Malware for the Linux desktop. Yes, really.

[LAwLz]

11 hours ago, mr moose said:

I'll tell people what I see when i see it,  I'm sorry if that upsets you, but even in this thread there are people claiming you'll be fine if you only use certain repositories etc.    It is a very common theme within the Linux community, alongside many other claims.

1) you're generalizing (wrongly) about what the Linux community says. Hell, even the comments in this thread goes against your generalization. You will have a very difficult time finding anyone who says GNU/Linux is completely safe and doesn't have any malware or security holes. However, it is more safe than Windows, has a better architecture from a security standpoint (so much than Windows have tried replicating it since Vista) and fewer malware, and most of the ones that do exist are less severe than those on Windows in various ways. 

 

2) The people saying that you are fine if you download stuff from the official repo are not exactly wrong, are they? If you believe they are wrong, prove it. If you stick to the large and trusted repos then you will most likely avoid the majority of the small amount of malware that exists for GNU/Linux. 

 

3) Linux malware, while it exists, is very different from windows and you can't really compare the two. I don't think any sane person says Linux is impenetrable and flawless, but it's widely different from Windows. Hell, it was newsworthy that a single piece of malware, one that hasn't even been found in the wild, was discovered. And the fix for the malware? Delete the file... 

[mr moose]

Just now, LAwLz said:

1) you're generalizing (wrongly) about what the Linux community says. Hell, even the comments in this thread goes against your generalization. 

2) The people saying that you are fine if you download stuff from the official repo are not exactly wrong, are they? If you believe they are wrong, prove it. 

3) Linux malware, while it exists, is very different from windows and toy can't really compare the two. I don't think any sane person says Linux is impenetrable and flawless, but it's widely different from Windows. Hell, it was newsworthy that a single piece of malware, one that hasn't even been found in the wild, was discovered. And the fix for the malware? Delete the file... 

 

1. It's what I hear, even in this thread. It's my observation and I am not about to pretend I can't see it.

2. Linux is no more secure than any other OS in that if someone wants to create malware for it or break into it they will.  To think otherwise is just naive.

3. whatever,  the issue is pretending Linux is more secure because there is currently less malware is as silly as pretending MAC's don't get viruses.

 

 

 

 

[WereCatf]

3 minutes ago, mr moose said:

1. It's what I hear, even in this thread.

I looked through this thread and I didn't see a single post claiming that there aren't viruses/malware for Linux. You need to lay off the coke, you're seeing things that don't exist.

[mr moose]

7 minutes ago, WereCatf said:

I looked through this thread and I didn't see a single post claiming that there aren't viruses/malware for Linux. You need to lay off the coke, you're seeing things that don't exist.

didn't look too hard:

 

On 7/26/2019 at 9:13 PM, Sauron said:

It's worth noting that the average user who installs packages from the repositories does not need to worry about this.

 

On 7/27/2019 at 2:15 AM, Tenelia said:

And even if you grab flatpak direct from the main devs' sites, you're still quite unlikely to get hit... So you'd literally have to have worse browsing habits than the average grandma...

 

On 7/27/2019 at 2:40 AM, IAmAndre said:

I've used Linux for years with no antivirus and haven't had any issue, but as previously mentioned, just stick to official repos and you'll be good.

 

Like it's pretty cl;ear they are saying if you stick to X repository you are fine,   lets just forget about the other 50 million ways an OS can be compromised.

[WereCatf]

2 minutes ago, mr moose said:

Like it's pretty cl;ear they are saying if you stick to X repository you are fine,   lets just forget about the other 50 million ways an OS can be compromised.

None of them said that there are no viruses/malware. Also, it is actually true that if you install stuff only from the official repos you are very unlikely to get infected with anything. Feel free to try and prove me wrong on that. As for someone outside hacking in and installing stuff is an entirely different thing and not relevant here.

[mr moose]

2 minutes ago, WereCatf said:

None of them said that there are no viruses/malware. Also, it is actually true that if you install stuff only from the official repos you are very unlikely to get infected with anything. Feel free to try and prove me wrong on that. As for someone outside hacking in and installing stuff is an entirely different thing and not relevant here.

Yep, repositories could never be hacked, they are an impenetrable data set that no one can compromise in any way shape or form.

[WereCatf]

1 minute ago, mr moose said:

Yep, repositories could never be hacked, they are an impenetrable data set that no one can compromise in any way shape or form.

Did I say so? No? Well, then. Stop trying to put words in other people's mouths, mate, and prove your claims or shut up.

[mr moose]

1 minute ago, WereCatf said:

Did I say so? No? Well, then. Stop trying to put words in other people's mouths, mate, and prove your claims or shut up.

 

I am not putting words in anyone's mouth, I am just pointing out something that people obviously don't like hearing.

