[smolloy]

Linux is just as vulnerable to the Bonzi Buddy problem as any other operating system.

Website: "Hey! Download this cool little toolbar/video/application/virus scanner! It's really neat -- you'll love it!"
Idiot: "Sure. Looks legit."
Website: "Cool! OK, now I need your admin/root password to install."
Idiot: "Here you go."

And, hey presto, the idiot is now a spam/porn server & part of a botnet.

Only education can protect against that attack.

[ozar]

Quote:

What would it REALLY be like if more people used Linux?

It might be good that Linux remains in the user minority.

If the majority of computer users ran Linux, you'd see a huge amount of effort by companies trying to find ways to make money off of it. I'm sure we'd lose a great deal of the "free and freedom" concept now being enjoyed by most Linux users.

[bigtomrodney]

Quote:

Originally Posted by smolloy

Linux is just as vulnerable to the Bonzi Buddy problem as any other operating system...Only education can protect against that attack.

I agree with this alright. This is a social engineering attack and any operating system can be vulnerable to this as long as the end user can grant access to the system. I just don't think you'll see free spreading worms like we have in the past with Windows...if the day ever comes that we see big malware problems on Linux it will require the user to be the one pushing the button that causes the problems.

[Santa's little helper]

Quote:

Originally Posted by SagaciousKJB

The biggest problem is that there are not a lot of malicious attacks geared toward Linux. I think that there are a lot of possible exploits, but given the type that generally use Linux and the earnest attempts of developers, these possible exploits typically don't make much headway. However, the first time someone hacks into a Ubuntu repository, replaces a Linux kernel with their own custom write, and then changes the checksum, who knows how many people could be effected by that.

Don't the checksums reside in a different server than the packages ? At least this is the case when I download stuff "manually" from Ubuntu -- Ubuntu Packages Search , I don't know how it works for automatic downloading using apt-get.

[Santa's little helper]

Quote:

Originally Posted by SagaciousKJB

Changing the ownership to root is a little meddlesome if you don't add write permissions for the group. A lot of programs like FireFox won't function correctly otherwise, so it does get kind of bothersome after a while actually. Although, a simple fix would be to just fix the permissions to .firefox in your home directory, or only applying these permissions to special files. I do it to my whole home directory and just run trusted programs with root.

Another solution is to create an "unsafe" user account and become that user before running any untrusted programmes. Obviously you won't store anything valuable under the untrusted user's home directory and the untrusted user won't have reading or writing access to any of the other home directories.

But for all this to work you must have access to the root password on the computer so that you can create the appropriate account(s). In a multi-user system where most people won't have the root password , I don't see any obvious answer.

It would be nice if Linux offered more levels of access rather than just user , group and others. Imagine for example that it offered 4 levels , user-weak , user-strong , group and others. Then all binaries could be made to run at the user-weak level as a default but any user would have the option to make an executable run as user-strong. Then you would have some directories under your home directory with user-weak reading and writing permissions so that a typical executable could use those but you would put all valuable or sensitive data under directories with user-strong permissions so an executable would not have access to those unless you trust it and you explicitly run it with user-strong privileges.

As far as I can see this would work but would need a lot of work with the kernel and a lot of the standard utilities would need to be enhanced too. If more levels of permissions were added then even better.

[techieMoe]

Quote:

Originally Posted by SagaciousKJB

Well, the problem I forsee with GNU and Linux being open source is that, as more and more malicious intent focuses in on Linux, the contributors that do a good job to address all of this simply wont be able to keep up. In the mean time, while they are well intentioned in making everything open source, they're basically providing a catalog of possible exploits and weaknesses to anyone paying attention.

I very strongly disagree with this theory. Do you have any evidence that keeping the source code to a program secret actually helps its security? Microsoft Windows has certainly not shown any lack of software bugs from keeping their code closed. Nor has any one of the many programs that have been exploited in the past (Adobe for instance). What evidence is there that what you say will happen?

I also take issue that you think open-source developers will not be able to keep up with the demand for software patches. The very nature of open-source software makes it infinitely more agile in fixing things than a monolithic corporation. There is no red tape for a fix. Sure, if there was an issue with the kernel it would need approval by the kernel team, but if it's an important bug it would be given priority. Try and tell that to a team lead at Microsoft when his tin-horn dictator of a boss wants to make a name for himself.

