Mathew P. External
Since: Feb 27, 2006 Posts: 277
Posted: Fri Sep 29, 2006 3:04 am Post subject: Re: Simple question about Windows .......
Archived from groups: comp>os>linux>advocacy

On 2006-09-29, Tim Smith spake thusly:
> In article <y5dfumy4qch1.dlg DeleteThis @funkenbusch.com>,
> Erik Funkenbusch <erik DeleteThis @despam-funkenbusch.com> wrote:
>> > And one major difference is, that in linux it would *only* corrupt the
>> > user's home partition & not the *whole* frekin' OS, unlike windows.
>>
>> That's not all it can do. For instance, it could send out spam to millions
>> of users, or it could replicate itself, or cause a DDoS. It can steal
>> passwords, harvest email addresses, and a whole host of other tasks... none
>> of which require one iota of special privilege.
>>
>> Of course, that's not taking into account that such viruses or trojans can
>> try to exploit any known local privilege elevation vulnerability as well.
>
> It's also not taking into account the fact that the user's home
> directory is the place where the items of value to the average user are
> kept.
Explain to me how viruses can execute without being able to infiltrate
or "attach" themselves to user files? They don't automatically get
set with that level of permissions even on intentional download.
Regards,
Mathew
--
"Always do the right thing: It will delight / Aluminum Foil Deflector Beanies
some and astound the rest" - Mark Twain / Psychotronic protection, low prices

Erik Funkenbusch External
Since: May 27, 2005 Posts: 2403
Posted: Fri Sep 29, 2006 3:04 am Post subject: Re: Simple question about Windows .......

On Fri, 29 Sep 2006 03:04:40 GMT, Mathew P. wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 2006-09-29, Tim Smith spake thusly:
>> In article <y5dfumy4qch1.dlg.DeleteThis@funkenbusch.com>,
>> Erik Funkenbusch <erik.DeleteThis@despam-funkenbusch.com> wrote:
>>> > And one major difference is, that in linux it would *only* corrupt the
>>> > user's home partition & not the *whole* frekin' OS, unlike windows.
>>>
>>> That's not all it can do. For instance, it could send out spam to millions
>>> of users, or it could replicate itself, or cause a DDoS. It can steal
>>> passwords, harvest email addresses, and a whole host of other tasks... none
>>> of which require one iota of special privilege.
>>>
>>> Of course, that's not taking into account that such viruses or trojans can
>>> try to exploit any known local privilege elevation vulnerability as well.
>>
>> It's also not taking into account the fact that the user's home
>> directory is the place where the items of value to the average user are
>> kept.
>
> Explain to me how viruses can execute without being able to infiltrate
> or "attach" themselves to user files? They don't automatically get
> set with that level of permissions even on intentional download.
Why can't a virus attach itself to a user's files when running as that user?
How code executes is not a mystery. The user deliberately executes it, the
user is tricked into executing it, the code gets executed via a
vulnerability in some application the user is running (such as a web
browser or email program), etc. There are all kinds of ways to get the
code to run.
Further, a file need not be "executable" to execute code. For example,
macro viruses have been around for years, and recently OpenOffice had some
problems with this area. Linux is not immune from poor applications.

Mathew P. External
Since: Feb 27, 2006 Posts: 277
Posted: Fri Sep 29, 2006 3:06 am Post subject: Re: Simple question about Windows .......

On 2006-09-29, Rick spake thusly:
> On Fri, 29 Sep 2006 01:32:26 +0200, Hadron Quark wrote:
> (snip)
>>
>> The nutjobs are forgetting that magic word "sudo" which accompanies just
>> every single "How to get Linux Working howto" out there.
>
> You're the freaking nut job. Sudo does NOT accompany
> just every single "How to get Linux Working howto" out there.
And it's not necessary for installing most apps in userspace anyway.
--
"Always do the right thing: It will delight / Aluminum Foil Deflector Beanies
some and astound the rest" - Mark Twain / Psychotronic protection, low prices

Erik Funkenbusch External
Since: May 27, 2005 Posts: 2403
Posted: Fri Sep 29, 2006 3:06 am Post subject: Re: Simple question about Windows .......

On Fri, 29 Sep 2006 03:06:28 GMT, Mathew P. wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 2006-09-29, Rick spake thusly:
>> On Fri, 29 Sep 2006 01:32:26 +0200, Hadron Quark wrote:
>> (snip)
>>>
>>> The nutjobs are forgetting that magic word "sudo" which accompanies just
>>> every single "How to get Linux Working howto" out there.
>>
>> You're the freaking nut job. Sudo does NOT accompany
>> just every single "How to get Linux Working howto" out there.
>
> And it's not neccessary for installing most apps in userspace anyway.
Wait, didn't you just get done telling me that by default, you can't
install apps in userspace?
Yes, here it is:
> No it doesn't. A user's home userspace (or folder as you put it) *is* automatically
> locked and non-executable
You flip-flop around like crazy. A sure sign you're making this up as you
go along, and can't seem to find a single argument that holds traction.

Mathew P. External
Since: Feb 27, 2006 Posts: 277
Posted: Fri Sep 29, 2006 3:13 am Post subject: Re: Simple question about Windows .......

On 2006-09-28, Oliver Wong spake thusly:
>
> "Gordon" <gbplinux DeleteThis @gmail.com.invalid> wrote in message
> news:4o270fFch1isU1@individual.net...
>> Hadron Quark wrote:
>>
>>
>>> Let me explain : if a user is *tricked* into executing a file as root or
>>> as administrator then that program can do *anything* it
>>> wants.
>>
>> But surely the point here is that the VAST majority of Windows users run
>> with an Administrator account - purely because they can't be fagged to log
>> out and log on as an Administrator - so there's no dialog box for a
>> password (in fact the numbers of Windows users in the MS Newsgroups who
>> keep asking how to auto log-on is frightening) whereas in Linux/Unix
>> almost
>> every user is NOT running as root, and so would be asked for a password
>> before being able to execute a potential system-damaging operation....
>
> Probably they would not need to enter in a password if the payload of
> the malicious program were to delete all files that the user has write
> access to. Personally, I think this latter payload is a bigger problem. If
> the program renders my system unbootable, but leaves my data file alone,
> then it's not a big deal, I can't just reinstall. But if they delete all my
> files, then I've lost everything since the previous backup (which for most
> users I'd assume was "never").
>
> - Oliver
I back up my home userspace to dvd at least once a month. (which reminds me,
I haven't done it yet for this month.) It's painless. Fire up K3B and have a
cup of coffee.
--
"Always do the right thing: It will delight / Aluminum Foil Deflector Beanies
some and astound the rest" - Mark Twain / Psychotronic protection, low prices

thad01 External
Since: Apr 20, 2005 Posts: 812
Posted: Fri Sep 29, 2006 4:40 am Post subject: Re: Simple question about Windows .......

Erik Funkenbusch <erik DeleteThis @despam-funkenbusch.com> wrote:
> On Thu, 28 Sep 2006 14:26:19 +0000 (UTC), thad01 DeleteThis @tux.glaci.remove-this.com
> wrote:
>
>> I'm not about to jump in on this argument... too difficult to get
>> objective measures to ever convince anyone one way or the other.
>> But this is an opportune time to mention a related anecdote:
>
> It was rather easy to prove. Note the date the CVE was created, then note
> the date of the released patch and security bulletin. Subtract one from
> the other. Of course that doesn't prove when the flaw was ACTUALLY
> discovered, but it does provide a minimum timeframe.
The point I'm not about to argue is the larger one about 'which
OS has better security' or 'who releases patches faster'. Each
vulnerability is unique and security issues so multifaceted that
it's just not a question that can be answered concisely. Security
is a process, not a product, and it largely falls on the system
administrators, not the vendor. I have my reasons for believing
a linux system is easier to secure. My reasons come from my
personal experiences. You have different experiences and no
doubt different opinions. On another day I'd have a blast
arguing the issue, but it's not a battle I'm going to jump into
today.
> Great. If you're capable of doing that, which most users aren't. And most
> users aren't following the mailing lists, or the daily builds. In fact,
> most users only update when their system tells them there's a new patch
> (and often times even then, they don't). How long before your patch makes
> it down to the Red Hat or SUSE or Debian automatic update? Several days at
> a minimum in most cases, often a week or more.
Sure, most people will wait for the official release, and that's
fine, but the point is the bleeding edge is there for those who
want it. It is typically not even an option in the closed source
world. Moreover, the bug still needs to be fixed before it can make
it into official patches and automatic updates, so the faster it is
turned around on the dev list, the faster it will make it into that
channel.
There is a Dilbert cartoon in which he wants to make a one line
bug fix, but the boss wants him to go through a lengthy justification
process first. I laughed when I read it because I've actually seen
it happen. I'm a big believer in process. It is certainly good
to define your requirements and design and have traceability. But
sometimes that can be taken too far; developers become handcuffed
to a CR tracking system that does not let them make a move without
filtering it through layers of management to assure coding time is
only being spent on tasks that trace back to funded requirements.
The five minute patch turn-around I described above cannot happen
in an environment like that. Maybe Microsoft is not that bad...
I don't know... but I KNOW that Linux doesn't suffer from that
problem because I have visibility and input into the process.
That is a big part of why I trust it more.
> What's more, doesn't this seem like the perfect opportunity for someone to
> sneak in a backdoor? With thousands of people compiling a patch with Zero
> due diligence? A suitably subtle one might not be caught right away and
> might present yet another window of opportunity for attack.
Nope... not much chance of a backdoor sneaking in that way. Too
many eyes looking at it before it gets applied. This was a developers
list after all. I reviewed the patch myself before applying (it was
rather small) as I know others did from the discussion that occurred.
The only instance I know of where someone tried to sneak a backdoor
in that way was actually in the linux kernel. The trick was subtle
and sneaky; it involved a comparison in which a '=' was used instead
of a '==' causing the negative condition being 'tested' for to be
assigned instead. It was caught rather easily, but it did create
some lively debate on the LKML and helped underscore the importance
of attribution of all submissions.
>
> Who installs nightly builds?
In the open source world, anyone who wants to.
Cheers,
Thad
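
The '=' versus '==' pattern described in the post above, as an added illustration (not code from the thread or from the Linux kernel). `struct cred`, the option bits, the error value and every function name are hypothetical, and the example goes beyond the post by adding a small line scanner a reviewer could run over patch lines.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-ins constructed for this example (not kernel code). */
struct cred { unsigned uid; };
#define OPT_A 0x1
#define OPT_B 0x2
#define ERR_INVALID (-22)

/* Planted form: '=' where '==' belongs. The assignment evaluates to 0, so
 * the error branch never runs, but the caller's uid has become 0 (root).
 * GCC and Clang's -Wparentheses treats a parenthesized assignment as
 * intentional, so this form compiles without a warning. */
int check_backdoored(struct cred *c, int options)
{
    int ret = 0;
    if ((options == (OPT_A | OPT_B)) && (c->uid = 0))
        ret = ERR_INVALID;
    return ret;
}

/* Intended form: a pure comparison that leaves the credential untouched. */
int check_intended(struct cred *c, int options)
{
    int ret = 0;
    if ((options == (OPT_A | OPT_B)) && (c->uid == 0))
        ret = ERR_INVALID;
    return ret;
}

static int is_ident(char ch)
{
    return isalnum((unsigned char)ch) || ch == '_';
}

/* Review aid: returns 1 when a line holds an `if (...)` whose condition
 * contains a bare assignment. A heuristic over one line of text, not a C
 * parser: it ignores string literals, comments and multi-line conditions,
 * and does not recognise '<<=' or '>>='. */
int flags_assignment_in_condition(const char *line)
{
    for (const char *p = strstr(line, "if"); p; p = strstr(p + 2, "if")) {
        if (p > line && is_ident(p[-1]))
            continue;                      /* part of a longer identifier */
        const char *q = p + 2;
        while (*q == ' ' || *q == '\t')
            q++;
        if (*q != '(')
            continue;                      /* not an if-statement */
        int depth = 0;
        for (; *q; q++) {
            if (*q == '(') {
                depth++;
            } else if (*q == ')') {
                if (--depth == 0)
                    break;                 /* end of the condition */
            } else if (*q == '=') {
                if (q[1] == '=') {         /* '==' comparison */
                    q++;
                    continue;
                }
                if (q[-1] == '!' || q[-1] == '<' || q[-1] == '>')
                    continue;              /* '!=', '<=', '>=' */
                return 1;                  /* bare '=' inside the condition */
            }
        }
    }
    return 0;
}

int main(void)
{
    /* Constructed inputs: an unprivileged caller and two candidate patch lines. */
    struct cred user = { 1000 };
    int ret = check_backdoored(&user, OPT_A | OPT_B);
    printf("backdoored: ret=%d uid=%u\n", ret, user.uid);

    const char *bad  = "if ((options == (OPT_A | OPT_B)) && (c->uid = 0))";
    const char *good = "if ((options == (OPT_A | OPT_B)) && (c->uid == 0))";
    printf("flag bad line:  %d\n", flags_assignment_in_condition(bad));
    printf("flag good line: %d\n", flags_assignment_in_condition(good));
    return 0;
}
```
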

Erik Funkenbusch External
Since: May 27, 2005 Posts: 2403
Posted: Fri Sep 29, 2006 4:40 am Post subject: Re: Simple question about Windows .......

On Fri, 29 Sep 2006 04:40:21 +0000 (UTC), thad01 DeleteThis @tux.glaci.remove-this.com
wrote:
>> What's more, doesn't this seem like the perfect opportunity for someone to
>> sneak in a backdoor? With thousands of people compiling a patch with Zero
>> due diligence? A suitably subtle one might not be caught right away and
>> might present yet another window of opportunity for attack.
>
> Nope... not much chance of a backdoor sneaking in that way. Too
> many eyes looking at it before it gets applied. This was a developers
> list after all. I reviewed the patch myself before applying (it was
> rather small) as I know others did from the discussion that occurred.
Like I said, a suitably subtle back door. I recall a fairly recent patch
in which the parentheses were left off a function call, which created a
root vulnerability (I don't recall if it was local or remote). This
skipped through a lot of eyes before someone caught it, and even then it
was because a black hat had noticed it first and was actively using it.
So please spare me the "too many eyes" rhetoric, most eyes see the exact
same thing and can stare at subtle vulnerabilities and not see them.
> The only instance I know of where someone tried to sneak a backdoor
> in that way was actually in the linux kernel. The trick was subtle
> and sneaky; it involved a comparison in which a '=' was used instead
> if a '==' causing the negative condition being 'tested' for to be
> assigned instead. It was caught rather easily, but it did create
> some lively debate on the LKML and helped underscore the importance
> of attribution of all submissions.
I think we're talking about the same bug. I'm pretty sure it wasn't the =
vs ==, it was because of the lack of parens on a function call. And it
wasn't found right away, that was the problem.
>> Who installs nightly builds?
>
> In the open source world, anyone who wants to.
The point is, it's pretty rare.

Richard Rasker External
Since: Jul 27, 2005 Posts: 199
Posted: Fri Sep 29, 2006 9:00 am Post subject: Re: Simple question about Windows .......

Op Thu, 28 Sep 2006 17:51:29 -0500, schreef Erik Funkenbusch:
> On Thu, 28 Sep 2006 16:42:50 +0200, Richard Rasker wrote:
>
>> If he were right, we'd have seen at least a few hundred successful social
>> engineering Linux viruses by now.
>
> No we wouldn't. The kind of users that get exploited by social engineering
> don't really exist on Linux, and the attackers know that. Not only that,
> there is simply no reward for the risk.
>
>> We haven't. Not a single one. We haven't
>> even seen any jump-through-several-hoops Windows viruses postulated by
>> Erik.
>
> Yes, we have. Here's a few examples:
>
> http://support.microsoft.com/default.aspx?scid=kb;en-us;Q322993
> http://news.zdnet.co.uk/hardware/emergingtech/0,39020357,2087838,00.htm
These are hoaxes, not automatically self-replicating viruses bearing an
arbitrary malicious payload. But OK, some people fall for it, so indeed
people will sometimes follow complex instructions when scared. For the
sake of the argument, let's say that you've got a point here. Next
question: why don't we see *actual* viruses and malware with these
characteristics on *all* platforms? I think that's because a) way less
people fall for these compared to the "one-click" types of malware, and b)
because the appalling security of Windows offers more than enough
opportunity for the aforementioned "one-click" types, contrary to other
OSes.
>> And why is that? No, not because Windows is the dominant OS, but
>> because it's largely trivial to infect a Windows machine, even with lots
>> of "defenses" in place. One wrong click, and you're buggered, period.
>> Linux isn't built like that. And because making things difficult *does*
>> deter most people from doing it.
>
> Bullshit. Linux has been largely immune because of its relative obscurity
> and higher than average technical ability of its users. MacOS has been
> largely immune because the tools don't exist for hacking systems on PPC as
> much as they do on x86. I predict we'll see a few major attacks on MacOS
> in the next 2 years.
*Yawn* Yeah yeah. Microsoft adepts have been predicting this ever since
the number of Windows viruses ran into the tens of thousands, a decade
ago. "Wait until Linux becomes really successful" - well, it *is*, at
least in the server market, and increasingly on the desktop. Linux has
been around for over a decade now, with millions of installations in the
past few years. Yet I still have to come across the *first* Linux virus
that actually spreads widely under its own steam. Windows viruses, on the
other hand, popped up immediately as people started exchanging software.
And OK, PPC still is a relatively sterile platform as far as hacking tools
are concerned, but the first Linux rootkits were published almost
alongside the first Linux kernels. Still, Linux systems aren't compromised
on any significant scale. To the best of my knowledge, not even 0.5% of
Linux and Mac machines harbour malicious code. Compare this with over 50%
Windows PC's worldwide infected with some kind of malware or other, and
only idiots maintain that Linux and MacOS are just as insecure as Windows.
Sure, both MacOS and Linux are attacked constantly. It's just that
these attacks aren't anywhere near as successful as on the Windows
platform, where things are especially "easy". And sure, every year there
are a few attacks which make an impact of sorts - the Slapper worm comes
to mind. But for all intents and purposes, it appears that these things
are mere incidents.
But with a bit of luck, we'll see how this "biggest market share" theory
holds up in the next few years, as I predict that the Windows market share
will drop significantly with the introduction of Vista.
Richard Rasker
--
Linetec Translation and Technology Services
http://www.linetec.nl/

Peter Hayes External
Since: Oct 10, 2005 Posts: 202
Posted: Fri Sep 29, 2006 10:00 am Post subject: Re: Simple question about Windows .......

In <87psdfpnxx.fsf DeleteThis @geemail.com> Hadron Quark wrote:
> The nutjobs are forgetting that magic word "sudo" which accompanies
> just every single "How to get Linux Working howto" out there.
Sudo isn't a substitute for the root password.
--
Peter

Peter Hayes External
Since: Oct 10, 2005 Posts: 202
Posted: Fri Sep 29, 2006 10:31 am Post subject: Re: Simple question about Windows .......

In <dcc2vmxysbfa$.dlg@funkenbusch.com> Erik Funkenbusch wrote:
> On 28 Sep 2006 15:27:25 GMT, Peter Hayes wrote:
>
>>> Your inability to follow Erik's explanation is frightening. And
>>> your last paragraph made no sense. Maybe you're talking about
>>> something else?
>>
>> I'm talking about Erik's comment, quoted at the top of this post,
>> that " Hell, a few years back, there were these streams of very
>> complicated hoaxes going around that asked users to delete various
>> files from their hard drive, because they were claimed to be
>> viruses." And I responded that if viruses didn't exist these "delete
>> virus msvc60.dll" or whatever spoof e-mails wouldn't exist because
>> nobody would believe them, or even understand them. Now what's
>> simpler than that?
>
> The point was simply that complexity is no deterrent.
I know what the point was. I made a slightly flippant observation that
got blown up out of all proportion.
> Suppose the list
> of instructions were to instead install a cool screen saver, or view
> naked pictures of paris hilton, or a great e-card from your grandson,
> or to show your patriotic support of the troops. Social engineering
> works because it convinces them to do things they normally wouldn't do.
It works in Windows because there's few if any road blocks in place to
stop the user following instructions.
It's less likely to work for Linux or OS X because these OSs include
road blocks like the sudo command. Without the appropriate password sudo
brings the exploit to a grinding halt no matter how desperate the user
is to view pictures of paris hilton naked.
Hopefully Vista will include similar safeguards, but not if RC1 is
anything to go by. It pops up boxes at every opportunity asking if I
really want to do x, y or z, but I've never been asked for a password
yet. Worrying, that.
--
Peter

Peter Hayes External
Since: Oct 10, 2005 Posts: 202
Posted: Fri Sep 29, 2006 10:54 am Post subject: Re: Simple question about Windows .......

In <v0vrqrst9bzr$.dlg@funkenbusch.com> Erik Funkenbusch wrote:
> On Thu, 28 Sep 2006 16:42:50 +0200, Richard Rasker wrote:
>
>> If he were right, we'd have seen at least a few hundred successful
>> social engineering Linux viruses by now.
>
> No we wouldn't. The kind of users that get exploited by social
> engineering don't really exist on Linux, and the attackers know that.
> Not only that, there is simply no reward for the risk.
That's a bit mean, suggesting Linux users are impoverished.
>> We haven't. Not a single one. We haven't
>> even seen any jump-through-several-hoops Windows viruses postulated
>> by Erik.
>
> Yes, we have. Here's a few examples:
>
> http://support.microsoft.com/default.aspx?scid=kb;en-us;Q322993
> http://news.zdnet.co.uk/hardware/emergingtech/0,39020357,2087838,00.htm
>
>> And why is that? No, not because Windows is the dominant OS, but
>> because it's largely trivial to infect a Windows machine, even with
>> lots of "defenses" in place. One wrong click, and you're buggered,
>> period. Linux isn't built like that. And because making things
>> difficult *does* deter most people from doing it.
>
> Bullshit. Linux has been largely immune because of its relative
> obscurity and higher than average technical ability of its users.
> MacOS has been largely immune because the tools don't exist for
> hacking systems on PPC as much as they do on x86. I predict we'll see
> a few major attacks on MacOS in the next 2 years.
The demography of Mac users is such that they should be an attractive
target for the criminal hacker community, yet we see no OSX exploits in
the wild whatsoever.
--
Peter

William Poaster External
Since: Sep 10, 2006 Posts: 125
Posted: Fri Sep 29, 2006 11:14 am Post subject: Re: Simple question about Windows .......

On Fri, 29 Sep 2006 03:04:40 +0000, Mathew P. wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 2006-09-29, Tim Smith spake thusly:
>> In article <y5dfumy4qch1.dlg.RemoveThis@funkenbusch.com>,
>> Erik Funkenbusch <erik.RemoveThis@despam-funkenbusch.com> wrote:
>>> > And one major difference is, that in linux it would *only* corrupt the
>>> > user's home partition & not the *whole* frekin' OS, unlike windows.
>>>
>>> That's not all it can do. For instance, it could send out spam to millions
>>> of users, or it could replicate itself, or cause a DDoS. It can steal
>>> passwords, harvest email addresses, and a whole host of other tasks... none
>>> of which require one iota of special privilege.
>>>
>>> Of course, that's not taking into account that such viruses or trojans can
>>> try to exploit any known local privilege elevation vulnerability as well.
>>
>> It's also not taking into account the fact that the user's home
>> directory is the place where the items of value to the average user are
>> kept.
>
> Explain to me how viruses can execute without being able to infiltrate
> or "attach" themselves to user files? They don't automatically get
> set with that level of permissions even on intentional download.
>
Exactly. I for one, will take advice from security experts rather than
arguments from a couple of M$ Apologists.
--
Never argue with a wintroll, they drag
you *down* to their level of stupidity,
then beat you with their experience.
-- Paraphrased, with acknowledgement to Dilbert --

Peter Hayes External
Since: Oct 10, 2005 Posts: 202
Posted: Fri Sep 29, 2006 11:33 am Post subject: Re: Simple question about Windows .......

In <zv7z7q2ui2ms.dlg.RemoveThis@funkenbusch.com> Erik Funkenbusch wrote:
> On 28 Sep 2006 12:51:29 GMT, Peter Hayes wrote:
>
>> To excuse Microsoft through historical baggage and a lack of
>> foresight isn't valid. They had two major opportunities to beef up
>> security, the release of Windows 95 and the release of NT4, or
>> perhaps even NT3.51.
>
> While I don't excuse Microsoft's lack of foresight in certain areas,
> It's now simply a fact that the situation exists and has to be dealt
> with.
Indeed, but it doesn't absolve them from liability.
To give back to the community some of the trillions lost through malware,
perhaps Gates & Co should offer a free version of Vista to all users. A
free version warranted as secure as reasonably possible, and stripped of
all their DRM/WGA scam baggage.
>> By 1990 viruses were becoming widespread, usually spread on floppies.
>> Five years later the release of Windows 95 was a pivotal moment - a
>> new OS with a new UI, a new kernel, and a new opportunity for
>> Microsoft to develop security policies and make a fresh start. They
>> didn't, and from that decision flows the trillions of $$$ lost to no
>> purpose.
>
> Windows 95 was hardly any such thing. In fact, it was a stopgap
> measure. It was never supposed to last as long as it did, it was a
> "bridge" to get people onto NT, with a 3-5 year lifespan. It ended up
> being close to 8 years before a large portion of people had upgraded
> to NT based systems.
Helped along by Microsoft's greed in releasing WinME. Had they wanted to
move people to NT, Windows 2000 would have directly followed Win98, with
Win98 being the last of the DOS based OSs.
Since Microsoft didn't adopt a meaningful approach to malware even in
the original release of Windows XP it doesn't really matter if Windows
95 was a stopgap OS.
> NT provided significantly more security, but that didn't stop the
> attackers from getting more creative.
And Vista is likely to be more of the same, but raised to a higher level.
At least they've now stopped users writing to C:\Program Files.
>> The Linux/Unix security paradigm was well in place by 1995 and
>> Microsoft chose to ignore it, presumably for short term marketing
>> purposes. Social engineering exploits aside, they are fully liable
>> for financial losses greater than the GDP of several third world
>> nations. Yet they are allowed to get away with it. Sheesh...
>
> I promise you, some day, probably some day soon, your "Linux/Unix
> security paradigm" will be revealed for the ineffective charade it
> really is. It won't stop determined malware.
We've been waiting for this for at least ten years and it's yet to
materialise. I predict we'll still be waiting in 2016, and there'll
still be people promising it "real soon now".
--
Peter

Peter Hayes External
Since: Oct 10, 2005 Posts: 202
Posted: Fri Sep 29, 2006 11:57 am Post subject: Re: Simple question about Windows .......

In <87ac4inbtp.fsf.DeleteThis@geemail.com> Hadron Quark wrote:
> Richard Rasker <spamtrap.DeleteThis@linetec.nl> writes:
>
>> Op Thu, 28 Sep 2006 17:57:11 -0500, schreef Erik Funkenbusch:
>>
>>> On 28 Sep 2006 15:27:25 GMT, Peter Hayes wrote:
>>>
>>>>> Your inability to follow Erik's explanation is frightening. And
>>>>> your last paragraph made no sense. Maybe you're talking about
>>>>> something else?
>>>>
>>>> I'm talking about Erik's comment, quoted at the top of this post,
>>>> that " Hell, a few years back, there were these streams of very
>>>> complicated hoaxes going around that asked users to delete
>>>> various files from their hard drive, because they were claimed to
>>>> be viruses." And I responded that if viruses didn't exist these
>>>> "delete virus msvc60.dll" or whatever spoof e-mails wouldn't exist
>>>> because nobody would believe them, or even understand them. Now
>>>> what's simpler than that?
>>>
>>> The point was simply that complexity is no deterrent.
>>
>> In my experience, it absolutely is. When users call me with
>> networking problems, I often have to make them enter CLI commands to
>> quickly figure out what's wrong (as I have no remote access an more
>> due to the networking trouble). And boy oh boy, you should see it.
>> It's more often than not like training a dog to jump through hoops,
>> requiring endless patience, several attempts at every command, often
>> rephrased in different ways. And with every error
>
> Shh. We are assured by the regulars here that CLI is obvious to all
> but the most "retarded" users.
>
> But most Linus users will have to use them at some time : a brief
> glance at the thousands of "how tos" to get sound, opengl, video,
> multiple desktops etc working will show you. All it needs is one hack
> of a "howto" script which is run using sudo or its equivalent and *
> bang*.
What distro are you running? RedHat 4.2?
The functions you quote usually work "out of the box" on a modern distro,
the exception that you *should* have quoted is DVD decryption, thanks to
the greed of Hollywood.
--
Peter

Peter Hayes External
Since: Oct 10, 2005 Posts: 202
Posted: Fri Sep 29, 2006 12:14 pm Post subject: Re: Simple question about Windows .......

In <87ejtunbyk.fsf.TakeThisOut@geemail.com> Hadron Quark wrote:
> Peter Hayes <not_in_use.TakeThisOut@btinternet.com> writes:
>
>> In <dcc2vmxysbfa$.dlg@funkenbusch.com> Erik Funkenbusch wrote:
>>> On 28 Sep 2006 15:27:25 GMT, Peter Hayes wrote:
>>>
>>>>> Your inability to follow Erik's explanation is frightening. And
>>>>> your last paragraph made no sense. Maybe you're talking about
>>>>> something else?
>>>>
>>>> I'm talking about Erik's comment, quoted at the top of this post,
>>>> that " Hell, a few years back, there were these streams of very
>>>> complicated hoaxes going around that asked users to delete
>>>> various files from their hard drive, because they were claimed
>>>> to be viruses." And I responded that if viruses didn't exist
>>>> these "delete virus msvc60.dll" or whatever spoof e-mails
>>>> wouldn't exist because nobody would believe them, or even
>>>> understand them. Now what's simpler than that?
>>>
>>> The point was simply that complexity is no deterrent.
>>
>> I know what the point was. I made a slightly flippant observation
>> that got blown up out of all proportion.
>>
>>> Suppose the list
>>> of instructions were to instead install a cool screen saver, or view
>>> naked pictures of paris hilton, or a great e-card from your grandson,
>>> or to show your patriotic support of the troops. Social engineering
>>> works because it convinces them to do things they normally wouldn't
>>> do.
>>
>> It works in Windows because there's few if any road blocks in place
>> to stop the user following instructions.
>>
>> It's less likely to work for Linux or OS X because these OSs include
>> road blocks like the sudo command. Without the appropriate password
>> sudo brings the exploit to a grinding halt no matter how desperate
>> the user is to view pictures of paris hilton naked.
>
> sudo generally shares the same password as the user in home
> installations.
The home user will have had to install Linux, thanks to the heavy hand
of the Microsoft Monopoly, meaning they're technically aware.
--
Peter |
|
William Poaster External
Since: Sep 10, 2006 Posts: 125
|
Posted: Fri Sep 29, 2006 12:44 pm Post subject: Re: Simple question about Windows ....... Archived from groups: per prev. post |
|
|
On Fri, 29 Sep 2006 10:54:42 +0000, Peter Hayes wrote:
> In <v0vrqrst9bzr$.dlg@funkenbusch.com> Erik Funkenbusch wrote:
>> On Thu, 28 Sep 2006 16:42:50 +0200, Richard Rasker wrote:
<snip>
>>Linux has been largely immune because of its relative obscurity and
>>higher than average technical ability of its users.
Hmm...so as there are more linux servers running the internet, than M$
ones, they're obscure. So *this* is why they haven't been attacked to the
same extent that windows has.
Spot the flaw....
> The demography of Mac users is such that they should be an attractive
> target for the criminal hacker community, yet we see no OSX exploits in
> the wild whatsoever.
--
Never argue with a wintroll, they drag
you *down* to their level of stupidity,
then beat you with their experience.
-- Paraphrased, with acknowledgement to Dilbert -- |
|
Hadron Quark External
Since: Sep 10, 2006 Posts: 1621
|
Posted: Fri Sep 29, 2006 1:26 pm Post subject: Re: Simple question about Windows ....... Archived from groups: per prev. post |
|
|
Gregory Shearman <ZekeGregory RemoveThis @netscape.net> writes:
> Hadron Quark wrote:
>
>> JDS <jeffrey RemoveThis @invalid.address> writes:
>>
>>> On Thu, 28 Sep 2006 13:51:11 +0200, Hadron Quark wrote:
>>>
>>>> You can be sure as hell that *if* Linux ever gets more than 2% of the
>>>> desktop share then the virus writers will turn their gaze towards it.
>>>
>>> How about the server market share? Most of the websites on the WWW
>>> run on Apache on Linux. That's a pretty big market share. Where are the
>>> viruses for those systems?
>>
>> They are hacked on a routine basis.
>
> Routine?
>
> How about you define what you mean about "routine" and supply evidence to
> support your claims.
Greg, you seem competent enough.
Let me turn this around:
Are web servers running apache and Linux hacked? Yes or no.
It's the denial that freaks me out.
--
Mistress, n.:
Something between a mister and a mattress. |
|
Richard Rasker External
Since: Jul 27, 2005 Posts: 199
|
Posted: Fri Sep 29, 2006 1:28 pm Post subject: Re: Simple question about Windows ....... Archived from groups: per prev. post |
|
|
On Thu, 28 Sep 2006 17:57:11 -0500, Erik Funkenbusch wrote:
> On 28 Sep 2006 15:27:25 GMT, Peter Hayes wrote:
>
>>> Your inability to follow Erik's explanation is frightening. And your
>>> last paragraph made no sense. Maybe you're talking about something
>>> else?
>>
>> I'm talking about Erik's comment, quoted at the top of this post, that "
>> Hell, a few years back, there were these streams of very complicated
>> hoaxes going around that asked users to delete various files from their
>> hard drive, because they were claimed to be viruses." And I responded
>> that if viruses didn't exist these "delete virus msvc60.dll" or whatever
>> spoof e-mails wouldn't exist because nobody would believe them, or even
>> understand them. Now what's simpler than that?
>
> The point was simply that complexity is no deterrent.
In my experience, it absolutely is. When users call me with networking
problems, I often have to make them enter CLI commands to quickly figure
out what's wrong (as I have no remote access any more due to the networking
trouble).
And boy oh boy, you should see it. It's more often than not like training
a dog to jump through hoops, requiring endless patience, several attempts
at every command, often rephrased in different ways. And with every error
message, they get more uncertain too, ready to give up totally. Most are
very glad when this "geeky stuff" is over. And those who are competent
enough to carry out the instructions, wouldn't dream of doing it if I
wasn't explicitly instructing them over the phone.
> Suppose the list of instructions were to instead install a cool screen
> saver, or view naked pictures of paris hilton, or a great e-card from
> your grandson, or to show your patriotic support of the troops. Social
> engineering works because it convinces them to do things they normally
> wouldn't do.
I don't say it's impossible that people actually fall for these schemes.
But complexity still is a very good deterrent - and with Linux, there is a
rather nice gap between the normal, super-easy GUI stuff which offers
relatively little opportunity to do harm, and the deeper mechanisms which
*can* cause trouble. People are used to just clicking on stuff to see *any*
kind of pictures, or visit a web site displaying e-cards. They click a
package manager or desktop setup option to install stuff or select a
screensaver. In Linux, there simply isn't a culture of sending executables
by mail, as there is/was with Windows. And why is that? Indeed: because
executing mailed files is rather bothersome. And because there's no need
at all.
Add to that the fact that unasked-for stuff is always regarded with more
suspicion, and no, I don't see your social engineering viruses taking off
under Linux. Even on bug-infested Windows, the hoaxes of this style are
few and far between, and to my knowledge, there hasn't been even one
successful self-replicating virus of this kind.
Again: it's not impossible to get people to hose their machines, but it's
tricky all the same. And also as long as Windows doesn't get any better
than "one click from hell", the malware you describe simply won't come
into existence on any significant scale. There are vastly more and easier
ways to crack Windows machines; it's by far the softest target around. And
that's why Windows will remain the platform of choice for hackers, script
kiddies and criminals.
Richard Rasker
--
Linetec Translation and Technology Services
http://www.linetec.nl/ |
|
Linonut External
Since: Mar 31, 2006 Posts: 3492
|
Posted: Fri Sep 29, 2006 1:28 pm Post subject: Re: Simple question about Windows ....... Archived from groups: per prev. post |
|
|
After takin' a swig o' grog, Richard Rasker belched out this bit o' wisdom:
> In my experience, it absolutely is. When users call me with networking
> problems, I often have to make them enter CLI commands to quickly figure
> out what's wrong (as I have no remote access any more due to the networking
> trouble).
> And boy oh boy, you should see it. It's more often than not like training
> a dog to jump through hoops, requiring endless patience, several attempts
> at every command, often rephrased in different ways. And with every error
> message, they get more uncertain too, ready to give up totally. Most are
> very glad when this "geeky stuff" is over. And those who are competent
> enough to carry out the instructions, wouldn't dream of doing it if I
> wasn't explicitly instructing them over the phone.
Actually, I have had similar experiences trying to get people to
configure stuff on Windows, using a GUI.
Talking them through text is actually easier, as they can just read what
they see.
Try telling a Windows user to "go to the drop down list". Or "right
click on the C drive and select properties." It is amazing how hard
that can be for some people. You often have to start from Start.
--
:read ~/.signature |
|
Hadron Quark External
Since: Sep 10, 2006 Posts: 1621
|
Posted: Fri Sep 29, 2006 1:31 pm Post subject: Re: Simple question about Windows ....... Archived from groups: per prev. post |
|
|
William Poaster <wp.DeleteThis@suseoss101.eu> writes:
> On Fri, 29 Sep 2006 03:04:40 +0000, Mathew P. wrote:
>
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> On 2006-09-29, Tim Smith spake thusly:
>>> In article <y5dfumy4qch1.dlg.DeleteThis@funkenbusch.com>,
>>> Erik Funkenbusch <erik.DeleteThis@despam-funkenbusch.com> wrote:
>>>> > And one major difference is, that in linux it would *only* corrupt the
>>>> > user's home partition & not the *whole* frekin' OS, unlike windows.
>>>>
>>>> That's not all it can do. For instance, it could send out spam to millions
>>>> of users, or it could replicate itself, or cause a DDoS. It can steal
>>>> passwords, harvest email addresses, and a whole host of other tasks... none
>>>> of which require one iota of special privilege.
>>>>
>>>> Of course, that's not taking into account that such viruses or trojans can
>>>> try to exploit any known local privilege elevation vulnerability as well.
>>>
>>> It's also not taking into account the fact that the user's home
>>> directory is the place where the items of value to the average user are
>>> kept.
>>
>> Explain to me how viruses can execute without being able to infiltrate
>> or "attach" themselves to user files? They don't automatically get
>> set with that level of permissions even on intentional download.
>>
>
> Exactly. I for one, will take advice from security experts rather than
> arguments from a couple of M$ Apologists.
Which "experts" Willy?
You know the problem with most experts don't you? They're not.
--
perfect woman, n.:
Four feet tall, no teeth and a flat head so you can rest
your drink.
[Pistol-grip ears? Ed.] |