Linked by Thom Holwerda on Mon 11th Sep 2006 17:56 UTC
Windows A few days ago we reported on the fact that applications which have administrative rights in Vista (given by the user, of course) can disable User Account Protection altogether. This was seen as a security flaw; Ars, however, begs to differ: "When UAC is disabled, Vista gripes loudly about it. The Windows Security Center immediately notes that UAC has been turned off, and it prompts you to turn it back on using a system tray notification. From our own testing, it appears impossible to disable UAC without the Security Center noticing it, which makes it rather unlikely that a user is end up in a less secure state."
Order by: Score:
Well...
by PJBonoVox on Mon 11th Sep 2006 18:35 UTC
PJBonoVox
Member since:
2006-08-14

I posted yesterday that an application (Windows or Linux) could ask for the root password. Say in KDE surely it could create a 'kdesu' like box telling you it needs administrative privileges. Then it uses the provided password to do something as root.

If this is possible, and I'm sure it is, what is stopping Linux from being 'owned' the same way that the Vista hating article from yesterday said Vista could?

Understand-- I use Linux and Windows and I like them both, but this article just got me thinking.

Edited 2006-09-11 18:36

Reply Score: 5

RE: Well...
by sbenitezb on Mon 11th Sep 2006 18:53 UTC in reply to "Well..."
sbenitezb Member since:
2005-07-22

"If this is possible, and I'm sure it is, what is stopping Linux from being 'owned' the same way that the Vista hating article from yesterday said Vista could?"

I can guarantee non of my Kubuntu installed-from-repos applications owned my system. There's this confidence because these applications are open source and maintained by a well known group of developers.

You cannot be so sure about that in the Windows world. You could end downloading a trojan.

Reply Score: 2

RE[2]: Well...
by PowerMacX on Mon 11th Sep 2006 19:00 UTC in reply to "RE: Well..."
PowerMacX Member since:
2005-11-06

I can guarantee non of my Kubuntu installed-from-repos applications owned my system. There's this confidence because these applications are open source and maintained by a well known group of developers.

You cannot be so sure about that in the Windows world. You could end downloading a trojan.


Do you personally check every line of code?
Otherwise...
http://www.osnews.com/story.php?news_id=15170

(Still safer than downloading random stuff in a Windows box of course ;) )

Reply Score: 5

RE[3]: Well...
by sbenitezb on Mon 11th Sep 2006 19:02 UTC in reply to "RE[2]: Well..."
sbenitezb Member since:
2005-07-22

"Do you personally check every line of code?
Otherwise... "

Hopefully, there's CVS to the rescue. And no, I don't personally check every line of code. Others do. At least, a bit more than with closed source.

Reply Score: 1

RE[4]: Well...
by MollyC on Tue 12th Sep 2006 02:41 UTC in reply to "RE[3]: Well..."
MollyC Member since:
2006-07-04

"I can guarantee non of my Kubuntu installed-from-repos applications owned my system. There's this confidence because these applications are open source and maintained by a well known group of developers.

You cannot be so sure about that in the Windows world. You could end downloading a trojan."

...
...
"Hopefully, there's CVS to the rescue. And no, I don't personally check every line of code. Others do. At least, a bit more than with closed source."

----------------------------------

Of course, one could download only open source software for Windows too. And one could download closed source software for Linux. So your argument isn't related to the underlying platform.

Regardless of whether a project is open source, if you're downloading the binary, there's a risk. There's no guarantee that the binary corresponds with the provided open source code. It could be that the developer himself compiled spyware (or whatever) into the binary. There's also a risk that some third party tampered with the binary. I've downloaded apps from SourceForge. When doing so, I'm directed to a dozen or so mirror sites, most of which I've never heard of, and am directed to choose one of them from which to download the app. And after doing so, I find that the app isn't digitally signed. So there is a risk I must take when running the app because since the app isn't digitally signed and it came from some mirror that I never heard of, there's no guarantee that the app hasn't been tampered with (injected with malware).

To be *really* safe, I have to download the code and compile it myself (which I have NO desire to do). And even this isn't a guarantee if I don't check the code myself (see below).