Quote:

This is often what happens now, but in an environment where there are far more users, and far more attacks, I'm not exactly sure that it will fare that well.

You also make the fallacious assumption that the reason Linux has less viruses is a lack of users. What evidence do you have to support this? Apache is arguably one of the most widely-used servers in the world and by your logic it should be swimming in malware by now.

Quote:

I think after a while, the developers that contribute code to it now may not be enthused to do so.

Why not? You seem to be throwing ideas out of the air with nothing to back them up. What makes you think this will happen? Have you noticed a trend that no one else picked up on? If so, do tell. With details.

Quote:

Even more dismaying to think of, what if Linus Torvalds himself decided that Linux would no longer be licensed under the GPL. Sure, the current contributors could continue developing the current kernel and maybe make a branch, but if the Linux brand was a house-hold name, then wouldn't that basically just create another obscure offspring of the *nix family. I don't know how likely that is to really happen, but it would really suck.

This is a useless worry. Even in the very unlikely event that Linus decided to go completely closed-source with a new version of Linux, Linus does not have the rights to all the code anymore. The developers who do could pull every single line of theirs out of Linus's kernel. It would be self-defeating. Linus would in effect have to start from scratch with a closed-source version that would be supplanted and overshadowed by his own previously-released GPL code. Once code is released under the GPL that license cannot be revoked, even by the original author. What's out there is out there for posterity.

[SagaciousKJB]

Quote:

Originally Posted by techieMoe

I very strongly disagree with this theory. Do you have any evidence that keeping the source code to a program secret actually helps its security? Microsoft Windows has certainly not shown any lack of software bugs from keeping their code closed. Nor has any one of the many programs that have been exploited in the past (Adobe for instance). What evidence is there that what you say will happen?

I also take issue that you think open-source developers will not be able to keep up with the demand for software patches. The very nature of open-source software makes it infinitely more agile in fixing things than a monolithic corporation. There is no red tape for a fix. Sure, if there was an issue with the kernel it would need approval by the kernel team, but if it's an important bug it would be given priority. Try and tell that to a team lead at Microsoft when his tin-horn dictator of a boss wants to make a name for himself.



You also make the fallacious assumption that the reason Linux has less viruses is a lack of users. What evidence do you have to support this? Apache is arguably one of the most widely-used servers in the world and by your logic it should be swimming in malware by now.



Why not? You seem to be throwing ideas out of the air with nothing to back them up. What makes you think this will happen? Have you noticed a trend that no one else picked up on? If so, do tell. With details.



This is a useless worry. Even in the very unlikely event that Linus decided to go completely closed-source with a new version of Linux, Linus does not have the rights to all the code anymore. The developers who do could pull every single line of theirs out of Linus's kernel. It would be self-defeating. Linus would in effect have to start from scratch with a closed-source version that would be supplanted and overshadowed by his own previously-released GPL code. Once code is released under the GPL that license cannot be revoked, even by the original author. What's out there is out there for posterity.

Yeah, admittedly I don't understand the full nuances of the GPL.

Also, my posts makes a lot more sense when you don't cut it up and address each individual part of it.

I don't think that software with closed sources is more secure, I think that there is just a bit of a security issue in having everything so open that the Linux community really hasn't had to deal with. I clearly don't base it off of anything seeing as there's been nothing that demonstrates it will happen, but it's still a fear in the back of my mind. I'm not trying to say that closed-source is more secure, I just think that if Linux existed in a world where even half as many people that are trying to crack Windows focused their intention on Linux, that you would probably see more vulnerabilities uncovered and patched by the result of the hackers. That sort of seems to be advantageous, but in the end, it then makes me have to wonder what would happen about 1. The ones that were missed 2. The vulnerabilities that didn't get "out there" and were being exploited secretly 3. How many Linux users can be affected by a security issue like this in the same amount of time it would take them to patch a security flaw now.

