Thread split - Desktop reasonably secure/unsecure?

Discussion in 'other security issues & news' started by Mrkvonic, Nov 3, 2012.

Thread Status:
Not open for further replies.
  1. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,224
    Science fiction, a movie called - paranormal activity.
    Mrk
     
  2. - Javascript exploits (not that common these days but possible)

    - Exploits in browser plugins (much more common)

    Come on guys, this stuff happens all the time in Windows.
     
  3. tlu

    tlu Guest

    I was actually referring to your remark: "look at Firefox's security record" - as if FF had a worse security record than other browsers which isn't the case.
     
  4. It doesn't have to have a worse record than other browsers; a record of numerous vulnerabilities is enough.
     
  5. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,224
    No, it is not.
    Mrk
     
  6. tlu

    tlu Guest

    I tend to agree with Mrk: No, it's not - at least if you're not using IE.
     
  7. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,066
    Location:
    Canada
    Exploits discovered in browser plugins or browser plugins actually being exploited is much more common?
     
  8. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Right - the attitude that a vulnerability only matters once exploited. That's fine but I think some people are going to disagree. I don't think anyone is going to have much to actually say other than baseless rhetoric.
     
  9. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,224
    Yes, it only matters if exploited.
    Mrk
     
  10. Mman79

    Mman79 Registered Member

    Joined:
    Sep 19, 2012
    Posts:
    2,016
    Location:
    North America
    If numerous vulnerabilities is enough, then every browser out there has a poor security record. Heck, even the golden boy of secure browsers Chrome has had a hefty amount of ((quickly patched)) vulnerabilities. I mean, here: http://www.computerworld.com/s/arti...24_Chrome_bugs_pays_out_29K_to_bounty_hunters. That's 24 bugs found and killed in just one month out of the long existence of Chrome, 15 of which were rated "high". Neither they nor any other browser developer will ever be done patching bugs and vulnerabilities. Also, in my own opinion, unexploited vulnerabilities do matter. So, what, if a hacker doesn't exploit a glaring hole for another 10 years, do we wait 10 years to patch it? I don't really get the argument of holes not mattering until someone drives a truck through them, but that's not really an issue because it's a simple opinion, just like my thoughts are.
     
  11. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    That attitude is fundamentally flawed. It assumes that we know when a vulnerability starts getting exploited. A vulnerability can be exploited on a small or targeted scale for an extended period of time without being discovered. We just saw this with some of the recent government malware. We live in a world where exploits are bought and sold. IMO, it's naive to think that known vulnerabilities aren't being exploited somewhere by someone.
     
  12. BrandiCandi

    BrandiCandi Guest

    Re: Keylogging on Linux as a limited user

    NOOOOOOOOOOO. The users aren't stupid. I'll quote myself here:
    IMO the largest threat today comes from visiting compromised websites (as shown with some startling statistics here). That's not something that any given user can control. It can only be fixed by the developers of those crappy websites that keep getting owned. The only work-around for today's user is to use things like sandboxie and noscripts, but those have a high learning curve.

    So my pessimistic outlook is that a user is left with two ultimate options: become a security expert or just forget about it & enjoy his system. I honestly see no hope for the casual security hobbyist.
     
  13. BrandiCandi

    BrandiCandi Guest

    OK. So only these 19,254 matter. Right?
    http://www.exploit-db.com/
    Or maybe these?
    http://www.metasploit.com/modules/

    The exploitable vulnerabilities do matter more, although we don't ignore the ones that haven't been exploited. That's why vulnerability scanners like nessus rank vulnerabilities based on the availability of known exploits. There are a lot of exploitable vulns so I don't really get your point.
     
  14. Mman79

    Mman79 Registered Member

    Joined:
    Sep 19, 2012
    Posts:
    2,016
    Location:
    North America
    Re: Keylogging on Linux as a limited user

    We'll just have to agree to disagree regarding user stupidity. I'll only say that there is more than enough evidence to point to that conclusion. Are they to blame for everything? No, and that has already been discussed. But users still are the ones who will refuse to move to updated operating systems, browsers and programs. Users are still the ones who just have to have that Facebook game. Users are still the ones who open up attachments and follow links in their emails and so forth. The security industry is making a killing off of both lazy and stupid users and administrators, and who are milking the cash cow that is reactive security. Both sectors have some share of the blame and there is no way around that fact. There is also blame to be placed upon the site administrators as you mentioned, and a lack of oversight ((I know everyone immediately thinks oversight=Big Brother, but it doesn't need to be that way.)).

    The infrastructure behind the Internet is the true problem though. Lazy and stupid users and administrators and an industry content to stay the same are just additions to the problem. If the infrastructure itself wasn't as worn down and leaky as an inner-city public housing basement, a lot of our problems with malware would either cease or slow down considerably in my opinion.
     
  15. s23

    s23 Registered Member

    Joined:
    Feb 22, 2009
    Posts:
    263
    Supposing this X thing is really an issue.. this can be easily prevented by running whatever you want through Selinux Sandbox with the "-X" flag I assume?
     
  16. No, it cannot. Xephyr (the X part of the sandbox) provides no protection from this whatsoever. If you tell xinput (or any other keylogger) to watch the hardware keyboard (which is accessible through X as a limited user), it will log everything, including your root password if you run something as root.

    And X is the windowing system, i.e. the platform upon which the entire graphical interface runs. This issue is not trivial to solve. Wayland (X's successor) may improve the situation; but until distros start using it, Linux users are basically in the same boat as Windows XP, i.e. "hope that nothing hostile ever executes." We do have a big advantage (for now) in OS obscurity, but OTOH we have no sandboxes available that work (properly) in X11.

    Edit: One thing I can think of that could help (though it's more a workaround than a solution) is trusted path execution. Non-root-owned files can't execute -> keylogger programs can't run and won't work. That wouldn't help vs. keylogging code running in e.g. a browser though.
     
  17. BrandiCandi

    BrandiCandi Guest

    Re: Keylogging on Linux as a limited user

    We are totally on opposite sides of the fence here. The true problem is with application developing companies that rush to put out software. If it compiles they're done. They see security as something that can get tacked on at the end, which it CAN'T. Security is seen as an obstacle instead of something that is vital to be built in to the beginning of the process. So of course security is going to be reactive, because that's how the architecture is created for 95% of the applications out there.

    How to fix it? I would love for all developers to be held accountable for the security of their product. You'd see a lot more secure programs getting developed that way. It's not even funny how much easier it is to build a more secure app from the beginning as opposed to tacking it on at the end. With more secure software, there would be far fewer vulnerabilities for bad guys to exploit ==> we'd all be a hell of a lot more secure.
     
  18. Mman79

    Mman79 Registered Member

    Joined:
    Sep 19, 2012
    Posts:
    2,016
    Location:
    North America
    I do agree that software should be made more secure, though I'm not sure at all I'd agree with the argument that if it compiles it goes out the door security be damned. Besides, what good are more secure apps that use vulnerable technologies behind the Internet? App developers can't fix problems like that, they can only do their best to guard against exploits using those vulnerabilities they have no control over. You can't just toss the blame on one or even two parts of the overall problem. The infrastructure itself, user and developer carelessness and laziness, persistent criminals/malware authors and the reliance on outdated technologies in the software itself are all small pieces of the puzzle.
     
  19. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Developers are just as stupid as users. Holding them accountable won't solve much - it took years to get Adobe to shape up and it was only possible because of what MS provided. It's also not practical - developers can't be held accountable in a system where you're free to develop what you want and how you want.

    Hate to disagree with you Brandi, though I agree with a lot of what you're saying. I think developers being forced to push out software without following regs is a big issue but I don't think it's the core issue.
     
  20. chronomatic

    chronomatic Registered Member

    Joined:
    Apr 9, 2009
    Posts:
    1,343
    The SELinux X sandbox does protect against the X "keylogging" flaw. That's one of the reasons it exists. Every app run within the sandbox runs its own X server, thus there is no "cross-talk."

    The problem is the window cannot be resized, you can't cut and paste, etc.
     
  21. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Yes, the -x SELinux sandbox works. It's the only solution currently available.
     
  22. s23

    s23 Registered Member

    Joined:
    Feb 22, 2009
    Posts:
    263

    Thanks guys for the confirmation. When I started reading the thread that "-X" flag was the first thing that came to mind, since it starts a new X server confined to the sandbox, with new /tmp and /home folders that are flushed when you close the application. With the "-i" (single file) or "-I" (list of files) flags I think that you can deal with suspicious archives/documents with more security.


    EDIT: To resize the window, use the "-w" flag, specifying the resolution (If I remember, the resolution should be given in the format "1024x768".. the format "0x317" does not work).

    Remembering that you can start a new sandboxed session too with "-S", like:

    user$ sandbox -S -X -H SelinuxSandbox/home -T SelinuxSandbox/tmp
     
    Last edited: Nov 6, 2012
  23. Oh... Sorry then, and thanks.

    I wonder if one could make an AppArmor profile for Xephyr that did the same thing?

    Edit: re copy and paste, couldn't that be handled with a clipboard application? (Like Klipper, parcellite, etc.)
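
The `sandbox -X` invocation discussed in posts 20 to 22, wrapped in a small script; this is an added example, not code from any poster or from the SELinux project. The function names, the private 700 directory mode, and the rule that a zero or leading-zero dimension is rejected (based on the "0x317" remark above) are assumptions.

```shell
#!/bin/sh
# Added example: builds the `sandbox -X` command line from the thread.
# Function names are illustrative and not part of the sandbox utility.

# valid_geometry WxH: accept only positive width and height, e.g. 1024x768.
valid_geometry() {
    case "$1" in
        ""|*[!0-9x]*|*x*x*|x*|*x) return 1 ;;   # empty, junk, or lopsided
    esac
    case "$1" in *x*) ;; *) return 1 ;; esac    # must contain one "x"
    w=${1%x*}; h=${1#*x}
    # Assumption: reject zero or leading-zero dimensions such as 0x317.
    case "$w" in 0*) return 1 ;; esac
    case "$h" in 0*) return 1 ;; esac
    return 0
}

# prepare_dir PATH: create a private directory for the -H / -T arguments,
# so the sandboxed home and tmp are not readable by other local users.
prepare_dir() {
    mkdir -p "$1" && chmod 700 "$1"
}

# sandbox_cmd GEOMETRY HOMEDIR TMPDIR PROGRAM [ARGS...]
# Validates the input, prepares the directories and prints the command line.
sandbox_cmd() {
    geom=$1; home=$2; tmp=$3
    [ $# -ge 4 ] || { echo "usage: GEOMETRY HOMEDIR TMPDIR PROGRAM..." >&2; return 2; }
    shift 3
    valid_geometry "$geom" || { echo "bad geometry: $geom" >&2; return 2; }
    prepare_dir "$home" && prepare_dir "$tmp" || return 3
    printf 'sandbox -X -w %s -H %s -T %s' "$geom" "$home" "$tmp"
    printf ' %s' "$@"
    printf '\n'
}

# When called with arguments, print the command so it can be reviewed first.
if [ $# -gt 0 ]; then
    sandbox_cmd "$@"
fi
```

Run it as `sh script.sh 1024x768 SelinuxSandbox/home SelinuxSandbox/tmp firefox` (program name chosen for illustration) and execute the printed line on a system where the SELinux sandbox utility is installed.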
     