NewScientist has an interesting look back at the birth of the Conficker worm and how this sophisticated monster quickly grew to such power and infamy. "Since that flurry of activity in early April, all has been uneasily quiet on the Conficker front. In some senses, that marks a victory for the criminals. The zombie network is now established and being used for its intended purpose: to make money. Through its peer-to-peer capabilities, the worm can be updated on the infected network at any time. It is not an unprecedented situation. There are several other large networks of machines infected with malicious software. Conficker has simply joined the list. The security community will continue to fight them, but as long as the worm remains embedded in any computer there can be no quick fixes."
hasn't there been multiple worms for openssl and apache?
i'm suprised i have to make this point yet again, but there are more machines infected than the whole linux marketshare. until linux is really in the hands of the common newb you won't have an apples and apples comparison.
There are more than you think. Old home computers are quickly becoming Linux computers.
There are a lot of independent techs out there who service the lion's share of home computers. Yes, Best Buy and the like get a lot, too. But they can't compete on quality service with the little guy (due to overhead), so they have to keep themselves going through quantity.
I know a handful "home computer techs" - people who work out of their house or have a small one-room office somewhere. They're making ends meet and keeping their families going by doing this while at the same time putting linux on computers that are only mildly useful for anything beyond XP (and sometimes even XP, eg. 256Mb RAM).
More often than not, the system is in need of a reinstall anyway due to some combination of users messing them up and malware. It's like scoring a 3-pointer at the buzzer, in terms of removing an infection vector.
I'm one such person, while I'm unemployed. I'd say maybe one out of 5 of the computers that come to me leave with Linux installed. Those satisfied customers then refer their friends and family. Not much repeat service, but quite a few referrals. It would also appear that people are oddly appreciative for preventing them from installing all that crap as well - "it just works nice and fast and there are no pop-ups".
Not only that, but when someone upgrades their computer (and they've got the proclivity to tinker) they'll do something with the old one. Linux has picked up a lot of mindshare, and I know many of the so called "tech savvy" types (who still need someone who knows what they're doing on occasion when they can't recover or get stuck) are doing this.
i understand there are lots of pc's out there with linux on them, but that is just a drop in the ocean compared to what's sold with windows on it, and most of the linux systems out there are maintained by professionals and don't get uncle joe on them installing that bit of software to get his free porn.
sure linux has mindshare, but that hasn't translated into market share. The year of the linux desktop will also be the year of the linux virus.
All the linux systems floating around for years and years and years, and no one has gotten a proper linux virus to propagate. You know why that is? Uncle joe can install his porno software (not really aware of what that would be, but for the argument), and still have relatively secure computing because of the WAY LINUX IS DESIGNED, USED, AND MAINTAINED!!!!
If a Linux based distribution was the dominant desktop OS the morons who run a PC would be infected within minutes. They'll click on, suck up, snort or fk anything presented to them. I've had intelligent people click on, install or follow complex instructions that disable all security on a PC so they could install 'that cool looking game' and then lie about it even when I had logging software logging to a remote server.
Because in theory it's impossible to solve the halting problem.
In theory users have to figure out whether a program is safe (analogous to "halt") even though 1) They don't have the actual true description of the program 2) They don't know the full inputs of the program
And that's a harder problem than the halting problem;).
While you could say - nobody should install anything that's "Not Expert or Vendor Approved", to me that's a rather dismal state of things.
Things could be so much better. Really.
For instance if you had an O/S that will require applications/applets to list out the type of access they require.
Then the O/S can provide a meaningful and TRUE description to the user of what the application might do. And the O/S can also enforce the limits of the access.
So if something says it's a screensaver, it's only going to get screensaver access. It's not going to be able to make recordings from your microphone and webcam, and send them to Elbonia behind your back. It's not going to be able to write to anywhere other than it's own designated scratchpad area, not even your USB drives.
And that would be a secure modern O/S.
Then you can tell your "morons" - "You can install whatever stuff you like, unless the O/S gives you that red warning dialog box about the program requiring full user or system privileges".
In terms of security, most current O/Ses aren't even better than what was available 40 years ago. Heck, Unix is a watered down Multics.
They're just decorated with fancy graphics and animations so most people think they're advanced.
Yes, Vista does have some sandboxing, but the way MS has implemented stuff makes many people turn off many of the protections. So they'll become the next hosts for the next Conficker.
As for Linux, Apparmor and SELinux don't appear "Desktop Ready" yet.
For instance if you had an O/S that will require applications/applets to list out the type of access they require.
Then the O/S can provide a meaningful and TRUE description to the user of what the application might do. And the O/S can also enforce the limits of the access.
When I read this part, I thought you would mention Symbian. At least it looks like it does what you suggest. I am not a Symbian specialist, but when you write something that needs access to more than simple GUI stuff, you need to sign the app (tied to a specific phone IMEI, at least with the free online signing process), and in the process request what you want to allow the app to access (GPS data, user data, comms etc). Then when installing the app, Symbian will warn you that the app requires access to spe
The thing about worms like Conficker is that they absolutely do not rely on user interactivity with some sort of trojan interface. No, "CLICK HERE FOR FREE PORN!" or, "DOWNLOAD THIS APP AND GET GREAT WAREZ!" apps.
Conficker spreads site to site silently through vulnerabilities in Windows.
Yes, it's possible to own *NIX boxen via trojan horse deployments, but for home users who aren't running apache, mysql, openssl, ssh, ftp, gopher, BIND, etc. the non-user infection vectors dry up. This is because Windows *sucks* for system security. While it's possible to pull privilege escalation on *NIX machines, and other OSes, often, they're a pain in the ass and usually require specialized setups(certain version of MySQL running with certain version of Apache, with... etc). Home users really don't have to worry about Samba file/print sharing owning their machine like NetBIOS on Windows users have to worry about their machines being similarly owned.
