[conspire] People failing to learn about package gatekeeping, part 1

Rick Moen rick at linuxmafia.com
Sun Apr 17 15:00:44 PDT 2022


Quoting Paul Zander (paulz at ieee.org):

>  Like many people, there are some things not available on Linux.  This
>  season TurboTax and HRBlock TaxCut come to mind.

Of course.

Some things are better done in a virtual machine, or on a separate
Windows box.  One advantage of either is that you confine the
proprietary misconduct in an isolated space.

> So I somehow got a subscription to McAfee Security.  Lately its 
> efforts at self promotion are becoming very annoying.

Self-promotion is a core specialty of the antimalware / retail
computer security industry.  But, also, be incredibly wary of a 
supposed subscription to a proprietary-software service that suddenly
just pops up out of nowhere and you have no clear understanding of how
that happened.  E.g., crooks run scams by claiming to be such companies
_all the time_.

Are you _sure_ it's even McAfee, LLC d/b/a McAfee Security?  Do you have
a functioning customer login at https://www.mcafee.com/ , showing you
(after login) as a customer for listed products/services?

It would be prudent to deal with the company -- if for some bizarre
reason you actually want their products and service -- _only_ via a
login to https://www.mcafee.com/ initiated by you in the normal, orthodox
way (e.g., from bookmark or typing the URL into your browser), never by,
e.g., clicking on links received in e-mails, especially e-mails you have
not strongly authenticated -- and _definitely_ not by entering your
customer credentials into a Web dialogue that just pops up and you're
not clear on why or how that happened (because that's a tiresome
Javascript trick used endlessly by criminals).

At the risk of being too literal, BTW, I find no product or service
called "McAfee Security".  However, there is a product called "McAfee
Security Scan Plus", the modern incarnation of (the late) John McAfee's 
malware-patterns scanning program originating in MS-DOS days.

> I download a PDF from a source, it pops up a notice that it is checking 
> the file "just to be safe".  

So, presumably on whatever OS platform this is, you've agreed to run
McAfee Security Scan Plus as a background process (a daemon, in Unix 
terms) that watches and second-guesses user activity, chewing up RAM and
CPU and making your computer more prone to encountering software bugs
(which is what background malware scanning always does), just so it can
pattern-check just about everything you touch.

A few words about the PDF file format.  

1 of 2.  Adobe invented PDF as a patent-royalty-free minor subvariant of
PostScript -- in that it's basically just a slightly modified PostScript
file, compressed.  PostScript is a Real Interpreted Language[tm] (i.e.,
it is Turing-complete) that, in its full form, includes functions that
could indeed be used to implement malware, e.g., reaching out and
modifying other files.

This is why (if I remember correctly) the Ghostscript, xpdf, and similar
open source programs that read PostScript and/or PDF files typically
implement only a subset of PostScript/PDF's functionality, sometimes via
a "--safer" command switch.

The thing is, though, I haven't heard about credible attacks carried out
_against Linux content-handlers_ of PS/PDF in a long time (I won't speak
to other platforms), except for cases of deliberately misbehaving
("malicious") PostScript hurled about in hopes people will print them on
printers whose PS interpreters can be induced to twiddle severe bugs in
other software such as the antique Unix print engine "lpd" that nobody
with any common sense has used in decades.  Example from 2017:
https://www.securityweek.com/printer-vulnerabilities-expose-organizations-attacks

2 of 2:  In contrast to PS/PDF _itself_, a much more credible threat is 
PDFs that have Javascript embedded in them for forms automation.  When 
I say "forms automation", I mean something like you're filling out a PDF
for online uploading, you tab into the Zip Code field, and instead of 
"94025", you fumble-finger and type "92025z".  You try to tab to the
next field, not noticing your typo, and the PDF blocks your leaving the
field and displays a message like "Zip Codes must be numeric".

That is done using JavaScript.  JavaScript is _not_ a feature of PDF
format, but rather an elaboration.  To the best of my knowledge, there
is exactly one PDF reader program on Linux that includes a Javascript
interpreter, and that is Adobe's Acrobat Reader ("Acroread") for Linux,
a proprietary, binary-only app that must be retrofitted to a Linux
machine by downloading it from adobe.com (because Adobe is a bunch of
control freaks).

Need I mention, Javascript is dangerous as all hell, and the perfect
vehicle for malware?   If reckless enough to install Acroread (which is
overfeatured and buggy) for Linux, don't even _dream_ of letting it
handle public files unless you uncheck the checkbox in Preferences for
Javascript support.  Better (on _any_ OS), have a well-written PDF
handler that _cannot_ do Javascript as the format handler registered in
your Web browser(s).  Do _not_ let Acroread be the default system-wide
PDF-handler.  (One of many decent, small, open source PDF readers for
MS-Windows is MuPDF, https://en.wikipedia.org/wiki/MuPDF.)
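The two paragraphs above describe PDFs that carry JavaScript for forms automation and recommend a default PDF handler that cannot run it.  A practical complement is triaging a downloaded PDF for the names that make it able to run code or act on open before handing it to any reader.  The following is an added example, not code from the post or from any PDF project; the two sample PDFs are constructed inline, and the list of suspect names (/JS, /JavaScript, /OpenAction, /AA, /Launch, /EmbeddedFile, /ObjStm) is my own choice of what a defender would look for in a raw scan.

```python
import re

# Constructed sample PDFs (not from the original post): a plain one-page
# file, and one whose catalog has an /OpenAction that runs a form-validation
# script of the "Zip Codes must be numeric" kind described in the post.
PLAIN_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

JS_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R /AcroForm << /Fields [] >> >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
4 0 obj << /S /JavaScript /JS (if (zip.length != 5) app.alert("Zip Codes must be numeric")) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Names a defender cares about when deciding whether a PDF can run script or
# act by itself when opened.  /ObjStm is included because compressed object
# streams hide the other names from a raw byte scan, so such a file needs a
# closer look rather than a clean bill of health.  (Assumed list, my choice.)
SUSPECT_NAMES = (b"JS", b"JavaScript", b"OpenAction", b"AA", b"Launch",
                 b"EmbeddedFile", b"ObjStm")

# A PDF name token ends at whitespace, a delimiter character, or end of data.
_NAME_END = rb"(?=[\s/\[\]<>(){}%]|$)"


def normalize_names(data: bytes) -> bytes:
    """Resolve #xx hex escapes inside PDF names, so /Java#53cript reads as /JavaScript.

    The PDF syntax allows any byte of a name to be written as #xx; a scanner
    that does not undo this misses names spelled that way.
    """
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), data)


def count_suspect_names(data: bytes) -> dict:
    """Return a count of each suspect name found in the raw PDF bytes."""
    norm = normalize_names(data)
    counts = {}
    for name in SUSPECT_NAMES:
        # Anchor on the leading slash and require a token boundary after the
        # name, so /JS does not match inside /JSomething.
        pattern = rb"/" + re.escape(name) + _NAME_END
        counts[name.decode()] = len(re.findall(pattern, norm))
    return counts


def has_active_content(data: bytes) -> bool:
    """True if the PDF carries JavaScript or an action that fires on its own."""
    counts = count_suspect_names(data)
    return any(counts[k] for k in ("JS", "JavaScript", "OpenAction", "AA", "Launch"))


if __name__ == "__main__":
    for label, pdf in (("plain", PLAIN_PDF), ("with-js", JS_PDF)):
        print(label, count_suspect_names(pdf), "active:", has_active_content(pdf))
```

This is a raw byte scan, which is the right first pass on an untrusted file precisely because it never interprets the document.  Its limit is the same as its strength: names inside compressed object streams or filtered streams are invisible to it, which is why a non-zero /ObjStm count should send the file to a fuller parser (or simply to a reader that cannot execute JavaScript at all, which remains the actual mitigation the post recommends).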

> Obviously this also wastes a few seconds.

It also chews up RAM and CPU, and makes everything you do more likely to
crash.

Make up your own mind, but one of the very instructive experiments I 
conducted back in the 1980s, when I was IT guy (or "MIS", as we then
said) at Blyth Software, was as follows:

I thought, hypothesis:  Maybe I'd be better off _not_ running the
corporate copies of McAfee ViruScan on my company-issued MacOS System 7 
and Windows for Workgroups 3.11a boxen.  Maybe it is sufficient to just
learn a tiny bit about security, making sure I had timely offsystem
backups and the ability and skill to rebuild my machine quickly from
trusted media, avoid doing dumb things, and not be hurt by malware
through the simple expedient of never executing any.

I turned off the background scanning.  Stability and performance went
way up.  Once every month or two, I would briefly install the corporate
antimalware crap and do a total system scan, to cross-test my perception
that I'd successfully avoided malware by just not running any.  

It worked perfectly -- even though MacOS System 7 and Windows for
Workgroups had the user, in effect, running as the root user 24x7,
thus, with full rights to destroy the system with one command or mistake
or blunder, all the time.

I considered the experiment a roaring success.  And I remembered that 
extremely well when I wrote http://linuxmafia.com/~rick/faq/ , many
years later.

  Q: Should I get anti-virus software for my Linux box?  
  A: The problem with answering this question is that those asking it
  know only OSes where viruses, trojan-horse programs, worms, nasty
  Javascripts, ActiveX controls with destructive payloads, and ordinary
  misbehaved applications are a constant threat to their computing.
  Therefore, they _refuse to believe_ Linux could be different, no matter
  what they hear.

  And yet it is.

  Here's the short version of the answer: No.  [...]


> Other times, I am busy typing something into a file and a message pops
> up telling me this or that about security.  Naturally this window also
> means a sentence or two that I typed didn't get into my file.  

See?  Even without the alleged antimalware background scanner _being_ a 
forged copy that actually _is_ malware (quite a risk, too), the
background scanners' activity is a continual problem -- even when it's
a genuine package and working as designed.

As mentioned, I found myself better off without them _even_ on
1980s proprietary platforms continually infested with malware, where I
was always the root user (for lack of privilege separation).  And, also,
something I mention in passing on my Linux virus essay page:  _Why_ 
do you imagine that the antimalware firms are trustworthy to begin with?
Their record is terrible, with many of them backstabbing their users in 
a large variety of ways.  This is especially likely with "free"
antimalware programs, because you inherently aren't the customer, but
rather the product.  Yet, such a user entrusts the security of their 
systems to such an _unpaid_ bunch of strangers, whom you know little
about except that they're _definitely_ not working for you?  Madness.
Utter madness.
