[svlug] Viruses (was: virus FUD)

Rick Moen rick at linuxmafia.com
Sat May 6 00:47:32 PDT 2000


Quoting Richard Jennings (Richard_Jennings at sandia.gov):

> Here's an article on current email vulnerablities:
> 
> http://www.linuxplanet.com/linuxplanet/reports/1800/1/

Close, but maddeningly wrong in a number of places.  Quotations
beyond this point (indented six chars) are from the referenced article.
(My own views on the matter are at http://linuxmafia.com/~rick/faq/#virus .)

      ...may I explain why Linux is just as vulnerable as Wintendo, 
      and why we should be thankful to Mr. Bill for being our stunt 
      double?

Naturally, he _may_, but the author (Scott Courtney) never does.  For
one thing, he completely fails to address key differences, in his haste
to rush to his desired conclusion.

      What's worse is that there is almost no way of avoiding opening
      HTML e-mail, at least in Netscape Messenger.... So HTML mail has
      some ugly side effects, and they are largely the same on Linux 
      as they are in Windows. 

I doubt that all X-based MUAs are that brain-dead, though I can't say
for certain because I don't use any.  But there are two points to make,
here:  (1) Nobody on Linux is obliged to use a badly designed MUA.
(2) If you're going to use such, or do risky things with it, you can
use it under a UID with few privileges.  Of course, you can also
run mutt or a similar _good_ MUA, and either throw away HTML mail as
99.9% dross, or read it as source.  And I'm sure free-software X-type
readers such as KMail can be set for sane behaviour.  And/or be 
recompiled for such.

      That's what protects most Linux users against malicious e-mail
      attachments: we're not dumb enough to open them unless we know 
      what they are.

Wrong:  We're not dumb enough to _run_ them without having a pretty
good idea what they'll do, and with what authority.

You see, that's the _one_ key point the author keeps flubbing, page
after page:  Users get into trouble with so-called "hostile" code
(trojan horses, worms, viruses, buggy apps, misbehaved apps) because
they _run them and shouldn't_, and/or run them with excessive authority.

      In Linux, unless you are running as root (a dumb thing to do), the
      worst you can do is to corrupt or delete all of your own files.
      The operating system, if properly configured, is mostly safe
      unless the attacker is very smart. Most of them aren't that good.
      This is the same situation in Windows NT or Windows 2000. 

I'm sorry, but that is simply not the case.  NT/Win2k _attempts_ to 
implement generally the same sort of user-privilege model, but between
initial design and implementation became riddled with a huge variety
of design compromises.  This is much too complex a topic to get into,
here, but many of those compromises involve user-level processes with
system privilege.

The mere fact that NT, in the author's words, "has file-level security"
does _not_ imply that it is "the same situation" as a Unix system.  

(The point is admittedly peripheral to the author's arguments, but
if he can't get such points right, he should omit them and focus on
his main point.)

      So Linux users have the right to be smug about security when
      compared to Windows 9x, but we still shouldn't feel 
      invulnerable. 

Isn't this straw man dead -=yet=-?  Enough, already.  Sheesh.

      Once the executable is running (under either Linux or Windows),
      the security features of the operating system can work to limit 
      its damage potential.

Unless, of course, you're on NT and it's an ActiveX control, which is
one of the aforementioned cases of excessive privilege.

      In Linux, unless you are running as root (a dumb thing to do), the
      worst you can do is to corrupt or delete all of your own files.... 
      So Linux users have the right to be smug about security when
      compared to Windows 9x, but we still shouldn't feel invulnerable.
      Losing all your personal files isn't as bad as trashing the
      operating system, but it's no fun either. And, as I have shown, we
      Linux users are protected from that situation by our typically
      greater knowledge and a paranoia that comes from years of server
      administration experience.

The implication is that this is _all_ that protects them in such cases.
And that is dead wrong.

