[conspire] Autodowload a Virus

Rick Moen rick at linuxmafia.com
Tue Jan 5 15:52:59 PST 2010 

Quoting Carl Myers (cmyers at cmyers.org):

> This is the argument which is always made that computer security isn't a
> technical problem (anymore), but a social one.  As long as users can't
> or won't learn about permissions and what it means to run something as
> root, it will be difficult or impossible to prevent this sort of
> thing.

But it can be made to be easy and natural to Do the Right Thing -- and
this is where Unixes have always had a big advantage.

So, for example, if you e-mail someone an executable, the recipient can
save it to disk, but it will no longer have its executable bit set.
(Elaborate ways _do_ exist to get a file to a user with its executable bit 
intact, such as wrapping it in a compressed archive.)  So, even if we
get idiotic users who double-click on arbitrary files and don't bother
to think about what they're doing, it's really difficult for people to
hurt themselves.

In the cited case, there was an alleged screensaver module at a
file-sharing site.  So, users should realise:  These are files from
nowhere in particular, that they have no reason to trust (and especially
no reason to want to run as processes).  One of those was -- for no
rational reason -- provided in .deb format.  The gnome-look.org
file-sharing site has no reason to have screensaver modules in a
_software package_ format.  So, that, too, should have stuck out as
suspicious.

Last, once the user fetches the .deb, he/she would need to run a
software installer, and manually approve system-level (root/sudo) access
for the operation.  At that point, if his/her alarm bells aren't
ringing, there is no hope.  We're talking Darwin's clients, at that
point.

Yes, you're right that there will always be people willing to do stupid
things to their system _even if_ you make it really obvious that they
shouldn't.  My view is that it's always worthwhile to make really
obvious that common ways of shooting at one's own feet are hazardous.
Beyond that, we should just help people understand where the holes in
their feet came from, how to recover, and how to not do that again.

"Viruses" are not the problem.  Willingness to shoot at one's feet is
the problem.  Anyone who's willing to install a .deb from nowhere in
particular with root authority is certainly going to be willing to carry
out any of the countless variations on "rm -rf /", and that is a much
bigger and more real threat.

More information about the conspire mailing list