
Re: MDs & Dentists



On Wed, 21 Jul 2021 18:38:30 +0300
Reco <recoverym4n@enotuniq.net> wrote:

> On Wed, Jul 21, 2021 at 10:51:40AM -0400, Celejar wrote:
> > On Wed, 21 Jul 2021 11:16:46 +0300
> > Reco <recoverym4n@enotuniq.net> wrote:
> > 
> > > 	Hi.
> > > 
> > > On Tue, Jul 20, 2021 at 11:32:26AM -0400, Celejar wrote:
> > > > On Thu, 15 Jul 2021 09:46:59 +0300
> > > > Reco <recoverym4n@enotuniq.net> wrote:

...

> > > > https://hacked.com/linux-ransomware-notorious-cases-and-ways-to-protect/
> > > 
> > > Requires Java to be installed. A rare case on a Linux *desktop*.
> > 
> > Rare? I don't have statistics, but on one of my Linux desktops, I do
> > some development work for Android, using IntelliJ IDEA / Android Studio,
> > which depend on at least some Java components.
> 
> Numbers show that I was incorrect. Let's call it "unlikely" instead of
> "rare". Let the popcon graphs speak for themselves:
> 
> https://qa.debian.org/popcon.php?package=firefox-esr
> vs
> https://qa.debian.org/popcon.php?package=openjdk-11

I'm not sure I'm reading the numbers correctly, but the openjdk-11-jre
figures are 26-29% (as opposed to firefox-esr's 42%) - hardly "unlikely."

> I agree with you that one should uninstall Java unless it's needed.
> After all, they at Oracle always find something to fix in Java security
> every three months, and this has been going on for the last ten years.
> 
> > I don't know if I have
> > enough Java installed to be susceptible to the malware in question ;)
> 
> Java's famous slogan "you write it once and run it everywhere" is an
> exaggeration, to put it mildly. Chances are, you don't have that exact
> minor update of Oracle JRE that this malware actually needs.

Well, I suppose that's a relief ;)

> > Fair enough - but I see no reason why in principle desktop Linux will
> > remain immune from ransomware.
> 
> It won't by itself, of course. One sure way to beat ransomware is to
> take immutable backups (i.e. unmodifiable by host during and after the
> backup is taken), and as recent history shows us - ransomware victims
> apparently do not use this approach.
> 
> Another sure way is to forbid running executables downloaded from random
> Internet sites, but no thanks to appimage, flatpak, snap, and Go, the
> Linux desktop is heading straight in the direction of the Windows desktop.
> And again, as recent history shows us - ransomware victims apparently do
> not use this approach either.

Good points.

> Currently a Linux desktop is better in this regard, but I agree that it
> may not remain the same.
> 
> 
> > Even if Linux word processors are safer than their Windows counterparts,
> 
> Last time I ran Libreoffice I had that distinct feeling that I was
> running a Java program. You know - long startup, eating memory like
> there's no tomorrow, trying to write useless junk to at least four
> different places on my filesystems, and eating unhealthy amounts of CPU
> time in the process.

Funny - I always have that feeling and most of those experiences with
Firefox, (even) these days ;)

> I know that Libreoffice is written in C++, but its code quality
> definitely leaves something to be desired. At least when the thing
> crashes (it did, several times) it produces a standard core dump, not
> some unreadable stack trace and a heapdump.
> 
> In retrospect, maybe feeding Libreoffice Draw that 800-pages PDF was not
> the best of ideas, but no free software tool comes close to the
> capabilities of Libreoffice in editing PDFs, and I really needed that
> PDF to be modified (mass-replacing embedded fonts, to be specific).
> 
> 
> On the other hand, Windows counterparts are typical enterprisey software
> written by generations of overseas workers with the code quality (or
> rather the lack of) that's expected from enterprisey software.
> 
> My opinion on this - both are bad. Libreoffice is better, being free
> software, of course, but that does not make it secure by definition.
> 
> 
> > browsers are just full of vulnerabilities,
> 
> True. Every version of Chromium and Firefox fixes at least one.
> Most of said vulnerabilities cannot be used to get Remote Code
> Execution (RCE) though. Which leaves us with the "random download"
> scenario, which I've discussed above.

Most, yes. But the pwn2own hackers, for example, seem to pretty
routinely get RCE on the major browsers, so I wouldn't bet my data that
ransomware authors won't as well:

https://www.zerodayinitiative.com/blog/2019/3/21/pwn2own-vancouver-2019-day-two-results
https://www.bleepingcomputer.com/news/security/researchers-earn-1-2-million-for-exploits-demoed-at-pwn2own-2021/

> > so why couldn't ransomware get in that way?

> It could. In the absence of a proper execution environment (be it JRE,
> flatpak, snap or whatever) - what should it do next? Wait for a user to
> execute it?

> Reco

Celejar
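The "immutable backups" approach Reco describes above (snapshots the desktop
cannot modify during or after the backup), sketched as an added shell example.
This is not code from the thread or from any Debian package. The function
names take_snapshot, verify_snapshot and restore_file are invented for the
example; a local directory stands in for the desktop so the script runs
offline, whereas a real deployment would have the backup host pull the files
over ssh (rsync with a forced-command key) and turn each copy into a read-only
btrfs/zfs snapshot; neither of those steps is shown here.

```shell
#!/bin/sh
# Added example: a pull-model snapshot backup in the spirit of the
# "immutable backups" advice in the thread. Not code from the thread.
#
# Threat model: ransomware runs on the desktop with the user's (maybe
# root's) privileges. It can destroy anything the desktop can write to,
# so the snapshots must live where the desktop has no write access: a
# backup host that *pulls* the files, and to which the desktop holds no
# credentials. Here the desktop is stood in for by a local directory so
# the script runs offline (assumption); in a deployment the copy step
# would be rsync over ssh initiated from the backup host.
set -eu

# take_snapshot SRC ROOT STAMP
# Copies SRC into ROOT/STAMP, records a sha256 manifest beside it, and
# removes write permission from the result. A snapshot is never reused:
# an existing STAMP is refused rather than overwritten, so a run that is
# fed already-encrypted files cannot clobber an earlier, good snapshot.
# Prints the snapshot path on success.
take_snapshot() {
    src=$1
    root=$(mkdir -p "$2" && cd "$2" && pwd)   # absolute, for the manifest
    stamp=$3
    snap="$root/$stamp"
    manifest="$root/$stamp.sha256"

    if [ -e "$snap" ] || [ -e "$manifest" ]; then
        echo "take_snapshot: refusing to overwrite $snap" >&2
        return 1
    fi

    mkdir "$snap"
    cp -a "$src/." "$snap/"

    # Manifest of every file, relative to the snapshot root, so the
    # snapshot can be checked later with sha256sum -c.
    (cd "$snap" && find . -type f -exec sha256sum {} +) > "$manifest"

    # Belt and braces only: root on the backup host can chmod this back.
    # The real protection is that the desktop never gets a shell or a
    # writable share on the backup host. Read-only btrfs/zfs snapshots
    # or chattr +i are the stronger equivalents of this step.
    chmod -R a-w "$snap"
    chmod a-w "$manifest"

    echo "$snap"
}

# verify_snapshot ROOT STAMP
# Returns 0 if every file in ROOT/STAMP still matches its recorded hash,
# non-zero if any file was altered or removed since the snapshot was taken.
verify_snapshot() {
    root=$(cd "$1" && pwd)
    stamp=$2
    (cd "$root/$stamp" && sha256sum -c "$root/$stamp.sha256") >/dev/null 2>&1
}

# restore_file ROOT STAMP RELPATH DEST
# Copies one file out of a snapshot; the snapshot itself stays read-only.
restore_file() {
    root=$(cd "$1" && pwd)
    cp "$root/$2/$3" "$4"
}
```

The point the script makes is structural rather than cryptographic: every
snapshot gets a fresh name, nothing ever writes into an old one, and the
backup host is the only party that can reach them at all. The mode bits only
stop accidental overwrites; what stops ransomware is that the desktop has no
login on the backup host, so the malware's own privileges are irrelevant
there. The manifest lets you answer "is this snapshot still the one I took"
before restoring from it.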