We are also protected by the diversity of software, the diversity of 
system layout, (to a limited degree) the diversity of CPU architecture, 
and by our strong traditions of NOT auto-running programs and of 
carefully distinguishing between executable code and data.

Can idiot programmers and idiot users conspire to evade those cultural
traditons?  Of course they can -- and will.  

And what will teach them the error of their ways?  Disaster will,
combined with contact with the Linux community -- us.  We'll say,

  Here, now that _your_ (and I stress _your_) deleting your home 
  directory has gotten your attention, there are some fundamentals
  you'll want to learn:

  (1) To quote Ashleigh Brilliant, 'Due to circumstances beyond your
  control, you're captain of your fate, and master of your soul.'  In
  other words, you're in charge of what happens in your account.  So, if
  you do things and run things, you'd damned well better understanding
  what you're doing and what you're running.  If you don't, stop and
  learn.

  (2) Programs do things -- but only when _you_ execute them.  And when
  they do, they'll have exactly the power to carry out actions that you
  yourself do.   It's left up to _you_, and is strongly in your
  interest, to know what they're going to do, since nobody will protect
  you from (in effect) calling ruin down upon yourself.

  (3) If you find yourself being urged to execute something unfamiliar,
  and don't have reason to think you should, be suspicious.

No doubt, many will refuse to listen.  They will repeat the mistake
again, and lose their files again.  When they get tired of learning
the hard way, we'll still be there to point politely to the low-hanging
clues, and help the users master them.

The author does not agree:

      As Linux becomes more popular, and starts appealing to less
      skilled users, we are condemned to the same fate as the Windows
      community.

But we are not, specifically because we _are_ the Linux community.
That means we're the native guides.  It's our system and our culture:

  Welcome, MS Windows users.  Here's where you buy _Running Linux_
  and _Linux in a Nutshell_.  Here's the LDP.  By the way, there have
  been viruses on Unix since 1983, and hordes of trojan horses since
  day one.  Don't run them.  Cave canem.

We don't need to roll out the welcome wagon:  We need to parade around
the _reality wagon_ -- will will prove much more useful.

And when Ziff-Davis and CNet ignorantly report boneheaded user software
design as a Linux defect, we will gently correct them -- exactly the
same way when they claim there are "backdoors" in Linux because of 
a boneheaded Red Hat package default (e.g., Piranha).

      If Linux proves to have the same vulnerability as Windows, the
      novice users and the popular press won't care about all of that. 

But probably the author will not be among us issuing those gentle
corrections, because (per the above) he _himself_ cannot distinguish
between OS-level security and application design.

      Let's get together and define a standard library interface for
      scanning arbitrary content. Pass it a file handle or pointer to an
      in-memory buffer, plus a MIME type string, and it returns a status
      code indicating that the contents are intrinsically safe (such as
      plain text or JPEG), that they are a potential risk (such as a
      Java binary) or that they are high-risk (such as Java code that
      opens local files or does other out-of-the-sandbox things). 

Arrgh.  There _is_ no algorithmic way to distinguish safe from unsafe
files.  It doesn't work, and furthermore creates a false sense of 
security while masking the real problem:  the user taking responsibility
for what executable code does under his authority.

Now, if he had said "Have the display engine run all 'active code' under 
a _UID_ with no authority to do harm, including no network access", that
would have been sensible.  But, no, he wants magic system genies to
protect the user from the consequences of his own actions.

     We can see that actively protective e-mail clients are needed,
     because we cannot rely on users to protect themselves.

And I maintain that the only real protection that _can_ exist is 
aculturation and educating them on their part in our culture -- and 
patiently explaining to them, when they mess up, how to learn from 
the experience and not do it again.  And aggressively _promoting_
the principles of our culture, which have proven survival value
in their habitat.

--  
Cheers,        "Linux means never having to delete your love mail."
Rick Moen                                              -- Don Marti
rick (at) linuxmafia.com





More information about the svlug mailing list