Re: [opensuse] OpenSuse 11
  • From: Randall R Schulz <rschulz@xxxxxxxxx>
  • Date: Thu, 7 Feb 2008 13:16:14 -0800
  • Message-id: <200802071316.15042.rschulz@xxxxxxxxx>
On Thursday 07 February 2008 12:34, Benji Weber wrote:
> ...
>
> This is not the case. A browser running as a user can do anything the
> user is allowed to do.

A browser is just a browser. It can do only the things browsers do. It is
not a compiler or a general-purpose computational agent. (JavaScript,
while technically Turing-complete, is, when embedded in a browser,
extremely limited in what it can do and that amounts to nothing outside
the browser itself.)


> For example an exploit in the browser or image
> viewing library which can be exploited through malicious javascript
> or crafted image could potentially delete all your user files.

Such things do exist. And as I said before, when found, they're fixed,
and they're actively sought out by the community of developers and
users.

No software is free of bugs, but when you have a diligent work force
that stays on top of the detection and removal of such defects, you're
reasonably safe. (Assuming you apply the fixes as they're made
available.)


> It
> could be used to launch a denial of service attack or spam from your
> machine (no need for root for this). If combined with a local root
> exploit (which are not uncommon) it could potentially even get root
> and have full control over the system. Same applies to your mail
> client, irc client, and other such applications.

Not true. Mail clients can only do what mail clients do. Send and
receive mail. IRC clients can only send and receive short text messages
via IRC servers. "Other such applications" are likewise limited to
doing what they do.

Do you know of any attack servers included in any Linux distribution?



> This is why it is important to both keep the software up to date, and
> still not run untrusted code. If you completely ignore security by
> blindly visiting pages with possible malware on, or running all email
> attachments etc, even on openSUSE/GNU/Linux you are vulnerable.

Running email attachments? No one is stupid enough to run a binary sent
through email from an unknown user, and there's no way on any Linux
mail client I know of to have that happen within the mail client itself
(unlike Outlook, which can execute certain scripts attached to email
messages.)


> There are technologies which can help, like apparmor/selinux etc, but
> these are not yet user friendly enough for desktop users to use.
>
> If you have an ssh server listening on the internet and you watch
> your logs I would be surprised if you have not noticed brute force
> attacks. Precautions such as strong passwords and fail2ban are
> important even for home machines if you run sshd.

Yes. We all do. Many times each week. And unless you're very stupid
about how you choose passwords, it's nothing but a minor annoyance.


> GNU/Linux systems are no less exploitable than windows. In some
> respects they are more exploitable due to the more powerful tools
> they have installed. Windows tends to be fairly locked down by
> default now.

GNU/Linux systems are FAR less exploitable than windows.


> The only reason you have a false sense of security now is that you
> are not a significant enough target for malware authors. When that
> changes if too many people have the same attitude then there will be
> a problem.

What is an appropriate attitude? Either one's computer is connected to a
network so its user can avail themselves of the resources of the
Internet and, to listen to you, expose one's self to horrors around
every corner, or it's not connected, and is then safe, though nearly
worthless.


> --
> Benjamin Weber


Randall Schulz
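The sshd brute-force point raised in the thread (watch your logs; fail2ban and strong passwords matter even on home machines) is easy to make concrete. Below is an added example, not code from the thread or from the fail2ban project: a small Python scanner that reads syslog-style sshd lines, counts failed-password attempts per source address, and flags any source that exceeds a retry limit inside a sliding time window, which is the core of what fail2ban's sshd jail does. The log lines, host name, addresses (RFC 5737 documentation ranges) and the `maxretry`/`findtime` parameter names are constructed for the example.

```python
"""Added example (not from the original thread): fail2ban-style detection of
sshd password brute forcing, run over constructed sample log lines."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of syslog-style sshd output. Not real data.
SAMPLE_LOG = """\
Feb  7 13:01:02 host sshd[4123]: Failed password for root from 203.0.113.7 port 51022 ssh2
Feb  7 13:01:05 host sshd[4125]: Failed password for invalid user admin from 203.0.113.7 port 51030 ssh2
Feb  7 13:01:09 host sshd[4127]: Failed password for root from 203.0.113.7 port 51041 ssh2
Feb  7 13:01:14 host sshd[4129]: Failed password for invalid user test from 203.0.113.7 port 51050 ssh2
Feb  7 13:01:20 host sshd[4131]: Failed password for root from 203.0.113.7 port 51063 ssh2
Feb  7 13:02:30 host sshd[4140]: Failed password for rschulz from 192.0.2.10 port 40001 ssh2
Feb  7 13:02:45 host sshd[4142]: Accepted publickey for rschulz from 192.0.2.10 port 40002 ssh2
Feb  7 13:30:00 host sshd[4200]: Failed password for root from 198.51.100.3 port 60001 ssh2
Feb  7 13:45:00 host sshd[4201]: Failed password for root from 198.51.100.3 port 60002 ssh2
Feb  7 14:00:00 host sshd[4202]: Failed password for root from 198.51.100.3 port 60003 ssh2
Feb  7 14:15:00 host sshd[4203]: Failed password for root from 198.51.100.3 port 60004 ssh2
Feb  7 14:30:00 host sshd[4204]: Failed password for root from 198.51.100.3 port 60005 ssh2
"""

# Matches both "Failed password for root from ..." and
# "Failed password for invalid user admin from ..." (OpenSSH wording).
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_failures(log_text, year=2008):
    """Yield (timestamp, user, source_ip) for every failed-password line.

    Syslog timestamps carry no year, so one is supplied (assumed here)."""
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # accepted logins and unrelated lines are ignored
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["user"], m["ip"]


def find_brute_force(log_text, maxretry=5, findtime_sec=600):
    """Return {source_ip: peak_failures_in_window} for sources that reach
    maxretry failed logins within any findtime_sec-long sliding window.

    The parameter names mirror fail2ban's maxretry/findtime idea; the
    defaults here are the example's own choice."""
    by_ip = defaultdict(list)
    for ts, _user, ip in parse_failures(log_text):
        by_ip[ip].append(ts)

    offenders = {}
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Slide the window start forward until it fits in findtime_sec.
            while (times[end] - times[start]).total_seconds() > findtime_sec:
                start += 1
            in_window = end - start + 1
            if in_window >= maxretry:
                offenders[ip] = max(offenders.get(ip, 0), in_window)
    return offenders


if __name__ == "__main__":
    for ip, n in find_brute_force(SAMPLE_LOG).items():
        print(f"{ip}: {n} failed logins within window -> candidate for blocking")
```

With the defaults, only 203.0.113.7 is flagged (five failures in 18 seconds); 198.51.100.3 also fails five times, but spread fifteen minutes apart, so it never fits a ten-minute window. That second case is the caveat a practitioner wants to see: slow, patient guessing slips under a short `findtime`, which is why the password strength the thread mentions is the defence that holds regardless of what a log watcher catches.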