AnonTechie writes:
"A surprising number of governments are now deploying their own custom malware and the end result could be chaos for the rest of us, F-Secure's malware chief Mikko Hypponen told the TrustyCon ( https://www.trustycon.org/ ) conference in San Francisco on Thursday.
'Governments writing viruses: today we sort of take that for granted but 10 years ago that would have been science fiction,' he told the public conference. 'If someone had come to me ten years ago and told me that by 2014 it will be commonplace for democratic Western governments to write viruses and actively deploy them against other governments, even friendly governments, I would have thought it was a movie plot. But that's exactly where we are today.'
(Score: 5, Interesting) by mrider on Friday February 28 2014, @10:37PM
Not because GNU/Linux (or BSD, or etcetera) is "immune" to viruses (virii?), but because my Debian box is so different than another person's Gentoo box, or Slack box, or BSD, or whatever, that the government would nearly have to tailor the malware just for me.
Whatever roadblocks I can put up are good so far as I'm concerned.
Doctor: "Do you hear voices?"
Me: "Only when my bluetooth is charged."
(Score: 5, Funny) by mrbluze on Friday February 28 2014, @10:42PM
No, they just hire a guy to grow a beard around his neck and make code commits that someone else writes for him, get him to a position of power, and then put malware into the kernel.
Do it yourself, 'cause no one else will do it yourself.
(Score: 5, Funny) by mrider on Friday February 28 2014, @10:48PM
And then wait three years until that code makes it onto my box (running Debian stable). :)
Doctor: "Do you hear voices?"
Me: "Only when my bluetooth is charged."
(Score: 4, Insightful) by crutchy on Friday February 28 2014, @10:50PM
There may be lots of different distributions and configurations, but the kernel is a common weak point (single point of failure).
And Torvalds is only one human living in the United States... he is not immune from manipulation by the government (I hear waterboarding can be convincing).
(Score: 1) by mrider on Friday February 28 2014, @11:24PM
True. But unless the kernel is vulnerable to a remote exploit, then almost certainly the delivery mechanism that would work for you wouldn't work for me.
Doctor: "Do you hear voices?"
Me: "Only when my bluetooth is charged."
(Score: 2, Insightful) by crutchy on Saturday March 01 2014, @01:18AM
Probably, but I doubt most Linux users would review kernel source changes before updating, so if Torvalds opted to insert some kind of remote exploit into the kernel (thanks to some friendly "enhanced interrogation" techniques) most would have no idea. A lot would, particularly the core kernel devs, but no doubt they would be targeted too in that scenario.
(Score: 4, Interesting) by Anonymous Coward on Saturday March 01 2014, @01:31AM
The malware is in the hardware microcode. No amount of OS safeguarding will prevent a government organization taking over the hypervisor you never knew was running on your Intel CPU.
(Score: 2) by SMI on Saturday March 01 2014, @03:22AM
I'm interested to know more, if you have any reference material. I checked the links in TFS, but didn't find anything. I'm about to buy a new laptop, and full virtualization support in the CPU is one of my requirements. Unfortunately, there isn't much available with an AMD chip these days, not even in the custom laptops I've looked at.
(Score: 2, Insightful) by DNied on Friday February 28 2014, @11:56PM
Not only that, but the core userland is pretty much the same stuff across Linux distros, with minimal customization.
It would be an incredibly lucky coincidence if those slight distro-specific tweaks would somehow end up neutralizing the exact piece of malware to reach your machine.
(Score: 4, Insightful) by Runaway1956 on Saturday March 01 2014, @03:20AM
The kernel isn't the single point of failure that you think. Just because I might run Debian doesn't mean that I am necessarily running a kernel packaged and released by Debian. We can, and some of us do, "roll our own" kernels. An exploit that exists on one Debian box may not exist on another Debian box. And, of course, there are differences between distros. The paranoid who compiles all of his own software from source may share some vulnerabilities with the larger community, or he may even introduce some unique vulnerabilities, but you can't count on much or anything.
