Linux = Windows anti-virus? Not!

That's why I always recommend a LUA/SRP combo.

 

Are you really sure you need examples? I mean, there are PPAs for just about everything.

Personally, I use them for: Pidgin, Google Chrome, Transmission, Wine, Firefox, Docky, Medibuntu repos, Virtualbox, QtOctave.

It's not a matter of trust, it's that you still need to install and use non-default repos to get what you need. From a security standpoint, there's little difference between downloading an external binary and installing a non-default repository.

I do believe that Windows comes with a very good image viewer by default, and it receives updates from Windows Update as well.

Do you have any other examples?

 

If developer PPA can be hacked, so can entire Ubuntu server and be corrupted, in that case in Win world we are constantly installing 3rd party drivers and programs. The ppa's are digitally signed and any breach would get you out of launchpad in a flash, till now none has happened and I don't foresee anything in the future either. Its just pure speculation at this point. On another note, Ubuntu comes with everything in its own repo, installing via PPA is choice of the user who wishes to stay current or install a particular program, most of the ppa I add are from Ubuntu developer team only. As for PPAs from Pidgin, Transmission etc, if they put malware, that means it would go out for others using their program as well and that includes Windows and Mac.

Windows update may have improved but it still needs a lot to be desired, for instance when it does background updates, there is no intimidation apart from the small icon on the taskbar, if you give the shutdown command during updates, your machine is stuck indicating updates in progress and you are trapped but I must say that Windows update has certainly come a long way. However in Windows world, that update only covers Windows software and that too distro related, most Windows program apart from MS Office etc and drivers are from 3rd party vendors and they have no ppa system so for that sound driver, printer driver, video driver, you have to physically go and search them and install them. Software like SUMO are trying to bridge that gap and bring Linux like simplicity but its still a long way to go before it comes to that. As for Windows carrying a very good default image viewers, well if that was the case, we won't have brilliant programs like XNViewer, Irfan View, Farstone etc., would we.

Lastly if the thousands of varieties of programs in Ubuntu's repositories are not comprehensive enough, I guess the entire earth won't be either, btw, Ubuntu adds new stuff after testing and with every version, new stuff is added.

 

Yep, but do you really need them? Many of these apps are included in the official repos although not necessarily in their newest versions. You don't really need them - you want then. That's a big difference. If that makes really sense to always install the newest versions has been discussed here many times. In any case it's your choice, and you have to bear the risk.

Of course it's a matter of trust. It makes a big difference if I add a digitally signed ppa from the Ubuntu Mozilla Team or if I install an app from an unknown website.

Nevertheless many Windows users prefer. e.g., Irfanview as it offers more features.

There are thousands of them on many popular websites like http://www.nonags.com/

 

Also every ppa comes with enough caveat and warnings, said and done, none of the LTS I have installed at the univ have needed any ppa and I just updated them from Hardy to Lucid after running them from three trouble free years.

 

I think I do. I need the latest versions of Chrome and Firefox for their speed and features. I need the latest version of Transmission because the newer versions solved some connection speed problems, Wine for its better compatibility (solves some problems with WoW), and so on and so forth.

It's absurd to expect that installing the latest stable versions of legit programs would cause problems. And besides, that's not the point here either. The point is that Linux is not a closed platform a la Apple. It's no different from Windows in that you need (and want) external software sources as well, making it possible to redirect and/or trick users into installing malicious software from malicious sources.

Again, that's not the point.

To reiterate: users need software not found in the default repos. Users need to search for external sources for those software. Ergo, it's possible to trick/mislead users to download from malicious repos, just like the situation is with Windows.

 

By this definition any OS - be it Windows, Linux, Solaris etc. - is insecure by default because it allows to install 3rd party software.

Contrary to your belief I think that most users do not need software not found in the default repos and are therefore safe. And if some of them do (like in your case) in specific cases I insist that it makes a huge difference if a source is trustworthy and if you only get an update from the developer's site for a package that is already in the repos (which would not be the case if the developer would not be trustworthy). This is not a 100% guaranty but still minimizes the risk compared to installing an unknown app in Windows.

 

Again, you're mistaken. Nowhere am I trying to claim that any operating system is insecure. All I'm saying is that the facts indicate that, all other things being equal (market share, user savvy, etc), they're more or less equally secure.

Of course it does. That's the very reason you download your Windows software from reputable sources as well if you want to remain malware-free.

