sudo without password
Florian Diesch
diesch at spamfence.net
Thu Jun 15 01:56:33 UTC 2006
ubuntu at rio.vg wrote:
> Florian Diesch wrote:
>> Alan McKinnon <alan at linuxholdings.co.za> wrote:
>>>
>>> Which raises the question: what _will_ work? I believe this question
>>> needs some attention and a solution now, before the malware problem
>>> hits Linux in a big way (which it surely will).
>>
>> As long as Windows is such an easy target I don't think this will
>> happen.
>>
>> And malware needs critical bugs that aren't fixed for some time or a bad
>> user interface design that makes it easy to fool the user about what's
>> happening or make him ignore warnings. In both cases Ubuntu is much
>> better than Windows
>
> Not at all. All you need is to convince the user to run it. You could
> have a completely bug free system, but if the user executes the malware,
> it's over.

The user doesn't want to execute malware. To make him do so you need to
make him believe that he's doing something different, like opening a picture.

> No one here, however, is suggesting that Linux is in any way
> as vulnerable as Microsoft. But there are still potential threats to
> Linux that we can glean from the current state of Windows.
>> If your system is infected by malware it's too late. The way to go is to
>> prevent the infection.
>
> That's not enough for many users. The users will run the malware.

If he will run the malware, chances are good he will click "Yes" if
asked for permission to open a network connection.
I don't think there are many users who'll not grant access if
"ubuntu-update-mgr" asks for it. And for most of the others you'll need
just some more social engineering.

>>> are easy to ignore. We know that Ubuntu can easily install a
>>> well-configured system suitable for a desktop, but the Achilles heel
>>> is stuff installed afterwards.
>>
>> People should know that it may be dangerous to install stuff from
>> obscure sources. They should know that most of the software they want
>> is available from their distribution.
>
> But people don't know. As we've pointed out in this thread, take a look
> at half the Windows machines out there, they're filled with stupid
> toolbars and adware and all kinds of trash that people download and
> install just to see the dancing baby that somebody forwarded to them
> from someone else.
>
> Most of the adware out there doesn't come from viruses or trojans, but
> are installed right alongside these stupid little programs and toolbars.
> It's not from gaping security holes. (The more malicious stuff gets
> into Windows from security holes.)

AFAIK most of today's Windows malware either uses some IE bugs or makes
the user click on things like queen-mom-naked.jpg.exe

> Linux has no magical immunity to users that will run anything they
> download off the net.

It has at least the advantage that most users aren't doing it with
administrator privileges.
But the way to go is to tell them not to run anything they download off
the net. Ubuntu has about 12 GB of trustworthy software, so one goal is
IMHO to tell them to search there first before they try Google.

> Being secure from network attacks alone isn't enough for the threats
> Linux will face in the future. Consider: What do you see when you
> install a deb or rpm? How would you know that it isn't just installing
> Mozilla Thunderbird, but also a trojan right along with it? Right now,
> sophisticated users are smart enough to only install signed packages.
> But that won't be enough when the average user wants to see the dancing
> baby animation and will override it because the website told him to.
> It's not enough to say "Well, that's his own damn fault!" You could say
> the same thing for many of Windows' problems.

Well, you can't do more than warn the user that he's about to do
something dangerous. It's his computer after all.
The problems with Windows are that often there is no warning and that
there are so many annoying questions that most users have clicked
the OK button before they could read the message.

Florian
--
<http://www.florian-diesch.de/>