A MAN Just Won a Gold Medal for Punching a Woman in the Face
(Score: 5, Insightful) by TheLink on Saturday March 01 2014, @04:09AM
And you don't need to infect the kernel at all. All you need are "zero days" on common browsers/clients (IM etc.) or common plugins (many governments can MITM you if you're in their territory or they really really want to). Then the malware gets in and sets itself up to keep running - at, crontab, sneaky aliases, etc.
Very few Linux users run their browsers using other accounts or sandbox their browsers (and do check if your sandbox is tight enough for such a scenario - the last I checked years ago Ubuntu's default AppArmor browser sandbox was rather loose, but I've given up on Ubuntu for desktop stuff any more so I'm not bothered).
So even if kernel or privilege escalation exploits would be nice, there's no need in most cases. The user's stuff - email, keys, IM, browser cache (for frame jobs and other stuff), etc. - would all be accessible already.
There may be lots of different distros and configurations but in my experience writing cross-platform stuff for Linux and Unix platforms (BSD, Solaris, AIX etc.) a Perl script can cope with most of that (one issue is SSL support across all those distros, but if you don't care about encrypting all your channels with SSL that's not a big problem - and even then there are usually workarounds with CLI HTTP clients).
TIMTOWTDI is great for writing malware too ;).
(Score: 3, Interesting) by sjames on Saturday March 01 2014, @07:08AM
The kernel isn't as interesting as it used to be. Getting the BIOS to run an exploit inside SMM or the BMC would be more interesting. Some BMCs have a JTAG connection to the system. This is especially dangerous since the BMC shares the main system's network port.
(Score: 5, Informative) by stormwyrm on Friday February 28 2014, @11:02PM
The proper plural of virus is viruses. If it were a Latin word, as in words like radius -> radii, 'virii' would rather be the second declension masculine plural of the non-existent word 'virius'. There is no attested classical Latin plural form for 'virus' (meaning 'poison' or 'venom'), as it was considered a mass noun, and even if there were one, it would most likely have been considered a second declension neuter noun, whose nominative plural would rather be 'vira'.
Numquam ponenda est pluralitas sine necessitate.
(Score: 1) by seandiggity on Friday February 28 2014, @11:11PM
Erasmus, is that you?
(Score: 2) by mrbluze on Saturday March 01 2014, @01:33AM
Viridae, actually.
Do it yourself, 'cause no one else will do it yourself.
(Score: 0) by Anonymous Coward on Saturday March 01 2014, @02:03AM
The -idae suffix does not form a Latin plural, but is a formation from Greek (from εἶδος) that means 'in the form of', and is used in taxonomy to denote subclasses and families.
(Score: 0) by krishnoid on Saturday March 01 2014, @01:40AM
blah blah blah ...
it would most likely have been considered a second declension neuter noun, blah blah blah 'vira'.
'Vira' it is, then. Thanks for clarifying that -- I'll be sure to start using it with the security people I know.
(Score: 1, Insightful) by Anonymous Coward on Friday February 28 2014, @11:08PM
No, virii is Latin for "men".
The correct English word is "viruses".
On top of that, I would like to see us discontinue the use of Latin plurals in English. It's not 1500 anymore.
(Score: 0) by Anonymous Coward on Saturday March 01 2014, @07:27AM
(Score: 2, Informative) by Asshole on Friday February 28 2014, @11:17PM
If you remember this video http://www.youtube.com/watch?v=vILAlhwUgIU [youtube.com] then you know that Windows, OS X, Linux, and FreeBSD are all compromised by the NSA. So if you want to be truly safe, you should use OpenBSD.
(Score: 4, Insightful) by Runaway1956 on Saturday March 01 2014, @03:32AM
*sigh*
Understand, I'm not finding fault with you or your link. But, I was hoping to see a three to ten minute video, from which I might learn something. An hour long video is just too much. I bookmark these links, but I just never get back to them. Got anything similar that summarizes the presentation? "Executive summary" so to speak?
