[SGVLUG] Something to take your mind of Reiser...

[Rae Yip]

One approach is to use an epidemiological analogy; there are few
viruses that jump species barrier, and usually they are within the
same family of organisms.

The shared "base code" for Windows and Linux is not completely null,
but the exploit targets are different enough that you can avoid worry
about cross-infection. For now, this likelihood is very insignificant,
and at worst would be something like the chance of getting rabies.

Thus just like we do a risk-benefit analysis that says it's okay to
pet a neighbor's dog, there's no use being overly paranoid about
OpenOffice being a vector for Windows viruses.

What is worth worrying more about is the safety of your Linux
environment. It's unquestionably safer than running on Windows, since
it obsoletes the necessity of practicing "unsafe sex" with software
downloaded from the net. This doesn't mean we're safe from "airborne"
infections from the browser world, though.

Anti-virus software is like getting an AIDS test every day (along with
the added inconvenience); this has helped significantly with stemming
the spread of computer viruses in Windows. We've been getting a free
ride on Linux despite the  derth of virus scanners, that may not last
much longer, for two reasons: firstly, as mentioned above, the browser
is increasingly becoming a target for infection.

Secondly, if miscreants decide to poison our packages with something
subtle enough to go unnoticed, this would be like a sleeper
bio-warfare agent. By definition, detection would be problematic even
if there were virus scanners in common use on Linux.

So is all of this cause to stop storing anything valuable on your
computer? No, because there are steps to mitigate the dangers.

If you're afraid of browser exploits, do what people have done
historically during periods of outbreaks of airborne plagues - don't
come into contact with parties you don't trust! Use tools like
noscript, and lock your valuables in an encrypted vault. If you're
super paranoid, don't browse unnecessary websites using the same
account that owns or processes your valuable info.

Measures against computer "germ warfare" will have to be executed at
the organisational level; as the risks become more apparent, we will
have to decide how best to certify binary package builds, especially
third party submissions. Certain sanitation standards will be required
during preparation, just like we have for food production.

But to bring things back to the real world, most of us operate on
assumptions far from extreme paranoia. We eat food from restaurants
without insisting on looking inside the kitchen. We hand our credit
cards to waiters without worrying too much about whether the card info
will be abused.

The reason all of this works is because we live in a world of checks
and balances, where we dole out permission to execute things on our
behalf, but we can revoke them and get restitution when things go
wrong.

As long as we make sure the electronic world is in accordance with
this larger picture, I think we'll all be okay.

-Rae.

P.S. If you want to read about a security model that attempts to do
this in a more fine-grained way, take a look at "capabilities-based
security".


On Wed, Jul 9, 2008 at 3:12 PM, Emerson, Tom (*IC)
<Tom.Emerson at wbconsultant.com> wrote:
> I was just asked a very interesting question in the breakroom -- "is it
> safer to use linux without any sort of anti-virus software compared to
> windows running stuff like Norton when doing online banking?"
>
> To be honest, I don't exactly know how to answer that.
>
> He was also a bit concerned about converting an openoffice document to a
> microsoft office format and somehow picking up a "macro" virus in the
> process (i.e., it would be "clean" on a Linux system in OpenOffice, but
> "dirty" once converted, and therefore capable of infecting a windows
> system)
>
> Again, I stumbled a bit trying to figure out HOW to answer that -- my
> mind kept coming back to a line from Star Wars: "The FUD is strong in
> this one..." -- Sure, I know WHAT the answer is (it is essentially
> imposible(*)) but I don't know how to answer it in a way that would make
> sense to him.
>
> Anyone else encounter situations like this?  What was your answer?  What
> would you tell this guy?
>
> Tom
>
> (*) or "highly improbable" -- that would mean that the version of
> Openoffice on a linux system was deliberately injecting viruses when
> converting to/saving as "Microsoft Office" formats -- certainly not
> impossible for this to happen, but given the "peer review" nature of
> open source, you'd have to be damn clever to get it in to the active
> codebase without anyone noticing.  [well, I suppose you could get
> "everyone on-board" on the idea that it /should/ do this, but that is
> only marginally easier -- refer to Dustin's post, to do wo would be
> ethically wrong, and we like to think we're above all that, right? ;) ]
>
>