 

What do you want me to prove, that malware can be uploaded to an official repository?

here you are:

 

https://www.bleepingcomputer.com/news/security/malware-found-in-arch-linux-aur-package-repository/

https://www.zdnet.com/article/how-much-more-malware-is-lurking-in-linux-official-repositories/

 

 

I really didn't think people needed proof to understand the concept that nothing is intrinsically secure.  

 

 

 

[WereCatf]

Just now, mr moose said:

I am not putting words in anyone's mouth, I am just pointing out something that people obviously don't like hearing.

No, you are claiming people are saying things they didn't say.

 

1 minute ago, mr moose said:

I really didn't think people needed proof to understand the concept that nothing is intrinsically secure. 

No one said that. I literally used the word " unlikely" there -- " unlikely" does not mean "impossible", but here you go claiming that. You have either some serious fucking problems with reading-comprehension or you are deliberately twisting things people say.

 

Linking to two cases of malware being found in repos doesn't disprove what I said. In fact, it just strengthens my argument: there are hundreds of thousands of packages, some with thousands of versions, and you could only point out four examples. Four, out of hundreds of thousands. That does make it unlikely.

 

Here are two additional links for you to study: https://www.merriam-webster.com/dictionary/unlikely https://www.merriam-webster.com/dictionary/impossible 

[mr moose]

Just now, WereCatf said:

No, you are claiming people are saying things they didn't say.

 

No one said that. I literally used the word " unlikely" there -- " unlikely" does not mean "impossible", but here you go claiming that. You have either some serious fucking problems with reading-comprehension or you are deliberately twisting things people say.

 

Linking to two cases of malware being found in repos doesn't disprove what I said. In fact, it just strengthens my argument: there are hundreds of thousands of packages, some with thousands of versions, and you could only point out four examples. Four, out of hundreds of thousands. That does make it unlikely.

 

Here are two additional links for you to study: https://www.merriam-webster.com/dictionary/unlikely https://www.merriam-webster.com/dictionary/impossible 

 

what are you trying to prove here? 

 

people definitely used the the words " you do not need to worry" and "you'll be good" if you use the repositories, I even quoted them for you. 

 

I only claimed that nothing is secure and safe, you asked me to prove it and I did, I showed you two examples, one of a repository containing malware and the other of the official distro releasing with a Trojan. 

 

It seems you are just displeased to be wrong.

 

 

[Sauron]

25 minutes ago, mr moose said:

didn't look too hard:

 

Like it's pretty cl;ear they are saying if you stick to X repository you are fine,   lets just forget about the other 50 million ways an OS can be compromised.

Let me stop you right there - at no point did I say there is no malware for Linux or that if you stick to the repositories you'll be 100% safe from everything. What I said is that if you only install software from the main repositories you don't need to worry about this threat specifically. Which is true, unless you have some information that wasn't in the article - a one in 100000 chance of downloading an extremely rare infected package from the repos in the brief window in which it is up is not something you should actively be worried about. Plus, once you know it is there this malware is extremely easy to remove even without a AV.

 

So yes @Twilight, what I said was entirely true.

 

@LividPanda you are right in saying that there are other ways in which a Linux desktop could be compromised, however if you are at the point where you can install malware like this without user input then you can do a lot worse.

[Ashley MLP Fangirl]

21 minutes ago, mr moose said:

What do you want me to prove, that malware can be uploaded to an official repository?

here you are:

 

https://www.bleepingcomputer.com/news/security/malware-found-in-arch-linux-aur-package-repository/

the AUR is not an official repository. it is community driven and you are warned on tge home page. https://aur.archlinux.org/

 

@mr moose can you please just not turn this topic into a pointless debate. none of us said there are no viruses for linux, we just said that as long as you stick with official repo's (the aur isn't one) you are likely safe. we never said that you should not install AV software on linux, and we never denied there are other ways of compromising it. 

[mr moose]

Just now, Sauron said:

Let me stop you right there - at no point did I say there is no malware for Linux or that if you stick to the repositories you'll be 100% safe from everything. What I said is that if you only install software from the main repositories you don't need to worry about this threat specifically. Which is true, unless you have some information that wasn't in the article - a one in 100000 chance of downloading an extremely rare infected package from the repos in the brief window in which it is up is not something you should actively be worried about. Plus, once you know it is there this malware is extremely easy to remove even without a AV.

 

So yes @Twilight, what I said was entirely true.

 

@LividPanda you are right in saying that there are other ways in which a Linux desktop could be compromised, however if you are at the point where you can install malware like this without user input then you can do a lot worse.

 

So the thing you are saying we don't need to worry about is this specific malware and not malware in general? 

Which if true then I apologise for misinterpreting it, however to me your post reads that we do not need to worry about malware if we only use the official repository. 

 

Also it is what the other posters have said, and the only thing I have contested in this thread is the generalization that Linux is safer or that you are safe if you only use repositories. As II have shown that is factually incorrect.  

[WereCatf]

13 minutes ago, mr moose said:

people definitely used the the words " you do not need to worry" and "you'll be good" if you use the repositories, I even quoted them for you. 