Sure, disabling autorun, running firewalls, virus scanners, etc. is great computing practice, I think it's more to expect from a typical home user who just wants the damned thing to work regardless. Lots of people use a computer thinking it's, well, a computer. Not a car, or a fax machine or a rifle that every so often needs to be broken down and maintained. Nor should it be. Modern file systems are virtually self-optimizing and aside from system updates and making sure there's room on your disk, which NO OS can really claim to do for you, unless you count Apple's MobileMe/.Mac service, even then it's only 20 gigs, most modern OSes can just be used on end with out much worry. Except most machines aren't running with components designed in this decade, they're often running Windows.
> If software gets patched quickly, that can stop a lot of infections,
Uh, if those windows machines actually ran "windows update" there would be no conficker.
So if Desktop Linux had the same users, they may not run "ubuntu update". Why? Because the last time they updated their machine stopped working properly
Think that will never happen? See: https://answers.launchpad.net/ubuntu/+question/24523
Notice that user actually understands "grub" and "kernels" and knows where to find help. Other users might just never update. If the O/S ever has millions of users, these users start to add up.
> the fact that unix and unix-like operating systems were designed to be secure.
Incorrect. Unix is a watered down Multics.
Linux and most Unix OSes don't provide much security by default.
By default, any program the user runs, can do everything that user can do. There is no sandboxing.
And whatever a unix/linux normal user can do is more than enough for the conficker worm to make money for its masters.
So all the bad guys need to do is get the user to run their program.
If Ubuntu ever has "windows class" users I doubt it'll be hard to get them to download a file and type:
perl conficker
Then it's pwnage time.
If desktop linux ever has the market share that windows has, it'll start to have lots more "dancing pigs" applets that people want to run.
Some will actually be OK. And some will be malware.
An O/S whose security depends on people being able to tell whether something is safe or not, without the people actually being able to see and understand the source code, or know the entire inputs, is an O/S that expects people to solve something harder than the halting problem.
Thus in my opinion Windows and most Unixlike OS have poor security.
There are ways to give users better info on whether something is safe or not before they run it.
For instance say an O/S requires a program to list out what sort of access it requires ("guest applet access", or "full system privileges").
Then the O/S can provide the user more meaningful AND true information, and the O/S can also enforce those limits if the user decides to actually run the program.
So if a "dancing pig" applet claims to not want network access, it will NOT get network access, even if it tries to later.
That's far more secure than what the current O/Ses do.
Uh, if those windows machines actually ran "windows update" there would be no conficker.
So if Desktop Linux had the same users, they may not run "ubuntu update". Why? Because the last time they updated their machine stopped working properly
Think that will never happen? See: https://answers.launchpad.net/ubuntu/+question/24523 [launchpad.net]
Notice that user actually understands "grub" and "kernels" and knows where to find help. Other users might just never update. If the O/S ever has millions of users, these users start to add up.
This is why I run a stable distro that doesn't break everything all the time. Debian stable for example, I think it would be highly unlikely for anything to break during an update.
> Do you have even the faintest idea what you're talking about? Didn't think so.
That's not a nice thing to say. Why did you say that? Did I hurt you somehow before?
> The worst they can do is to nuke their own files.
Nah. As I've been saying - they could run the wrong program and then the bad bad things could happen.
While having their own data destroyed is typically far worse than losing their entire operating system, that's NOT the worst that could happen when a user runs the wrong program.
1) Their data could get silently corrupted. Silent corruption is often far far worse than complete data loss. When you have complete data loss, it's obvious. So you restore from backups, or deal with it in other ways. When something tampers with the data, you could be screwed so badly and not know why. By the time you realize something is wrong, all your backups could be of the corrupted data.
2) Their secrets could get exposed and abused.
3) Their computer could get taken over and used for illegal stuff. While they might eventually be exonerated, the pain and damage involved is likely to be more than mere data loss.
Plus it's probably easier to live if people think you're some incompetent loser who went out of business because of massive data loss, than if people think you really downloaded, stored and shared all those illegal and _disgusting_ porn.
I'm sure others can think of many other things worse than "nuking their own files".
e.g. they could unknowingly help Skynet survive and grow in strength;).
I'm one such person, while I'm unemployed. I'd say maybe one out of 5 of the computers that come to me leave with Linux installed. Those satisfied customers then refer their friends and family. Not much repeat service, but quite a few referrals.
What percentage of those users are still using Linux in 1 month? In 6 months? After 1 year? Per usual, something about your allegedly genuine pro-Linux story just begs more questions. How many users later dump the machine and end up just getting a new Windows machine instead? How many gain a new found appreciation for Windows after having used Linux for any length of time? How many users ever come back complaining that their X server is crashing or sound latency problems make watching YouTube unbearab
In my experience 100% of the people I have volunteered to install Linux on their systems not only continue to use linux for years afterwords, bring me their new computers they buy with windows installed and ask me to remove it.
Among others:
dozens of first time to almost completely computer illiterate people. Lots of people that have been using windows for years and are fed up with the crap, especially after most linux distros had more in common with windows xp than vista had in common with windows xp. At least half dozen people over 60. Lots and lots of teenagers. Not to mention everyone that works in my office never seen a linux computer before they walked through the door, and now have them at home.
So, these arguments are for the ignorant that have not used a major distro in the last couple years.
You are talking about servers which have these things called Linux administrators, or Guru if you will, that actually read security bulletins, patch on time, have IT experience, etc. This makes them a lot harder target than Velma.
Everybody, meet Velma. Say hi Velma-(Hi Y'all!)
Working in PC repair and sales since the days of Win3.xx, when dinosaurs roamed the earth as my oldest puts it, I have found Velma to be a VERY typical Windows user. She rarely if ever patches because it scares her that it might "break" something, if it wasn't for me should would be running the Norton that expired in 2004 for an AV, and worst of all, like WAY too many of my customers, she has a serious weakness. In Velma's case it is her BFF Kim. You see, her BFF Kim is what some of us in the biz call a "click whore", in that she will click on ANYTHING. Spam attachments, chain letters, you name it. And Velma will ALWAYS trust her BFF Kim no matter what to tell her. Now please enjoy an ACTUAL account of my working with Velma-
/Me/Velma, that is a password protected zip file. It is even telling you to turn off the AV before opening! It is a Virus, do NOT open that! (Velma) Ohh...You worry too much. It is from my BFF Kim! She wouldn't send me anything bad! See, it says "happy puppy pics!" Isn't that nice?