Regarding your comment, "I don't personally check every line of code. Others do." What "others"? The vast majority of projects on SourceForge are code reviewed only by the developers themselves, not by their "peers". The idea that there's massive code review going on guaranteeing security is a fallacy. So even if you don't download binaries and only download code that you compile yourself, it's most likely that that code hasn't been reviewed at all (or possibly underwent merely cursory "reviews"), so again, there's no guarantee that the code itself doesn't contain malware.

So, regarding downloading binaries, I think downloading a digitally signed app from a well-known commercial company (the liklihood of such an app being a trojan is practically zero) is safer than downloading unsigned OSS app from devs I never heard of from a mirror that I never heard of. As for downloading the code and compiling it myself, this is safe in theory, but it's really only safe if the code has indeed been vigorously reviewed, and no, this not the case for the vast majority of OSS projects.

Edited 2006-09-12 02:52

Reply Score: 4

RE[5]: Well...
by hobgoblin on Tue 12th Sep 2006 06:03 UTC in reply to "RE[4]: Well..."
hobgoblin Member since:
2005-07-06

thats why one downloads signed binarys from the distros main server, or a official mirror.

Reply Score: 2

RE[3]: Well...
by ma_d on Mon 11th Sep 2006 19:35 UTC in reply to "RE[2]: Well..."
ma_d Member since:
2005-06-29

It's usually installers which people distribute junk in. For two reasons:
1.) It needs system privs anyway, so it doesn't look odd to ask for them.
2.) It's easier, because what you want to do is copy files and change system settings which you're already doing with the legitimate application.

While Debian's security problems could pose a threat to users, as could any distribution which has been hacked into, I think the centralization of security to the repo host sysadmin is probably a better solution than decentralizing security to asking every single user if the file they're using as an installer is safe.
When you install something from a box at a store you have one level of trust, and that's fine. It's freeware/shareware/tryitware where you have no trust.

Some people also download straight from the developer for FOSS. However, I'd say the number of programs and the community ties make it much more difficult to distribute blatantly malicious code this way: It'd be on OSNews, and right now, most Linux users read sites like this.
A quick comparison of Download.com to say gnomefiles.org should give you an idea of how much freeware there is compared to FOSS.
Warning: You can't compare to SF, most of the projects on it are dead and never actually shipped.

Reply Score: 4

RE: Well...
by bob8 on Mon 11th Sep 2006 18:59 UTC in reply to "Well..."
bob8 Member since:
2006-07-13

"If this is possible, and I'm sure it is, what is stopping Linux from being 'owned' the same way that the Vista hating article from yesterday said Vista could?"

The fact that it's trivial to turn off UAC completely in Windows. In Linux it is much harder and on a properly configured system it cannot be done.

Reply Score: 1

RE[2]: Well...
by evad on Mon 11th Sep 2006 19:23 UTC in reply to "RE: Well..."
evad Member since:
2005-09-10

GNU/Linux doesn't have "UAC" so yes, you can't turn it off.



Or on.

Reply Score: 2

RE[3]: Well...
by bob8 on Mon 11th Sep 2006 19:40 UTC in reply to "RE[2]: Well..."
bob8 Member since:
2006-07-13

"GNU/Linux doesn't have "UAC" so yes, you can't turn it off."

Sudo can be setup to function exactly like UAC. Try looking at Ubuntu, it works that way by default. So yes Linux does have a UAC like layer.

Edited 2006-09-11 19:41

Reply Score: 1

RE[4]: Well...
by sbenitezb on Mon 11th Sep 2006 20:12 UTC in reply to "RE[3]: Well..."
sbenitezb Member since:
2005-07-22

"Sudo can be setup to function exactly like UAC. Try looking at Ubuntu, it works that way by default. So yes Linux does have a UAC like layer"

Not like Vista's! I can actually create an item in the desktop without being asked my password.

Reply Score: 2

RE[5]: Well...
by n4cer on Tue 12th Sep 2006 05:49 UTC in reply to "RE[4]: Well..."
n4cer Member since:
2005-07-06

Not like Vista's! I can actually create an item in the desktop without being asked my password.

