[ubuntu-studio-devel] How wide spread is Linux spyware?

lukefromdc at hushmail.com lukefromdc at hushmail.com
Fri Jul 17 19:13:43 UTC 2015

I think we are looking at two different attack models here. I am looking at 
user tracking both by law enforcement and by commerical entities, as 
opposed to efforts to break root and take over a computer. The latter mode
of attack, even by law enforcement, usually delivers a windows-only payload
even when a cross-platform exploit is used to deliver it. I will use an actual 
attack on torbrowser by the FBI as an example here:

Last summer, the FBI managed to attack a .onion webserver owned by Freedom
Roads hosting and insert code exploiting a browser vulnerability affecting what
even then was an out of date version of Torbrowser. If and only if javascript was
enabled, the exploit would run over any OS. It delivered a spyware payload known
generically as a "CIPAV" or Computer Internet Protocal Address Verifier. It caused
infected machines to phone home to the FBI over a non-Tor connection-but the 
payload code was Windows only.  Anyone running the then current Torbrowser was
not vulnerable, neither was anyone not enabling JS, nor anyone not running Windows.

Now we have the Flash zero-days found by freedom fighters breaking into machines
used by a European corporation that sold spyware to mutliple governments. This 
forced Adobe to hurredly patch Flash and Firefox in default builds at least for Windows
to blacklist unpatched versions. Flash, Javascript, and Java are the three main ways
payloads get in, and all three are cross-platform. It is the popularity of Windows more
than anything else that has kept most of the payloads Windows-only. Thus, Windows is 
a high-crime neighborhood and for that reason alone uniquely difficult to secure against
random opponents.

For years I have warned that Windows must never be trusted for encryption or Tor, 
not even to open encrypted emails.  That same CIPAV for Linux would have been
several times harder to write, harder yet to conceal (where do you hide the startup
job for next boot?) and all that extra work to hit only 1% of the user base. 

With the growth of smarphones, however, we will be looking at enemies who code
this kind of exploit for three operating systems, namely Windows, iOS, and Android.
We will have to be careful to watch for those Android payloads that by chance and 
lack of Android-specific code will also run on traditional Linux distros.

On 7/17/2015 at 2:31 PM, "Ralf Mardorf" <ralf.mardorf at alice-dsl.net> wrote:
>On Fri, 17 Jul 2015 13:46:50 -0400, lukefromdc at hushmail.com wrote:
>>When it really counts, I bring out the big guns by firing up
>2 humans = 2² opinions
>Regarding TOR a message from the Arch general mailing list from 
>and regarding browser security in general, 2 mails from the Kubuntu
>users mailing list, also from today.
>Begin forwarded message:
>Date: Fri, 17 Jul 2015 13:00:30 -0400
>To: arch-general at archlinux.org
>Subject: Re: [arch-general] current flash vulnerabilities - what 
>to do?
>On 17/07/15 12:35 PM, Ralf Mardorf wrote:
>> On Fri, 17 Jul 2015 11:30:05 -0400, Daniel Micay wrote:
>>> The Tor browser is quite insecure. It's nearly the same thing as
>>> Firefox, so it falls near the bottom of the list when it comes 
>>> browser security, i.e. below even Internet Explorer, which has a
>>> basic sandbox (but not nearly on par with Chromium, especially 
>>> Linux) and other JIT / allocator hardening features not present 
>>> all in Firefox. What the Tor browser *does* have that's unique 
>>> tweaks to significantly reduce the browser's unique fingerprint.
>>> https://blog.torproject.org/blog/isec-partners-conducts-tor-
>>> Tor would be a fork of Chromium if they were starting again 
>>> with a large team. They don't have the resources to switch 
>>> That would only change if they can get Google to implement most 
>>> the features they need.
>> Vivaldi is based on Chromium. How does Vivaldi compare regarding
>> security and privacy to IceCat, Pale Moon, Firefox, QupZilla, 
>> https://aur4.archlinux.org/packages/?O=0&K=vivaldi
>> https://aur.archlinux.org/packages/?O=0&K=vivaldi
>It's a proprietary browser built on Chromium. It's not interesting 
>a security / privacy perspective.
>If you want Chromium without Google integration then you can use
>Iridium. It doesn't remove any tracking / spying code though. There
>wasn't any to remove. Their redefinition of tracking just means 
>for any service hosted by Google (like adding a warning message 
>when a
>dictionary would be downloaded from them). Most of what it does is
>changing the the default settings to be more privacy conscious.
>Begin forwarded message:
>Date: Fri, 17 Jul 2015 14:49:01 +0200
>To: Kubuntu user technical support <kubuntu-users at lists.ubuntu.com>
>Subject: Re: Any alternative for the Firefox plug-in 'Adobe Flash
>Hi all,
>On Fri, Jul 17, 2015 at 12:21 AM, Ralf Mardorf 
><kde.lists at yahoo.com>
>> On Thu, 16 Jul 2015 21:06:09 +0200, Bas G. Roufs wrote:
>>>However, for WIndows users, this problem might be far more 
>> Why should it be more dangerous for Windows users?
>For the very obvious reason that a 0-day exploit is inherently more
>dangerous on a less secure system, and Windows is by design less
>secure compared to the *nix-based systems like Mac OS or Linux. 0-
>exploits can very very diverse, and the most obvious risk is 
>malware through such an exploit.
>Regards, Myriam
>Begin forwarded message:
>Date: Fri, 17 Jul 2015 18:13:28 +0200
>From: Ralf Mardorf
>To: kubuntu-users at lists.ubuntu.com
>Subject: Re: Any alternative for the Firefox plug-in 'Adobe Flash
>On Fri, 17 Jul 2015 14:49:01 +0200, Myriam Schweingruber wrote:
>>For the very obvious reason that a 0-day exploit is inherently 
>>dangerous on a less secure system, and Windows is by design less
>>secure compared to the *nix-based systems like Mac OS or Linux. 0-
>>exploits can very very diverse, and the most obvious risk is 
>>malware through such an exploit.
>The main issue with bloated browsers and crappy extensions such as 
>one from Adobe is unrelated to the operating system. Most people
>already offend their own privacy by simply typing something into 
>e.g. a
>Google search, already without confirming the search by pressing 
>enter key.
>They should start Firefox with e.g. Google, then launch Wireshark. 
>soon as Wireshark hopefully only displays "Keep-Alive", they 
>should type
>and watch what Wireshark shows.
>As soon as very risky extensions are used or very risky features
>provided by a web browser and/or add-ons, the operating system 
>much involved. The risk is more on a level compared to the risk of 
>phishing website. I guess everybody understands that it doesn't 
>what operating system is used, when sending your banking password 
>to a
>phishing website. This is similar for a lot of security and privacy
>issues caused by web browsers and their extensions.
>ubuntu-studio-devel mailing list
>ubuntu-studio-devel at lists.ubuntu.com
>Modify settings or unsubscribe at: 

More information about the ubuntu-studio-devel mailing list