[plug] security of linux desktops re mail viri

Anthony Jones ajones at clear.net.nz
Tue Dec 11 17:47:47 WST 2001


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Tuesday 11 December 2001 16:32, craig at postnewspapers.com.au wrote:
> hi all
>
> A bit of a rave following. It was intended to be a bit more coherent. I
> don't intend trolling or flamebait here, I'm asking a question and
> looking for opinions on something that's bothered me for some time now.
>
> People trumpet about linux being more secure than
> windows, less prone to worms, etc. So far, it has been so beyond any
> reasonable argument.
>
> Fine. However, many of the most destructive
> windows exploits come down to a few factors:
>
> 	1) stupid, stupid users (ooh, anna_naked.jpg.vbs, I'll open
> 	that, it's a JPEG...!)
>
> 	2) programs that are too fond of being "smart" and "doing things
> 	for you" (this eMail tells me to run the attachment w/o even
> 	asking the user, I'll do that because some dumb git might've
> 	sent me an executable christmas card...)
>
> 	3) INSECURE DEFAULTS allowing (2) to happen. (1) is, alas, not
> 	preventable without a shotgun. Sure, it helps the idiots use the
> 	PC. A bit. Maybe. Until they get a virus that nukes their pc.
> 	But is it worth it?
>
> 	4) Powerful scripting and inter-app communication capabilities,
> 	as provided by windows scripting host, vbs, etc.
>
> 	5) Lack of user education and desire to understand what the
> 	f**ck they're doing
>
> most distros have (4) in abundance. Look at bash, dcop, bonobo,
> etc. Not to mention perl and python! I love these features and would find
> linux much less nice to use without them, but similar reasons probably
> governed the inclusion of visual basic in windows.
>
> Nobody is proof against (1) or (5)
> unless someone comes up with an instant remote IQ test combined
> with lockdown (I've never found an electrified ZIP drive
> labelled "floppy" to be good enough *grin*).

This is not true.  Linux user accounts are sandboxed to some extent.  I don't 
have to worry about what my girlfriend downloads or runs because she doesn't 
have write access outside her home directory and doesn't have any private 
information accessible from her account.

> (3) and (2) are becoming more and more popular in the quest for "easy to
> use" programs and environments.

You are assuming here that you don't have a choice.  It's easy for a Windoze 
user to think that you can't choose what applications you run.  There are so 
many mail clients available for Linux and **most** of them are pretty secure. 
Let's not forget that 95% of people who use Windows all use the same mail 
client.  If you find a security flaw in Pine mail reader it is only going to 
affect a small proportion of Linux users.

This choice also addresses your concern for option 4 above.

Linux also uses peer review and security audits to improve security.  If you 
find a security bug then you get the kudos for being the person who found it. 
If you find a bug in Windoze then Microsoft will get angry if you publish it. 
The only enjoyment you might get out of finding a bug in Win-doze is if you 
exploit it.

> And sadly, (1) is becoming more and more common even on linux, as
> companies start to deploy linux for workstations etc.
>
> So, what is to stop a linux email virus, when it can be as simple as
> 	#!/bin/bash
> 	mutt nobody@nowhere.com -a this_script \
> 	    -b list_of_targets_grabbed_by_perlscript_from_common_mail_client_addressbooks \
> 	    -s "open me stupid 13 year olds (if only they were the only ones), naked pictures"
> 	rm -rf $HOME
> 	# because a fair number of people have sudoers including me
> 	# ALL(ALL) for desktops and may have used sudo recently
> 	sudo rm -rf /
>
> Name something like that (ok, more sophisticated but dammit I don't
> write viri, never have, never will, and would like to find and kill
> slowly and painfully those who do), called "anna_naked.jpg.sh"... face
> it, a fair number of users are going to run it. In many mail clients,
> you could just double-click on it to run it, I fear. (3) strikes again.
>
> Currently the danger isn't large because most linux users don't fit
> number (1) and (5) but the number is growing, esp. with corporate
> installs, etc. The linux user base is also small enough that the chance
> of more than a couple of people in a gathered addressbook also running
> linux are still quite small. However, nothing stops the virus having a
> vbscript and a shell script, and attaching both in the hope the user will
> either open the relevant one first or, having opened one and got gibberish,
> open the other. And the desktop linux user-base is growing.
>
> Now linux mail clients, etc, tend to be more security aware than, say,
> outlook express. But outlook express isn't the only windows mail client
> spreading viri - it just does it better. Nothing is to stop auto-execute
> vulnerabilities in MUAs for linux, and even if there are none...
>
> You can NEVER stop a stupid user.

You can sandbox a stupid user.  You can also make them operate their mail 
software and browser in a separate account to the one which has access to 
corporate information.  If you have really stupid users then you should 
probably do this.

> OK, you can kill them. But the boss won't let me do that to the users
> here - and anyway we'd have about 3 staff left *grin*
>
> So what is to prevent linux desktops from becoming just as bad as
> non-outlook-using windows PCs - or even, *gasp*, as bad as windows PCs
> with outlook express, due to an auto-execute vulnerability in some MUA?

A good system administrator who is very careful about what "setuid root" 
software he allows to be installed on the box.

> So, thoughts anybody? And I'd appreciate it if nobody tries to kill me
> for my questions and opinions here...
>
> -----------
> Craig Ringer
> IT Manager
> POST Newspapers
> http://www.postnewspapers.com.au/
> Key Fingerprint: AF1C ABFE 7E64 E9C8 FC27  C16E D3CE CDC0 0E93 380D
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE8FdZDhwVaoilFPn0RAqdOAKCitu3xhghUxmjLAromsmGe1bPO1QCaAloZ
xf2wYFiIwj0JaCtB/hYBkhA=
=xS01
-----END PGP SIGNATURE-----
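What an administrator can actually check for the two conditions the thread hangs on (a desktop user carrying `ALL=(ALL) ALL` in sudoers while a recent interactive sudo has left its credential cache valid, and the inventory of setuid binaries the reply says to keep an eye on), as an added shell example that is not part of either message above. The two sudoers samples are constructed for this example and the function names are hypothetical; on a real box you would feed `unrestricted_sudoers` the contents of /etc/sudoers and /etc/sudoers.d/* read as root, and point `list_setuid` at / .

```shell
#!/bin/sh
# Added example, not code from the thread: audit the sudo and setuid
# conditions that the quoted "anna_naked.jpg.sh" sketch depends on.
# Sample sudoers text below is constructed; function names are hypothetical.

# Constructed sample: the kind of desktop sudoers the thread describes.
WEAK_SUDOERS='Defaults env_reset
root   ALL=(ALL) ALL
craig  ALL=(ALL) ALL
%admin ALL=(ALL) NOPASSWD: ALL
alice  ALL=(root) /usr/sbin/service cups restart
'

# Constructed sample: same people, but sudo asks for the password on every
# call and the desktop user only gets an explicit command list.
HARD_SUDOERS='Defaults env_reset, timestamp_timeout=0
root   ALL=(ALL) ALL
craig  ALL=(ALL) /usr/bin/apt-get, /sbin/reboot
alice  ALL=(root) /usr/sbin/service cups restart
'

# Print each user or %group whose command list is the bare word ALL, i.e.
# anyone for whom "sudo rm -rf /" inside a double-clicked script would run.
# $1: sudoers text.
unrestricted_sudoers() {
    printf '%s' "$1" | awk '
        /^[[:space:]]*(#|$)/ || /^Defaults/ { next }   # skip comments, blanks, Defaults
        $NF == "ALL" { print $1 }                        # last field is the command list
    '
}

# Exit 0 only if credential caching is off (timestamp_timeout=0), so a script
# run a minute after an interactive sudo cannot reuse the cached password.
# $1: sudoers text.
timestamp_caching_disabled() {
    printf '%s' "$1" |
        grep -Eq '^Defaults.*timestamp_timeout[[:space:]]*=[[:space:]]*0([[:space:],]|$)'
}

# List regular files under $1 with the setuid bit set, one per line, sorted.
# Add "-user root" on a real system to restrict the listing to setuid-root.
list_setuid() {
    find "$1" -xdev -type f -perm -4000 2>/dev/null | sort
}

# Stand-alone run: report on the two constructed samples.
echo "Unrestricted sudo entries, weak sample:"
unrestricted_sudoers "$WEAK_SUDOERS"
echo "Unrestricted sudo entries, hardened sample:"
unrestricted_sudoers "$HARD_SUDOERS"
for name in WEAK_SUDOERS HARD_SUDOERS; do
    eval "text=\$$name"
    if timestamp_caching_disabled "$text"; then
        echo "$name: sudo credential caching is off"
    else
        echo "$name: sudo credential caching is ON (default timeout applies)"
    fi
done
```

On the weak sample the first function names root, craig and %admin; the %admin entry is the worst of the three, since NOPASSWD means the timestamp never mattered for it. `Defaults timestamp_timeout=0` removes the window the quoted script relies on, and giving desktop users an explicit command list instead of `ALL` closes the `sudo rm -rf /` step even while a password is cached. Make the change with `visudo`, which syntax-checks the file before saving it, rather than editing /etc/sudoers directly.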