And, before anyone asks, no, I don't watch Hollyweird movies. It's not a question of trading off some pointlessly spent time with the television to watch this video.
A MAN Just Won a Gold Medal for Punching a Woman in the Face
(Score: 1) by Asshole on Saturday March 01 2014, @09:52PM
This is the only summary I could quickly find: http://tech.fortune.cnn.com/2013/12/31/apple-nsa-appelbaum-spiegel/ [cnn.com]
Everything else is either a full transcript or does not cover enough of the talk.
(Score: 1) by Runaway1956 on Sunday March 02 2014, @05:56AM
Thank you for that. I've just emailed my son with links to this discussion, the video, and the article you supplied just now. His life is at least as active as mine - but he may actually watch the entire video.
A MAN Just Won a Gold Medal for Punching a Woman in the Face
(Score: 1) by mrider on Friday February 28 2014, @11:53PM
To all of you that keep replying that the vulnerability can be hiding inside the kernel - or whatever - you miss the point. Unless my box is remotely exploitable, how do you deliver the virus? I almost certainly don't have the same vulnerability vectors as you.
Doctor: "Do you hear voices?"
Me: "Only when my bluetooth is charged."
(Score: 5, Informative) by HiThere on Saturday March 01 2014, @12:03AM
Well, Flash is a crossplatform delivery vector, and it appears that HTML5 will also be one. So is Java. I'm not sure about JavaScript, but with a few extensions (common) it probably is.
It's true that the item delivered will need to be configured to run under your system, but if you're on the web, you can probably be compromised. If not this year, then next year.
Javascript is what you use to allow unknown third parties to run software you have no idea about on your computer.
(Score: 3, Interesting) by mrider on Saturday March 01 2014, @12:10AM
Noscript.
Not installed.
Noscript.
Undoubtedly. But you see what I mean about how my computer isn't standard?
Doctor: "Do you hear voices?"
Me: "Only when my bluetooth is charged."
(Score: 3, Insightful) by tibman on Saturday March 01 2014, @12:38AM
I use noscript as well and run FF within a sandboxie container. In linux i just use FF and don't really care.
What do you do when you want to buy something? Constantly run into problems because the site you are buying from is actually using 3rd party services. None of those are whitelisted and die horribly. Adding them to the whitelist causes data to be resent and could cause an error : /
SN won't survive on lurkers alone. Write comments.
(Score: 4, Informative) by SMI on Saturday March 01 2014, @06:22AM
I use (among other things) NoScript and RequestPolicy [mozilla.org], and when I want to buy something, of course I make sure to be aware of what is being allowed (both temporarily and permanently) and what is being blocked. In other words, I buy things online all the time and haven't had any problems or double charges. If a person doesn't understand how to use a chainsaw, that isn't the chainsaw's fault.
(Score: 1) by tibman on Sunday March 02 2014, @08:33AM
I'll take a look at RequestPolicy. You might also like https://www.eff.org/https-everywhere [eff.org]
SN won't survive on lurkers alone. Write comments.
(Score: 2) by SMI on Sunday March 02 2014, @08:40AM
Thanks, I'm already [soylentnews.org] using it, though I do appreciate the advice anyway.
(Score: 5, Insightful) by Koen on Saturday March 01 2014, @01:06AM
Conclusion: if anybody wants to attack us soylentils (and pipedotters, technocrats & comp.miscfits), NoScript would be the perfect virus vector.
/. refugees on Usenet: comp.misc [comp.misc]
(Score: 0) by Anonymous Coward on Saturday March 01 2014, @07:29AM
+1 Insightful, kingdom for mod points, you know the schtick.
(Score: 1) by sjames on Saturday March 01 2014, @07:42AM
You'll get it in the BIOS itself, fresh from the factory that REALLY doesn't want to be 'audited'.