If you're saying you can't do this on Vista, you are wrong.

Reply Score: 1

RE[6]: Well...
by linux-it on Tue 12th Sep 2006 08:47 UTC in reply to "RE[4]: Well..."
linux-it Member since:
2006-07-13

and if you don't want to be able to create an item on linux' desktop, it can be locked down without any problems.

Reply Score: 1

RE[3]: Well...
by tomcat on Mon 11th Sep 2006 20:36 UTC in reply to "RE[2]: Well..."
tomcat Member since:
2006-01-06

GNU/Linux doesn't have "UAC" so yes, you can't turn it off. Or on.

Yeah, that's technically true. But once a malicious app (see my previous post) gets a privileged process running, it doesn't need to care about logging in. It can use the privileged process as a proxy to do its bidding. So, bottom line, once a user lets a privileged process run -- regardless of whether it's Windows or 'nix -- no OS is secure.

Reply Score: 4

RE[4]: Well...
by t3RRa on Mon 11th Sep 2006 21:24 UTC in reply to "RE[3]: Well..."
t3RRa Member since:
2005-11-22

But you see, most users of alternative OSes(I mean non-Windows users) basically have more skills and knowledgements on computers in general I rekon. They could figure out whether it is some kind of trojan or not.

Also there are a lot of window managers which look totally different from each others. If I use Enligntenment R17 for DE, a GNOME/KDE app pops up and asks for root password, I think I could figure out easily even without much knowledge! ;) As there are so many choices for DE/window manager in open source world, it is hard to guess users environment. I know I know that most users use GNOME or KDE. But..

Anyway, because there is no way to turn off privilege thing in *nix world, it is impossible a malicious app gets a privileged process running or at least a lot harder than Windows. period.

I don't mean *nix is perfect but at least a lot more secure than Windows. And I feel comfortable on *nix because of it. ;)

Reply Score: 3

RE[5]: Well...
by tomcat on Mon 11th Sep 2006 22:05 UTC in reply to "RE[4]: Well..."
tomcat Member since:
2006-01-06

But you see, most users of alternative OSes(I mean non-Windows users) basically have more skills and knowledgements on computers in general I rekon. They could figure out whether it is some kind of trojan or not.

Yeah, that's probably true. But even experienced users can be tricked.

Also there are a lot of window managers which look totally different from each others. If I use Enligntenment R17 for DE, a GNOME/KDE app pops up and asks for root password, I think I could figure out easily even without much knowledge!

Sure, but it might be more difficult to ascertain if you're running an app for which the differences aren't so stark.

Anyway, because there is no way to turn off privilege thing in *nix world, it is impossible a malicious app gets a privileged process running or at least a lot harder than Windows. period.

It's not impossible. It's simply slightly harder. See my previous post regarding how to do that.

I don't mean *nix is perfect but at least a lot more secure than Windows. And I feel comfortable on *nix because of it. ;)

I understand, but I think that too many people have a false sense of security about 'nix and fail to understand how easily they can be rooted by a malicious app.

Reply Score: 3

RE[6]: Well...
by tomcat on Mon 11th Sep 2006 22:38 UTC in reply to "RE[5]: Well..."
tomcat Member since:
2006-01-06

Why was this modded down? Are people that immature that they can't discuss the issues honestly and need to actively promote censorship?

http://osnews.com/permalink.php?news_id=15801&comment_id=161409

Reply Score: 1

RE[5]: Well...
by tomcat on Tue 12th Sep 2006 00:15 UTC in reply to "RE[4]: Well..."
tomcat Member since:
2006-01-06

Why was this modded down? Are people that immature that they can't discuss the issues honestly and need to actively promote censorship?

http://osnews.com/permalink.php?news_id=15801&comment_id=161409

Reply Score: 3

RE: Well...
by ma_d on Mon 11th Sep 2006 19:37 UTC in reply to "Well..."
ma_d Member since:
2005-06-29

I think that sudo doesn't allow any programmatic entering of the password into its terminal dialogs or its graphical dialogs. I can't confirm this because I don't have it setup to test, but I imagine that'd be a basic feature to make the system truly useful.

