[oclug] Re: I donated money to OCLUG ...
Brad Barnett
lists at l8r.net
Sat Sep 17 11:20:32 EDT 2005
On Sat, 17 Sep 2005 11:06:28 -0400
Bill Strosberg <oclug_mail at strosberg.com> wrote:
> Brad Barnett wrote:
>
> > Ah, the serene sense of security that even a seasoned/experienced
> > Linux admin can fall into. ;)
> >
> > There is nothing to prevent a browser vulnerability from allowing
> > spyware to be installed into the user's account. Things just have to
> > be done a little differently, that's all.
> >
> > Heck, with a little bash script, I could alter the user's Mozilla
> > settings so that it uses a proxy on my site. How's that for spyware?
> > I could also write a more sophisticated plugin that is installed for
> > the mozilla user, under /home/username/.mozilla/plugins/. All I need
> > is a browser vulnerability of sufficient scope.. and that certainly
> > isn't a M$ only market.
> >
> > Of course, we do _tend_ to get security issues fixed a little faster
> > in the open sauce world, but that isn't always a given either. Some
> > vulnerabilities exist for years in the wild, before being discovered
> > by anyone but a black hat...
> >
> > Heck, why don't I hook into the X protocol, and use a keylogger to
> > record all of the su this, ssh that, and secret whispers that the
> > single user Linux box has? Typically, if Mozilla has access to X, so
> > does a keylogger...
>
> Brad, my response was to a new user of Linux, with the intention of
> providing a clear and specific answer to a specific question - not
> disseminating the possibility of problems, however remote and obscure.
I don't like to see false information spread about, regardless of the
reason. You made a claim that "it can not happen", yet it can.
Your reasons are certainly innocent of malign intent, but that does not
change the fact that an untruth was spread upon the wind.
>
> Without the auto-install/auto-render Active-X/ActiveScripting "features"
> of IE enabled, and an operating system that allows unrestricted user
> access to system-wide configuration files, the user has to specifically
> and intentionally execute downloaded web content to enable your scenario
> in Linux.
Or visit a website that takes advantage of a browser vulnerability that
allows the same.
> Under normal, default user conditions, the damage a user can
> accomplish is limited to the privilege level they have been allocated
> by the superuser.
The damage, certainly. However, one of the important aspects of this
discussion is deciding what is harmful to the end user.
If this machine is a Linux box used by a single user (as many are at
times), then tainting the web browser with spyware for that single user
is precisely the same result as one would get in the MS world.
Does it matter that the system is not compromised, but that the user's
browser is? Does it matter if I can only read the keypresses that the
user types in their X11 session?
Not really. The end result is the same. I can spy on you.
>
> OCLUG's purpose is to advocate Linux and open source technologies, not
> to scare new users with the extremely remote possibility of application
> of expert knowledge, combined with bad policies and bonehead users.
We must take care to advocate from more than one view. We need to make
users understand that while Linux is typically more secure, it isn't
definitely more secure.
> Experienced admins set default user/tmp directories to noexec -
> eliminating your scenario completely.
>
Your complaint about Windows was a complaint about the default install
setup of a windows system... including IE as the browser. If you are
about to start "locking down" a Linux box, then you must do the same for
a Windows box as well.. and compare those two in that state.
There are many things you can do to a WindowsXP box to mitigate the
horrors of that OS... so if you are about to correct a few problems that
many default Linux installs have, best you do the same for XP.
Anyhow, noexec will certainly not resolve all of the issues I spoke of,
just some of the issues.
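The two concrete claims argued in this thread (that a user-level browser can be repointed at a proxy without any root access, and that a noexec /tmp or home mount only closes part of that) can both be checked from the defender's side. The script below is an added example written for this archive page, not code from either poster: it flags Mozilla/Firefox profile prefs that route the browser through a manual or auto-config proxy, lists the per-user plugin directory the thread mentions, and reports whether a path lives on a noexec mount. The profile layout under ~/.mozilla, the use of findmnt, and the sample prefs.js content used in the self-test are assumptions, not details from the thread.

```shell
#!/bin/sh
# Added example, not from the OCLUG thread: audit a user's Mozilla profile for
# proxy redirection and check whether noexec is in effect on a path.
# Paths and pref names assumed from the standard Mozilla profile layout.

# Return 0 when a prefs.js/user.js sets a manual (1) or auto-config URL (2)
# proxy. A default profile uses type 0 (direct) or 4/5 (system/auto-detect).
check_proxy_prefs() {
    prefs="$1"
    [ -f "$prefs" ] || return 1
    grep -Eq 'user_pref\("network\.proxy\.type", *[12]\)' "$prefs"
}

# Print every proxy-related pref so a reviewer can see where traffic would go.
list_proxy_prefs() {
    grep -E 'user_pref\("network\.proxy\.' "$1" 2>/dev/null
}

# Return 0 when a comma-separated mount option string contains noexec.
opts_have_noexec() {
    case ",$1," in
        *,noexec,*) return 0 ;;
        *)          return 1 ;;
    esac
}

# Return 0 when the filesystem holding PATH is mounted noexec, 1 when it is
# not, 2 when it cannot be determined. Assumes findmnt (util-linux) is present.
path_is_noexec() {
    command -v findmnt >/dev/null 2>&1 || { echo "findmnt not found" >&2; return 2; }
    opts=$(findmnt -n -o OPTIONS -T "$1" 2>/dev/null) || return 2
    opts_have_noexec "$opts"
}

# Audit one home directory: proxy prefs in every Mozilla-style profile
# (~/.mozilla/<app>/<profile>/) plus the user-writable plugin directory.
audit_home() {
    home="$1"
    for prefs in "$home"/.mozilla/*/*/prefs.js "$home"/.mozilla/*/*/user.js; do
        [ -f "$prefs" ] || continue
        if check_proxy_prefs "$prefs"; then
            echo "PROXY SET in $prefs:"
            list_proxy_prefs "$prefs"
        fi
    done
    if [ -d "$home/.mozilla/plugins" ]; then
        echo "user plugin dir present: $home/.mozilla/plugins"
        ls -la "$home/.mozilla/plugins"
    fi
}

# Stand-alone use: audit the current user and report noexec on /tmp and $HOME.
audit_home "${HOME:-/nonexistent}"
for p in /tmp "${HOME:-/nonexistent}"; do
    if path_is_noexec "$p"; then
        echo "$p: noexec"
    else
        echo "$p: exec allowed or unknown"
    fi
done
```

Run it as the user being checked, or as root in a loop over /home/* to cover every account. A proxy pref pointing at a host you do not recognise is the user-level compromise described above and deserves the same response as a system-level one; the noexec report only tells you whether dropped binaries could be run from that mount, which says nothing about prefs edits or X-level snooping.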