Re: thoughts on "how to write a linux virus in 5 easy steps"

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Sat, 4 Apr 2009 18:49:54 -0700 (PDT)
Globe Trotter <itsme_410@xxxxxxxxx> wrote:

> 
> Hi,
> 
> The following article has created quite some discussion, so I wanted to hear what all the real experts (here) thought about it.
> 
>  http://www.geekzone.co.nz/foobar/6229
> 
> The article raises quite a few good points. Whether they have merit, and whether remedies are in-built is what I am wondering.

Firstly a properly written desktop environment shouldn't be trying to run
saved files not marked as executable (and Unix has had the execute bit
for good reason since the 1970s). Secondly you can use SELinux labelling
to control the execution of stuff saved on disk. In a business
environment stopping people downloading and running stuff they downloaded
is of course a very important and powerful tool.

So it was basically a problem created by poorly written desktop software
not using even basic security models.

There are nastier variants of this problem too. Some file formats people
think of as just data contain instructions and these can do stuff like
create files. Postscript is one example. Postscript supports a "safe"
mode but people are forever creating apps that don't run in safe mode
when you view a file on your desktop (because it is trusted right....)
despite the fact that todays world is the other way up. Another example
needing care is handling of saved web pages containing javascript etc.

Historically your filestore consisted of *your* content and a few
carefully saved files obtained by other means. In todays internet world
your filestore usually consists of vast amounts of material shared
between users, mixed from bits of other users and the like.

And at that point the desktop defaults of "local content should be
trusted" are just plain wrong.

Alan

-- 
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines
[Index of Archives]     [Older Fedora Users]     [Fedora Announce]     [Fedora Package Announce]     [EPEL Announce]     [Fedora Magazine]     [Fedora News]     [Fedora Summer Coding]     [Fedora Laptop]     [Fedora Cloud]     [Fedora Advisory Board]     [Fedora Education]     [Fedora Security]     [Fedora Scitech]     [Fedora Robotics]     [Fedora Maintainers]     [Fedora Infrastructure]     [Fedora Websites]     [Anaconda Devel]     [Fedora Devel Java]     [Fedora Legacy]     [Fedora Desktop]     [Fedora Fonts]     [ATA RAID]     [Fedora Marketing]     [Fedora Management Tools]     [Fedora Mentors]     [SSH]     [Fedora Package Review]     [Fedora R Devel]     [Fedora PHP Devel]     [Kickstart]     [Fedora Music]     [Fedora Packaging]     [Centos]     [Fedora SELinux]     [Fedora Legal]     [Fedora Kernel]     [Fedora OCaml]     [Coolkey]     [Virtualization Tools]     [ET Management Tools]     [Yum Users]     [Tux]     [Yosemite News]     [Gnome Users]     [KDE Users]     [Fedora Art]     [Fedora Docs]     [Asterisk PBX]     [Fedora Sparc]     [Fedora Universal Network Connector]     [Libvirt Users]     [Fedora ARM]

  Powered by Linux