You are here: CrunchBangArchivesNovember '07Malicious Linux Instructions

Wednesday, November 28th, 2007

Malicious Linux Instructions

Tom Dryer offers some good advice to novice Linux users concerning the execution of malicious terminal commands/shell scripts:

Don't run a command if you don't understand what it is doing and don't run commands from untrusted people or places. Check with someone you trust if you are not sure, or check out the command's manual page.

Tom's advice is sound, but I fear he's shouting into the wind. I read the same Ubuntu forum announcement as Tom and while I've always been aware of the issue, it's worrying to read about it on such a high-traffic site as Ubuntu Forums — more so considering the site is heavily used for system support/help requests.

I find it funny that some Linux advocates proudly shout about the fact that Linux is near enough immune to virus attacks, yet rarely mention the negative aspects of running such a powerful system. Some of the malicious commands mentioned in the announcement are far more destructive than your average Windows virus.

The most worrying aspect to all this is the potential future implications for Linux on the Desktop. If When Linux finally gains real market share, then this type of maliciousness could really explode on the community [quite literally.]

Not a solution, just an idea

There isn't an immediate solution to this problem, there may never be a solution. However, I have come up with an idea that might help Ubuntu Forums to combat it:

The idea would involve Ubuntu Forum users [those wishing to post code or instructions] applying for a "seal of approval". The application would be looked at by a board/council and a seal issued when the applicant had shown enough evidence to warrant receiving it. Applicants could also submit testimonials from other forum members to backup their application.

Once a seal is approved it would be prominently displayed as an image link within the users profile bar. Clicking on the image would send the visitor to a notice page informing them that the message had been posted by an approved user.

All forum users should be made aware of the seal and its meaning. This could be done on registration for new users and via an announcement for existing members.

I'd be interested to know what people think of this. Please feel free to post a comment saying why it's either good or bad idea. Any technical suggestions about how it would work would also be welcome :)

Tagged with: security, ubuntu

13 Responses to “Malicious Linux Instructions”

  1. Tom Dryer wrote, Wednesday, November 28th, 2007

    Thanks for the mention, Philip. I your idea of an approval seal, but getting all forum users aware of it could be troublesome. How about a warning appended to posts written by newly registered accounts? It's not as foolproof as approving users one by one but I think it would be good enough to stop most people who are signing up just to cause problems.

  2. Alan Pope wrote, Wednesday, November 28th, 2007

    There is a spec for something very like this already and we discussed it at length at UDS in Boston last month.

    https://blueprints.launchpad.net/ubuntu/+spec/forum-content-certification

    It's difficult to distil down the numerous points of view and discussion that was had at UDS, but in a nutshell.

    Initially it was thought that we could have a team who certified forum content (how-tos) to say that they are "golden" or "pristine". These should possibly then be made read-only and in some way tagged as "good".

    It was also suggested that many of the (around 500) how-tos in the forum actually contained some bonkers things like "sudo rm rf *" (legitimately and meaning well, but just daft) or "sudo -s && tar zxvf foo.tar.gz" (nobody needs root to untar) and so on.

    I know Mike B contacted the community council and the general opinion of the cc was that we should not discourage people from creating documentation / how-tos in any way.

    There is also the following initiative on the documentation team server:- https://help.ubuntu.com/community/forum which seeks to take how-tos from the forums and make them part of the main documentation.

    Like I say, hard to distil the many hours down, but thats the jist.

  3. Rebenga wrote, Wednesday, November 28th, 2007

    I find it funny that some Linux advocates proudly shout about the fact that Linux is near enough immune to virus attacks, yet rarely mention the negative aspects of running such a powerful system. Some of the malicious commands mentioned in the announcement are far more destructive than your average Windows virus.

    With great power comes great responsibility. If you want to attack this non-issue (which it seems you do) then I say bollocks to you.

    Either you learn to distinguish what constitues a dangerous command, read up and learn stuff so you don't accidentally wipe something, and accept that it's up to YOU to know this stuff - or else you stay put in Mickey Mouse-land where some greedy corporation takes it upon themself to make all the decisions for you regardless of what you think.