/Me/ Velma, it isn't pics. Pics end with.jpg. That is Happ_Pup.exe! That is a virus! Do NOT run that! (Velma) Oohhh...drink decaf, it'll be fine! See it has Kim's name on it and everything!/Velma turns off and ignores AV warnings, runs.exe, popups start sprouting everywhere and the network crashes from all the activity/
(Velma) Whoops. But it MUST be a trick, because my BFF Kim wouldn't do that!/Me/..... [roflposters.com]
NOW do you see why Linux "security" wouldn't be worth a bucket of warm spit if Linux got all the Velmas of this world? If you ever do manage to get Velma and Kim and all their little buddies onto Linux your good friends at the Russian Business Network and their friends in China and Nigeria would be sending "Happ_Pup.sh" along with easy to follow instructions on how to run it. And Velma and Kim WOULD run it, no matter how many times you told them not to. It is simply the dancing bunnies problem [codinghorror.com] and short of forcing Velma and all her kind to run locked down thin clients with no rights at all to their own machines Linux will NEVER fix it. Sorry.
The problem with Linux on the desktop is that it's not very compelling.
Linux shines when the people around you are using it. That is, on your LAN or within telnet's reach. X is amazing, when used remotely. Why download and install a program when you can just telnet over to where its installed? Assuming the bandwidth is there (and it's a hell of a lot more there each year), the program will run. And it will be a lot faster than doing it the newfangled way, which is to make it a web service.
Linux makes a great desktop, if by "desktop" you mean network terminal. But we don't have a network. We have the web, which is a single graphical application (the "browser") that runs best on Windows. Just like a video game.
Linux won't, and probably can't, catch on until the network is there to support it. That includes small and large businesses, which have networks that would benefit from it, and are still using Windows. Businesses can use Linux the way it is intended, right now. But the "home desktop" is designed to deliver applications, not services.
Let's put it this way: The day some 14-year-old kid installs IIS for XP and hosts a webpage from his bedroom will be the first day of Linux's life. To my knowledge, nobody is hosting squat. Except on bittorrent, which doesn't quite count, because although BT is a protocol, people use it like just another Windows app.
hasn't there been multiple worms for openssl and apache?
i'm suprised i have to make this point yet again, but there are more machines infected than the whole linux marketshare. until linux is really in the hands of the common newb you won't have an apples and apples comparison.
Silence, in this context, really is golden.
The absence of data actually does signify, as far as this argument is concerned. In effective terms, users can find a secure haven in non-Windows systems. There is, admittedly, some truth to the assertion that there's a myth of invulnerability surrounding FOSS systems. Amusingly, black hats seem to buy into it [imagicity.com] as much as anyone else.
Want effective protection from malware right now? Don't run Windows.
Will that protection exist tomorrow? Will it exist even after everyone and their dog has flocked to FOSS? These are, for the moment, academic questions. Developers, however, deal with such academic questions all the time. My personal feeling is that FOSS developers are up to the task of securing their systems even in the face of concerted attacks.
So what about that famously touted malware vector, 'stupid user tricks'? Ignorance and naivete are vulnerabilities in any system, technical or human. One doesn't have to look far for proof of that. But there's a fundamental logical flaw in this argument when applied to FOSS systems: The argument essentially says, "Once FOSS is just like Windows, it will be just as insecure as Windows."
This assumes that a mass movement to FOSS won't be accompanied by a cultural change, and I can't see how that's possible. The culture of the incurious, uninvolved and too-trusting Windows user is exactly what keeps Linux (and much of FOSS) off the desktop. FOSS punishes each of those tendencies. In effect, it pushes back against the very behaviour that remains Windows' last, greatest vulnerability.
I'm not trying to make the case for cultural change. Frankly, I'm getting jaded enough that I'm not so sure there will ever be a year of Linux on the desktop. But here's the thing: I don't care. Linux (and FOSS systems generally) work for me and my customers now. That's enough for today. I'll continue looking ahead with caution, but today, at least, I'm safe, and most of the rest of the world is not.
i'm suprised i have to make this point yet again, but there are more machines infected than the whole linux marketshare. until linux is really in the hands of the common newb you won't have an apples and apples comparison.
I know. It's typical isn't it? I've been waiting for a Linux version of Conficker for some months now. That's why I still have to dual boot: I just can't get the same experience using Linux as with Windows.
And before you suggest it, I'm not about to take the trouble to manually downoad and install some other academically written virus as a substitute. Also, typically, deficiencies in WINE stop me from running the Windows virus.
I know there is the whole marketshare thing, but I think there's just more the developers could be doing on a variety of fronts to address what is really a critical problem with Linux.
It may not be popular on/., but Windows isn't the main problem here. The core of the problem is people not giving a shit about the security of their system. Whether that system is Windows, Linux or Mac is irrelevant.
Windows has reached a point where it can be considered "fairly secure". There are few known security holes, and none that can't be fixed with a little system tweaking and putting a router in front of the machine. But what can the system do if the user is the main point of failure, when he grants everyone any kind of privileges?
Take a look at the Dancing pig problem [wikipedia.org]. In a nutshell: "Given a choice between dancing pigs and security, users will pick dancing pigs every time."
A webpage promises the user what he wants to see or do. Firewalls and security systems ring alarms because what the page actually will do is install malware. But the user clicks it away and allows it in. Because he wants to see the dancing pigs (or install a crack, or see some pron, or...).
What system could avert that? Only one that does not allow its owner to do what he pleases. Do we want machines that we don't own but that only install what's "good for us"? I wouldn't want to go there...