If anyone knows of a source on doing this I'd love to hear about it, I'm a little curious now.

Reply Score: 1

RE[2]: Well...
by tomcat on Mon 11th Sep 2006 20:22 UTC in reply to "RE: Well..."
tomcat Member since:
2006-01-06

Use a little imagination. A malicious app puts up a dialog to collect the username/password, user enters it, malicious program spawns sudo with cmdline of target process with elevated privileges, sudo puts up a login dialog, user thinks that he/she mistyped the password in the original dialog and enters it again, sudo'd process does whatever it wants. Game over. You're owned.

Reply Score: 4

RE[3]: Well...
by hobgoblin on Tue 12th Sep 2006 06:07 UTC in reply to "RE[2]: Well..."
hobgoblin Member since:
2005-07-06

true, social engineering will never be overcome...

Reply Score: 2

RE[2]: Well...
by WorknMan on Mon 11th Sep 2006 20:00 UTC in reply to "Well..."
WorknMan Member since:
2005-11-13

I can guarantee non of my Kubuntu installed-from-repos applications owned my system. There's this confidence because these applications are open source and maintained by a well known group of developers.

You cannot be so sure about that in the Windows world. You could end downloading a trojan.


I see a lot of people saying that since most users run without root access, malware on Linux couldn't do as much damage as it could on a Windows system. However, when someone points out a senario where this may not be the case (such as the above), the standard response is 'Well, most Linux apps are open source anyway, so you don't have to worry about it.' This seems to me like sort of backwards logic. Either it is vunerable or it is not. If it is, then somebody will eventually exploit it.

BTW: I think it should be possible to turn off UAC in Vista, but make it not-so-obvious so that only power users (or people looking for the option) would actually find it.

Reply Score: 5

RE[3]: Well...
by sbenitezb on Mon 11th Sep 2006 20:20 UTC in reply to "RE[2]: Well..."
sbenitezb Member since:
2005-07-22

"I see a lot of people saying that since most users run without root access, malware on Linux couldn't do as much damage as it could on a Windows system. However, when someone points out a senario where this may not be the case (such as the above), the standard response is 'Well, most Linux apps are open source anyway, so you don't have to worry about it.' This seems to me like sort of backwards logic. Either it is vunerable or it is not. If it is, then somebody will eventually exploit it."

There is no secure method to prevent an application from opening a sudo dialog to get your password to own your system. But that application needs your credentials to temporarily change to root. It's not a vulnerability, it's how things works. You may have the most secure safe in the world, but if you trust the thief into your home and give him the password you are done. It's your mistake.

Trust is everything here. You cannot trust closed source applications. Most of internet downloadable applications are, by nature, not to be trusted. You make the final decission. When I download from a trusted repository, I'm inherently trusting the packager and the developers. Mostly because the project is open source and auditable. If you download from download.com, you are not certain that the programs don't contain any trojan or spyware. In a lot of circumstances, they do. I'm using Linux since 1996, and I yet have to be infected with some spyware or trojan or virus or, you name it.

Reply Score: 5

RE[4]: Well...
by Obscurus on Tue 12th Sep 2006 02:14 UTC in reply to "RE[3]: Well..."
Obscurus Member since:
2006-04-20

"Trust is everything here. You cannot trust closed source applications."

That may be true, but again there are plenty of open source applications out there that only one or two people in the world (maybe) have ever bothered to examine the source code of (just take a look at how many open source apps have not had their code updated in years, and are unmaintained), and if you are downloading binaries of an open source app, you can't be sure that the source code provided is the same as was used to compile the binary, so unless you use a source based OS, eg Gentoo, and vet the code personally, you are going to have to trust other people.

In my experience, spyware usually only comes "bundled" with supposedly freeware programs. Very few commercial software apps are going to contain anything nasty, as doing so would open them to having to refund lots of money to disgruntled customers if they are caught.

So if you either pay for quality closed source software, or use open source softwar your risk is pretty low.


"I'm using Linux since 1996, and I yet have to be infected with some spyware or trojan or virus or, you name it."