Correct me if I'm wrong, but there seems to be little to stop malware writers from creating a signed PPA filled with malicious packages with the same names as in the official repos.

 

Regarding Windows at least, worrying even one iota about the integrity of 3rd party software is, imo, a complete waste of time based on my years of never once being burned by a download I've obtained and installed from a known, trusted site, usually the developer's, and including those like Softpedia, CNET and Beta News. I've never bothered scanning these downloads first for viruses, I've had that much faith in their integrity. Now if I were to download through a torrent (the only time years ago I've been burned looking for a five finger discount), that would be a different story.

 

I wholeheartedly agree. Although this contradicts what you said in post #32:

Sure, I never denied that. In post #16 I mentioned "discipline in installing software" - this includes reputable sources, of course. Quite obviously, many Windows users don't follow this advice.

See linuxforall's post #29. Besides, that's why I wrote that there is no 100% guaranty. And that's why I differentiate between ppas maintained by respected Ubuntu team members and others unknown to me. Again, it's a matter of trust.

 

Well for every legit 3rd party apps for Windows, there are those myriads of rogue anti virus, cleaners etc. that pop up and lure gullible users into their trap. Most run in admin account so all you do is point and click and wham! you are infected. In that sense, to claim that PPA from developers and distro team would carry rogue stuff is more than preposterous.

 

I don't see how I'm contradicting myself. I do agree with what you said, but knowledgeable users keeping themselves safe by downloading from trusted sources is besides the point: it's that, like any other operating system, Linux users need and want software from external sources. The earlier claim that Linux users get everything from default repositories is not true.

As will Linux users, if Linux ever goes mainstream. Stupid users are stupid users, regardless of which OS they use.

He's on my ignore list for trolling behavior, unfortunately. But out of curiosity I did temporarily unblock him. Unless I'm mistaken, he seems to be talking about legit repos hacked to host malware, which has nothing to do with neither what I'm saying, nor reality.

 

Legit repos are all you need for getting latest version of the program, rest of the discussion is a moot point here about infected PPA. Also majority of those write for ppa are accomplished developers or linux veterans who can be found on Ubuntu forums. Said and done, with a comprehensive repository of thousands of tested and Canonical approved programs via ubuntu partner repos and medibuntu repos, there is no need at all to add a PPA and in case one needs it, they have the program developer's ppa which is as safe as the program installed. Now if one goes out and with all the warnings, deliberately installs an unknown PPA, thats not Linux or Ubuntu's flaw or weaknesses in any sense. Also till now, not a single case of rogue ppa has been discovered, OTOH, plenty of rogue cleaners, registry optimizers, anti virus, anti-spyware etc. for Windows world, some so called legit programs also come from sources whose past record doesn't really look that sterling.

You are on my Troll+FUD+devil's advocate list as well, I just had to unblock to see whats going on and now its back to business as usual

 

Just a thought...

Recently, when I was using an Ubuntu machine, the Update Manager decided to pop up while I was browsing. And it struck me: if you could create a fake update manager for Ubuntu, and automatically download and execute it through a browser exploit, you could get root on a Linux machine pretty easily - if the user wasn't experienced enough to tell the fake update manager from the real one, they'd probably type in their password at the sudo prompt instead of cancelling. Bam.

Of course, that's for root access. Many crooks don't care about root, they care about your data, which is perfectly accessible as user (unless you take care to store it as root). And hell, a crook targetting Linux wouldn't necessarily even have to hide their malware from top and whatnot, since a *novice* Linux user probably wouldn't be bothered to look at their task manager that often.

For browser exploits there are a couple answers...

1. Noscript. A bit inconvenient but it protects against most driveby attacks.
2. Chromium, which uses a policy sandbox on Linux even without AppArmor or SELinux. Less inconvenient.

But that's only driveby attacks on browsers. How about an exploit in, say, OpenOffice? You could have a .doc file for instance containing an embedded script that would download and install a keylogger in userspace, leaving the unfortunate user pwned - and clueless about it.

For that stuff, I'm starting to think the only answer is AppArmor/SMACK/SELinux/Tomoyo/what have you. You have to have some way of isolating any exploitable app from the rest of the system, so that when the evil keylogger or whatever executes, it can't carry out its intended purpose.

Fortunately Linux comes with this stuff built in. Unfortunately, it's really underutilized in most distros IMO. Hopefully we'll see more of it in the future.