Apache is a good example of how popular software holds up, but I think there's still a possibility for what I'm saying to happen if the popularity of Linux software explodes like Windows has, and especially if Windows software falls out of style. The big difference between the Linux community scouring the code for vulnerabilities and malicious hackers doing the same is that the Linux community will make it known, and patch it within a few hours, and the hackers will write a code to exploit it within a few hours. This still happens all the time, but if there were more users on Linux, I'm not too confident that the speediness at which they will patch it would be the same. For an example, the vmsplice vulnerability recently where a user could gain root access by running the code. If there were the same amount of hackers and users for Linux out there, I'm not so sure that the vulnerability would have gone unexploited before the community patched it. Then, atop of all of this, the users of Apache tend to be more security-cautious than your average users; more non-nonchalant users were attacked with flaws that are more common to Windows boxes, I bet it would spread like wild-fire in a Linux environment, where most users typically don't run malware-checks because they don't think they need to.

Anyway, I'm trying to think of a way that it would be bad if more people used Linux, so I blame that for the flimsy pretexts of all these ideas. :P

[techieMoe]

Quote:

Originally Posted by SagaciousKJB

Yeah, admittedly I don't understand the full nuances of the GPL.

I'm not a lawyer either. My interpretations are just what I've gleaned off the internet and the few court cases that have upheld the GPL.

Quote:

I'm not trying to say that closed-source is more secure, I just think that if Linux existed in a world where even half as many people that are trying to crack Windows focused their intention on Linux, that you would probably see more vulnerabilities uncovered and patched by the result of the hackers.

Oh absolutely. I look forward to this. Recently at a security conference there were several bugs uncovered and patched for Mac OS X and Windows Vista (or rather an Adobe product running on them), but the Linux box that was also available for cracking wasn't even really touched. I would like to see more security competitions to root out more bugs in Linux. The more we root out, the less there will be. I think perhaps our difference in opinion is that you think more exposure to crackers is a bad thing, whereas I see it as something that will improve the OS.

Quote:

3. How many Linux users can be affected by a security issue like this in the same amount of time it would take them to patch a security flaw now.

There's one thing that can only work in favor of Linux users when it comes to a wide-spread exploit: unless the exploit is in the kernel itself, no two Linux installations in the wild are exactly the same. If there's a bug found in CUPS for instance, it won't affect those without that package installed. There are also slight differences in the way some distributions lay out their system files. In this case, inconsistencies like this are a good thing; they keep the likelihood of a widespread attack down to a much smaller number.

Quote:

This still happens all the time, but if there were more users on Linux, I'm not too confident that the speediness at which they will patch it would be the same. For an example, the vmsplice vulnerability recently where a user could gain root access by running the code. If there were the same amount of hackers and users for Linux out there, I'm not so sure that the vulnerability would have gone unexploited before the community patched it.

I still don't understand this argument. Regardless of the number of users, there will still be just as many developers (if not more) working on bug fixes. The number of end-users has little to do with how speedy a patch is issued, aside from the fact that more users means more press, which means more exposure when a bug is found. If anything, the more users there are, the quicker the bugs will be found.

Quote:

Then, atop of all of this, the users of Apache tend to be more security-cautious than your average users; more non-nonchalant users were attacked with flaws that are more common to Windows boxes, I bet it would spread like wild-fire in a Linux environment, where most users typically don't run malware-checks because they don't think they need to.

I don't buy it. You're assuming a lot here. First: that there are widespread exploits that could be used en masse to take over large numbers of Linux installs (see my point above regarding how each is different). You're also assuming that Linux users won't keep up with protecting their systems the same way they did in MS Windows. The reason most Linux users don't use malware checking software is that there simply is no malware out there right now.

When (and if) that situation changes, most Linux users will simply install an antivirus the same as a Windows user and that would be that. The only vector for attack that I can see right now is social engineering attacks, such as we've seen on Mac OS X. If you can trick the user into downloading your virus (say, through a zipped file that claims to have screenshots of an upcoming hot product) then there's little an antivirus program can do to prevent that.

Quote:

Anyway, I'm trying to think of a way that it would be bad if more people used Linux, so I blame that for the flimsy pretexts of all these ideas. :P

I understand. You're playing the Devil's Advocate here. It's hard to do sometimes.

[daark.child]

If more people used Linux, the OS snobs would probably use OpenBSD or some obscure OS.

In addition to some of the things already mentioned, if more people used Linux, I suspect we would have more decent desktops apps and driver support because the big vendors would have no excuse for not catering to the needs of Linux users.

[Hansophobia]

I kinda like being the only kid who has linux in my school, although I recommend it to everybody. They are too scared to even dare just testing it out.