[oclug] Re: I donated money to OCLUG ...

[Bill Strosberg]

Brad Barnett wrote:

> Ah, the serene sense of security that even a seasoned/experienced Linux
> admin can fall into. ;)
> 
> There is nothing to prevent a browser vulnerability from allowing spyware
> to be installed into the user's account.  Things just have to be done a
> little differently, that's all.
> 
> Heck, with a little bash script, I could alter the user's Mozilla settings
> so that it uses a proxy on my site.  How's that for spyware?  I could also
> write a more sophisticated plugin that is installed for the mozilla user,
> under /home/username/.mozilla/plugins/.  All I need is a browser
> vulnerability of sufficient scope.. and that certainly isn't a M$ only
> market.
> 
> Of course, we do _tend_ to get security issues fixed a little faster in
> the open sauce world, but that isn't always a given either.  Some
> vulnerabilities exist for years in the wild, before being discovered by
> anyone but a black hat...
> 
> Heck, why don't I hook into the X protocol, and use a keylogger to record
> all of the su this, ssh that, and secret whispers that the single user
> Linux box has?  Typically, if Mozilla has access to X, so does a
> keylogger...

Brad, my response was to a new user of Linux, with the intention of
providing a clear and specific answer to a specific question - not
disseminating the possibility of problems, however remote and obscure.

Without the auto-install/auto-render Active-X/ActiveScripting "features"
of IE enabled, and an operating system that allows unrestricted user
access to system-wide configuration files, the user has to specifically
and intentionally execute downloaded web content to enable your scenario
in Linux.  Under normal, default user conditions, the damage a user can
accomplish is limited to the priviledge level they have been allocated
by the superuser.

OCLUG's purpose is to advocate Linux and open source technologies, not
to scare new users with the extremely remote possibility of application
of expert knowledge, combined with bad policies and bonehead users.
Experienced admins set default user/tmp directories to noexec -
eliminating your scenario completely.

--
Bill Strosberg