 

Oh one other thing you could do... On non-dpkg-based distros, you could make separate partitions for /tmp, /var, and /home and mount them all noexec. That way evil malware gets downloaded to one of those partitions -> can't execute, because it the filesystem doesn't allow it. Kind of like a poor man's SRP.

(IIRC the Slackware people have advised this for a while.)

 

Jones, what you suggest is not so simple. I disagree about system hardening for desktop, it does more harm than good, just like Windows HIPS, even if you get a ton less prompts and such.

Security is all about what ticks in your head. Then you can download porn 24/7 using p2p in an admin account in Windows and nothing will happen. It's that simple.

Mrk

 

Personally I've never had any problems with sandboxed Firefox on Ubuntu, or even with SELinux on distros like CentOS and Fedora.

Umm no. Like it or not, there are exploits that need user interaction, and ones that don't. Good security practice educates users about the former, but also has to reduce the possibility of the latter as much as possible.

Many vulnerabilities of the latter type are a reality in Windows, even in Vista/7. Linux is gaining ground on Windows in both features and popularity, and some day it will face the same problems. Better that they be nipped in the bud now.

 

You can't say no when I have ~dozen examples that say otherwise.
Besides, malware thingie is soooo overplayed. And SELinux is a nuisance.
Mrk

 

You have a dozen examples? Well, what are you waiting for then? Show us!

 

Actually, it's entirely possible that those dozen examples exist.

On the flip side, what Mrk conveniently fails to mention is that there are just as many - if not hundreds of times more - other examples proving the opposite in the real world.

 

Were they binary files? If not, merely clicking them wont work. If they are .debs, clicking them will likely prompt for the root password (at least on Ubuntu -- other distros might be different). I'm not sure how .rpm distros handle that. Ubuntu makes installing .debs too easy, imo.

Bottom line: if you are determined to execute a program, nothing will stop you if you have the will and the root password. Linux just typically makes you jump through a few more hoops is all. This makes it harder to accidentally execute something.

You are in essentially the same situation, yes. But with 30,000 apps in the repos, why would you *need* to go anywhere else? If you need a newer version of an app, there are usually official PPA's set-up for that (PPA's do need to be vetted initially but once you do that, they are just like all other repos -- signed by the maintainer. And it would be difficult for a malicious PPA to exist for very long).

In theory they *could*, but in practice they don't because there is no Linux malware for them to scan for.

Keyloggers can't work from userland in Linux. A keylogger requires access to /dev and /dev is a privileged root owned directory. There have been people that have disputed this, and I have asked them to send me sample code of a keylogger that does not need access to /dev and they remain mysteriously silent. Every keylogger I have looked at (Google and you can find numerous Linux keyloggers) all require root access to get them installed.

.

I can see this happening, yes. There will be Windows-like malware websites pop-up saying "install this .deb for a cool screensaver." And of course, the dumb user wont know that screensavers do NOT need root access to install. (This is actually how the gnome-look screensaver trojan was discovered). This is why education about using the repos is important.

 

Noexec partitions are helpful when they are actually possible. Some distros require that /tmp be executable (gentoo for instance due to the fact it comples code from /tmp before a package is installed). I think you can safely get by on any distro with /var being noexec, so we can agree there. However, mounting /home as noexec is a very bad idea. There are scripts there that must be executed if you want to have any sort of functionality on the box at all (scripts such as those in ./kde/autostart or in the ./gnome directories as well as things like browser plugins, etc.

Besides, according to the Gentoo security handbook, noexec partitions can be "overcome easily by executing from a non-direct path). The Gentoo handbook does recommend setting /tmp to noexec when possible.

 

SE Linux in desktop is a nuisance, even most veteran Fedora users disable it for better compatibility. Scripts like Easy Life also allow one to disable it easily.

 

Re: Linux = Windows anolti-virus? Not!

Okay thanks. BTW Debian doesn't like /var to be noexec either. Stupid but true.

(Out of curiosity is there any Linux equivalent of a Windows LUA/SRP policy? I could see where that would be handy.)

As for Linux keyloggers needing root... I did not know that. Actually I just tried to access my keyboad device as nonroot, and it didn't work. Pretty cool.

 

Re: Linux = Windows anolti-virus? Not!

Doesn't LINUX run LUA by default needing sudo privileges for any install etc?

http://linuxcommando.blogspot.com/2007/12/basic-linux-permission-model-lets-you.html

Check that link for acl.