As long as people don't give a shit about their security, this problem will not end. Be it with Windows, Mac, Linux or FantasyOS. And people will not give a shit about their system's security and whether their system is a threat to the rest of the internet as long as they are not held responsible for their system's actions.
If your ISP provided a free service where it would text or phone you and offer to help clean up your systems if it detected malware-ish behavior coming from your computer or network, would you sign up?
The only gotcha is that you would be inviting the ISP to watch your traffic.
OK, this is slashdot, so most people would say "no," but how many regular people would say "yes" and would that make much of a difference?
Regular people just care that whatever is on their computer isn't directly costing them money or causing it to visibly malfunction. From experience, I know most would ignore any offers to help, sadly. Guess the trick is to find a way to make them want to disinfect their computers.
Exactly, other than adware or software that directly and immediately causes identity theft, most people don't care, after all computers are supposed to be slow after about a year because all the hardware goes obsolete right?
I never really got what made SSDs less reliable than HDs, I mean having bought cheap flash drives, used them extensively and the only ones that I have had break were broken from physically breaking them in some way. On the other hand, I've had several "name-brand" drives either fail for no reason or give me the "click of death", along with an EEE with moderate use with an early SSD that hasn't failed yet.
Yes, but what happens if this leads to more filtering? Such as "Your computer has been using a lot of P2P, install this to scan for any unwanted programs" and it sends all the data to the RIAA/MPAA?
Guess the trick is to find a way to make them want to disinfect their computers.
Or make them want something that Linux has but Windows doesn't. Unfortunately, users tend to have weird priorities. They won't budge over the seemingly intangible factor known as 'security', but they might switch in a heartbeat for Gnometris.
Regular people just care that whatever is on their computer isn't directly costing them money or causing it to visibly malfunction. From experience, I know most would ignore any offers to help, sadly. Guess the trick is to find a way to make them want to disinfect their computers.
How likely is that to happen? Almost zero? Fffft. And when it happens? My bank will cover the loss so I shut up and don't make a stink about it, so does Visa, so? Ffffft."
That's how this is perceived. It's no biggie. The money that may be lost will be covered by the financial institutions that don't want people to lose faith in online transactions. And that's about all people care about when it comes to identity theft.
by Anonymous Coward
on Friday June 12 2009, @08:47PM (#28316545)
OpenDNS already have a system set up where, if you use their DNS servers, it will tell you if it detects any Confiker-type activity on your network. Non-intrusive, transparent to the end-user, and quite effective.
Then most, if not all, ISP's could use this strategy too. Seeing as to how a very high percentage of users (my guess) would use the automatically obtained dns servers (from their ISP). And it would be just as "non-intrusive, transparent to the end-user, and quite effective." The ISP where I live - Shaw - offers free Anti-Virus based upon F-Secure. Based upon this link it does protect against Cornficker and tools are provided to remove it. http://www.f-secure.com/v-descs/worm_w32_downadup_gen.shtml (non c
And more specifically the sort of people who would install stuff just because a pop up tells them they are infected and they should install "Antivirus 2009".
And those who would type in passwords for encrypted zipfiles to decrypt them and install the stuff inside them...
Just make it opt-out and the 10% of us (or whatever) that might not be comfortable can continue to use the service happily.
The problem with bot-nets is not that people don't care (exactly) but that they are ignorant, literally, they don't know. Everyone wouldn't fix it or know how or who to turn to but the net result would still be X percentage less infected computers. Probably even an X percent increase in awareness/interest (personal information accessible/business information-secrets accessible/illici
Another point, would we prefer the ISP implement this in a subpoenable fashion or wait for the government to implement a national security system that would need essentially the same level of access to your information? Personally I like an audible paper trail from a non-governmental organization.
I ran an ISP only a few years ago. The number one source of identifying hacked PC's was abuse messages coming to our admin accounts. It didn't take our support staff long to lock out and call the customer. Many would say, "yes, the computer has been running slow lately", and thanked us for fixing their virus.
We also monitored our MRTG graphs. If we noticed strange spikes in traffic, our network people would investigate. One time we had to shut down a chess server at a high school. I will say this was in a r
Probably because ISPs tend to have deeper pockets than customers and are thusly more apt to be shoehorned into a booby trap if they try to be a good samaratin.
We now have Windows Defender. MS should know every nook and cranny in MS Window. What is so special about Conficker that the best software company in the world can't protect it's user against a well known and defined threat. I realize that dumb users will often just go back and reinfect the computer, but then we would expect defender to block the reinstall.
If you read the article, the problem isn't Microsoft failing to offer patches and fixes, it's the failure of users to install them. Conficker was detected in the wild *after* the patch to remove the vulnerability became available, but people didn't install it. I suspect a few of the monthly malware removal updates deal with it as well (though I don't know for certain). What do you want MS to do, deploy goon squads to forcibly patch people's computers?
What I thought was interesting was the internet telescope [caida.org] mentioned in the article. No wonder we're running out of IPv4 addresses, someone's wasting millions of them!
I routinely encounter people who have disabled windows update because they believe Microsoft is out to get them. They worry that the updates their computer nags them about are filled with unnecessary crap. Crap that will spy on them, display advertisements, install toolbars and hijack their machine. I think this is largely due to some weird cultural concept that Windows is both evil and necessary. In truth, it's neither.
That's just because they learned that everytime they installed something that announced itself as "critical update" and "warning, machine infection possible if you don't do this" they got bombarded with advertisments and had strange new toolbars in their browsers...
As a computer consultant that (has to) advocate Windows, allow me to answer this.
The average computer user in a company doesn't know jack about his machine. Fortunately, he's not required to do administrative tasks, but he's required to work with it. And he's required to produce. Trying to convince management that they should toss out all Windows machines and install Linux everywhere is something you should only try if you always wanted to take over bolder duty from Sisyphos.
Hate to say it... (Score:3, Insightful)
Correction (Score:3, Informative)
The security community will continue to fight them, but as long as the worm remains embedded in any Windows computer there can be no quick fixes.
Fixed that for ya.
