet in peace.


Not to mention the time spent cleaning up family members' machines.


Don't think that just by moving to a sane platform you can totally escape having your day ruined by Microsoft's mistakes every once in a while.

DaveCross
2004-10-28 03:07:04
Missing the Point
Point 1: Linux users are "PC users". It really annoys me when Windows users fail to realise that.


Point 2: Linux users have been getting phishing attacks for just as long as anyone else on the internet. The difference is that we're generally clued up enough to ignore them.


Point 3: I didn't see the email but I assume it was HTML email that contained a link to download the "fix". That link would not have been to the Red Hat web site which would have aroused my suspicion and I would have investigated further before clicking it.


Linux users don't claim to have some inherent immunity to phishing attacks like this, but generally they do come from a culture where you are far less likely to click on random links in email or install random pieces of software.

Anonymous_Coward
2004-10-28 07:37:36
Argument from ignorance is frustrating
A battle of wits and my opponent is unarmed. Oh, well.


There are not 400[0] copies of the codebase, there is typically one, sometimes 2, rarely 3. That's not how it works. Perhaps your distro has a small collection of favourite patches for large items like the kernel or OpenOffice, perhaps not, but it's all built from and folded into one set of sources.


We do not claim to be invulnerable to phishing scams. We just claim that installing the kinds of malware which plague MS-Windows is orders of magnitude harder. As in this case. You'd have to have the root password to install the malware, and we generally don't give the users that because unlike MS-Windows we don't need to run, for example, accounting programs as Administrator.


Anyone with the root password is going to know that their updates arrive on the canonical file server and are automatically picked up and installed by their package manager (apt, URPMI, yum, yast, pkg, whatever) provided that the crypto keys match.


How much else don't you know?

bairdcarr1
2004-10-28 07:50:21
Not Quite, jwenting
Perhaps you haven't used Linux in a while...


Windows Update is a very pale comparison to the "mechanism" built into many (most/all) linux distros. Apt, urpmi, up2date ring a bell? Not only for updates, but for upgrading your entire OS and all the software over the internet (at least with Apt, which comes with debian based systems, and is installable on rpm based systems). Very impressive, and very cool. There is just no comparison with Windows. Forget all your commercial and pirated CDs, Linux/Open Source is just plain easier.

Microsoft only occasionally provides updates to its own software. Windows Update is vital, and at one time I thought it was even cool. But it is only good for MS products, and with the possible exception of SP2, has utterly failed to provide any solution to the desperate onslaught of attacks on their products.


SP2 is a step in the right direction for home users, but I imagine the benefits to many companies like mine are negligible due to the fact that we have to turn off some of the new features in order to continue using several pieces of software unique to us. All is FAR from perfect in the Windows world, as if it weren't obvious to everyone.


OSX even has a better update "mechanism" than Windows Update. And OSX is stable, has superior security, and is very easy to use. Being a Linux user, it is still very limiting for me, but at least I enjoy the sound it makes when you turn the computer on.


I realize I am a Linux zealot, but who is more trustworthy in promoting a product, someone who has a financial stake in the product, or someone who loves it? That love has been earned. There was no one talking to me about Linux when I first started using it. I was on my own. It proved itself by just working, not with cool sounds, pretty pictures, or promotional videos.


I have been a Windows/Amiga/Mac/Unix/Linux admin for 11 years at the same company. The vast majority of machines run Windows. It was my experiences with Windows that led/drove me to Linux, and I am continually in awe of the power and resources available to me with this one OS.


I am constantly running to keep up with problems on our Windows workstations. I have only touched our Linux workstations (constantly used, multiple users) once in 2 years, and then only to start a network upgrade of the system. Simply amazing. The same is true with our various Unix/Linux servers. They just continue to work, I almost forget they are there. A few haven't been rebooted in a couple of years or more.


That is in stark contrast to any Windows workstation/server at work, at home, at a friend's home, or at another client's office. Wherever you go, the story is the same. People write articles about "The Linux Hype", but ignore "The Windows Hype". The Windows hype is that Microsoft makes a usable OS that is easy to use, requires less administration, has a lower TCO.


Let me clear that up for you. If my network were all Linux, I could be the only Admin at my company, sitting at home in my boxers, eating cheetos, connected in via secure shell, working on systems without the users having to leave their chairs or know I am there. Such a peaceful network that would be... sigh...


Sure, we would save a lot of money and not require the constant workstation upgrades to keep up with the Windows world, etc, etc...


But then again, most admins like me are just leeches living off all the problems people have with Windows. I wouldn't enjoy all the extra work, job security, etc if we lived in a Linux world. So you see, I am dependent upon Windows sucking.


--- end of rant

einheit
2004-10-28 21:16:47
Missing the Point
Point 1: Linux users are "PC users". It really annoys me when Windows users fail to realise that.


Not really, Linux is not a traditional "PC operating system", but is rather a member of the unix family of operating systems. The OS environment and the culture of linux and windows differ violently. Linux has much more in common with Solaris than it does with ms windows.

jwenting
2004-10-28 23:01:36
Not Quite, jwenting
I've used Debian earlier this year and apt works nicely indeed.


But as to your "Windows Update is a very pale comparison to the "mechanism" built into many (most/all) linux distros" that's simply not true.
It works at least as well as does apt.


"Microsoft only occasionally provides updates to its own software."
Microsoft releases updates every week, more often if needed.
I'd hardly call that "only occasionally". They just don't issue major press releases when going from version 0.0.3.1.5.2.5.43b3 rc1 to 0.0.3.1.5.2.5.43b3 rc2 like Linux groups are wont to.


"someone who has a financial stake in the product, or someone who loves it?"
Neither. That would be someone who has the capability of looking at that product from a distance without emotional or financial attachment.
Your love for Linux clouds your vision so you don't see the shortcomings of the platform (or as I've seen by many Linux zealots actually call those shortcomings strong points).


" I wouldn't enjoy all the extra work, job security, etc if we lived in a Linux world."
You'd have even more work to do as every cracker in the world would use the availability of the source code to find and exploit the holes.
At the moment you get only a few hardcore ones interested in breaking in to juicy corporate LANs and holding them ransom or stealing information, but in your ideal world you'd have to deal with script kiddies using hacking kits written by others, which is exactly what most attacks on Windows platforms are today (attacks which would almost invariably fail if people weren't listening to anti-Microsoft propaganda and failing to keep their machines up to date because they "don't trust Microsoft").

RichardJC
2004-10-28 23:42:03
Not Quite
``You'd have to fix the hole in 400 separate copies of the codebase, something version control was designed to prevent the need for but which linux groups seem to have abandoned...''


It's somewhat better on Linux. Consider the recent flaw in a JPeg rendering library that hit both Microsoft and Linux systems. Because the Linux shared library system works so well, Linux users just update the one copy of the library on their systems. Tools like aptitude, a nice wrapper around apt, make that easy. Aptitude will even automatically remove the library if it is no longer needed. The end result - the library is fixed once; all applications benefit.


Conversely, on Windows, every application has its own copy or is statically linked to the library. It's a workaround to DLL-Hell. Dot-Net promises a Linux-like fix for it, but is not here enough yet, so Windows users have to get updates for every application on their system that uses the JPeg code.


Windows Update only benefits Microsoft's own applications. Does it even benefit Office, or is it Windows System only? Whatever - it doesn't help that non-Microsoft photo viewer you got with your camera. Did you remember to update all of the programs on your system that use JPegs?


The Linux shared library system was designed as a multi-user system. Unlike Windows which, in the past, was always single user to the core, and even now I think would load a separate copy of each application and all its libraries into memory for every instance running, Linux shares library and even application code between running instances.


That's how applications can be quoted as "10M RAM plus 2M per additional user". The JPeg library need only be on the system in one place, and need only be loaded into RAM once, no matter how many applications or even distinct users are using it.

TWD
2004-10-28 23:55:00
Missing the Point
No, 'PC' refers to a hardware platform; anything that runs on that platform is by definition a 'PC Operating System', regardless of its origins (Vax, or Unix in this case).


So Linux users are just as much PC users as are FreeBSD users, BeOS users and OS2 users

blackhole
2004-10-29 05:55:33
What a yawn
The comments were somewhat interesting but the article was really a yawn. I would be interested to know what the malware actually did (I have seen a partial analysis) and any realistic assessment of how much damage it did (how many fools were there). The author claims to be a "technology expert," but it sounds like he may not have much knowledge beyond things that have been personally "blessed" by Bill Gates.


And I would like to second what others have said about the fact that phishing schemes affect everybody and always have. Using a decent browser may make life a little harder for the phishermen, but the schemes certainly are not OS dependent.

unoengborg
2004-10-29 07:53:06
Missing the Point
As far as I know PC stands for Personal Computer, so whether they are PC users or not would depend on how they use the Intel hardware. After all Linux, FreeBSD, and even late versions of Windows have multi-user capabilities.

unoengborg
2004-10-29 08:10:24
Not Quite
You get it slightly wrong. Bugs are usually fixed in one codebase, the one that the maintainer of the broken program holds. The role of the distributors is quality assurance. They make sure the fix doesn't break anything in their distro. (As it normally shouldn't). So it's more like the bug is fixed in one codebase and tested in 400.


True, Windows Update is unheard of in the Linux world; instead we have apt-get, yum, and some distribution-dependent update mechanisms that work just as well as Windows Update, with the exception that they update all programs, not just the OS.
As a further precaution most Linux distros use digital signatures to ensure the validity of the source of the update.

unoengborg
2004-10-29 08:35:19
Not Quite, jwenting

But as to your "Windows Update is a very pale comparison to the "mechanism" built into many (most/all) linux distros" that's simply not true.
It works at least as well as does apt.


Perhaps it is me that knows too little about Windows, but what I miss in Windows Update is some way to get information about installed files.
So far I haven't been able to find some place in Windows where you can get information on what program a certain file or DLL belongs to, or a description of what it does or what other programs depend on it. I have also failed to find some way to list all files that are installed with a certain piece of software.




emacsuser
2004-10-29 09:17:49
this kind of thing is old hat to nix users
These rootkits have been available in the Unix world for years, and were used to repeatedly test systems permanently connected to the Internet years before the advent of Windows servers. Nothing new here. Just a scare thought up by the AV companies to sell more product.


'A "root kit" is a series of modified programs all centered around the idea of helping you to keep access to a Unix system once you have gained root privileges there. It might patch 'ls' not to show your files and directories. It might patch 'ps' not to show your processes. It might patch 'login' to always allow you in if you enter a special "magic" password. The possibilities are nearly unlimited.' Date: Apr 28 1996


msg: #1/1


"the root kit comes to mind .." Date: May 22 1995


msg: <1995May22.183618.26824@sei.cmu.edu>#1/1

alucinor@mail.com
2004-10-29 11:01:15
Not Quite, jwenting
"It works as least as well as does apt"


Except it only updates products from Microsoft.


-


"I'd hardly call that "only occasionally". They just don't issue major press releases when going from version 0.0.3.1.5.2.5.43b3 rc1 to 0.0.3.1.5.2.5.43b3 rc2 like Linux groups are wont to."


"Major Press Releases" = update noted on their sourceforge homepage.


-


"Your love for Linux clouds your vision so you don't see the shortcomings of the platform (or as I've seen by many Linux zealots actually call those shortcomings strong points)"


He said that he loves it for several reasons. And in this case, "love" is likely a synecdoche for "approves of", "endorses", or "strongly recommends".


-


"You'd have even more work to do as every cracker in the world would use the availability of the source code to find and exploit the holes."


The NSA doesn't seem to think so.


Access to source code actually speeds fixes, not breaks, since the "white hats" in the hacker community greatly outnumber the "black hats" (it's just that the latter get far more publicity).

rcrelia
2004-10-29 15:51:31
I'm sorry, but you're a bit confused

Just because someone sends out a phishing email doesn't mean that an operating system is suddenly more exposed or vulnerable. You can't really believe that, can you? If so, you better stick to writing your cute little "Windows Hacks" books there, my friend. :-)


Most GNU/Linux users are versed enough in security issues to know how to spot phishing attacks. If not (there are more and more new users daily), then at least they have some reassurance by the fact that GNU/Linux, BY DESIGN and OUT OF THE BOX, is a heckuva lot more resistant to compromise than any product ever to come out of Redmond.


I love how all these Windows users and proponents are saying "If Linux were as widespread as Windows, it'd have the same problems". Such attitudes really reflect a lack of understanding of basic operating system design and computer security issues. Time will tell I'm sure. I, for one, am looking forward to the show. Popcorn anyone? ;-)


--rc



riplin
2004-10-29 16:30:13
Not Quite
> 400 major ones (right...)) distributions is in fact a major weakness


No, it is a major strength. For example buffer overflows rely on the overwriting code to be in the exact right place for it to work at all. With Windows all copies of a program are identical, for a particular version.


For Linux the compilation may have different CPU target (386,486,586,etc) and different options and different optimizations which mean that there are 400 different 'right places' to overwrite with a buffer overflow vulnerability, and that does count the variations that may occur if the user has recompiled.


This means that a particular attack that is targeted at, say, RedHat 8, misses the target on Mandrake, SUSE, and all the other hundreds.


The buffer overflow (given one exists) may crash the program, but it most likely won't cause execution of malicious code.


As there is still only one actual source tree the problem may be fixed just once and then each distro, or the user, recompiles. Generally this makes it pointless for the malware writer to even bother trying.


Think of it as shooting a gun randomly in a Zoo. In the Windows Zoo any bullet fired randomly will kill anything it hits. In a Linux Zoo each bullet has to be tailored to a particular animal such that a Lion bullet won't kill a chimpanzee, though it may knock him off the tree.

riplin
2004-10-29 16:37:13
Linux and Phishing
> Why would Linux (or Mac etc.) users be immune to Phishing emails


They aren't immune to the EMails, but Windows has a flaw in that the real URL in a link may be hidden so that it appears to be going to one site but in fact goes to another.


Browsers on Linux don't hide this fake link and so the user is less likely to believe that it is a real request.


For example using Outlook and IE a phishing EMail may appear to go to:


http://www.mybank.com


when in fact the link is:


http://www.mybank.com!@www.stealme.ru/phoney


and it goes to stealme.ru while showing mybank.com as the address in IE. The '!' indicates where a special character exists which stops IE and OE showing the actual address.


Linux shows the whole URL and makes it obvious that the link is fake.
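
The user-info trick in the comment above, worked through in code. This is an added example, not code from the article or from the commenter: Python's urlsplit applies the rule the comment describes, so in "scheme://A@B/path" the part A before the last "@" is user-info and B is the host, and "www.mybank.com!@www.stealme.ru" really connects to stealme.ru. The '!' in the comment stands for some special byte; the widely reported variant used a percent-encoded control character (%01), which is assumed here. The function also checks the case the comment's mail relies on, where the visible link text names one host and the href another.

```python
"""Reveal the host a browser actually contacts for a deceptive link.

Added example; not code from the article or the comment it follows.
"""
from urllib.parse import urlsplit, unquote


def _split(url):
    # Plain link text such as "www.mybank.com" has no scheme; give it one so
    # urlsplit treats it as an authority rather than a relative path.
    if "://" not in url:
        url = "http://" + url
    return urlsplit(url)


def analyze_link(href, shown_text=None):
    """Return the real host, any decoy user-info, and why the link is suspect."""
    parts = _split(href)
    host = (parts.hostname or "").lower()
    # urlsplit leaves user-info percent-encoded; unquote it to see raw bytes.
    decoy = unquote(parts.username) if parts.username is not None else None
    reasons = []

    if decoy is not None:
        # Legitimate user-info is a bare account name ("anonymous"); a dotted
        # name before the '@' is there to be mistaken for the destination.
        if "." in decoy:
            reasons.append("user-info %r looks like a hostname" % decoy)
        # Control characters (the assumed %01 variant) have no business in a URL.
        if any(ord(c) < 0x20 or ord(c) == 0x7F for c in decoy):
            reasons.append("user-info contains control characters")

    if shown_text:
        shown_host = (_split(shown_text).hostname or "").lower()
        if shown_host and shown_host != host:
            reasons.append("link text shows %s but target is %s" % (shown_host, host))

    return {"host": host, "decoy": decoy, "suspicious": bool(reasons), "reasons": reasons}


if __name__ == "__main__":
    for href in ("http://www.mybank.com!@www.stealme.ru/phoney",
                 "http://www.mybank.com%01@www.stealme.ru/phoney",
                 "https://www.mybank.com/login"):
        print(href, "->", analyze_link(href, shown_text="http://www.mybank.com"))
```

The decoy string is reported rather than just flagged because, as the comment notes, the whole point of the attack is that the user-info is what the victim reads as the address; a mail client or proxy filter that renders the real host next to the link removes the trick entirely.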

bairdcarr1
2004-10-29 21:05:53
Not Quite, jwenting, Continued...
Sorry, man, you missed the point again. Windows Update only updates Windows and few other things. Apt (and a few others like it) updates the OS and everything else you have installed. My "Pale by Comparison" remark is more than accurate, as there is nothing even possible of being comparable in the Windows world. Not a criticism, just a point of fact.


Perhaps my loving Linux comment wasn't quite accurate, however. I am in awe of it. Not meritless, blind adoration as you suppose. I am utterly amazed by the resources that come in even your most basic distro. It's amazing how many Windows applications can be replaced by simple shell scripts.


If you count machines and time spent working on a particular OS, I am primarily a Windows admin. My disgust with Windows is rooted in fact. Documented by the hour, machine, and problem.


I'm glad you tried Debian. Not the most polished distro, but for some reason my personal favorite. Maybe you should try Suse or Mandrake until you get your feet wet. Any Windows admin would feel comfortable with them, they have pretty good gui admin features from what I have seen.


Anyway, keep at it, you will eventually see what everyone likes about Linux.

b0xii
2004-10-30 07:20:47
hmmm....
"Preston Gralla is a well-known technology expert".


Wow.

Dan_Bercell
2004-10-31 16:55:27
I'm sorry, but you're a bit confused
"If not (there are more and more new users daily), then at least they have some reassurance by the fact that GNU/Linux, BY DESIGN and OUT OF THE BOX, is a heckuva lot more resistant to compromise than any product ever to come out of Redmond"


I think it's safe to say that you have never worked in a Linux/Windows mixed environment.
Redmond recognizes that NO SOFTWARE can be bug free (yes, do some research and see all the bugs in GNU software), and they have been and are currently trying to make patching easier.


I have recently had to restructure a mixed network of Linux and Windows systems, I am now converted and understand why Windows is winning the battle.

simon_hibbs
2004-11-01 08:08:29
Malware pretty much orriginated on unix systems
Preston does refer to the fact that Linux is pretty resistant to attacks, but it's instructive to note why this is so.


It's because Unix grew up in academic environments, where hacking by highly educated and motivated students with too much time on their hands is par for the course. Unix security was forged in the midst of the most hostile user environments on earth - college campus networks. The very first worms and viruses were essentially unix software.


By comparison, the environment in which MS Windows grew up - the ordered world of the company office, often without a network - was a cosy and relatively safe environment. It's only when the internet connected Windows PCs on cosy corporate and home networks to the wider world that they became vulnerable. I remember reading about unix viruses long before I encountered my first MS-DOS virus on a PC.


Unix and unix-like systems have much better in-built security because it's in their genetic heritage, and it got there through a ruthlessly Darwinian process.



Simon Hibbs

Jimmy_King
2004-11-01 11:12:56
This article is stupid
Perhaps if it had gone into detail about the nature of the "attack", it would have been interesting, but as it stands, big deal. Linux users get phishing scams on a daily basis, too. The people that send those don't research what OS you use and only send them to Windows users. As others have said, it's just that the majority of Linux users know how to recognize that stuff and so aren't fooled by it.


This "new" thing is no different, as far as I can tell from the little bit of detail here. Someone sends an e-mail with a link to a file claiming to be from Redhat, hoping people are stupid enough to download and run it. So? It's a file to run as opposed to a website to enter your credit card information, who cares? The concept is the same and nothing new.


Let me know when they start distributing something that could run without me having to download something without looking at a URL, especially if it manages to do some damage without me logging in as root and then running it. Now don't get me wrong, I'm not saying it's impossible... the likelihood of executing automatically is not high, but if it happens, it could execute some sort of buffer overflow against something that runs as root, so it's possible, it's just unlikely unless someone makes a linux web browser which will allow a script on a website to download a file without my knowing, chmod it to be executable, and then run it. At that point, it's still making the assumption that I have that program running, which I may or may not, and even if I do, my specific distro may or may not be susceptible to it.

RickMoen
2004-11-03 13:13:52
Acute disappointment
I'm woefully disappointed by this article, having come here in expectation that it would meet O'Reilly's generally high standards and allow me to learn something new on the subject. Instead, I find a piece that I can only hope reflects profound and embarrassing ignorance.



  • The e-mail purported to be from Red Hat's Security Team, yet it wasn't GPG-signed. All such alerts are GPG-signed.
  • It purported to be a company security alert, but wasn't on the alerts mailing list. All RH alerts go to that list.
  • It purported to direct users to the Stanford University Red Hat mirror -- yet the cited directory wasn't that mirror, but rather (very obviously) the shell account tree of some individual. (It turned out to be, predictably, a compromised account; after I alerted Stanford Security to the problem they immediately removed the file, hours after this scam was launched.) All RH security packages are issued from the company's official updates directories.
  • Leaving aside the obvious dodginess of expecting people to believe that Red Hat would issue security updates from unrelated university servers, let alone some individual's shell account on that server.
  • The file pointed to wasn't GPG-signed, either. All RH security packages are GPG-signed.
  • The file pointed to wasn't an RPM. (It was a tarball of a shell-script trojan, rendered into C-code format using Francisco Rosales's Generic Script Compiler in an effort to obscure its purpose.) All RH security packages are issued as RPMs.


In order for some gullible Linux user to be fooled by this, he would not only have had to ignore all of those extremely blatant warning signs, but also have retrieved the tarball, unpacked it, figured out (from the Makefile, without a README) that he had to do "make inst" (because the miscreant botched the Makefile, omitting any default "make" target), then become the root user, and last type "./inst" to "apply the patch" [sic].


So, you're assuming a Linux user who's simultaneously sophisticated enough to download badly bungled source-code tarballs and compile them, and also mind-bogglingly stupid enough to run flagrantly untrustworthy code from an unverified source with root-user authority. This probably describes the empty set.


We of the Linux community are well aware that epic levels of stupidity do occur, and are prepared to help such users by saying "Wow, that's a really big hole you just shot in your foot. Would you like to learn how to aim elsewhere, next time? We're glad to teach you."


Meanwhile, an alleged security expert claiming this is something new and shows that Linux users must newly "be suspicious of any e-mail they receive" is either extremely ignorant or is shading the truth. I'll be polite and assume ignorance.


Mr. Gralla, not a single one of the 123 MUAs available for Linux can escalate to root authority by itself. Not a single one unpacks and builds dodgy malware from source by itself, su's to root, and runs it with root authority. To the best of my ability to tell, not one of the 123 even saves received files with the executable bit set. If any ever did -- even the last of those -- the community would have at the author with the Clue-by-Four of Enlightenment until he fixed it or the entire world knew that the software was as reckless as, well, Outlook Express or Internet Explorer, and thus to be eschewed by all.


O'Reilly can surely do better than this.


Best Regards,
Rick Moen
rick@linuxmafia.com
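
The comment above describes what a victim would have had to do with the tarball: unpack it, read the Makefile, run "make inst" as root. The step that is missing from that sequence is looking at what the archive would execute before building anything. The following is an added example, not the trojan itself and not code from the commenter: it constructs an archive in memory that is shaped like the one described (a Makefile whose only target is "inst", an "inst" shell script, and a binary it installs; the contents are placeholders, not the real payload) and reports what a build would run and where it would write.

```python
"""Look inside an unsolicited source tarball before building anything from it.

Added example; the sample archive is constructed here and stands in for the
shape described in the comment above, not for the actual file.
"""
import io
import re
import tarfile

# Things a "patch" for a user-space utility has no business doing.
SUSPICIOUS_CMDS = re.compile(r"\b(su|sudo|chmod|chown|crontab|useradd|insmod|modprobe)\b")
PRIVILEGED_PATHS = re.compile(r"(/etc/|/usr/s?bin/|/sbin/|/root/|/lib/modules/)")
# Approximate Makefile target lines ("name:"), skipping ":=" assignments.
TARGET_RE = re.compile(r"^([A-Za-z_][\w.\-]*)\s*:(?!=)", re.M)


def build_sample_tarball() -> bytes:
    """Constructed stand-in for the kind of archive described; not the real file."""
    files = {
        "fileutils-patch/Makefile": "inst:\n\t./inst\n",
        "fileutils-patch/inst": "#!/bin/sh\n# placeholder payload\ncp ./ls /usr/bin/ls\nchmod 4755 /usr/bin/ls\n",
        "fileutils-patch/ls": "\x7fELF placeholder, not a real binary\n",
    }
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for name, text in files.items():
            data = text.encode()
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mode = 0o755 if name.endswith(("/inst", "/ls")) else 0o644
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def inspect_tarball(data: bytes) -> dict:
    """List members and flag what would run with whatever privilege 'make' has."""
    findings = []
    contents = {}
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tf:
        members = tf.getmembers()
        for m in members:
            # Absolute or '..' paths let a plain 'tar xf' write outside the tree.
            if m.name.startswith("/") or ".." in m.name.split("/"):
                findings.append(f"{m.name}: path escapes the extraction directory")
            if m.issym() or m.islnk():
                findings.append(f"{m.name}: link to {m.linkname}")
            if m.isfile():
                if m.mode & 0o111:
                    findings.append(f"{m.name}: executable bit set")
                contents[m.name] = tf.extractfile(m).read().decode("utf-8", "replace")

    for name, text in contents.items():
        if name.rsplit("/", 1)[-1] in ("Makefile", "makefile", "GNUmakefile"):
            targets = TARGET_RE.findall(text)
            if targets:
                findings.append(f"{name}: targets {targets}; a bare 'make' runs {targets[0]!r}")
            else:
                findings.append(f"{name}: no targets found")
        # Shell scripts: show every line that touches privileged commands or paths.
        if text.startswith("#!") or name.endswith(".sh"):
            for lineno, line in enumerate(text.splitlines(), 1):
                if SUSPICIOUS_CMDS.search(line) or PRIVILEGED_PATHS.search(line):
                    findings.append(f"{name}:{lineno}: {line.strip()}")

    return {"members": [m.name for m in members], "findings": findings}


if __name__ == "__main__":
    report = inspect_tarball(build_sample_tarball())
    print("members:", *report["members"], sep="\n  ")
    print("findings:", *report["findings"], sep="\n  ")
```

A script that has been turned into a binary, as the comment says this one was, will not trip the shebang check; there the signal is simpler, namely that a "security patch" ships an opaque executable at all instead of a signed package from the vendor's own updates directory.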

RickMoen
2004-11-03 14:26:14
Multiple trojan variants, but same story
This is just a follow-up in case people were wondering what I was talking about, in referring to the trojan being distributed from a shell account at Stanford U.: I was speaking of the instance of this code I came across, a bit over a week ago, discussed on a user group thread (note followup discussion). After itemising some of the obvious tip-offs, I advised the Stanford security office, and got the file removed and the patsy user informed of his account's compromise.


Researching news stories on this matter since my earlier posting here, I learned that another instance of the same idiot-bait trojan had been briefly offered from phony domain "fedora-redhat.com".


Additional tips that I failed to mention, last time:



  • The "alert" e-mail was in very brain-dead Microsoft-tinged HTML. Real RH security alerts are in GPG-signed ASCII.
  • The e-mail was also in very badly botched English. None of the real ones are.
  • The e-mail referred to the company as "RedHat". All of the real alerts correctly refer to it as Red Hat (Inc.).
  • The bogus distribution site referred to was claimed to be a "Fedora mirror site", but wasn't on the Fedora mirror list.


So, to reiterate, we of the Linux community would be at least a tiny bit sympathetic to new users who killed their systems on account of a clever forgery -- even though the sympathy would be tinged with pity that we would try to conceal, over the ineptitude entailed in short-circuiting all the measures in place to protect even the hapless -- but neither variant of this trojan was even clever.


Hey, even a TiVo (which is likewise a Linux computer, in case our feckless columnist doesn't realise that) can be shot in the foot by any sufficiently inept owner: Break into its root account and install some rootkit, and it's in trouble. But that would be willfully stupid on an epic scale -- same as with the discussed trojan.


Best Regards,
Rick Moen
rick@linuxmafia.com
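The tip-offs itemised in the two posts above lend themselves to mechanical triage. The following is an added example in Python, not Rick's code and not anything from Red Hat: it flags an HTML body, the absence of an inline PGP block, the "RedHat" spelling, and any download host that is not on a mirror list. The two messages and the mirror list are constructed for the example (the forged one is shaped like the alert described, the other has the shape of a genuine plain-text alert); the botched-English tip-off has no mechanical test. Note that the presence of a PGP block is only the shape of a signed alert, and that real verification means running gpg --verify against the vendor's published key.

```python
import email
import re
from urllib.parse import urlparse

# Constructed stand-in for the real Fedora mirror list (assumption).
KNOWN_MIRRORS = {"download.fedora.redhat.com", "mirrors.kernel.org"}

# Constructed message shaped like the forgery described in the thread.
PHONY_ALERT = """\
From: RedHat Security Team <security@fedora-redhat.com>
To: user@example.org
Subject: RedHat: vulnerability in fileutils-1.0.6
Content-Type: text/html; charset=windows-1252

<html><body><p>A vulnerability in fileutils-1.0.6 allow a remote attacker to
execute arbitrary code with root privileges.</p>
<p>Download the patch from our Fedora mirror site:
<a href="http://fedora-redhat.com/fileutils-1.0.6.patch.tar.gz">here</a></p>
</body></html>
"""

# Constructed message with the shape of a genuine alert (signature bytes omitted).
SIGNED_PLAIN_ALERT = """\
From: Red Hat Security Team <secalert@redhat.com>
To: user@example.org
Subject: Updated fileutils packages
Content-Type: text/plain; charset=us-ascii

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Updated packages are available from
http://download.fedora.redhat.com/pub/fedora/linux/core/updates/
-----BEGIN PGP SIGNATURE-----
(signature bytes omitted from this constructed sample)
-----END PGP SIGNATURE-----
"""

_URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def host_on_mirror_list(host: str, mirrors=KNOWN_MIRRORS) -> bool:
    # Exact host or a subdomain of a listed mirror. A substring test such as
    # 'redhat.com' in host would wave "fedora-redhat.com" straight through.
    host = host.lower().rstrip(".")
    return any(host == m or host.endswith("." + m) for m in mirrors)


def advisory_tipoffs(raw: str) -> list:
    """Return the list of tip-offs found in a raw RFC 2822 message; [] if none."""
    msg = email.message_from_string(raw)
    tipoffs = []
    saw_signature = False
    for part in msg.walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        if ctype == "application/pgp-signature":   # detached PGP/MIME signature
            saw_signature = True
            continue
        payload = part.get_payload(decode=True) or b""
        text = payload.decode(part.get_content_charset() or "utf-8", "replace")
        if ctype == "text/html":
            tipoffs.append("body is HTML; real alerts are plain ASCII text")
        if "-----BEGIN PGP SIGNED MESSAGE-----" in text:   # inline clearsign
            saw_signature = True
    # Presence of the block is only the shape; verify it with gpg --verify.
    if not saw_signature:
        tipoffs.append("no GPG signature block; real alerts are GPG-signed")
    if re.search(r"\bRedHat\b", raw):
        tipoffs.append("refers to the vendor as 'RedHat'; real alerts say Red Hat")
    for url in _URL_RE.findall(raw):
        host = urlparse(url).hostname or ""
        if not host_on_mirror_list(host):
            tipoffs.append(f"download host {host} is not on the mirror list")
    return tipoffs


if __name__ == "__main__":
    for name, sample in (("phony", PHONY_ALERT), ("signed/plain", SIGNED_PLAIN_ALERT)):
        print(name, "->", advisory_tipoffs(sample) or "no tip-offs")
```

The mirror-list check is the one most worth keeping: the forged domain in the thread was chosen precisely so that a glance (or a careless substring match) would accept it, and only an exact-host or proper-subdomain comparison against the published list rejects it.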

sgk284@gmail.com
2004-11-28 14:27:34
I'm sorry, but you're a bit confused
Err, Windows is winning the battle? Linux has had ExecShield for years, it also now has SELinux (developed by the NSA). All major Linux distributions enforce at least one user who isn't root as the default login because you only need to be root for very few things.
All major distributions (in particular Red Hat/Fedora) have programs that automatically will update every piece of software on your computer. In Windows, this is unheard of. It'd be like saying that if Macromedia Flash Player had a vulnerability then Windows Update would download the fix for it and apply it. Also, software installation is far easier under Linux and you have over 10,000 applications ready to be installed with one command, i.e. yum install webmin. It automatically does everything else for you to install it.
In addition to this, there are no enforced upgrades, like saying if you don't upgrade to Service Pack 2 then you won't get upgrades for your web browser anymore. This leaves the millions of Windows 2000 users in the dark with a very insecure web browser. Which leads me to another point: Linux is modular and because of this anything can be added or taken out. Windows has its web browser integrated with its kernel. That is the worst operating system design issue ever. It's ridiculous that an application for viewing web pages is integrated with the OS and you can't do anything about it.
Linux (and Unix in general) was designed with multiple users, hostile environments, and access to large networks in mind. Windows on the other hand was designed from the complete opposite end of the spectrum. The two architectures are completely different; I've built simple operating systems before and just from my limited understanding of OS design and architecture, Linux is clearly superior. Building on that, when something is found to be broken in the Linux world, it is patched immediately and usually fixes are sent out within two days. However, I can still infect Windows users with IE vulnerabilities from June. Not to mention that Linux has had a default firewall that is loaded at boot since the early 90's and Unix has had one even longer. This firewall is the same one that most ISPs and network equipment use; it's industrial strength. Windows on the other hand has a very crappy firewall, and only recently was it activated at boot rather than after most services already loaded.
Anyone who would still use Windows that is in a position to use Linux has got to be nuts. Yes, Linux's learning curve is slightly higher, but it's mainly because of the many possibilities and capabilities offered to you that are just non-existent in Windows. Yes, you'll use the command line and most people complain about that, but the command line is your friend; it's just pixels. I can think of 10 things right now that are nearly impossible to do with a GUI that you can do in a few characters with a command line. Also, judging by Microsoft's and Red Hat's numbers, it is clear that Linux is winning, and for obvious reasons.
Regards,
Steve
JustthefactsPlease
2005-01-21 12:13:20
Remember
Remember that statistically Red Hat has hundreds more security holes than does Microsoft software. There are some very good research articles out there on this, and most show that everyone has more bugs than Microsoft, but have problems getting their fixes out the door, and it takes them longer to fix their holes. To me this says MS still has the best security. Get some research from independent research firms like Gartner and others and you will see quite a big difference between opinion and fact.
RickMoen
2005-02-17 13:24:50
Remember
JustthefactsPlease wrote:


Remember that statistically Red Hat has hundreds more security holes than does Microsoft software


(I note in passing, without objection, that you changed the subject.)


"Software" is defined as several thousand bundled productivity suites, network daemons, and other applications in the typical Linux distribution being discussed, versus roughly nothing bundled with the Microsoft OS.


"Hole" is typically defined as anything that has been the subject of any sort of security advisory on the Linux side, whether it is remotely exploitable, locally exploitable, potentially exploitable only in highly unlikely configurations, probably will never be exploitable in any way but we might as well fix it, simply a DoS with potential impact ranging from feeble to strong (but not an actual vulnerability in any event), or a cross-site scripting opening (which likewise isn't any sort of site vulnerability). On the Microsoft side, it typically is defined to mean something Microsoft Corp. admits to -- which excludes some pretty severe problems -- which more often than not is already exploitable when the MS announcement comes out, rather than being fixed in anticipation problem as is typical on *ix.


As long as such "studies" do nothing more intelligent than count announcements, with no attempt to seriously gauge seriousness or exploitability, or to put the matter in context of a cornucopia of thousands of codebases on one side and almost nothing on the other, nobody with a grain of common sense will take them seriously.


there are some very good research articles out there on this


As suggested above, there are some laughably bad "research" articles on this. Gartner Group, Forrester Research? Notorious paid shills, and inept, to boot.


Get some research from independent research firms like Gartner and others....


Gartner became independent? When did that happen? Up until now, they've always been flacks producing "white papers" to flog to gullible members of the public the interests of whoever cuts them a sponsorship check. Did they suddenly transform themselves into something else, when I wasn't looking?


Rick Moen

rick@linuxmafia.com