water cooler :: Security and the Zen of dodging malware
While it's true that Windows XP is more "vulerable" to spyware and virii - due, and lets admit it, mostly to its prevalence - Linux will eventually be a target as well.
I mean, there's already Spyware for Mac OS X. A boon to interoperability?
Now, in terms of keeping your browser secure, Linux is pretty hard (meaning solid, rather than difficult). You have to manually execute software. Basically, if you run a virus, or a maliciously written script, or anything of that nature, it's your own damn fault.
But wait... Why not give the browser the ability to run arbitrary code anyway?
*ducks under the large number of tomatos incoming from the audience*
No, seriously.
What if you could have a user and a bit of disk set aside for a "Downloaded software jail". A quarantine, if you will. The user has no rights outside the quarantine, and the browser chroots into the quarantine and su's to the user. The quarantine has the symlinked libs and bins of a "basic" x-enabled distro (like, less stuff than DSL - just xdm), an emulated /dev (everything's /dev/null, regardless of its name) and no /proc (no letting it get at the kernel). The q-user's CPU time is limited to 10%.
Meanwhile, the quarantine control daemon watches what this program's doing, looking for warning signs. Is it poking at /proc? why's it trying to write data to /etc/rcS.d/S00Alpha? It just changed its own .xinitrc!
And, if after toying with the program for a few minutes, you like it, and the q-daemon hasn't complained about anything, just type a single command and have it installed properly.
Easy peasy? No. That daemon would be a bear to code. Finding a suitable "Quarantine" distribution might be tricky. Tweaking the browser code to behave in this way wouldn't be much fun either.
Anyway, just an idea for the implementation of the "ease of install" that Windows enjoys without sacrificing security.Ever notice Mac OSX has a copy of Internet Explorer in it?
There's the leak....
Quote (kaplah @ Mar. 09 2005,22:59)
Ever notice Mac OSX has a copy of Internet Explorer in it?
There's the leak....
OOOH...that would be classified as a BUUUUURRRRN!
I understand the prinicpal of what you are saying, kinda like a dummy account to check for rootkits and whatnot, kinda like a honeypot user..this way if the program is malicious..it cant get anywhere, cant damage any main users, and is trapped inside a "quarantine" zone...good call but might be difficult to impliment...
Brian AwPhuchA good "test zone" is another PC, or another partition on the same PC, or better yet..... another OS running in emulation on your local box (Qemu is good for this)
Make a hard copy of the image to another drive (I like to use an externally connected USB drive to do this) Run your test- make sure things are A-OK and then resotre the perfect image back to start from square one again.My preferred method of using "safe" software relies heavily on trust. I tend not install any programs that seemed to have appeared out of nowhere. Just about everything I have is open source and already has a large user base...large enough so that if there was any malicious code included it probably would have been found already (and essentially killed the developer's reputation). Since my programming knowledge is limited, this is where the trust comes in.
I disagree that prevalence is the main reason Linux is unaffected by malware...i'm sure it's A reason, but we will never be sure how influential it is until the popularity of Linux increases immensely. I could claim that it's mainly because Windows is insecure by default, and making it secure requires more time, effort, and knowledge than is required to secure a Linux system, which is already fairly secure as long as you're not an IDIOT running as root most of the time.Next Page...
original here.