Re:Correction (Score:5, Funny)
But its hard to tell... care to elaborate?
Parent
Re: (Score:2)
hasn't there been multiple worms for openssl and apache?
i'm suprised i have to make this point yet again, but there are more machines infected than the whole linux marketshare. until linux is really in the hands of the common newb you won't have an apples and apples comparison.
Re:Correction (Score:5, Interesting)
There are more than you think. Old home computers are quickly becoming Linux computers.
There are a lot of independent techs out there who service the lion's share of home computers. Yes, Best Buy and the like get a lot, too. But they can't compete on quality service with the little guy (due to overhead), so they have to keep themselves going through quantity.
I know a handful "home computer techs" - people who work out of their house or have a small one-room office somewhere. They're making ends meet and keeping their families going by doing this while at the same time putting linux on computers that are only mildly useful for anything beyond XP (and sometimes even XP, eg. 256Mb RAM).
More often than not, the system is in need of a reinstall anyway due to some combination of users messing them up and malware. It's like scoring a 3-pointer at the buzzer, in terms of removing an infection vector.
I'm one such person, while I'm unemployed. I'd say maybe one out of 5 of the computers that come to me leave with Linux installed. Those satisfied customers then refer their friends and family. Not much repeat service, but quite a few referrals. It would also appear that people are oddly appreciative for preventing them from installing all that crap as well - "it just works nice and fast and there are no pop-ups".
Not only that, but when someone upgrades their computer (and they've got the proclivity to tinker) they'll do something with the old one. Linux has picked up a lot of mindshare, and I know many of the so called "tech savvy" types (who still need someone who knows what they're doing on occasion when they can't recover or get stuck) are doing this.
Parent
Re:Correction (Score:5, Interesting)
sure linux has mindshare, but that hasn't translated into market share. The year of the linux desktop will also be the year of the linux virus.
Parent
Re:Correction (Score:5, Insightful)
Really?
All the linux systems floating around for years and years and years, and no one has gotten a proper linux virus to propagate. You know why that is? Uncle joe can install his porno software (not really aware of what that would be, but for the argument), and still have relatively secure computing because of the WAY LINUX IS DESIGNED, USED, AND MAINTAINED!!!!
Parent
Re:Correction (Score:5, Insightful)
If a Linux based distribution was the dominant desktop OS the morons who run a PC would be infected within minutes. They'll click on, suck up, snort or fk anything presented to them. I've had intelligent people click on, install or follow complex instructions that disable all security on a PC so they could install 'that cool looking game' and then lie about it even when I had logging software logging to a remote server.
Parent
They're not morons (Score:5, Insightful)
Because in theory it's impossible to solve the halting problem.
In theory users have to figure out whether a program is safe (analogous to "halt") even though
1) They don't have the actual true description of the program
2) They don't know the full inputs of the program
And that's a harder problem than the halting problem
While you could say - nobody should install anything that's "Not Expert or Vendor Approved", to me that's a rather dismal state of things.
Things could be so much better. Really.
For instance if you had an O/S that will require applications/applets to list out the type of access they require.
Then the O/S can provide a meaningful and TRUE description to the user of what the application might do.
And the O/S can also enforce the limits of the access.
So if something says it's a screensaver, it's only going to get screensaver access. It's not going to be able to make recordings from your microphone and webcam, and send them to Elbonia behind your back. It's not going to be able to write to anywhere other than it's own designated scratchpad area, not even your USB drives.
And that would be a secure modern O/S.
Then you can tell your "morons" - "You can install whatever stuff you like, unless the O/S gives you that red warning dialog box about the program requiring full user or system privileges".
In terms of security, most current O/Ses aren't even better than what was available 40 years ago. Heck, Unix is a watered down Multics.
They're just decorated with fancy graphics and animations so most people think they're advanced.
Yes, Vista does have some sandboxing, but the way MS has implemented stuff makes many people turn off many of the protections. So they'll become the next hosts for the next Conficker.
As for Linux, Apparmor and SELinux don't appear "Desktop Ready" yet.
Parent
Re: (Score:3, Insightful)
For instance if you had an O/S that will require applications/applets to list out the type of access they require.
Then the O/S can provide a meaningful and TRUE description to the user of what the application might do.
And the O/S can also enforce the limits of the access.
When I read this part, I thought you would mention Symbian. At least it looks like it does what you suggest. I am not a Symbian specialist, but when you write something that needs access to more than simple GUI stuff, you need to sign the app (tied to a specific phone IMEI, at least with the free online signing process), and in the process request what you want to allow the app to access (GPS data, user data, comms etc). Then when installing the app, Symbian will warn you that the app requires access to spe
Re:Correction (Score:5, Insightful)
I'm tired of this meme.
The thing about worms like Conficker is that they absolutely do not rely on user interactivity with some sort of trojan interface. No, "CLICK HERE FOR FREE PORN!" or, "DOWNLOAD THIS APP AND GET GREAT WAREZ!" apps.
Conficker spreads site to site silently through vulnerabilities in Windows.
Yes, it's possible to own *NIX boxen via trojan horse deployments, but for home users who aren't running apache, mysql, openssl, ssh, ftp, gopher, BIND, etc. the non-user infection vectors dry up. This is because Windows *sucks* for system security. While it's possible to pull privilege escalation on *NIX machines, and other OSes, often, they're a pain in the ass and usually require specialized setups(certain version of MySQL running with certain version of Apache, with... etc). Home users really don't have to worry about Samba file/print sharing owning their machine like NetBIOS on Windows users have to worry about their machines being similarly owned.
Sure, disabling autorun, running firewalls, virus scanners, etc. is great computing practice, I think it's more to expect from a typical home user who just wants the damned thing to work regardless. Lots of people use a computer thinking it's, well, a computer. Not a car, or a fax machine or a rifle that every so often needs to be broken down and maintained. Nor should it be. Modern file systems are virtually self-optimizing and aside from system updates and making sure there's room on your disk, which NO OS can really claim to do for you, unless you count Apple's MobileMe/.Mac service, even then it's only 20 gigs, most modern OSes can just be used on end with out much worry. Except most machines aren't running with components designed in this decade, they're often running Windows.
