
> The Linux operating system is designed to have high level of security. However, this year a few attempts to attack Web servers by backdoors redirecting traffic or malicious apache modules have been discovered. The aim of this Trojan is to compromise user desktop systems. With features designed to abuse sensitive browser information, it could advance Linux users a step forward in this specific environment. The same threatening environment in which Windows users have existed for years. The statement that the Linux platform is absolutely secure now seems even more illusive.

Once you have the ability to run code on a system (as someone dropping this trojan would), all bets are off. This has nothing to do with "security" and it's quite misleading to say that it does. I'm no fan of Linux from a security perspective, but this story has no impact on the security posture of a Linux system, period.



Bets aren't off. Look at what Chrome, NaCl does, or how iOS and Symbian (yeah) and Android (eh Linux there actually) isolate.

Privilege escalation bugs are getting rarer.

If Ubuntu put the browser in an LXC etc., things could move forward.

Bets not off! We should carry on trying!


Even in these cases, they're still allowing full access to that sandbox. This trojan doesn't escalate -- it doesn't need to. It just has to drop other payloads, which could be done on any system without hard code signing requirements.


Please correct me if I am wrong, but I think all the OSes that you referred to run apps in sandboxes with strong limitations on file system access. If that is the case, then the compromises might not be worth it on desktops.


Why should code downloaded in the browser context read your CD drive? Separation is good. Even cut/paste can go via a trusted intermediary.


If I'm not mistaken, Ubuntu ships Firefox with an AppArmor profile that restricts it by default.

(Question for those in the know: what exactly does it prevent Firefox from doing?)


Yes it does. But I want defense in depth: I want it contained, I want OpenBSD-style randomisations and so on.


Why couldn't the browser run itself in a VM instead of relying on the OS to do it? There's some file size overhead, sure, but it seems like a custom VM would be the best way to ensure maximum compatibility, and avoids the potential for a tangle of mutual workarounds.


Or we could say: security is a practice.

Usually the design of an O.S. has a certain weight, but not half of the weight that the operators (and users) have.

A keylogger for Linux takes less than 30 lines of C... a payload for a root shell takes less... but to certify that they will work on every Linux out there... is harder... it's hard even with constructive software, it shouldn't be less hard with malware.

The concept of malware may vary too much from one person to another, from one company to another, from one project to another.

It's not always a trojan, and software is a changing scenario. And it's not isolated, it's an ecosystem.

The first viruses traveled on floppy disks. Nowadays they use websockets, SQL, or render themselves as a (web) image or font.

Even the low latency 8.8.8.8 DNS may be considered malware if we go philosophical.

The Internet, like the real world, is something wonderful. And like the real world, it may turn hostile. So even if wonderful, each one should take care about what to trust, and what not, and how.

Update: remove all "quoting" as I was told once that I use them too much.


> I'm no fan of Linux from a security perspective

What OSes are you a fan of from a security perspective?


IBM RS/6000


No offense, but I'd rather hear from a noted security expert than an adman.