I've been using Windows for longer, and I've never been infected with anything nasty either. It comes down to being careful about what you download, being mindful of the risks of various activities, and avoiding dodgy websites. Keeping your antivirus software up to date is important. I don't let computer illiterate people use my main machine. Maybe a bit of luck is also invovled?

I like Linux too, and I do feel a bit more comfortable about using it for web surfing, but since a lot of my most commonly used software simply doesn't run on linux (even under Wine), I usually find it more convenient to just use windows. I keep all my important data backed up regularly, so it isn't that big a drama to wipe my hard drives and start again should the worst happen. Fortunately, it has never come to that - never received anything nasty that my antivirus software didn't catch.

I think the whole security thing is a bit overhyped anyway - the idea is to make people paranoid to attract them to products that supposedly increase their security.

Edited 2006-09-12 02:16

Reply Score: 3

RE[4]: Well...
by WorknMan on Wed 13th Sep 2006 02:09 UTC in reply to "RE[2]: Well..."
WorknMan Member since:
2005-11-13

If you download from download.com, you are not certain that the programs don't contain any trojan or spyware. In a lot of circumstances, they do.

Are you sure about that?
http://cnet.custhelp.com/cgi-bin/cnet.cfg/php/enduser/std_adp.php?p...

Reply Score: 1

RE: Well...
by ValiantSoul on Tue 12th Sep 2006 01:27 UTC in reply to "Well..."
ValiantSoul Member since:
2005-07-20

Typically the linux user is a little smarter than the Windows user. For example if you try to fire up a game, a linux user will be suspicious if it asks for root password. If a Windows user was in the same situation, they would probably quickly enter their password in order to play the game.

Reply Score: 2

RE[2]: Well...
by jessta on Tue 12th Sep 2006 14:43 UTC in reply to "Well..."
jessta Member since:
2005-08-17

No one can design a system that will protect a user from themselves.
With great power comes great responsibility.
Idiots will be owned until the end of time.

Reply Score: 1

That epends on if it is an server or client
by riha on Mon 11th Sep 2006 18:37 UTC
riha
Member since:
2006-01-24

If it is an server it is often locked into an server room and it could take days before someone notices it.

But, of course, that depends on how loud windows will give notice about the reduced security. Will it only be through visible notifications or will emails be sent to administrators and so on, if not, then the server could be compromised quickly.

Reply Score: 1

Square Member since:
2005-10-01

If it's a server chances are the admin isn't going to install questionable software on it that would disable such things. ( At least any good admin wont installthings without researching it)

Even on the desktop it is still a minor thing, once software is run localy, doesn't matter if its windows, linux, beos, MacOS, ect. Rogue software can still do all sorts of "evil" things even without admin/root access including deleting user files, running spyware/adware finding ways of getting root password from the user via fake dialogs, ect.

Reply Score: 3

I don't think that's a problem.
by Invincible Cow on Mon 11th Sep 2006 18:50 UTC
Invincible Cow
Member since:
2006-06-24

If UAC is disabled I'm sure it would be easy to disable the security center as well... But in all cases, the user has to give the admin password to a program.

Reply Score: 1

RE: I don't think that's a problem.
by n4cer on Tue 12th Sep 2006 05:43 UTC in reply to "I don't think that's a problem."
n4cer Member since:
2005-07-06

If UAC is disabled I'm sure it would be easy to disable the security center as well... But in all cases, the user has to give the admin password to a program.

The Security Center can only be disabled in a domain environment via policy.

Reply Score: 1

UAC
by Buck on Mon 11th Sep 2006 19:19 UTC
Buck
Member since:
2005-06-29

hmm... this sounds a bit like Doom3...
anyway, I bet the notification in Security Center can be disabled with just as little effort. In XP you can disable warnings for the Firewall and other stuff, so knowing Microsoft they've probably provided a hidden registry key somewhere to tweak this one as well.

Reply Score: 2

RE: UAC
by petera on Mon 11th Sep 2006 23:45 UTC in reply to "UAC"
petera Member since:
2006-04-22

In Vista RC1, UAC is listed under "Other security" (or something like that) and has no option to ignore the fact that it's off.

