Ubuntu has just released the new long-term support version of its desktop Linux operating system. It has some new features, including the addition of the “snap” package management format. One of the claims about “snaps” is that they are more secure: their read-only and necessarily self-contained installation makes them more difficult to hack across applications. In principle.
[mjg59] questioned their claims of higher cross-app security. And rather than just complaining, he put together an exploit disguised as an adorable teddy bear. The central flaw is something like twenty years old: X11 has no sense of permissions, and any X11 application can listen to the keyboard and mouse at any time, regardless of which application the user thinks is receiving the input. This makes writing keylogging and command-injecting Trojans effortless, which is what [mjg59] has done. You can download a harmless version of the demo from [mjg59]’s GitHub.
This flaw in X11 is well known. In a sense, there’s nothing new here. It is only in light of Ubuntu’s claim of cross-application security that the point is worth revisiting.
And the teddy bear in question? Xteddy goes back to the days when it was cool to display a static image in a window on your desktop. It’s like a warmer, cuddlier version of Xeyes. Except it just sits there. Or, in the [mjg59] version, it logs your keystrokes and uploads your passwords to shady underground characters or TLAs.
We’ve already talked about Snappy Core for IoT devices, and we think it’s a step in the right direction to create a system in which all moving parts are loosely connected to each other, making it possible to update one component of your system without updating (or degrading) everything. It probably improves security when paired with a newer display server like Mir or Wayland. But as [mjg59] pointed out, “snaps” alone do not fix X11’s security flaws.
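A defensive check for the exposure described above, added here as an example (not code from the article or from [mjg59]): it lists the snaps that hold a connected `x11` plug, assuming the column layout printed by `snap connections --all`, and rates the session by its `XDG_SESSION_TYPE` value. The sample table, the snap names in it and the function names `x11_snaps` and `assess` are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: which snaps can talk to the X server, and does it matter here?

# Constructed sample in the column layout of `snap connections --all`
# (snap names are made up). A Slot of "-" means the plug is not connected.
SAMPLE_CONNECTIONS='Interface  Plug               Slot      Notes
network    xteddy:network     :network  -
x11        xteddy:x11         :x11      -
x11        notes-app:x11      -         -
wayland    notes-app:wayland  :wayland  -
home       editor:home        :home     -
x11        editor:x11         :x11      manual'

# Read `snap connections` text on stdin and print, sorted and de-duplicated,
# the names of snaps whose x11 plug is connected to a slot.
x11_snaps() {
  awk 'NR > 1 && $1 == "x11" && $3 != "-" { split($2, p, ":"); print p[1] }' |
    sort -u
}

# Rate the exposure. $1: session type (the value of XDG_SESSION_TYPE),
# $2: newline-separated snap names as printed by x11_snaps.
assess() {
  if [ -z "$2" ]; then
    echo "ok: no snap holds a connected x11 plug"
    return 0
  fi
  case "$1" in
    x11)
      echo "exposed: every X11 client, confined or not, can observe input to the others" ;;
    wayland)
      echo "limited: X11 snaps share Xwayland and can observe only other X11 clients" ;;
    *)
      echo "unknown: session type '$1', check the display server by hand" ;;
  esac
}

# Demo on the constructed sample. On a real system, feed it live data:
#   snap connections --all | x11_snaps
snaps="$(printf '%s\n' "$SAMPLE_CONNECTIONS" | x11_snaps)"
printf 'snaps with X11 access:\n%s\n' "$snaps"
assess "${XDG_SESSION_TYPE:-x11}" "$snaps"
```
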
“X11 has no sense of permissions” This is wrong.
X11 is not fundamentally insecure. In fact, X11 has had security infrastructure between clients for a long time. It is simply not in use and has also been overlooked, as most distributions set everything to open. The fault is not with X11, the fault is with Ubuntu, CentOS, RedHat, etc… because distributions don’t use the built-in security that can and will keep bad programs from snooping on each other. And honestly, it’s not a “giant security hole” because you have to run the app, and if you download random things and run them without making sure they’re trusted, you have a lot more problems in your system than X11.
Finally, other processes of the same user are not protected from each other in Linux anyway, so I can easily snoop around directly without X11 running. But then the same can be done under any operating system: if the malicious code is running as the user, it can observe the user.
As for clients and/or user processes themselves, X is essentially much more secure than Unix has been.
“And if you download random things and run them without making sure they are trusted, you have a lot more problems in your system than X11.”
What else can you do if the desired software is not in the central repository and you are a user without any knowledge of source code?
You need to be able to download software, but you don’t have the ability to tell if it’s safe, and distribution lords can’t keep giving you everything you probably need, not even close.
Hey, there are a lot of people who make a lot of money spreading concerns about the “security” of the system. Stop trying to spoil it.
Yes, I totally agree. I’ve been on the net since the days of bulletin boards in the early 1990s. I never bought a virus checker, I only have what the operating system offers. That’s because I never download random apps, only reliable sources for me. It turns out that too many PC operating system installations have been interrupted via virus checkers, they have never been detected via a virus.
You think you’ve never had a virus or anything because you’ve never had a way of stumbling when you had one …
You can search for viruses by installing antivirus immediately.
He’s right. Most AV software is crap, and even the most productive ones don’t. Most of the time, all you manage to do is slow down a PC until it crawls and cause some strange problems/failures with the operating system apparently too smart and absolute breakage. Norton/McAfee in particular is as bad as malware itself to spoil your business, and even spreads like malware because it’s bundled with many popular applications.
This only works against the classic Bonzi Buddy stuff where you have to download an .exe file and run it; other vulnerabilities come from your Internet browser or other software that the antivirus doesn’t even check because it already runs as trusted software, a service. Things like Flash exploits.
So, the moral of the story is that you cripple your PC with AV software that doesn’t protect you from viruses/malware, while the only genuine solution is common sense: don’t download unreliable software and don’t visit dubious websites with Flash, etc., running by default.
anyone who claims never had a virus and used computers sparingly, if for others, for himself.
He had a virus, which he knew was probably a bad registry, but reliable virus scanners. I had received a copy of a PC game five or eight years ago and needed a keygen or a registration crack. Whatever the reason, the file that came with a list of key text, well, I ran it. I saw that most of my favorite Internet sites opened pop-ups, and none of the addresses on the links were displayed correctly. I checked my proxy settings, and they were allArrayRestablish them, restart them and they were given again. Used a quick Google search to identify the virus, locate the registry keys and files it used, and neutralize it.
Then reformatted just to be sure. It’s the last game I hacked; not because of the virus, I got tired of it.
So aside from one file where I relied on the local AV to protect me, I wasn’t hit either. uMatrix configured to whitelist sites like HaD and others, while blocking Flash and tracking cookies, or just NoScript-like elements blocking Flash and JS. Virus vectors are not difficult to detect while driving.
That’s not necessarily the case. If you use a rare platform, such as OpenBSD or WebOS, you are in too small a group to be attractive to virus authors. It also helps not to open all the stupid emails you get with an attachment. Use an email reader which does not execute code just because the attachment is executable (and is not visually marked to the user as such). Also avoid stupid software like Acrobat Reader that implements a JavaScript engine (what can go wrong?) or Flash, etc. Have I ever been hacked? I can’t say for sure; however, it would be through a smart hacker, not through an advertising virus, and I doubt they’ll worry about me.
The only virus I’ve ever had on a private PC made its way in through an infected game CD (commercially manufactured/sold). The PC pressing copies of the CD had become infected, so each and every disc created afterwards was infected.
I had my hands crossed for this article that was going to be about this bad boy.
I don’t have the precise specifications, but I know you have a camera, a microphone and Linux… That’s enough to do stupid things, isn’t it?
This is weird!
I’m not sure I understand what you’re trying to argue. They don’t say “snaps fix this X11 problem”, they just say it’s safer, vague though that is. He just pointed out a problem that existed before snaps, and tries to make sure that snaps don’t solve the problem. Why target Ubuntu and snaps when the same can be said for tons of other distros? Looks like a personal vendetta to me.
Re: Personal Vendetta – I think that’s probably true. There are others who complain strongly about the trade-offs between openness and security made by X11 (@Timothy Gray: as configured in most major distributions).
Canonical/Ubuntu _did_ state that its snaps isolate one application from another. And while this is true, since they don’t share linked libraries, the point of this app is that it’s not enough.
There has been a group of security researchers who have complained that without complete sandboxing of applications, Linux is extraordinarily insecure. Canonical (Ubuntu) and Red Hat back different approaches to smartphone-like application distribution/management.
[mjg] was involved in reviewing the security model of xdg-apps, which is the solution from Gnome / Red Hat / freedesktop.org. xevilteddy is a proof of concept to show that xdg-apps is better.
Now, this refers to the broader debate that the Linux community is going through about who defines the core that all Linux distributions will have to follow. There are 3 main camps: Canonical (Ubuntu) defines policy, Red Hat defines policy, and the status quo (distributions do their own work).
The end result of Canonical or Red Hat is that all other distributions have only one logo symbol on their main operating system.
That’s why Canonical and Red Hat have had public battles to replace parts of the old Linux stack: Upstart and systemd for sysvinit (Red Hat won). Mir and Wayland for X11 (Red Hat will win again). Snaps and xdg-apps for classic package management (hopefully neither, still Red Hat).
Interestingly, the way to infect a Linux box is to post a script as an answer on Stack Exchange. You’ll have a lot of monkeys who will execute it without looking. :-p
You’re right, sir!
If you allow an unknown application to run, you get what it gets.
Snap packages seem like an idea: new inventions naturally need time to bear fruit. I am pleased to see Ubuntu innovate and try to provide its users with something new. There is also Arch and AUR, as well as the openSUSE build system, all trying to solve problems/failures with classic package management systems.
Personally, I prefer to use Debian on the desktop and server. I use Debian Stable almost exclusively, flirting with Debian Testing from time to time and using Win10 for games.
Ugh.
Then… once I’m one of the systems I chose to download and run, you know Array … once my PC is a smart babysitter, what am I going to lose? Aren’t there times when I need a running app to monitor the keyboard and/or mouse while another is active?
It’s not similar to the keyboard/mouse, but in the brave new sandbox world, can I even take a screenshot? I’d probably be an idiot who downloaded something stupid and this can also send screenshots of my bank screen to Nigeria or something!
Literally, I’m sick of security gurus telling us they know what’s best for us without paying attention to what we might need our computers to do.