This thread spawned a bit of a discussion here. Rather inevitable when surrounded by virus analysts :-). Anyway, most of the points made are pretty representative of the situation. There is Linux malware/viruses/worms. Very few compared to the number on Windows and you are very unlikely to get one in a deb from a project website. You are far more likely to be attacked by an exploit or weak passwords. However, if you are successfully attacked you are quite likely to end up with a virus on your system since a large number of the malware dropped in such attacks is infected with Linux/RST-B. You can read about this here: http://www.sophos.com/blogs/sophoslabs/v/post/1062

The person who wrote that article also pointed me at this link which is fairly interesting. It's pretty old now, being from 2003, but I didn't hear about it at the time. It's about someone who attempted to insert a root exploit into the kernel. It was spotted and I guess there are already enough local root exploits that it's hardly a big deal. http://kerneltrap.org/node/1584

I presume the switch to Git will have solved this particular problem too.

On Mon, 2009-12-14 at 20:05 +0000, Simon Waters wrote:
> Simon Robert wrote:
> >
> > All this stuff about how installing a .deb file from a project's website
> > rather than from the ubuntu/debian repositories could be dangerous is
> > frankly pants.
>
> Haven't really followed it but...
>
> http://www.omgubuntu.co.uk/2009/12/malware-found-in-screensaver-for-ubuntu.html
> http://www.omgubuntu.co.uk/2009/12/yet-more-malware-found-on-gnome-look.html
>
> > Exactly what nasties could be inserted? (OK probably some),
>
> Anything. Since debs are installed with root privileges they can do
> anything any software can.
>
> > but there
> > has never been a linux virus malware example seen in the wild.
>
> There is plenty of GNU/Linux malware out there. Most of it spreads via
> PHP vulnerabilities, uses known exploits to get root, and then installs
> kernel modules to hide itself. So most of it is a web server problem.
> Some spreads via SSH. Much of it is defeated by keeping things current,
> and using sensible settings, but that is the same as in Microsoft Windows.
>
> That you haven't seen it doesn't mean it doesn't exist.
>
> It is less of an issue than on Microsoft Windows (hardly a big claim to
> fame), but last I looked there are 2.4 million hosts on the SSH DNS
> blacklists. I'll bet a large proportion of these are running GNU/Linux
> malware.
>
> > There has never been an example of a .deb file from a project website
> > installing one of these non-existent nasties!
>
> See above.
>
> > If there had been someone would have noticed fast! It would have been
> > all over forums like this one and the perps well and truly outed.
>
> You are assuming malware gets spotted quickly. Depends what it is; say
> it just modifies sshd, or puts a kernel module in that allows remote
> shell access if a certain port sequence is tried, then it will probably
> sit until someone starts exploiting it.
>
> Sure, if it spews, or tries to spread like a virus, someone will twig
> fast. But there is different malware for different occasions. Almost all
> of it has some sort of auto-update mechanism.
>
> If you place your repository in sources.list.d the auto-update comes
> free. I believe the Chromium package from Google takes this liberty with
> your system.
>
> Does the phrase "bait and switch" mean anything? Given Google's
> happiness to push their toolbar on people, would you want them having
> root on your system? Install their 3rd party Chromium package and they
> can update anything each time you run an "aptitude safe-upgrade".
>
> > So to
> > tell someone all this stuff about non existing dangers is paranoid,
> > irresponsible and hysterical.
>
> Neil's complaint was largely that badly formed deb files can mess up
> your system accidentally, i.e. without the distro quality control you'll
> end up with Microsoft Windows quality package maintenance, with packages
> touching other packages' files, or name space clashes, or breaking
> security updates, or leaving files behind that then mess up the official
> version of the same or similarly named software.
>
> > As for compiling from source, well unless you're going to inspect it
> > line by line there could be anything in there!
>
> Indeed, but you won't mess up the dependencies of the deb files, and
> most things built with the GNU configure/automake tools will install in
> /usr/local and keep out of the way of packaged software. Just as risky
> for malware, but less risky from a maintenance perspective.
>
> There is nothing stopping people making 3rd party debs correctly, but
> basically if your 3rd party deb is well formed, and as good as a Debian
> one, email a DD, and they'll probably sponsor it (I expect the same goes
> for Ubuntu developers). Not as if Debian Developers are averse to
> others doing the hard work.
>
> > People who spread this kind of FUD are probably paid to do it by closed
> > source copyrighted software organisations to scare people away from OSS!
>
> Yea right.... Better worry then, because Neil is a DD, so his uploads end
> up in the Debian (and thence Ubuntu) repositories - so he has root on
> most of our systems (heck, he also has the root password on mine!) - and
> if he is paid to spread FUD wouldn't it be easier for him just to
> install the malware centrally?
>
> Installation from the central repositories is no guarantee of freedom
> from malware, or the well-formed nature of packages. But there is a
> documented and maintained set of tests such packages must pass. These
> tools are free software, and a third party could use them, but rarely
> are third party repositories managed with that level of sophistication.
>
> I did use "dotdeb" for a while, which was reasonably well maintained,
> but it still created issues for me, and one day the versions I was
> interested in "disappeared". Whereas Debian repositories are archived, you
> can always roll back to any point in time (binary backward compatibility
> of software permitting).
>
> At the end of the day security is about keeping the systems running as
> well as protecting the data and integrity. Using the official
> repositories for the big distros will improve your chances on all of
> these fronts.

Sophos Plc, The Pentagon, Abingdon Science Park, Abingdon, OX14 3YP, United Kingdom. Company Reg No 2096520. VAT Reg No GB 348 3873 20.

-- 
The Mailing List for the Devon & Cornwall LUG
http://mailman.dclug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/linux_adm/list-faq.html
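A check in the spirit of the thread's point that a deb's maintainer scripts run as root and can, for instance, drop a vendor repository into sources.list.d. This is an added example, not code from the list or from Debian: it parses a .deb (an ar container holding control.tar.*) with only the Python standard library, extracts the maintainer scripts and flags any that touch a constructed watch-list; the watch-list strings and the sample package it builds are constructed for the demo.

```python
import io
import tarfile

# Maintainer scripts run as root at install time: the part of a third-party deb to read first.
MAINTAINER_SCRIPTS = ("preinst", "postinst", "prerm", "postrm")
# Constructed watch-list: actions that give a vendor an ongoing foothold (own apt source, cron).
WATCH_LIST = ("/etc/apt/sources.list.d", "/etc/cron", "apt-key", "curl ", "wget ")

def ar_members(data):
    """Yield (name, bytes) for each member of an ar archive (the .deb container)."""
    if data[:8] != b"!<arch>\n":
        raise ValueError("not an ar archive")
    pos = 8
    while pos + 60 <= len(data):                      # fixed 60-byte ar header
        hdr = data[pos:pos + 60]
        name = hdr[:16].decode().strip().rstrip("/")  # GNU ar appends '/' to names
        size = int(hdr[48:58].decode().strip())
        yield name, data[pos + 60:pos + 60 + size]
        pos += 60 + size + (size & 1)                 # members are 2-byte aligned

def maintainer_scripts(deb_bytes):
    """Return {script_name: text} for the maintainer scripts in control.tar.*."""
    scripts = {}
    for name, body in ar_members(deb_bytes):
        if name.startswith("control.tar"):
            with tarfile.open(fileobj=io.BytesIO(body), mode="r:*") as tf:
                for m in tf.getmembers():
                    base = m.name.lstrip("./")
                    if base in MAINTAINER_SCRIPTS and m.isfile():
                        scripts[base] = tf.extractfile(m).read().decode()
    return scripts

def flag_scripts(deb_bytes):
    """Return {script_name: [watch-list strings found]} for scripts needing a human look."""
    found = {n: [p for p in WATCH_LIST if p in t] for n, t in maintainer_scripts(deb_bytes).items()}
    return {n: hits for n, hits in found.items() if hits}

def _ar_member(name, body):
    # Minimal ar header: mtime/uid/gid zero, mode 100644, body padded to an even length.
    hdr = f"{name:<16}{0:<12}{0:<6}{0:<6}{'100644':<8}{len(body):<10}`\n".encode()
    return hdr + body + (b"\n" if len(body) % 2 else b"")

def build_sample_deb(postinst):
    """Construct a minimal .deb (debian-binary + control.tar.gz) as sample input."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for fname, text in (("./control", "Package: demo\nVersion: 1\n"), ("./postinst", postinst)):
            ti = tarfile.TarInfo(fname)
            ti.size = len(text.encode())
            tf.addfile(ti, io.BytesIO(text.encode()))
    return b"!<arch>\n" + _ar_member("debian-binary", b"2.0\n") + _ar_member("control.tar.gz", buf.getvalue())
```

The same parser works on a real package file read from disk; a hit only means a script deserves reading, not that it is malicious.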