Oli Warner About Contact Oli on Twitter Subscribe

Linux isn’t invulnerable. Don’t say it is.

Thursday, 1 April 2010

Every month or so, I find some blog or forum post telling the world that because Linux is so hardcore, there’s very little chance of it getting any malware. As you can probably tell from the title, I disagree and want these people to recognise why their arrogance is dangerous.

The prompt for this entry was a post on Linux Journal: Linux, Where Crapware Goes to Die. You can condense the whole thing into three sentences:

  1. Linux is harder to infect than Windows because you run as a non-privileged user.

  2. Linux makes it more simple to disinfect due to a more transparent install process and no significant binary registry.

  3. Repositories (that, for example, apt-get uses) are free from scummy apps thanks to everything being vetted through testers and maintainers.

Linux on its own might be secure but users are idiots.

End users introduce all sorts of crap and when they have the ability to install things, every single benefit above evaporates instantly. We all want things and when a website offers us a chance to see Britney on her honeymoon or a super-cute screensaver of kittens, some of us are going to download it.

Let’s assume we’ve downloaded an untrusted .deb installer. Conveniently double click it and click install. We’re asked for our password (as would normally happen) and suddenly… POOF There goes the first point. POOF And the third.

By running the installer and giving it permission to run, we’re running untrusted code as root. Installer scripts can and will do anything they damned well want to and chances are if you have a dodgy installer, you’re about to enter into a whole world of pain.

Point 2 hardly counts now, either. As soon as this thing has root, all bets are off. It has full access to your disks, your profile and your net connection… and it can action all brands of bad shit. Unless you have some pretty hardcore auditing tools installed (that it hasn’t disabled), how would you fix it? Windows might look like a joke with it needing all those AV packages but they do disinfect.

If you don’t think a user would be stupid enough to install something from a random site, you’re just plain naive. There’s always going to be load of horny men who want nothing more than to install a… err… cute kitten screensaver.

Seriously, though… Most of us are happy to install from a PPA or download a deb. But why? They are untrusted sources that put our computers at risk. One day our luck is going to run out.

And because a large set of Linux users --even writers for large Linux publications-- believe Linux to be so autonomically secure from malware and preach about it, we’re breeding a whole generation of idiots who assume they can do anything and not destroy their computer.

It will only take one malware writer to create the first maldeb and make it attractive to users. History has taught us that baiting stupid users is the easy bit.

We need to tackle both sides of this:

  1. Stop spreading misinformation and educating people both through what we say and warnings at installer level that their package isn’t from a repo and could be evil.

  2. Technology to detect/block bad installers (script introspection, blacklists, signed packages, etc). There are a lot of holes that need to be plugged.

So next time you want to talk about end-user security, leave out the usual Linux is awesome rhetoric BS, analyse what has happened to Windows, how people work, how installers work and consider how you can improve things for Linux.