A few days ago we reported on the fact that applications which have administrative rights in Vista (given by the user, of course) can disable User Account Protection altogether. This was seen as a security flaw; Ars, however, begs to differ: "When UAC is disabled, Vista gripes loudly about it. The Windows Security Center immediately notes that UAC has been turned off, and it prompts you to turn it back on using a system tray notification. From our own testing, it appears impossible to disable UAC without the Security Center noticing it, which makes it rather unlikely that a user is end up in a less secure state."
To read all comments associated with this story, please click here.
Member since:2005-07-22
"If this is possible, and I'm sure it is, what is stopping Linux from being 'owned' the same way that the Vista hating article from yesterday said Vista could?"
I can guarantee non of my Kubuntu installed-from-repos applications owned my system. There's this confidence because these applications are open source and maintained by a well known group of developers.
You cannot be so sure about that in the Windows world. You could end downloading a trojan.
Member since:2005-11-06
I can guarantee non of my Kubuntu installed-from-repos applications owned my system. There's this confidence because these applications are open source and maintained by a well known group of developers.
You cannot be so sure about that in the Windows world. You could end downloading a trojan.
Do you personally check every line of code?
Otherwise...
http://www.osnews.com/story.php?news_id=15170
(Still safer than downloading random stuff in a Windows box of course 
)
Member since:2006-07-13
"If this is possible, and I'm sure it is, what is stopping Linux from being 'owned' the same way that the Vista hating article from yesterday said Vista could?"
The fact that it's trivial to turn off UAC completely in Windows. In Linux it is much harder and on a properly configured system it cannot be done.
Member since:2005-09-10
Member since:2005-06-29
I think that sudo doesn't allow any programmatic entering of the password into its terminal dialogs or its graphical dialogs. I can't confirm this because I don't have it setup to test, but I imagine that'd be a basic feature to make the system truly useful.
If anyone knows of a source on doing this I'd love to hear about it, I'm a little curious now.
Member since:2006-01-06
Use a little imagination. A malicious app puts up a dialog to collect the username/password, user enters it, malicious program spawns sudo with cmdline of target process with elevated privileges, sudo puts up a login dialog, user thinks that he/she mistyped the password in the original dialog and enters it again, sudo'd process does whatever it wants. Game over. You're owned.
Member since:2005-11-13
I can guarantee non of my Kubuntu installed-from-repos applications owned my system. There's this confidence because these applications are open source and maintained by a well known group of developers.
You cannot be so sure about that in the Windows world. You could end downloading a trojan.
I see a lot of people saying that since most users run without root access, malware on Linux couldn't do as much damage as it could on a Windows system. However, when someone points out a senario where this may not be the case (such as the above), the standard response is 'Well, most Linux apps are open source anyway, so you don't have to worry about it.' This seems to me like sort of backwards logic. Either it is vunerable or it is not. If it is, then somebody will eventually exploit it.
BTW: I think it should be possible to turn off UAC in Vista, but make it not-so-obvious so that only power users (or people looking for the option) would actually find it.
Member since:2005-07-22
"I see a lot of people saying that since most users run without root access, malware on Linux couldn't do as much damage as it could on a Windows system. However, when someone points out a senario where this may not be the case (such as the above), the standard response is 'Well, most Linux apps are open source anyway, so you don't have to worry about it.' This seems to me like sort of backwards logic. Either it is vunerable or it is not. If it is, then somebody will eventually exploit it."
There is no secure method to prevent an application from opening a sudo dialog to get your password to own your system. But that application needs your credentials to temporarily change to root. It's not a vulnerability, it's how things works. You may have the most secure safe in the world, but if you trust the thief into your home and give him the password you are done. It's your mistake.
Trust is everything here. You cannot trust closed source applications. Most of internet downloadable applications are, by nature, not to be trusted. You make the final decission. When I download from a trusted repository, I'm inherently trusting the packager and the developers. Mostly because the project is open source and auditable. If you download from download.com, you are not certain that the programs don't contain any trojan or spyware. In a lot of circumstances, they do. I'm using Linux since 1996, and I yet have to be infected with some spyware or trojan or virus or, you name it.
Member since:2005-11-13
If you download from download.com, you are not certain that the programs don't contain any trojan or spyware. In a lot of circumstances, they do.
Are you sure about that?
http://cnet.custhelp.com/cgi-bin/cnet.cfg/php/enduser/std_adp.php?p...
Member since:2005-07-20
Typically the linux user is a little smarter than the Windows user. For example if you try to fire up a game, a linux user will be suspicious if it asks for root password. If a Windows user was in the same situation, they would probably quickly enter their password in order to play the game.
