Feeling Paranoid

Convergence · 2011-04-22 09:02:55

I've always taken for granted that as long as I wasn't running any servers like sshd or something that the possibility of getting hacked for a normal single user linux computer were virtually nil. However, I'm kind of in a paranoid mood, so I'd like to run this by the people on the forum. What brought this all on is the fact that ID has not yet upgraded their quakelive software to run on firefox 4 (at least for Linux), and I was considering downloading this file: http://www.mediafire.com/?slfqwjilxwtolr8

Someone took the quakelive xpi and hacked it to get it to work for firefox 4 in Linux. Most likely this is some trustworthy fellow that wants to help his fellow gamers out, but this would be a pretty good attack vector wouldn't it? It would be a simple matter for him to attach something like a backdoor/rootkit/keylogger. For that matter, there were some videos that I wanted to download off the internet and I installed the "download helper" for firefox. This is proprietary software, and what bugs me is that I can't figure out how the developers are making money with it. Their FAQ claims that no data is collected and reported, but companies have lied before.

My last little concern is that since I've installed wine (in order to play LoTRO with my dad), and since then, thunar and firefox occasionally try to open things up with wine software. I've even landed on an attack site (you know, the kind that claims that it has scanned your computer found a virus on drive:C [LOL, drive:C]), and firefox offered to open up the .exe file with a wine program! I think that if I hadn't been careful, I could have possibly been infected! (although I'm sure the damage would have been minimal)

So I guess the reason that I'm posting this is to see if other people are concerned about things like this. Firefox extensions and Windows emulation seem like possible attack vectors to me, and I don't really hear much about it. Am I the only paranoid one?

gtklocker · 2011-04-22 09:12:35

I am kind of paranoid myself like you but not at a really large scale and believe me, I have good reasons not to.

I use Parabola GNU/Linux-libre so I know that every package that is on the repos is free software, which means open source. For opensource programs there is a kind of "quality check" if requested. Also, I try taking a look on program's code that I'm going to install. Many times I find myself writing patches for these programs which is rather good. Also, in *any* browser I don't install addons. I never trusted them. As far as Quake is concerned there is a Windows 7 machine around (not mine :X) where I can play III Arena when I feel like it.

How are you so sure that your beloved X doesn't have a backdoor, sir?

Convergence · 2011-04-22 09:26:23

I didn't know about Parabola. Thanks for pointing that out. I was considering trying out Debian for this very reason. I am however very attached to my nvidia drivers. I would feel like I wasted a big hunk of cash if I wasn't getting the most out of my shiny new graphics card. I guess I can choose to trust a couple of major companies. For instance, I trust nvidia, sun, and some major game developers. I don't really trust small companies giving away free proprietary software on the internet though.

Convergence · 2011-04-22 09:29:49

What do you mean by my "beloved X"? Do you mean my x server? I use xorg, and it's open source.

gtklocker · 2011-04-22 09:56:09

Convergence wrote:

What do you mean by my "beloved X"? Do you mean my x server? I use xorg, and it's open source.

I know.

[quite_paranoid_mode]
Have you checked its source code?
[/quite_paranoid_mode]

Convergence · 2011-04-22 10:02:45

You're right! I can't trust any of this stuff until I check every line of code! I'm gonna need a lot more coffee!

Maybe we can team up on it, divide up the labour. Wait, how do I know that I can trust you?!

lolilolicon · 2011-04-22 10:35:06

Even if you can read every line of the source code, and understand every line of it, you are still not digging deep enough: Reflections on Trusting Trust

I never trust computers

Convergence · 2011-04-22 16:28:15

A self trojanizing trojanized compiler? My god! I think I had an argument about the possibility of such a thing a long time ago.

R00KIE · 2011-04-22 19:47:20

I've seen much better than that, you can have perfectly legal code which calls absolutely safe/secure functions and said code can seem safe/secure, however if there is something in the idea itself that is meant to leak data it will be very hard to catch, specially if when reviewing the code the emphasis is on finding the "most common" errors or obvious security flaws, oh and it doesn't even need to be a huge amount of code, a dozen lines of code is enough to demonstrate this.

jocom · 2011-04-22 20:06:50

R00KIE wrote:

..., oh and it doesn't even need to be a huge amount of code, a dozen lines of code is enough to demonstrate this.

That sounds like a really interesting programming challenge... [but we might probably better start a new thread for that.]

Arch Linux

#1 2011-04-22 09:02:55

Feeling Paranoid

#2 2011-04-22 09:12:35

Re: Feeling Paranoid

#3 2011-04-22 09:26:23

Re: Feeling Paranoid

#4 2011-04-22 09:29:49

Re: Feeling Paranoid

#5 2011-04-22 09:56:09

Re: Feeling Paranoid

#6 2011-04-22 10:02:45

Re: Feeling Paranoid

#7 2011-04-22 10:35:06

Re: Feeling Paranoid

#8 2011-04-22 16:28:15

Re: Feeling Paranoid

#9 2011-04-22 19:47:20

Re: Feeling Paranoid

#10 2011-04-22 20:06:50

Re: Feeling Paranoid

Board footer