  4. Philip wrote, Wednesday, November 28th, 2007

    @Tom: No problem :) To be clear, I'm not suggesting that any users are somehow forbidden from posting code/commands/instructions until they are approved, but rather encouraged to apply for a seal of approval/certification. It's not foolproof by any means but I think a system that self moderates by a mixture of peer review and self certification is the way to go.

    @Alan: Fountain of all knowledge, that should be your new handle :) Thanks for the links and related information. Summary from the wiki:

    Design a forum team that would review forum posts that are instructional in nature and check validity of instructions. The team would also be charged with promoting and marketing these approved instructions in the forum and the Ubuntu community as a whole. This would act as a enhancement to the existing Tips & Tutorials section on the Ubuntu Forums.

    I think the above would be a great idea. Maybe the inclusion of a "seal of approval" system would reduce the amount of administration needed!? I'll tag a comment to the end of the wiki page.

    @Rebenga: I'm not sure this "non-issue" is as black 'n' white you seem to think. Peace.

  5. Vincent wrote, Wednesday, November 28th, 2007

    +1 from me :)

  6. Adam wrote, Wednesday, November 28th, 2007

    This is a slightly different spin on the 'certified how to's', just to get the ball rolling, add a new forum to the forums main page called 'Ubuntu certified how to's' and move all reviewed how to's there as read only. Make it so that only forum moderators are aloud to add content their as certified after review. Then their would be no need for a seal or some other indicator on individual posts or forum topics and how to's, they would be in one central place and those selected for forum review could start right away with out much effort! On the main forum page the forum could be marked with an icon indicating that it new or bold or a larger font to draw attention to it when one logs in. Problem solved!

  7. HeartBurnKid wrote, Thursday, November 29th, 2007

    I find it funny that some Linux advocates proudly shout about the fact that Linux is near enough immune to virus attacks, yet rarely mention the negative aspects of running such a powerful system. Some of the malicious commands mentioned in the announcement are far more destructive than your average Windows virus.

    This is nothing unique to Linux; in fact, powerful commands like this are a vital component to any operating system. For example, try telling your (least-)favorite Windows newb to enter the following at their command line:

    cd /d c: & del * /s /q

  8. Philip wrote, Thursday, November 29th, 2007

    @HeartBurnKid: This is true, however is it not far more common to give command line instructions for Linux than it is for Windows?

  9. HeartBurnKid wrote, Thursday, November 29th, 2007

    @Philip: Not if you're an old DOS warhorse like me. I give people instructions for the command line all the time. Often it's the fastest and easiest way to do something.

    By and large, probably yes, because most of the Linux community is old geeks like me, while most Windows users are not.

  10. ed wrote, Friday, December 14th, 2007

    Just make an array of commands that contain sudo, rm etc, then when the user posts this the admins have to moderate the reply to allow it to appear.

    Not all replies to forum posts need code to backup what to do, only a small percentage. This malicious activity is here because some people expect to just copy/paste to make the world carry on spinning, how about training people to describe what to do rather than to solve it for them? It would probably help educate them in the long run.

  11. Antho K wrote, Sunday, January 27th, 2008

    I think a better solution would be that when you run these commands in the terminal (or other methods), it is a requirement to say 'you are about to insert malicious thing that's about to happen here to your computer, are you SURE that you want to do this, this is a fatal command', saves the need to punish anyone at all, really.

  12. Mark wrote, Monday, March 8th, 2010

    I'm on the same page as Antho K. Perhaps a feature in an upcoming ubuntu pkg, could be a 'fatal command' warning, prompted by those rm-rf , mkfs commands or by those command 'bombs'

  13. Yuhong Bao wrote, Friday, April 30th, 2010

    Windows already does this with the FORMAT command, for example, and has since the DOS days.

Add Your Comment

Use the form below to add your comment. Markdown syntax is available. Note, comments are moderated by me for spam filtering. Alternatively, feel free to contact me privately.

CrunchBang - A weblog & personal resource about coding, design & GNU/Linux.

  1. Home
  2. Archives
  3. Tags
  4. Projects
  5. Wiki
  6. About
  7. Contact

Subscribe to RSS feeds | | Interesting stuff elsewhere on the interweb

Archives

Copyright © 2010 Philip Newborough. Some Rights Reserved.
Licensed under a Creative Commons Attribution-Share Alike 2.0 UK: England & Wales License.