Parent
Re:Correction (Score:5, Insightful)
Uh, if those windows machines actually ran "windows update" there would be no conficker.
So if Desktop Linux had the same users, they may not run "ubuntu update". Why? Because the last time they updated their machine stopped working properly
Think that will never happen? See: https://answers.launchpad.net/ubuntu/+question/24523
Notice that user actually understands "grub" and "kernels" and knows where to find help. Other users might just never update. If the O/S ever has millions of users, these users start to add up.
> the fact that unix and unix-like operating systems were designed to be secure.
Incorrect. Unix is a watered down Multics.
Linux and most Unix OSes don't provide much security by default.
By default, any program the user runs, can do everything that user can do. There is no sandboxing.
And whatever a unix/linux normal user can do is more than enough for the conficker worm to make money for its masters.
So all the bad guys need to do is get the user to run their program.
If Ubuntu ever has "windows class" users I doubt it'll be hard to get them to download a file and type:
perl conficker
Then it's pwnage time.
If desktop linux ever has the market share that windows has, it'll start to have lots more "dancing pigs" applets that people want to run.
Some will actually be OK. And some will be malware.
An O/S whose security depends on people being able to tell whether something is safe or not, without the people actually being able to see and understand the source code, or know the entire inputs, is an O/S that expects people to solve something harder than the halting problem.
Thus in my opinion Windows and most Unixlike OS have poor security.
There are ways to give users better info on whether something is safe or not before they run it.
For instance say an O/S requires a program to list out what sort of access it requires ("guest applet access", or "full system privileges").
Then the O/S can provide the user more meaningful AND true information, and the O/S can also enforce those limits if the user decides to actually run the program.
So if a "dancing pig" applet claims to not want network access, it will NOT get network access, even if it tries to later.
That's far more secure than what the current O/Ses do.
Parent
Re: (Score:3, Informative)
Uh, if those windows machines actually ran "windows update" there would be no conficker. So if Desktop Linux had the same users, they may not run "ubuntu update". Why? Because the last time they updated their machine stopped working properly Think that will never happen? See: https://answers.launchpad.net/ubuntu/+question/24523 [launchpad.net] Notice that user actually understands "grub" and "kernels" and knows where to find help. Other users might just never update. If the O/S ever has millions of users, these users start to add up.
This is why I run a stable distro that doesn't break everything all the time. Debian stable for example, I think it would be highly unlikely for anything to break during an update.
That's not the worst they could do (Score:5, Insightful)
That's not a nice thing to say. Why did you say that? Did I hurt you somehow before?
> The worst they can do is to nuke their own files.
Nah. As I've been saying - they could run the wrong program and then the bad bad things could happen.
While having their own data destroyed is typically far worse than losing their entire operating system, that's NOT the worst that could happen when a user runs the wrong program.
1) Their data could get silently corrupted. Silent corruption is often far far worse than complete data loss. When you have complete data loss, it's obvious. So you restore from backups, or deal with it in other ways. When something tampers with the data, you could be screwed so badly and not know why. By the time you realize something is wrong, all your backups could be of the corrupted data.
2) Their secrets could get exposed and abused.
3) Their computer could get taken over and used for illegal stuff. While they might eventually be exonerated, the pain and damage involved is likely to be more than mere data loss.
Plus it's probably easier to live if people think you're some incompetent loser who went out of business because of massive data loss, than if people think you really downloaded, stored and shared all those illegal and _disgusting_ porn.
I'm sure others can think of many other things worse than "nuking their own files".
e.g. they could unknowingly help Skynet survive and grow in strength
Parent
Re: (Score:2, Interesting)
I'm one such person, while I'm unemployed. I'd say maybe one out of 5 of the computers that come to me leave with Linux installed. Those satisfied customers then refer their friends and family. Not much repeat service, but quite a few referrals.
What percentage of those users are still using Linux in 1 month? In 6 months? After 1 year? Per usual, something about your allegedly genuine pro-Linux story just begs more questions. How many users later dump the machine and end up just getting a new Windows machine instead? How many gain a new found appreciation for Windows after having used Linux for any length of time? How many users ever come back complaining that their X server is crashing or sound latency problems make watching YouTube unbearab
Re:Correction (Score:5, Interesting)
In my experience 100% of the people I have volunteered to install Linux on their systems not only continue to use linux for years afterwords, bring me their new computers they buy with windows installed and ask me to remove it.
Among others:
dozens of first time to almost completely computer illiterate people.
Lots of people that have been using windows for years and are fed up with the crap, especially after most linux distros had more in common with windows xp than vista had in common with windows xp.
At least half dozen people over 60.
Lots and lots of teenagers.
Not to mention everyone that works in my office never seen a linux computer before they walked through the door, and now have them at home.
So, these arguments are for the ignorant that have not used a major distro in the last couple years.
Parent
Re:Correction (Score:5, Insightful)
You are talking about servers which have these things called Linux administrators, or Guru if you will, that actually read security bulletins, patch on time, have IT experience, etc. This makes them a lot harder target than Velma.
Everybody, meet Velma. Say hi Velma-(Hi Y'all!)
Working in PC repair and sales since the days of Win3.xx, when dinosaurs roamed the earth as my oldest puts it, I have found Velma to be a VERY typical Windows user. She rarely if ever patches because it scares her that it might "break" something, if it wasn't for me should would be running the Norton that expired in 2004 for an AV, and worst of all, like WAY too many of my customers, she has a serious weakness. In Velma's case it is her BFF Kim. You see, her BFF Kim is what some of us in the biz call a "click whore", in that she will click on ANYTHING. Spam attachments, chain letters, you name it. And Velma will ALWAYS trust her BFF Kim no matter what to tell her. Now please enjoy an ACTUAL account of my working with Velma-
/Me/Velma, that is a password protected zip file. It is even telling you to turn off the AV before opening! It is a Virus, do NOT open that!
