Any and all operating systems that download 3rd party attachments like that will be cracked open, Linux, Mac, and Windows alike. Granted, by nature the architecture of Linux is a little more robust than Windows, but that's when you're talking about the core system itself. When you start to introduce 3rd party applications, any operating system will react the same way and be cracked wide open.
However - this exploit as demonstrated in the video, to my knowledge, has been fixed in Ubuntu 9.04.
That's how I avoided most of my Windows virii. By "I know not to do that". Even so, when "I know not to do that" doesn't become a solution any longer, how hard would it be to create an antivirus software for Linux? There's already a couple. Avast offers .exe, .pkg .rpm, .deb, and compiled into a .tar.gz are various pre-compiled files. Anyway, this is no basis for any sort of proof Linux, Ubuntu in particular, is insecure, really.
Windows is nowhere close to being as secure as *Nix, even with the newer updates in Vista/7, such as UAC. There's still plenty of stupid exploits, and even larger number of virii and other malware.
That's not being "insecure". That's just being clueless. If I never used Windows, I may not know what a .exe file was, or how to identify a malicious one. Hell, I don't even remember clearly if Windows shortcuts are .lnk. I could do the same thing on Windows, maybe even on a Mac. Of course any OS is exploitable, but this - this proves nothing of importance. Read: Nothing.
The OS is not the insecure one, it's the knowledge of the user.
@lala51750 You fail to realize the point of my comment. This isn't an exploit. This is just a user being an idiot. Additionally, did you read my (ancient) comment? It says "Of course any OS is exploitable..."
@lala51750 As I said, "any OS is exploitable." However, Windows has many more exploits that allow programs to be run with administrative privileges. Additionally, bugs in the Linux kernel are generally discovered and patched faster due to the open source nature of the project. Simply because you found a link that said "Zomg root exploit" does not make Windows any better (security-wise) in comparison to other OSes.
@SnoFox6161 Indeed. Keep in mind that Windows has 100x more usage share than Linux. That makes Linux rather obscure. Besides, most of the "hackers" are Linux advocates; they treat FOSS as one of the "own".
@lala51750 Do you mean cracker or hacker? A cracker is what the media are calling a hacker, and a hacker is someone who types (hacks) on a keyboard, which means not necessarily illegal activity.
Windows has flaws that Linux does not have (because they have to reflect their users' knowledge), so having highest market share is not the ONLY reason that Linux is more secure. And... security by obscurity is not "real" security BTW in my opinion, so I wouldn't use the "market share" excuse anyway.
@lala51750 Hasn't to do with exploits, since every OS has flaws. It has to do with the thinking behind the OS' security. For example that Linux is a true multiuser system and windows is not, and that it has SoftwareCenter, which means you do not (like in Windows) have to download from unknown source, and EVERY program is updated automatically. Security was thought in from the start in Linux, in Windows it was not. This makes it really impossible to make Windows as secure as Linux.
lol, I feel sorry for the schmuck that steals my identity. If he thinks his problems are over, he's mistaken. They've just quadrupled ;)
Seriously though. I don't do any personal information whatsoever online anymore. My new computer will seldom see the net and will never check email.
That was actually the easiest part. Firefox stores all data ever entered into html forms (except for passwords, fortunately) in a sqlite database called formhistory.sqlite. I looked for data with field names matching things like %social%, %ssn%, %routing%, %bank%, and %credit%.
Way too easy. You can tell FF to not store that data, but it's turned on by default and most people don't even think about it.
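An added example, not part of the original thread and not Firefox code: a Python self-audit that counts form-history entries whose field names match the patterns quoted above, without reading the stored values, and can purge them. `moz_formhistory` with its `fieldname` and `value` columns is the table Firefox keeps in `formhistory.sqlite`; the sample database and its rows are constructed.

```python
import sqlite3

# Field-name patterns quoted in the comment above (SQLite LIKE ignores ASCII case).
SENSITIVE_PATTERNS = ("%social%", "%ssn%", "%routing%", "%bank%", "%credit%")


def _where(patterns):
    """Build one parameterised LIKE clause per pattern."""
    return " OR ".join("fieldname LIKE ?" for _ in patterns)


def build_sample_db():
    """Constructed stand-in for a copy of formhistory.sqlite (simplified schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE moz_formhistory ("
        "id INTEGER PRIMARY KEY, fieldname TEXT NOT NULL, "
        "value TEXT NOT NULL, timesUsed INTEGER)"
    )
    conn.executemany(
        "INSERT INTO moz_formhistory (fieldname, value, timesUsed) VALUES (?, ?, ?)",
        [
            ("searchbar-history", "ubuntu jaunty", 4),
            ("ssn", "000-00-0000", 1),
            ("bank_routing", "000000000", 2),
            ("credit_card_number", "0000000000000000", 1),
            ("credit_card_number", "1111111111111111", 1),
            ("city", "Springfield", 3),
        ],
    )
    conn.commit()
    return conn


def sensitive_fields(conn, patterns=SENSITIVE_PATTERNS):
    """Return {fieldname: number of stored entries}; values are never selected."""
    sql = (
        "SELECT fieldname, COUNT(*) FROM moz_formhistory "
        f"WHERE {_where(patterns)} GROUP BY fieldname ORDER BY fieldname"
    )
    return dict(conn.execute(sql, patterns).fetchall())


def purge_sensitive(conn, patterns=SENSITIVE_PATTERNS):
    """Delete matching entries and return how many rows were removed."""
    cur = conn.execute(f"DELETE FROM moz_formhistory WHERE {_where(patterns)}", patterns)
    conn.commit()
    return cur.rowcount


def remaining_rows(conn):
    return conn.execute("SELECT COUNT(*) FROM moz_formhistory").fetchone()[0]


if __name__ == "__main__":
    # For a real profile, close Firefox and open a copy of formhistory.sqlite
    # with sqlite3.connect(path) instead of the constructed sample.
    db = build_sample_db()
    print("sensitive field names:", sensitive_fields(db))
    print("purged rows:", purge_sensitive(db))
    # Setting browser.formfill.enable to false in about:config stops Firefox
    # from saving new form entries.
```
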
I just tried out the beta of Jaunty. Looks like a solid way of licking it. Looks like this will all be behind us by the end of April '09. Or when the LTS's expire...
You are right, of course - technology cannot change user behavior, hence a system with users can never be entirely secure.
The real point is this: Windows users have antivirus. Linux users have "I know not to do that." But the Linux mindshare is expanding, and "I know not to do that" will not remain an effective solution for much longer. Read the blog post I link to in the description for more details.
Also note that email is only one way a file like this could be transmitted. It could also spread through network shares or removable media. In those cases the user would not see the "fake" file extension.
Can I have a link to the file used? I want to figure out how it works (I'm not trying to figure out how to get people's info from firefox or anything) I'm just really curious.
This video is only a trick !!!
lol
:)
Linux is a virus free OS
kothalis 2 weeks ago
Linux is the kernel not any of the things that run on top of it. But if you wish to discuss UI which desktops an option to disable showing extensions and have it enabled by default? Enough said.
Gerro15A 1 month ago
if it were that easy to hack linux I'm sure more people would be trying, not that it's impossible, it's just a lot less likely in general.
russellwarner1 2 months ago
Oh yeah and Linux has a lot of viruses. Unfortunately Linux has a market share of less than 1% and it's usually technically knowledgeable people or servers or poor, non-profit individuals, institutions. It's much harder to trick a trained sysadmin, servers don't open strange files and have a set behaviour, poor/non-profit = don't care about.
People create viruses with the aim to gain something from it. Windows and Mac users are the most obvious choice.
kotapaka 2 months ago
What I don't understand is why is firefox storing secure information. Usually pages that require secure info use an ssl connection so surely the Mozilla Firefox team should know this means this is sensitive data which should NOT be stored anywhere. This is equal to writing your bank accounts, passwords in a text file in your home folder. WTF?
kotapaka 2 months ago
SQLite is spelled S-Q-Lite not Sequelite.
MagicSysRqKey 4 months ago
Linux hacked by hackers:
watch?v=bOz0FNeIL8s
lala51750 4 months ago
This attack vector doesn't exist anymore. .desktop files are now treated as any other piece of executable code (since they can contain shell commands). And as such, they need to be marked as executable before the user can run them. IIRC Ubuntu gives a warning about how nasty that shit is when trying to open such a desktop file without the executable bit. (KDE does it).
SeltsamerAttraktor 4 months ago
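The executable-bit rule described in the comment above, turned into a check you can run over a downloads folder; this is an added example, not part of the original thread and not any desktop environment's own code. It lists each .desktop launcher, whether its executable bit is set, whether its name imitates a document, and what its Exec line would run; the decoy-extension list, shell list and sample files are constructed assumptions.

```python
import os
import shlex
import stat
import tempfile
from pathlib import Path

# Assumed, illustrative lists; extend them for your own environment.
DECOY_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".pdf", ".txt", ".odt", ".doc"}
SHELLS = {"sh", "bash", "dash", "zsh"}


def parse_desktop_entry(path):
    """Return the key/value pairs of the [Desktop Entry] group of a launcher."""
    entry, in_group = {}, False
    text = Path(path).read_text(encoding="utf-8", errors="replace")
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):
            in_group = line == "[Desktop Entry]"
            continue
        if in_group and "=" in line:
            key, value = line.split("=", 1)
            entry[key.strip()] = value.strip()
    return entry


def runs_shell(exec_line):
    """True when the Exec command hands its arguments to a shell interpreter."""
    try:
        argv = shlex.split(exec_line)
    except ValueError:  # unbalanced quotes: treat as suspicious
        return True
    return bool(argv) and os.path.basename(argv[0]) in SHELLS


def audit_launchers(directory):
    """Map each .desktop file under `directory` to what a reviewer needs to see."""
    report = {}
    for path in sorted(Path(directory).rglob("*.desktop")):
        if not path.is_file():
            continue
        entry = parse_desktop_entry(path)
        mode = path.stat().st_mode
        exec_line = entry.get("Exec", "")
        report[str(path.relative_to(directory))] = {
            # Without this bit, a fixed desktop warns instead of launching.
            "executable": bool(mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH)),
            # "holiday.jpg.desktop" has the inner extension ".jpg".
            "decoy_name": Path(path.stem).suffix.lower() in DECOY_EXTS,
            "runs_shell": runs_shell(exec_line),
            "exec": exec_line,
            "icon": entry.get("Icon", ""),
        }
    return report


def demo():
    """Audit two constructed sample launchers in a temporary directory."""
    samples = {
        "holiday.jpg.desktop": (
            "[Desktop Entry]\nType=Application\nName=holiday.jpg\n"
            "Icon=image-x-generic\nExec=sh -c \"echo constructed-sample\"\n",
            0o644,
        ),
        "editor.desktop": (
            "[Desktop Entry]\nType=Application\nName=Editor\n"
            "Icon=accessories-text-editor\nExec=gedit %U\n",
            0o755,
        ),
    }
    with tempfile.TemporaryDirectory() as tmp:
        for name, (body, mode) in samples.items():
            target = Path(tmp) / name
            target.write_text(body, encoding="utf-8")
            os.chmod(target, mode)
        return audit_launchers(tmp)


if __name__ == "__main__":
    for name, info in demo().items():
        print(name, info)
```

A launcher that is executable, carries a decoy name and runs a shell deserves a look before anyone double-clicks it; one without the executable bit is in the state the fix relies on.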
@TheLifelessPlanet The only way of autoexecuting is through a vulnerability. Probably Flash. So just use a whitelist and block everything from Flash except for youtube. JAVA is really the same. It is not used on many sites, so use a whitelist for that too.
MsPwain 7 months ago
@MsPwain with AppArmor or SELinux you're also protected against that to some level
generaldeejee 4 months ago
@generaldeejee I have problems understanding SELinux, that is why I do not use it. I will have to investigate it further to understand it.
MsPwain 4 months ago
Since it is NOT installing automatically, this is NOT a virus.
What a shitty attempt. Doesn't prove anything AT ALL about Linux viruses.
This proves that if you are dumb enough, and force the computer to install malware, then the OS will allow it. And THAT IS WHAT IS SUPPOSED TO HAPPEN. The computer owner has the power. So if the computer owner is an idiot, there is nothing that can help him. Windows is trying to protect users from themselves and decide for them. I HATE that.
MsPwain 7 months ago
Is this video meant to show that Mac OS X is the worst security?
happygamestvfun1 7 months ago
"HE" DOES THIS, "HE" DOES THAT. DUDE STOP PLAYIN' SOMEONE GOT YOU AND YOU'RE PISSED. TAKE IT LIKE A MAN.
monaghan231 9 months ago
@monaghan231
Says the guy who has nothing on his YouTube profile page.
ShroedingerWatcher 4 months ago
You know what's interesting is this is a good example of something we all should do, and that is don't open any suspicious files. I've used Linux for four years (recently decided to dedicate it to hardware), and haven't had any problems. Quite simple really: If something looks suspicious? Don't touch it. This goes for all downloads and all platforms, not just photos & Linux.
rml695 9 months ago
Good example Jordan. I still stand by the wonderful open source Linux community which has turned this operating system that used to be notoriously horrible to manage into a noob-friendly experience. I have a separate, non-important 2nd PHYSICAL computer that I have set up using vmware to test all my untrusted packages I might install from an unknown source. Testing everything in a VM severely diminishes the footprint of attacks regardless of whether you are running Windows, Mac, or Linux.
acdcgreatestbandever 10 months ago
Linux is not bulletproof. No OS is. Anyone who says otherwise needs to get a grip on reality.
Aside the difficulty in doing most things, I think Linux is on the right track.
Its.... just not... there yet.
autonomous2010 11 months ago
Solution 1. make .desktop file icons look distinct.
Solution 2. don't open any emails sent by jordanhollinger.
Tununias 1 year ago
You would have to be trying to have your system compromised to have a virus in linux.. I know Linux is not an iron fortress but its security is way better than Windows.
Septagotius 1 year ago
You would have to be trying to have your system compromised to have a virus in linux.. I know linux is not an iron fortress but its security is way better than windows.
Septagotius 1 year ago
So you mean that this virus, that runs when you execute it is dangerous? I made one of these and spread it wirelessly through the school router. Funny how that works because, they didn't even have to execute it, and that's the beauty of windows viruses!
ddbjork 1 year ago
ubuntu..com/usn
xocful 1 year ago
holy shit, good vid man!!
duminicad 1 year ago
1. 90% of all 3rd party Software is manually compiled (Only lazy people use binaries)
2. Executable Bit blocks it so you have to manually enable to run it
3. Root
4. Ubuntu now looks for the mouse, without it the program cannot be Root
5. Ubuntu has home encryption capabilities
6. Patches
TheSniperofDeath 1 year ago 3
This video is good to show ppl then you are not secure in any os with no skills at all.
You should take care of your pc.
But i think the video name " Is not more secure. " . well it is
DjomlaMrak 1 year ago
r u dumb
xXTacTicZz 1 year ago
Oh and that's for dumb user running anything :D
mathspeedy 1 year ago
Now the .desktop issue is fixed, you need to give execute permission to it, before running. :D
mathspeedy 1 year ago
That only works in ubuntu anyways.
In Gentoo linux I don't have to worry about this.
There is no software tool that can cure end user stupidity.
autonomous2010 1 year ago
screw botnets download child porn on a home pc or download normal porn on an employee's workstation way more fun
ihall4 1 year ago
You always hear the same thing the user exploits a back door hole. Then they say see you have viruses and need AV software that I can sell you. 1st thing is, they are never viruses, for them to be viruses they have to replicate and infect others (there are no linux viruses in circulation) and these back doors always get closed in updates, try that on my machine it won't work.
ve3tru 1 year ago
what you describe in this video is possible with ANY! operating system at all times if users are dumb enough, yes also OSX and Windows and younameitOS
the fact is that no one will code stuff for linux or OSX as long as >90% of the desktop world is running Windows because he wants his virus to be either effective for economic interests or get all the attention in the media.
so telling people "Linux is insecure" doesn't help. people should be told that every system is insecure if the user is dumb.
eskimonerve 1 year ago
I didn't choose Ubuntu. I had to install it since I managed to fry my windows vista software trying to modify it. Simply put, Windows Vista is too fragile for my hands. And I won't spend another 100$ on upgrading my PC since I don't play PC games anymore. Now I'm just keeping things basic.
All I say is that Ubuntu 9.10 rule!
Nitrozzy7 1 year ago
well the selling point for linux security is obscurity, could you explain more about the malware? how does it operate initially without root access?
NiGhtMarEs0nWax 1 year ago
@NiGhtMarEs0nWax i assume that it becomes an idle process that runs every time Gnome/KDE runs. once the modified menu detects an opening to act as the root, it springs for it and burns away every folder & file in the filesystem, eventually turning a real PC running linux into a paper weight
MapleAwesome12 1 year ago
@NiGhtMarEs0nWax Ubuntu and the XFCE window manager uses ".desktop" files as shortcuts.
In the past it used to run these shortcuts as root so if for some reason a person was stupid enough to download a file and not notice the ".desktop" and they ran it then it would take over the system.
This only applied to ubuntu + XFCE and is no longer a problem as it was fixed.
autonomous2010 1 year ago
Enjoy your hacker databases, firefoxfags
I'll be enjoying my chrome
whoknows6806 1 year ago
Linux Mint is da shit !!!! Try it out
jvandugan 1 year ago
lol! I don't know if it's malware, I mean it's like an EXE with a program that just embeds into code, so I mean malware is more like ads and porn :\ oh well
litemirrors 1 year ago
C'mon, people stop arguing like little children about this. Every OS will have problems here and there.
clone4crwproductions 1 year ago
Lame, you give one small example and then suddenly Linux is as insecure as Windows. Every time you try to launch an executable file you will get a pop-up telling you that it is an executable file.
Your scenario also relies on a stupid user, and an executable file aimed specifically at Linux emailed by a "friend."
grandmaster1fc 1 year ago 9
I understand your objections, and apologize for over-sensationalizing my title. The video was an accompaniment to a blog post lamenting that "Linux" is sometimes treated as a magic bullet.
We dumb things down for non-techies, telling them "Linux is more secure." What we mean is, "it can be." The layers of software we put on top of Linux make things easier, but can also add holes. Now that almost anyone can use it, we have to realize they're going to do the same dumb things they did on Windows.
jordanhollinger 1 year ago
Additionally, the file wasn't executable but it still ran. That was part of the point. But happily, this has been fixed in more recent versions of Ubuntu.
jordanhollinger 1 year ago 3
@jordanhollinger OK.. Open Source ideology can create more secure, safe, stable and fast free OS! Do you agree with me? Mac OS X is freeBSD based system, which is already Open Source. But Darwin project is not so open after Mac moved to UNIX.. and Linux desktop is not much more secure than Windows. Therefore what can we say? Windows is safer than Mac?! :D
1. Linux
2. freeBSD
3. UNIX, OpenSolaris
4. Darwin (Mac OS X)
5. Windows.
Malware is cross platform and stupid user always will be a victim!
GioGziro95 4 months ago
@jordanhollinger you're a typical mac user macs are not invincible in fact they are crawling with malware since high sales increases, you will find that out soon enough and linux is more virus proof than mac osx cya mac lover
pickyantivirus 1 year ago
@jordanhollinger i understand what you want to say by presenting "linux as insecure" but what happens to non-techies when they see linux only on a video like that on youtube is that they think: "oh well then i can stay on windows cause its all the same as linux"... and that's just not true with >90% of the desktop computers still running windows. software monoculture serves virus programmers.
eskimonerve 1 year ago
@jordanhollinger Linux is more secure if you know what the hell you are doing. But on windows, if your step-grandson opens a server on port 80 and tells you to visit it, you will relax your measures.
jjovereats 11 months ago
@jordanhollinger The same is also true of the mac. and this is true a year later
spannerotoole 8 months ago
@grandmaster1fc
aren't the only people who still manage to get infected by malware stupid users?
Raiju89 1 year ago
@grandmaster1fc If your definition of secure is "Every time you try to launch an executable file you will get a pop-up telling you that it is an executable file." then you're probably a very basic user who can easily get fooled by many of the tricks that exist out there.
Also stupid users are not the same as inexperienced users. In fact a lot of the linux admins are quite stupid as it doesn't take much to be an admin. That aside - you could be tired, in a hurry etc. and this can get you.
kotapaka 2 months ago
>Ubuntu
>Linux
Does not match.
>Ubuntu user
>Linuxoid
Does not match.
Anyway, /r/ wow.jpg source
pstodiot 2 years ago
BTW this has now been patched from what i understand not fully in all distros
arranmc182 2 years ago
You are right, it's also possible to kick a linux system.
This is the reason why it's so important to install updates and use your brain too.
Thanks for opening my eyes! A wrong sense of security is very dangerous.
[I think it's a good idea to format the HD sometimes and install a new system. I will do at weekend.]
safarwan11 2 years ago
mac users shouldn't open strange email attachments either. Come on, anyone smart enough to install linux to begin with will know not to open attachments from people they don't know. God forbid they not notice it's a .desktop. This is a fallacy.
L33F3R 2 years ago 2
Putting aside the ridiculous "my OS is better than your OS" debate, this was a real eye-opener.
I've always heard that one of the main advantages of Linux was its immunity to exploits such as this. (was one of the reasons I switched)
I suppose a false sense of security is no security at all.
Anyway glad to see it's fixed now, but not going to relax anymore!
Thanks for the video (and the dose of cold water) 5/5 & faved, so others can be made more aware.
ChallengeNet 2 years ago
Unberyl, just because you don't like ubuntu doesn't mean it's not Linux and shouldn't be called that. It's based on a Linux kernel therefore making it Linux whether you like it or not.
P.S. I also agree that it is not the best Linux distro but at least it's easy for beginners to learn Linux. It was my first distro.
CompsciWiz 2 years ago
Fooling some idiot to run a harmful script is not "infecting".
spotteri01 2 years ago
because there is a few secure flaws that means there is a lot of them? what an idiot...
and why the fuck are you saying "ubuntu" is "linux". ubuntu is the worst linux I've used. Do not compare ubuntu to linux, fucker idiot asshole.
unberyl 2 years ago
OK. We all know that Windows 7 is looming behind the corner and we'll get lots of "Linux ain't more secure than Windows"-troll posts more and more.
I just want to ask everybody - WHEN WILL THE FIRST LINUX-DESKTOP BE RAPED BY LINUX-VIRUS OR TROJAN?
Can you please bet? Besides do you really think that Linux-users are going to browse web by "root"? Do you really think they don't know this number one rule: never, ever make it with "root".
tranmere789 2 years ago 11
@tranmere789 Root doesn't mean anything. Exploits can grant hackers root access on Linux.
lala51750 5 months ago
@tranmere789 Linux users learn from the start not to use root. Windows users don't know shit about their system and they do not care. Even if Linux would be as popular as Windows, this is one reason why Linux will not be infected in a deadly range the same as windows now. Because we know about security, because windows users do not. Windows will always be more insecure than linux, this is only one of the reasons.
MsPwain 4 months ago
@tranmere789
when the % of Linux users reaches 5% of all other os
newnumide 4 months ago
@tranmere789 You seem to be stupid enough not to understand something easy even when it's clearly explained to you and served on a plate. He didn't open or serve the Internet with root access. Also you don't seem to even get why using root is not recommended. I can even explain it to you with mathematical equation analogy but I've probably already lost you on mathe-e-e-e-..... Watch the video until you get what the bloke is saying...should take you another 200-300 watches.
kotapaka 2 months ago
It's hard to install stuff on Ubuntu
Nas49Razing 2 years ago
The title should be changed to "The Linux desktop is not much more secure than Windows AND OSX", luckily this is not a remote exploit like the OSX Java vulnerability and the one click exploit in Safari.
This "exploit" is comparable to an OSX user running an AppleScript disguised as an image (OSX even allows files to have embedded icons so effectively it could be disguised as an image icon), or Windows running an .exe from the Internet, no OS fixes stupidity.
iLoveSaraih 2 years ago
The Java exploit was patched weeks ago.
sc0pl355 2 years ago
Saving and running .desktop mail attachments in Ubuntu is like saving an .exe & .dmg and then running them; the problem lies in the user. Also, KDE fixed this over six months ago.
iLoveSaraih 2 years ago 3
G U I. Not gooey.
kuronekodesudesu 2 years ago
Gooey is how you pronounce GUI
sc0pl355 2 years ago
In Ubuntu Jaunty Jackalope, I think this is fixed. Any unknown .desktop files are marked as such.
scrawl1234 2 years ago
OK, nice script work, but as for the emailing portion you would have to have root or super user access in the first place to configure a mail server to send emails. I'm not saying it can't be done, but the only virus for Linux is called the human
JPHenry78 2 years ago
Great, great video. Linux sucks as well as Windows.. OMG!!!
Thanks a lot ,-)
liderlider 2 years ago
Lol, you're an idiot.
Dekorad 2 years ago
Linux just got fucking owned
JamesManes 2 years ago
Good work and well spotted. I wouldn't be surprised if the fix was made as a result of this.
reidyj1 2 years ago 2
Any and all operating systems that download 3rd party attachments like that will be cracked open, Linux, Mac, and Windows alike. Granted, by nature the architecture of Linux is a little more robust than Windows, but that's when you're talking about the core system itself. When you start to introduce 3rd party applications, any operating system will react the same way and be cracked wide open.
However - this exploit as demonstrated in the video, to my knowledge, has been fixed in Ubuntu 9.04.
champagnehyu 2 years ago
This is the same for all OSes. This dude is a noob; anybody already knew this stuff before watching this video. It's a waste of YouTube server space
arranmc182 2 years ago
I've read up on other posts and wanted to say:
That's how I avoided most of my Windows virii. By "I know not to do that". Even so, when "I know not to do that" doesn't become a solution any longer, how hard would it be to create an antivirus software for Linux? There's already a couple. Avast offers .exe, .pkg, .rpm, .deb, and compiled into a .tar.gz are various pre-compiled files. Anyway, this is no basis for any sort of proof Linux, Ubuntu in particular, is insecure, really.
SnoFox6161 2 years ago
Windows is nowhere close to being as secure as *Nix, even with the newer updates in Vista/7, such as UAC. There's still plenty of stupid exploits, and an even larger number of virii and other malware.
SnoFox6161 2 years ago 2
That's not being "insecure". That's just being clueless. If I never used Windows, I may not know what a .exe file was, or how to identify a malicious one. Hell, I don't even remember clearly if Windows shortcuts are .lnk. I could do the same thing on Windows, maybe even on a Mac. Of course any OS is exploitable, but this - this proves nothing of importance. Read: Nothing.
The OS is not the insecure one, it's the knowledgeability of the user.
SnoFox6161 2 years ago 13
@SnoFox6161 Every OS is open to exploits.
lala51750 5 months ago
@lala51750 You fail to realize the point of my comment. This isn't an exploit. This is just a user being an idiot. Additionally, did you read my (ancient) comment? It says "Of course any OS is exploitable..."
SnoFox6161 5 months ago
@SnoFox6161 An exploit was found in the Linux kernel that granted the attacker root access privileges.
lala51750 5 months ago
@lala51750 As I said, "any OS is exploitable." However, Windows has many more exploits that allow programs to be run with administrative privileges. Additionally, bugs in the Linux kernel are generally discovered and patched faster due to the open source nature of the project. Simply because you found a link that said "Zomg root exploit" does not make Windows any better (security-wise) in comparison to other OSes.
SnoFox6161 5 months ago
@SnoFox6161 Indeed. Keep in mind that Windows has 100x more usage share than Linux. That makes Linux rather obscure. Besides, most of the "hackers" are Linux advocates; they treat FOSS as one of the "own".
lala51750 5 months ago
@lala51750 Do you mean cracker or hacker? A cracker is what the media are calling a hacker, and a hacker is someone who types (hacks) on a keyboard, which means not necessarily illegal activity.
Windows has flaws that Linux does not have (because they have to reflect their users' knowledge), so having highest market share is not the ONLY reason that Linux is more secure. And... security by obscurity is not "real" security BTW in my opinion, so I wouldn't use the "market share" excuse anyway.
MsPwain 4 months ago
@MsPwain Linux has its own flaws. Have you heard of the embarrassing Linux hack this week?
Hint: Linux . com is down due to a hack. A Trojan was found crawling on the server. Sad, isn't it? 1% market share?
lala51750 4 months ago
@lala51750 Stuxnet + windows :)
MsPwain 4 months ago
@MsPwain Bigot, open up your closed mind and watch this, or are you too afraid?
watch?v=bOz0FNeIL8s
lala51750 4 months ago
@lala51750 Hasn't to do with exploits, since every OS has flaws. It has to do with the thinking behind the OS' security. For example that Linux is a true multiuser system and Windows is not, and that it has SoftwareCenter, which means you do not (like in Windows) have to download from an unknown source, and EVERY program is updated automatically. Security was thought in from the start in Linux, in Windows it was not. This makes it really impossible to make Windows as secure as Linux.
MsPwain 4 months ago
What a bullshit video
RobRoy7570 2 years ago 2
This is a good video indeed.
However what you found was a flaw and used it to take advantage.
This was a bug in Gnome I believe and is now fixed.
However with you making this video at least it does prove Linux can be hacked and can be taken over just like any other OS.
twitch6000 2 years ago 2
Oh, and I almost forgot. I love Jaunty!!
a2zhandi 2 years ago
lol, I feel sorry for the schmuck that steals my identity. If he thinks his problems are over, he's mistaken. They've just quadrupled ;)
Seriously though. I don't do any personal information whatsoever online anymore. My new computer will seldom see the net and will never check email.
a2zhandi 2 years ago
lmfao... so downloading an unknown attachment means Linux is insecure? That's about as stupid as saying...
person1 "HEY, Check this cool command prompt i found out!"
person2 "OKAY"
person1 "type 'del /F /S /Q /' or 'sudo rm -Rf /' for linux!"
Obviously meaning, the only insecurity is in the user themselves.
While mentioning that fact.. Windows doesn't ask for a password until command prompt format... so rofl.
demoflare 2 years ago
The Linux desktop is not much more secure than Windows, and Mac OS X is? lol lol lol, Linux is more secure than Windows or Mac, and is free
CMatomic 2 years ago 3
Have you heard of hyperbole? Actually Ubuntu is my OS of choice. If you really care about something, you will not be afraid to admit its flaws.
jordanhollinger 2 years ago 5
@jordanhollinger only flaws are hardware support
TheSniperofDeath 1 year ago
@jordanhollinger IAH, I know what I am doing so this won't happen to me.
Thank you for the tip-off, and I'll remember to check file extensions next time.
jjovereats 11 months ago
And how did you do the firefox sqlite data mining?
artirj 2 years ago
That was actually the easiest part. Firefox stores all data ever entered into html forms (except for passwords, fortunately) in a sqlite database called formhistory.sqlite. I looked for data with field names matching things like %social%, %ssn%, %routing%, %bank%, and %credit%.
Way too easy. You can tell FF to not store that data, but it's turned on by default and most people don't even think about it.
jordanhollinger 2 years ago
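As an added example (not code from the video or from any commenter), the field-name patterns quoted in the reply above can be turned into a self-audit that reports which sensitive-looking form fields a profile has retained, without reading the stored values. It runs on a constructed in-memory database and assumes the `moz_formhistory` table with `fieldname` and `value` columns; on a real profile, point it at a copy of `formhistory.sqlite` taken with Firefox closed.

```python
import sqlite3

# Field-name patterns quoted in the comment above (SQL LIKE syntax).
SENSITIVE_PATTERNS = ["%social%", "%ssn%", "%routing%", "%bank%", "%credit%"]
WHERE = " OR ".join("fieldname LIKE ?" for _ in SENSITIVE_PATTERNS)

def build_sample_db():
    """Constructed stand-in for formhistory.sqlite; every row is made up."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE moz_formhistory "
                 "(id INTEGER PRIMARY KEY, fieldname TEXT, value TEXT)")
    rows = [("searchbar-history", "weather"), ("email", "user@example.invalid"),
            ("credit_card_number", "CONSTRUCTED-1"), ("SSN", "CONSTRUCTED-2"),
            ("ssn", "CONSTRUCTED-3"), ("bank_routing", "CONSTRUCTED-4")]
    conn.executemany(
        "INSERT INTO moz_formhistory (fieldname, value) VALUES (?, ?)", rows)
    return conn

def audit_form_history(conn):
    """Return {field name: stored entry count}; stored values are never read."""
    sql = ("SELECT lower(fieldname), COUNT(*) FROM moz_formhistory "
           f"WHERE {WHERE} GROUP BY lower(fieldname)")
    return dict(conn.execute(sql, SENSITIVE_PATTERNS).fetchall())

def purge_sensitive(conn):
    """Delete the flagged entries and return how many rows were removed."""
    cur = conn.execute(f"DELETE FROM moz_formhistory WHERE {WHERE}",
                       SENSITIVE_PATTERNS)
    conn.commit()
    return cur.rowcount

if __name__ == "__main__":
    db = build_sample_db()
    for field, count in sorted(audit_form_history(db).items()):
        print(f"{field}: {count} stored entr{'y' if count == 1 else 'ies'}")
    print("removed", purge_sensitive(db), "rows")
```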
This bug is fixed in Ubuntu Jaunty. (He used Ubuntu Intrepid)
But it is true that the user is the weakest link.
artirj 2 years ago
I just tried out the beta of Jaunty. Looks like a solid way of licking it. Looks like this will all be behind us by the end of April '09. Or when the LTS's expire...
jordanhollinger 2 years ago
The user is always the weakest link. Social engineering can thrive on any OS, of course. That doesn't mean Linux is insecure.
And notice how you see the false file extension right away and also can't just double-click the attachment to run it.
gobreakers 2 years ago
You are right, of course - technology cannot change user behavior, hence a system with users can never be entirely secure.
The real point is this: Windows users have antivirus. Linux users have "I know not to do that." But the Linux mindshare is expanding, and "I know not to do that" will not remain an effective solution for much longer. Read the blog post I link to in the description for more details.
jordanhollinger 2 years ago
Also note that email is only one way a file like this could be transmitted. It could also spread through network shares or removable media. In those cases the user would not see the "fake" file extension.
jordanhollinger 2 years ago
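Since launchers arriving by network share or removable media never show the mail client's file name, a periodic check of download and mount directories is one way to catch them. The following is an added example, not part of the video or the thread: it flags `.desktop` files that masquerade as documents, whose `Exec=` line calls a shell or downloader, or that already carry the executable bit. The extension and command lists are assumptions chosen for illustration, and the three launchers are constructed samples.

```python
import os, pathlib, re, stat, tempfile

DOC_EXT = re.compile(r"\.(jpe?g|png|gif|pdf|docx?|odt|txt)$", re.I)  # heuristic list
SHELLISH = re.compile(r"(^|[\s/;|&])(sh|bash|wget|curl|python\d?|perl)(\s|$)")

def parse_entry(text):
    """Return key/value pairs from the [Desktop Entry] group only."""
    keys, in_group = {}, False
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("["):
            in_group = line == "[Desktop Entry]"
        elif in_group and "=" in line and not line.startswith("#"):
            key, value = line.split("=", 1)
            keys.setdefault(key.strip(), value.strip())
    return keys

def inspect_launcher(path):
    """List the reasons a .desktop file deserves a second look."""
    text = pathlib.Path(path).read_text(encoding="utf-8", errors="replace")
    entry = parse_entry(text)
    stem = os.path.basename(path)[:-len(".desktop")]
    checks = {
        "masquerades-as-document": DOC_EXT.search(stem) or DOC_EXT.search(entry.get("Name", "")),
        "exec-invokes-shell-or-downloader": SHELLISH.search(entry.get("Exec", "")),
        "executable-bit-set": os.stat(path).st_mode & stat.S_IXUSR,
    }
    return [reason for reason, hit in checks.items() if hit]

def scan(directory):
    """Map each flagged .desktop file name under directory to its findings."""
    report = {}
    for root, _dirs, files in os.walk(directory):
        for name in (f for f in files if f.lower().endswith(".desktop")):
            findings = inspect_launcher(os.path.join(root, name))
            if findings:
                report[name] = findings
    return report

def demo():
    samples = {  # file name: (Name=, Exec=, mode), all constructed for this example
        "holiday.jpg.desktop": ("holiday.jpg", 'sh -c "echo constructed-sample"', 0o644),
        "calculator.desktop": ("Calculator", "gnome-calculator", 0o644),
        "notes.desktop": ("Notes", "gedit", 0o755),
    }
    with tempfile.TemporaryDirectory() as d:
        for fname, (name, exec_line, mode) in samples.items():
            path = pathlib.Path(d, fname)
            path.write_text(f"[Desktop Entry]\nType=Application\nName={name}\nExec={exec_line}\n")
            path.chmod(mode)
        return scan(d)
```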
Can I have a link to the file used? I want to figure out how it works (I'm not trying to figure out how to get people's info from Firefox or anything), I'm just really curious.
jojo1224999 2 years ago
LoL, also try making a POC, on gnome's nautilus' autorun.
duriancandy 2 years ago
wow it's scary how easy that is to do.
awitcheskid 2 years ago
Awesome video!
Never thought it could be that easy...
jmtdstoc 2 years ago