Member since:2005-08-17
Official Apple statement on PRISM and privacy: "Regardless of the circumstances, our Legal team conducts an evaluation of each request and, only if appropriate, we retrieve and deliver the narrowest possible set of information to the authorities. In fact, from time to time when we see inconsistencies or inaccuracies in a request, we will refuse to fulfill it." This is basically Apple re-publishing their earlier statement in a more official manner. You either believe it, or you don't.
The open source Contiki operating system and its commercial Thingsquare distribution are making strides towards the connected home. According to a Computerworld article, a new LED light bulb manufacturer is putting small computers into their light bulbs. Each computer runs the Contiki OS, which gives each bulb an IP address and allows them to be controlled with a smartphone application. To connect the bulbs to the application, the bulbs use both Wi-Fi and the much lower power IEEE 802.15.4 mesh technology.
"Google asked the secretive Foreign Intelligence Surveillance Court on Tuesday to ease long-standing gag orders over data requests it makes, arguing that the company has a constitutional right to speak about information it's forced to give the government. The legal filing, which cites the First Amendment's guarantee of free speech, is the latest move by the California-based tech giant to protect its reputation in the aftermath of news reports about sweeping National Security Agency surveillance of Internet traffic." Draining the ditch after the cow has drowned in it."I can't find one person who has been using the Nexus 7 for an extended period of time, and hasn't seen a massive downgrade in performance. Just what kind of downgrade are we talking here? I cannot pick up my Nexus 7 without experiencing problems like a lag of ten seconds, or more, just to rotate the display; touches refusing to acknowledged; stuttering notification panel actions; and unresponsive apps." Fully and utterly agreed. My Nexus 7 was blazing-fast and awesome for a few months, and at some point, it just started sucking. Just like that. I've tried loads of ROMs, and nothing helps.A new release of the hobby operating system MenuetOS! The release notes are a bit non-descript, but you'll have to take what you can get: "updates and improvements (picview, httpc, ehci, ...)"."The Internet is one of the most transformative technologies of our lifetimes. But for 2 out of every 3 people on earth, a fast, affordable Internet connection is still out of reach. And this is far from being a solved problem. There are many terrestrial challenges to Internet connectivity - jungles, archipelagos, mountains. There are also major cost challenges. Right now, for example, in most of the countries in the southern hemisphere, the cost of an Internet connection is more than a month's income. Solving these problems isn't simply a question of time: it requires looking at the problem of access from new angles. So today we're unveiling our latest moonshot from Google[x]: balloon-powered Internet access." Insane.
"MineAssemble is a tiny bootable Minecraft clone written partly in x86 assembly. I made it first and foremost because a university assignment required me to implement a game in assembly for a computer systems course. Because I had never implemented anything more complex than a 'Hello World' bootloader before, I decided I wanted to learn about writing my own kernel code at the same time. Note that the goal of this project was not to write highly efficient hand-optimized assembly code, but rather to have fun and write code that balances readability and speed. This is primarily accomplished by proper commenting and consistent code structuring." Just cool.
Jon Rubinstein, former CEO of Palm: "Well, I'm not sure I would have sold the company to HP. That's for sure. Talk about a waste. Not that I had any choice because when you sell a company you don't get to decide that. Obviously, the board and shareholders decide that. If we had known they were just going to shut it down and never really give it a chance to flourish, what would have been the point of selling the company? I think the deal we had with Verizon really hurt us, but who knew that at the time? These things are all hindsight.""And so it is with Dell's Alienware X51 R2, a small form factor gaming PC in console digs. It's shaped similar to Microsoft's Xbox 360 Slim, and though it's slightly larger than either a 360 or PlayStation 3, the X51 R2 would be right at home in a living room setting nestled next to a large screen TV. Indeed, it's adept at running Steam's Big Picture mode, and if your primary objective is to play games in the living room, go ahead and consider the X51 R2 a hybrid game console." This is obviously not the only machine like this - still, these are very valid console alternatives even for those that don't like being hunched over with a cramped WASD-claw. Also, PC gamers among us: could you get away with the $699 model for gaming?
From Bloomberg: "Microsoft, the world's largest software company, provides intelligence agencies with information about bugs in its popular software before it publicly releases a fix, according to two people familiar with the process. That information can be used to protect government computers and to access the computers of terrorists or military foes." The lid has officially been blown off.
Member since:
2006-08-14
I posted yesterday that an application (Windows or Linux) could ask for the root password. Say in KDE surely it could create a 'kdesu' like box telling you it needs administrative privileges. Then it uses the provided password to do something as root.
If this is possible, and I'm sure it is, what is stopping Linux from being 'owned' the same way that the Vista hating article from yesterday said Vista could?
Understand-- I use Linux and Windows and I like them both, but this article just got me thinking.
Edited 2006-09-11 18:36