Rich Freeman on 24 May 2011 12:36:36 -0700



Re: [PLUG] Microsoft's many eyes?


On Tue, May 24, 2011 at 3:21 PM, Chaz Meyers <plug@thechaz.net> wrote:
> Linux has a better model because usually people don't walk around as root
> and have to su/sudo to do dangerous things. However, if all Windows users
> suddenly switched to Linux, I'm confident that malware would be written for
> Linux that calls gksudo and enough people would blindly enter their password
> and click OK without reading or thinking about what they are doing. It's
> what they've been trained to do over the past 15 years when a scary dialog
> box comes up.

Why would a malware author bother to get root privs on the device?
99% of the stuff malware does works just fine with user privileges.

A user-owned process in linux can:

1.  Spy on any keystrokes in any window on any X Server anywhere that
the user has a valid cookie for.  That could potentially go beyond
user-owned processes.
2.  Send all the spam it wants to.
3.  Run any servers it wants to as long as they don't bind low ports.
4.  Access or modify any user-created file.
5.  Read the user's address book/etc.
6.  Install any browser plugins it wants to.
7.  Install itself in any of 47 different user-owned config files that
trigger programs to run so that it can be "always-on" - it just won't
be running until the user logs into the machine.

The only things that root gives it are:

1.  Better ability to evade detection - as if most users bothered to
look for malware.
2.  The ability to access other users' data - as if the typical
desktop linux box would even have more than one user account on it.
3.  The ability to listen on low ports, and send raw ethernet packets
and get interfaces into promiscuous mode.
4.  The ability to run on boot vs login, and the ability to infect
other executables.

The main advantages linux has are:

1.  Generally it is distro-backed which means that security patches
cover most of the installed applications and not just the core OS.
2.  Usually executable files are not mapped in such a way that simply
clicking on them will run them (but I've heard some distros map .exe
to wine).

That's really about it as far as I can see.  If somebody came out with
a zero-day thunderbird exploit that runs attached code, you could have
a linux-based worm spread like wildfire, if enough of the population
ran linux/thunderbird.

Potential game-changers here are things like android and SELinux,
which have much more segmented security models.  Android runs on a
user-per-application basis so that arbitrary applications can't do
whatever they want.  SELinux doesn't do this, but it has a much more
granular security model.  You can give a user suid 0 on an SELinux box
and they won't be able to do just about anything if you configure it
right (I think).  I remember there was an SELinux demo box set up once
upon a time that had its root password posted on a website with telnet
access as a proof of concept.

An improvement in the linux security model just makes sense.  Why does
my browser need read/write access to my email client's address book?
Why does xterm need write access to every file I own?  The problem is
that until upstream and distros start supporting SELinux it will be
far too difficult to maintain.

Rich
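Added example, not part of Rich's message or of any project's code: a small audit script for the point above that a user-owned process can install itself in user-owned config files that trigger programs at login. It lists the common user-writable login hooks in a home directory and shows the command each XDG autostart entry runs; the hook paths are a constructed common subset, not a complete inventory, and the sample home directory it builds is constructed test data.

```shell
#!/bin/sh
# Audit helper for the account owner: list the user-writable hooks that start
# a program at login on a Linux desktop, and show what XDG autostart entries
# run. The path list is a common subset of such hooks, not a complete inventory.

# Print every existing login hook file under the given home directory.
list_login_hooks() {
    home="$1"
    # Shell start-up files read at login or by every interactive shell
    for f in .profile .bash_profile .bash_login .bashrc .zshrc .xinitrc .xsession .xprofile; do
        [ -f "$home/$f" ] && printf '%s\n' "$home/$f"
    done
    # XDG autostart entries launched by the desktop session
    for f in "$home"/.config/autostart/*.desktop; do
        [ -f "$f" ] && printf '%s\n' "$f"
    done
    # systemd user units, started when the user's session begins
    for f in "$home"/.config/systemd/user/*.service; do
        [ -f "$f" ] && printf '%s\n' "$f"
    done
    return 0
}

# Print "<file>: Exec=<command>" for each autostart entry, so the command that
# actually runs at login is visible without opening each file.
autostart_exec_lines() {
    for f in "$1"/.config/autostart/*.desktop; do
        [ -f "$f" ] || continue
        grep '^Exec=' "$f" | sed "s|^|$f: |"
    done
    return 0
}

# Constructed sample home directory so the script runs offline (not real data).
make_fixture() {
    h=$(mktemp -d)
    printf 'export PATH="$HOME/.local/bin:$PATH"\n' > "$h/.bashrc"
    mkdir -p "$h/.config/autostart"
    printf '[Desktop Entry]\nType=Application\nName=Example\nExec=%s\n' \
        "$h/.local/bin/constructed-example" > "$h/.config/autostart/constructed-example.desktop"
    printf '%s\n' "$h"
}

fixture=$(make_fixture)
echo "Login hooks:";         list_login_hooks "$fixture"
echo "Autostart commands:";  autostart_exec_lines "$fixture"
rm -rf "$fixture"
```

Run it against a real account with `list_login_hooks "$HOME"` and `autostart_exec_lines "$HOME"`; anything listed that you did not put there is worth reading before the next login.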
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug