
#26 2010-08-16 18:58:28

Gullible Jones
Member
Registered: 2004-12-29
Posts: 4,863

Re: A major obstacle facing widespread Linux adoption... And a proposal.

To elaborate further on the whitelisting thing, here's an example...

Scenario 1.

You're running Skype in a limited account. Someone has figured out an exploit that makes Skype download and execute a file without your permission. A bot sends you the file, and Skype dutifully downloads and runs it. The file in turn exploits a privilege elevation vulnerability to get root, and installs a keylogger. By the time you've noticed anything unusual, your credit card PIN has been stolen and your email account hijacked.

Scenario 2.

You run as a limited user, and use ACLs or somesuch to prevent that user from executing any file that isn't owned by root. So no local applications and no custom shell profile... But when the Skype exploit hits you, the downloaded file fails to execute, because it isn't owned by root; and your passwords stay safe.

Scenario 3.

You have some means - don't ask what, I'm not sure anything like this exists on Linux - of restricting what applications can launch what. Skype, for instance, is only allowed to launch Firefox. When the exploit comes along, Skype does download the evil file, but fails to run it, because only Firefox is whitelisted for it.

Scenarios 2 and 3 are (from what I understand) more a Windows way of doing things than Linux, and more workstation than desktop. But (again, from what I understand) they can be very effective, even against zero-day exploits, because malicious payloads simply never get to execute - and that covers probably 99% of malware on Windows.

Edit: And one other thing...

There is something on Windows that I don't think has an analog on Linux - exploits that bypass firewalls. The Conficker worm, for instance, can make use of a port on a vulnerable machine even if that port is firewalled - the machine is only safe if the File and Printer Sharing service is turned off, firewall or no firewall.

I honestly have no idea how that works, but I've only heard of it happening in Windows, never with Linux and iptables. If I had to take a wild guess it would be that Windows NT just isn't designed for remote security.

Last edited by Gullible Jones (2010-08-16 19:06:28)


#27 2010-08-16 19:03:08

Spacenick
Member
From: Germany
Registered: 2010-04-02
Posts: 168

Re: A major obstacle facing widespread Linux adoption... And a proposal.

Well, it has stable APIs; why else will applications from over 10 years back compile on it (with some changes due to a more pedantic C compiler, but I'm sure with the right compiler they'll work without changes)? As far as I know the basic X Server protocol and API has been stable for at least 15 years, and I would think that even binary X clients from back then should work even with high-end compositing X installations. Also think about POSIX.


#28 2010-08-16 19:11:51

KimTjik
Member
From: Sweden
Registered: 2007-08-22
Posts: 715

Re: A major obstacle facing widespread Linux adoption... And a proposal.

Gullible Jones wrote:

That's fine for a niche OS like Arch. It's not fine for Granny's desktop.

Do we need more than one, maybe two, hacked-up OSes just to make granny happy? I'm not being ironic, but I've never understood this argument. We already see that plenty of pretty average users run Linux, and some way below average thanks to a little help from a relative or friend. Must Linux undergo further compromises just for the sake of getting everyone together hugging their Linux computers? Isn't it good that we at least have some systems for the desktop offering something else?

This wasn't a technical response, just me wondering about the underlying arguments for why.


#29 2010-08-16 19:38:29

Gullible Jones
Member
Registered: 2004-12-29
Posts: 4,863

Re: A major obstacle facing widespread Linux adoption... And a proposal.

Hmm. I guess part of the deal for me is that Linux can (theoretically anyway) run on old machines that would be too slow with Windows XP. (Win2k not being an option due to its lack of SRP or available HIPS software, and 95/98/Me for reasons obvious to anyone who's used them.)

But you do have a good point.


#30 2010-08-16 20:25:39

yejun
Member
Registered: 2009-10-21
Posts: 66

Re: A major obstacle facing widespread Linux adoption... And a proposal.

Working on anything that can't even run XP is just a waste of time.


#31 2010-08-16 20:33:41

Awebb
Member
Registered: 2010-05-06
Posts: 6,311

Re: A major obstacle facing widespread Linux adoption... And a proposal.

Let's have a look at my Windows 7 box. There is this funny folder "C:\Windows\winsxs", eating up 3 GiB right after the first time I boot into my desktop. After a week and a bunch of games and tools installed, it already uses 6.4 GiB. The first time I installed Win7 on this box, it ended up devouring 70 GiB (!!!) after two months.

What does this folder do? Winsxs stores the common libraries (.dll), so every piece of software installed can use the version of the library it is compiled against. If you care about this folder, try your favorite crawler; this goes beyond the scope of my post. However, removing those files is usually handled by the uninstaller of the respective piece of software. I once installed a speech-to-text software (forgot the name); it ate ~500 MiB in winsxs. After uninstalling the tool, the dll folder was still there. I was unable to delete those files; I had to boot a Linux live system to kill them. I heard other Windows users complain about this, so it's not just me.

Let's say 5% (just an assumption) of all updates on a Linux box with a decent package manager and good repos create conflicts between two applications needing different versions of the same library. That means for 5% of all updates you need to fiddle around a bit to make it run.

On a Windows box, you need to find and kill all auto-updaters (since they eat performance, imagine 50 tools checking for updates once an hour... giving you popups) and from time to time go to the dev's website and get a new version. You also need to care about security updates in an active way.

Both ways, the Linux way and the Windows way, consume time, and I bet it's the same amount of time allocated to different intervals.


#32 2010-08-16 20:34:55

falconindy
Developer
From: New York, USA
Registered: 2009-10-22
Posts: 4,111

Re: A major obstacle facing widespread Linux adoption... And a proposal.

Gullible Jones wrote:

Scenario 3:

You have some means - don't ask what, I'm not sure anything like this exists on Linux - of restricting what applications can launch what. Skype, for instance, is only allowed to launch Firefox. When the exploit comes along, Skype does download the evil file, but fails to run it, because only Firefox is whitelisted for it.

You're describing a capability of AppArmor. Canonical uses it, and it's going mainline (some or all of it) in 2.6.36.

my .02: There doesn't seem to be anything new, interesting, or evocative in this thread.

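An added illustration of the AppArmor capability falconindy points at, covering Gullible Jones's Scenario 3 (the application may launch only Firefox) and Scenario 2 (nothing in user-writable locations may execute). This is not code from the thread or from AppArmor's shipped profiles; the binary paths, the abstractions pulled in and the directory list are assumptions.

```apparmor
# Added example, not from the thread: confine a hypothetical /usr/bin/skype.
# Paths and abstractions are assumptions; adjust to the real installation.
#include <tunables/global>

/usr/bin/skype {
  #include <abstractions/base>
  #include <abstractions/nameservice>
  #include <abstractions/audio>

  # The application itself and its private libraries: map and read only.
  /usr/bin/skype                 mr,
  /usr/lib/skype/**              mr,

  # Scenario 3: the only program this profile may execute is Firefox.
  # Px = switch to Firefox's own profile with a scrubbed environment;
  # a profile for /usr/bin/firefox must be loaded or the exec is refused.
  /usr/bin/firefox               Px,

  # Scenario 2: a downloaded file can never be executed from a location
  # the user can write to, whatever mode bits the exploit sets on it.
  # 'audit' writes the refused attempt to the kernel log, so the incident
  # shows up in syslog/auditd instead of failing silently.
  audit deny @{HOME}/**          x,
  audit deny /tmp/**             x,
  audit deny /var/tmp/**         x,
  audit deny /dev/shm/**         x,

  # Downloads and the application's own state still work, but as data only:
  # read/write (and lock), no execute. Deny rules above strip only 'x'.
  owner @{HOME}/Downloads/**     rw,
  owner @{HOME}/.Skype/**        rwk,
  owner /tmp/**                  rw,
}
```

Load it with `apparmor_parser -r` on the profile file and run it in complain mode (`aa-complain`) first, so the audit log shows what the real application needs before you enforce it.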

#33 2010-08-16 20:40:23

Acecero
Member
Registered: 2008-06-21
Posts: 1,373

Re: A major obstacle facing widespread Linux adoption... And a proposal.

Instead of just focusing on granny here, let's try to see how these methods would be of benefit to the Linux power-user/developer. This is the Arch Linux forums; trying to propose end-user Linux solutions is not going to motivate members much to provide ideas.


#34 2010-08-17 00:13:28

ngoonee
Forum Fellow
From: Between Thailand and Singapore
Registered: 2009-03-17
Posts: 7,356

Re: A major obstacle facing widespread Linux adoption... And a proposal.

Correct me if I'm wrong, but isn't the fabled Windows 'stable API' partly to blame for the profusion of malware?


Allan-Volunteer on the (topic being discussed) mailing lists. You never get the attention of the people who matter on the forums.
jasonwryan-Installing Arch is a measure of your literacy. Maintaining Arch is a measure of your diligence. Contributing to Arch is a measure of your competence.
Griemak-Bleeding edge, not bleeding flat. Edge denotes falls will occur from time to time. Bring your own parachute.


#35 2010-08-17 02:26:01

falconindy
Developer
From: New York, USA
Registered: 2009-10-22
Posts: 4,111

Re: A major obstacle facing widespread Linux adoption... And a proposal.

ngoonee wrote:

Correct me if I'm wrong, but isn't the fabled windows 'stable API' partly to blame for the profusion of malware?

Technologies such as VBScript and ActiveX with their disregard for security (somewhat fixed now) are more appropriate to blame than the API itself. The Melissa virus was written entirely in VBScript and was capable of fairly malicious things, as well as propagation via crawling your Address Book in Outlook{, Express}. I also recall a web demo from many years ago of how ActiveX could be used to gracefully shut down a computer simply by visiting a web page.


#36 2010-08-17 02:40:41

Gullible Jones
Member
Registered: 2004-12-29
Posts: 4,863

Re: A major obstacle facing widespread Linux adoption... And a proposal.

Can't JavaScript do basically the same thing though, on any platform? If not, a Java applet definitely can, and Flash can be subverted very easily... Seems to me that there's not much safety short of NoScript or a browser sandbox.

(In theory anyway. In practice nobody targets Linux with desktop malware because it's got 2% of the desktop market share.)

And d'oh, I just realized my SRP-type strategy wouldn't work at all against a malicious Java applet. Ah well.


#37 2010-08-17 03:06:26

falconindy
Developer
From: New York, USA
Registered: 2009-10-22
Posts: 4,111

Re: A major obstacle facing widespread Linux adoption... And a proposal.

I know first hand that Java applets are sandboxed. Their file system level access is extremely limited. Read up on the doc, there's tons of it regarding the restrictions placed on web applets.

Flash and JS have restrictions as well, but I'm not intimately familiar with them.


#38 2010-08-17 04:41:13

Gullible Jones
Member
Registered: 2004-12-29
Posts: 4,863

Re: A major obstacle facing widespread Linux adoption... And a proposal.

How do online virus scanners such as Kaspersky's work then? Does stuff like that always require the user's permission, or something?


#39 2010-08-17 04:44:12

some-guy94
Member
Registered: 2009-08-15
Posts: 360

Re: A major obstacle facing widespread Linux adoption... And a proposal.

Gullible Jones wrote:

Can't JavaScript do basically the same thing though, on any platform? If not, a Java applet definitely can, and Flash can be subverted very easily... Seems to me that there's not much safety short of NoScript or a browser sandbox.

AFAIK, JavaScript can only manipulate the browser window and HTML, and with HTML5, have limited local data storage and do things with <canvas>.


#40 2010-08-17 06:45:43

fsckd
Forum Fellow
Registered: 2009-06-15
Posts: 4,173

Re: A major obstacle facing widespread Linux adoption... And a proposal.

Gullible Jones wrote:

How do online virus scanners such as Kaspersky's work then? Does stuff like that always require the user's permission, or something?

I'm not sure what they do; I think this is it: http://java.sun.com/developer/onlineTra … igned.html

Last edited by fsckd (2010-08-17 06:49:04)




#41 2010-08-17 13:24:16

Gullible Jones
Member
Registered: 2004-12-29
Posts: 4,863

Re: A major obstacle facing widespread Linux adoption... And a proposal.

Oh, okay, digital signatures. That makes sense. Thanks.


#42 2010-08-19 02:05:14

sokuban
Member
Registered: 2006-11-11
Posts: 412

Re: A major obstacle facing widespread Linux adoption... And a proposal.

I also notice that Windows backwards compatibility is much better than Linux's. It's gotten to the point that often it's easier to run an old app's Windows version through Wine than to try and get the Linux version working with your current system. I think that's pretty sad, because it means that if Wine were perfect it would be better to develop user apps for Windows and forget about Linux.

I had never known BSD worked like that; it sounds really cool.

Package management is Linux's main strong point, though, because it's all automatic; you don't need to go find 3rd-party packages for everything, and they don't need to track updates by themselves and tell you when a new version is available. It also helps security, as most apps you run are from a (hopefully) trusted source, and the few apps that aren't are compiled from source and (in an idealistic world) checked for security vulnerabilities as you do so. There are no foreign binaries in the equation.

Of course that works only if you want to keep up with everything, and it can honestly be very tiring, especially for Arch Linux which has lots of updates. Using another distro simply isn't an option because then you'll have /only/ old software and release cycles.

Being able to have up-to-date userspace software to get the latest features on stuff like Firefox but not having to update your core system every day would be nice. Heck, even userspace apps that you just use but don't care about getting the latest features & bugs don't need to be updated either. As far as I know you can't really do this on Linux. (You've got the choice of "all up to date" or "all out of date".) Perhaps LFS or Gentoo might be able to, but the former is an administration nightmare, and both require compiling everything from source.


#43 2010-08-20 00:21:42

Wintervenom
Member
Registered: 2008-08-20
Posts: 1,011

Re: A major obstacle facing widespread Linux adoption... And a proposal.

You might like [NixOS].