There probabaly is a reg key somewhere, but as so much has changed in Vista's registry (with all the new stuff they have tagged in) it might be a while before someone finds it.

Reply Score: 1

aent
Member since:
2006-01-25

Usually you don't just enter your password whenever you're running any program, its for a specific task. In Vista, its pretty clear, you want to run install.exe, you are going to after to enter a password in Windows. In Linux, the equivalent of install.exe is a deb or rpm file, which open with another program that you KNOW can be trusted. It can't go messing with your sudoers file or anything like that, and everything it does will be recorded by the package manager.

The problem is the fact that Windows has individual programs that people make requesting the rights rather then a very small set of predfined programs asking for it.

Reply Score: 1

n4cer Member since:
2005-07-06

The problem is the fact that Windows has individual programs that people make requesting the rights rather then a very small set of predfined programs asking for it.

The majority of third-party installers on Windows are just value-adds for MSI, Microsoft's installation engine.

Reply Score: 2

A couple of points
by tristan on Tue 12th Sep 2006 10:31 UTC
tristan
Member since:
2006-02-01

With regard to apps popping up password dialogues in order to gain enhanced privileges. I haven't used Vista, but in Ubuntu and OS X the standard password dialogue includes the full path of the application which is making the request. If this isn't what you expect, then something is amiss. Of course, that doesn't stop a malicious app from creating its own password request box, identical to the "official" one, but with a fictitious path, but this raises the point about user education.

Users should be aware of what the password dialogue does, i.e. allows system-wide changes to be made. They should be immediately suspicious of any programme unexpectedly requesting enhanced privileges: "why does this new music player I've just installed need root access?" for example.

Unfortunately this is rather more difficult in Windows than OS X or Linux, since an enormous number of pre-Vista programmes -- including virtually every game I've ever come across -- will assume that they have global write access, leading to a large number of authorisation requests, and possible/likely "password fatigue" on the part of the user. (NB. As I say, I haven't used Vista. It's possible Microsoft have thought of a clever way round this that hasn't occurred to me.)

The second point that "open-source software is only safer if you check every line of code yourself" is nonsense. This is one of the fundamental points about OSS. Whereas closed-source software is written, in the end, for the benefit of the company that produces it, the shared nature of OSS means that there is far more emphasis placed on it being for the benefit of the users. For example, if a company did decide to include some spyware in an OSS programme, you can bet there would be a non-spyware fork available in very short order. (See Limewire and Frostwire for a non-spyware example of the kind of thing I'm talking about.)

Furthermore, signed packages and official repositories mean that I can be confident that any package I install is exactly what the Ubuntu developers intended me to have. The code checking systems mean that the chances of any malware being included in something like Gnome, KDE, X or the Linux kernel are vanishingly small. It's possible that smaller, less well-known applications might have something unpleasant within them, but one would think that inclusion in the Debian (and thus Ubuntu) repositories would mean someone other than the author trying it out. I'm sure other distros have similar procedures.

Reply Score: 1

RE: A couple of points
by niklasb on Tue 12th Sep 2006 21:00 UTC in reply to "A couple of points"
niklasb Member since:
2006-09-12

>> an enormous number of pre-Vista programmes [...] will assume that they have global write access,

Yes, this is the root problem that LUA attempts to solve. Microsoft (my employer) might have just suggested that everyone run as a standard (non-admin) user, but unfortunately this is a tough sell if it means peopleís apps wonít work!

LUA enables such apps to work but still provides some of the security benefit one would get from running under a standard user account because a user has to explicitly grant permission before an app can do admin things.

>> leading to a large number of authorisation requests, and possible/likely "password fatigue" on the part of the user.

There seems to be a mistaken assumption that the LUA elevation prompt includes a password box. It does not. It just asks whether to Continue (i.e., run in a more privileged mode) or Cancel (i.e., fail the operation).

The important thing is that this decision come from the user so an app canít grant itself permissions. For this reason the prompt runs on the secure desktop so you canít send mouse clicks or other input to it. A nice thing about this is that a malicious app gains nothing by spoofing the prompt, neither higher permissions nor your password.

Reply Score: 1