
Re: security (malware) issues in Linux based OSes



On 2009-02-15_19:51:11, Tzafrir Cohen wrote:
> On Sun, Feb 15, 2009 at 04:33:53PM -0300, Eduardo M KALINOWSKI wrote:
> > Tzafrir Cohen wrote:
> > > A Debian user should not be expected to install just any .deb file.
> > >   
> > 
> > Ideally speaking, I'd say this holds for any OS: Users should not just
> > install (or click, or run) everything they see.
> > 
> > In practice things happen differently, especially in the Windows world.
> 
> As I have pointed out, there's no real reason for the user interface to
> make that operation too simple. After all, you're not really guaranteed
> that you'll actually be able to install that package, as you may not
> have its dependencies.

This discussion is kind of crazy. I wonder why a producer of malware
would not make sure that his/her package depended only on packages
that are already available from official Debian repositories. Or,
perhaps, have the initial package patch the user's sources.list to
point to an extra special malware repository. Admittedly, most
malware producers are really incompetent, but there are also producers
of software that automate the production of malware. With these,
really stupid people can produce a piece of malware that is a well
crafted piece of evil.

Debian has already demonstrated initiative in automating package
signing, and, no doubt, other security measures of which I am
unaware. I suspect that the security is pretty good. Early on, there
were powerful organizations that would have benefitted handsomely if
Debian had been disrupted, and it wasn't disrupted. But there is
always the unknown unknown.




-- 
Paul E Condon           
pecondon@mesanetworks.net
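
The sources.list change speculated about in the message above can be checked for from the administrator's side. The following is an added example, not part of the original message: a small auditor for one-line-style APT entries. The allowlist rule (debian.org and its subdomains), the finding names and the sample file are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# One-line-style entry: type [options] uri suite [components...]
ENTRY_RE = re.compile(r"^(deb|deb-src)\s+(?:\[([^\]]*)\]\s+)?(\S+)\s+(\S+)")

# Constructed sample, not taken from any real system.
SAMPLE = """\
# constructed sample
deb http://ftp.debian.org/debian lenny main
deb http://security.debian.org/ lenny/updates main
deb [trusted=yes] http://repo.example.net/debian lenny main
deb-src http://ftp.debian.org.example.net/debian lenny main
"""

def is_official(host):
    # Assumption: only debian.org and its subdomains count as official here.
    return host == "debian.org" or host.endswith(".debian.org")

def audit_sources(text):
    """Return (line number, reason, detail) for every entry needing review."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = ENTRY_RE.match(line)
        if not m:
            findings.append((lineno, "unparsed", line))
            continue
        options, uri = m.group(2) or "", m.group(3)
        # trusted=yes tells APT to skip signature verification for this source.
        if "trusted=yes" in options.lower().split():
            findings.append((lineno, "signature-check-disabled", uri))
        host = urlsplit(uri).hostname
        if host is None:
            findings.append((lineno, "no-network-host", uri))
        elif not is_official(host):
            findings.append((lineno, "unofficial-host", host))
    return findings

if __name__ == "__main__":
    for finding in audit_sources(SAMPLE):
        print(finding)
```

Run it over the contents of /etc/apt/sources.list and each file under /etc/apt/sources.list.d/, and compare the findings against the third-party repositories you added deliberately.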