(Velma) Ohh...You worry too much. It is from my BFF Kim! She wouldn't send me anything bad! See, it says "happy puppy pics!" Isn't that nice?
/Me/ Velma, it isn't pics. Pics end with .jpg. That is Happ_Pup.exe! That is a virus! Do NOT run that! (Velma) Oohhh...drink decaf, it'll be fine! See it has Kim's name on it and everything! /Velma turns off and ignores AV warnings, runs .exe, popups start sprouting everywhere and the network crashes from all the activity/
(Velma) Whoops. But it MUST be a trick, because my BFF Kim wouldn't do that! /Me/..... [roflposters.com]
NOW do you see why Linux "security" wouldn't be worth a bucket of warm spit if Linux got all the Velmas of this world? If you ever do manage to get Velma and Kim and all their little buddies onto Linux your good friends at the Russian Business Network and their friends in China and Nigeria would be sending "Happ_Pup.sh" along with easy to follow instructions on how to run it. And Velma and Kim WOULD run it, no matter how many times you told them not to. It is simply the dancing bunnies problem [codinghorror.com] and short of forcing Velma and all her kind to run locked down thin clients with no rights at all to their own machines Linux will NEVER fix it. Sorry.
Parent
Re:Correction (Score:5, Insightful)
>Linux has picked up a lot of mindshare
The problem with Linux on the desktop is that it's not very compelling.
Linux shines when the people around you are using it. That is, on your LAN or within telnet's reach. X is amazing, when used remotely. Why download and install a program when you can just telnet over to where its installed? Assuming the bandwidth is there (and it's a hell of a lot more there each year), the program will run. And it will be a lot faster than doing it the newfangled way, which is to make it a web service.
Linux makes a great desktop, if by "desktop" you mean network terminal. But we don't have a network. We have the web, which is a single graphical application (the "browser") that runs best on Windows. Just like a video game.
Linux won't, and probably can't, catch on until the network is there to support it. That includes small and large businesses, which have networks that would benefit from it, and are still using Windows. Businesses can use Linux the way it is intended, right now. But the "home desktop" is designed to deliver applications, not services.
Let's put it this way: The day some 14-year-old kid installs IIS for XP and hosts a webpage from his bedroom will be the first day of Linux's life. To my knowledge, nobody is hosting squat. Except on bittorrent, which doesn't quite count, because although BT is a protocol, people use it like just another Windows app.
Parent
Re:Correction (Score:5, Insightful)
hasn't there been multiple worms for openssl and apache?
i'm suprised i have to make this point yet again, but there are more machines infected than the whole linux marketshare. until linux is really in the hands of the common newb you won't have an apples and apples comparison.
Silence, in this context, really is golden.
The absence of data actually does signify, as far as this argument is concerned. In effective terms, users can find a secure haven in non-Windows systems. There is, admittedly, some truth to the assertion that there's a myth of invulnerability surrounding FOSS systems. Amusingly, black hats seem to buy into it [imagicity.com] as much as anyone else.
Want effective protection from malware right now? Don't run Windows.
Will that protection exist tomorrow? Will it exist even after everyone and their dog has flocked to FOSS? These are, for the moment, academic questions. Developers, however, deal with such academic questions all the time. My personal feeling is that FOSS developers are up to the task of securing their systems even in the face of concerted attacks.
So what about that famously touted malware vector, 'stupid user tricks'? Ignorance and naivete are vulnerabilities in any system, technical or human. One doesn't have to look far for proof of that. But there's a fundamental logical flaw in this argument when applied to FOSS systems: The argument essentially says, "Once FOSS is just like Windows, it will be just as insecure as Windows."
This assumes that a mass movement to FOSS won't be accompanied by a cultural change, and I can't see how that's possible. The culture of the incurious, uninvolved and too-trusting Windows user is exactly what keeps Linux (and much of FOSS) off the desktop. FOSS punishes each of those tendencies. In effect, it pushes back against the very behaviour that remains Windows' last, greatest vulnerability.
I'm not trying to make the case for cultural change. Frankly, I'm getting jaded enough that I'm not so sure there will ever be a year of Linux on the desktop. But here's the thing: I don't care. Linux (and FOSS systems generally) work for me and my customers now. That's enough for today. I'll continue looking ahead with caution, but today, at least, I'm safe, and most of the rest of the world is not.
Parent
Re:Correction (Score:4, Funny)
i'm suprised i have to make this point yet again, but there are more machines infected than the whole linux marketshare. until linux is really in the hands of the common newb you won't have an apples and apples comparison.
I know. It's typical isn't it? I've been waiting for a Linux version of Conficker for some months now. That's why I still have to dual boot: I just can't get the same experience using Linux as with Windows.
And before you suggest it, I'm not about to take the trouble to manually downoad and install some other academically written virus as a substitute. Also, typically, deficiencies in WINE stop me from running the Windows virus.
I know there is the whole marketshare thing, but I think there's just more the developers could be doing on a variety of fronts to address what is really a critical problem with Linux.
Parent
Re:Correction (Score:5, Insightful)
It may not be popular on /., but Windows isn't the main problem here. The core of the problem is people not giving a shit about the security of their system. Whether that system is Windows, Linux or Mac is irrelevant.
Windows has reached a point where it can be considered "fairly secure". There are few known security holes, and none that can't be fixed with a little system tweaking and putting a router in front of the machine. But what can the system do if the user is the main point of failure, when he grants everyone any kind of privileges?
Take a look at the Dancing pig problem [wikipedia.org]. In a nutshell: "Given a choice between dancing pigs and security, users will pick dancing pigs every time."
A webpage promises the user what he wants to see or do. Firewalls and security systems ring alarms because what the page actually will do is install malware. But the user clicks it away and allows it in. Because he wants to see the dancing pigs (or install a crack, or see some pron, or ...).
What system could avert that? Only one that does not allow its owner to do what he pleases. Do we want machines that we don't own but that only install what's "good for us"? I wouldn't want to go there...
As long as people don't give a shit about their security, this problem will not end. Be it with Windows, Mac, Linux or FantasyOS. And people will not give a shit about their system's security and whether their system is a threat to the rest of the internet as long as they are not held responsible for their system's actions.
Parent
Time to reconsider "anti-worms":? (Score:2)
n/t
Re: (Score:2, Interesting)
My God! It's full of anti-worms [distrowatch.com].
"Watch me" service (Score:5, Interesting)
If your ISP provided a free service where it would text or phone you and offer to help clean up your systems if it detected malware-ish behavior coming from your computer or network, would you sign up?
The only gotcha is that you would be inviting the ISP to watch your traffic.
OK, this is slashdot, so most people would say "no," but how many regular people would say "yes" and would that make much of a difference?
Re:"Watch me" service (Score:4, Insightful)
Regular people just care that whatever is on their computer isn't directly costing them money or causing it to visibly malfunction. From experience, I know most would ignore any offers to help, sadly. Guess the trick is to find a way to make them want to disinfect their computers.
Parent
Re:"Watch me" service (Score:4, Insightful)
Parent
Re: (Score:2)
after all computers are supposed to be slow after about a year because all the hardware goes obsolete right?
that; or they're running SSD's.
Re: (Score:2)
Re:"Watch me" service (Score:4, Insightful)
Parent
Re: (Score:3, Funny)
Guess the trick is to find a way to make them want to disinfect their computers.
"Every time you don't update your antivirus, a kitten is struck by lightning."
Re: (Score:3, Funny)
Re:"Watch me" service (Score:4, Insightful)
Guess the trick is to find a way to make them want to disinfect their computers.
Or make them want something that Linux has but Windows doesn't. Unfortunately, users tend to have weird priorities. They won't budge over the seemingly intangible factor known as 'security', but they might switch in a heartbeat for Gnometris.
Parent
Re: (Score:3, Insightful)
Regular people just care that whatever is on their computer isn't directly costing them money or causing it to visibly malfunction. From experience, I know most would ignore any offers to help, sadly. Guess the trick is to find a way to make them want to disinfect their computers.
Easy, do what the government does... fearmonger.
"ZOMG Identity theft!!#!"
They'll be begging for free help.
Re: (Score:3, Informative)
"So? Ffffft.
How likely is that to happen? Almost zero? Fffft. And when it happens? My bank will cover the loss so I shut up and don't make a stink about it, so does Visa, so? Ffffft."
That's how this is perceived. It's no biggie. The money that may be lost will be covered by the financial institutions that don't want people to lose faith in online transactions. And that's about all people care about when it comes to identity theft.
Re: (Score:3, Interesting)
Except that government is vulnerable to pressure from lobbyists.
"Bot traffic" could easily be written up in legalese to mean anything special interests don't like, such as bit torrent.
Which may be even easier than expected if ACTA remains classified to the bitter end.
Re:"Watch me" service (Score:5, Informative)
OpenDNS already have a system set up where, if you use their DNS servers, it will tell you if it detects any Confiker-type activity on your network. Non-intrusive, transparent to the end-user, and quite effective.
Parent
Re: (Score:2)
The ISP where I live - Shaw - offers free Anti-Virus based upon F-Secure. Based upon this link it does protect against Cornficker and tools are provided to remove it.
http://www.f-secure.com/v-descs/worm_w32_downadup_gen.shtml (non c
If we look carefully at these Windows worms... (Score:5, Funny)
If only we consider more thoroughly what single thing they all have in common, we might be able to find a cure.
Parent
I've got it... (Score:4, Insightful)
And more specifically the sort of people who would install stuff just because a pop up tells them they are infected and they should install "Antivirus 2009".
And those who would type in passwords for encrypted zipfiles to decrypt them and install the stuff inside them...
Parent
Sure.. (Score:2)
The problem with bot-nets is not that people don't care (exactly) but that they are ignorant, literally, they don't know. Everyone wouldn't fix it or know how or who to turn to but the net result would still be X percentage less infected computers. Probably even an X percent increase in awareness/interest (personal information accessible/business information-secrets accessible/illici
Re: (Score:2)
Re: (Score:2, Informative)
I ran an ISP only a few years ago. The number one source of identifying hacked PC's was abuse messages coming to our admin accounts. It didn't take our support staff long to lock out and call the customer. Many would say, "yes, the computer has been running slow lately", and thanked us for fixing their virus.
We also monitored our MRTG graphs. If we noticed strange spikes in traffic, our network people would investigate. One time we had to shut down a chess server at a high school. I will say this was in a r
Re: (Score:3, Interesting)
Probably because ISPs tend to have deeper pockets than customers and are thusly more apt to be shoehorned into a booby trap if they try to be a good samaratin.
Why can't we remove it? (Score:2, Interesting)
Re:Why can't we remove it? (Score:4, Insightful)
Parent
We ALL know the words to this one by now! (Score:5, Insightful)
Botnets, worldwide botnets.
What kind of boxes are on botnets?
Compaq, H.P., Dell and Sony, true!
Gateway, Packard Bell, maybe even Asus, too!
Are boxes, found on botnets,
All running Windows! Foo!
Internet Telescope (Score:2, Interesting)
User education! (Score:5, Insightful)
Re:User education! (Score:4, Insightful)
That's just because they learned that everytime they installed something that announced itself as "critical update" and "warning, machine infection possible if you don't do this" they got bombarded with advertisments and had strange new toolbars in their browsers...
Parent
Re: (Score:3, Interesting)
As a computer consultant that (has to) advocate Windows, allow me to answer this.
The average computer user in a company doesn't know jack about his machine. Fortunately, he's not required to do administrative tasks, but he's required to work with it. And he's required to produce. Trying to convince management that they should toss out all Windows machines and install Linux everywhere is something you should only try if you always wanted to take over bolder duty from Sisyphos.
Second, the average computer adm