You could get hit by a space-rock the instant you step out the door, but it'd be unlikely, ergo "you do not need to worry about it." Same applies to stuff installed from official repos.

 

15 minutes ago, mr moose said:

I only claimed that nothing is secure and safe

Oh, really? Here's a direct quote from you:

On 7/27/2019 at 11:44 AM, mr moose said:

Meanwhile the Linux community are still in denial that anything bad can happen.

You are saying the Linux-community is in denial when they say you are unlikely to get infected when using official repos. In order not to be in denial of that they'd have to not be saying that, ergo you are claiming that you are likely to get infected even if using official repos. The burden of proof is on you for making such claims, for claiming that the community is in denial when they're saying something that is a fact.

 

 

 

[mr moose]

3 minutes ago, Twilight said:

 

@mr moose can you please just not turn this topic into a pointless debate.

 

I didn't realize it was pointless to point out you can get malware and Trojans from official repositories in face of what has been posted.

[mr moose]

2 minutes ago, WereCatf said:

You could get hit by a space-rock the instant you step out the door, but it'd be unlikely, ergo "you do not need to worry about it." Same applies to stuff installed from official repos.

I'll be sure to were a helmet next time I step outside. 

 

2 minutes ago, WereCatf said:

 

Oh, really? Here's a direct quote from you:

Yes, all that quote says is that I hear a lot from the linux community wax lyrical about how bad things don't happen in Linux.  What's your issue? Do you think I haven't experienced that?   Do you think making claims that sticking to repositories helps avoid malware is not furthering the "bad things don't happen" trope? I literally linked to two cases of repositories containing malware.

2 minutes ago, WereCatf said:

You are saying the Linux-community is in denial when they say you are unlikely to get infected when using official repos. In order not to be in denial of that they'd have to not be saying that, ergo you are claiming that you are likely to get infected even if using official repos. The burden of proof is on you for making such claims, for claiming that the community is in denial when they're saying something that is a fact.

 

 

 

 

No, I said they are in denial that bad things can happen to Linux.  

[WereCatf]

1 minute ago, mr moose said:

Do you think making claims that sticking to repositories helps avoid malware is not furthering the "bad things don't happen" trope?

I keep repeating the same thing over and over and you do not comprehend. Saying that you are unlikely to get infected does not mean the same as saying "bad things don't happen", but that's what you just keep on claiming and claiming. I am giving up, it's like talking to a wall. I hope you one day work how to improve your reading-comprehension skills to a suitable level for actual conversation.

[Ashley MLP Fangirl]

2 minutes ago, mr moose said:

I'll be sure to were a helmet next time I step outside. 

so your argument is that we should worry about everything that is unlikely? so we need to wear something along the lines of motorcycle gear everytime we go outside, we can't use the internet anymore in case there is a hacker?

[mr moose]

Just now, WereCatf said:

I keep repeating the same thing over and over and you do not comprehend.

there is a big difference between not comprehending and not agreeing or not seeing your argument as relevant to my position.

Just now, WereCatf said:

Saying that you are unlikely to get infected does not mean the same as saying "bad things don't happen",

Some people actually said you will be right, not just unlikely or mostly but will be. And even in that event, why is it so important to you to quantify a little bit of threat versus just a threat? It amounts to the same insinuation that the issue is a non issue or minor.  I would say downloading a trojan in your distro is not a minor thing even if it happens infrequently.  

 

Just now, WereCatf said:

but that's what you just keep on claiming and claiming. I am giving up, it's like talking to a wall. I hope you one day work how to improve your reading-comprehension skills to a suitable level for actual conversation.

Attack the person when you can't attack the argument?   As I said before, not agreeing is not the same as not understanding. Although I find it more likely that you lack the understanding given you have taken a general statement of observation and tried to tie it to only your specific understanding of a single aspect of the entire issue I raised. 

 

Just now, Twilight said:

so your argument is that we should worry about everything that is unlikely? so we need to wear something along the lines of motorcycle gear everytime we go outside, we can't use the internet anymore in case there is a hacker?

 

My argument is that we shouldn't dismiss a threat because it is small or pretend that official repositories are intrinsically safe.  My argument is that the Linux community in general makes all sorts of noise about Linux being safer and more secure etc.   As I said before, they used to say that about mac. 

 

There is nothing you can say that will change my experience of the Linux community on this level and there is nothing you can say that is going to make me believe that it's ok to pretend official repositories are any safer than any other data set.  If someone wants to infect it with malware they will find a way.

[Blademaster91]

21 minutes ago, Twilight said:

so your argument is that we should worry about everything that is unlikely? so we need to wear something along the lines of motorcycle gear everytime we go outside, we can't use the internet anymore in case there is a hacker?

But people seem to be making arguments of because its not likely, the malware shouldn't be anything to worry about, which sounds a lot like Mac users claiming they can't get malware. The whole point of the article is the malware could affect regular users, which may not be using "official repositories" which IMO is a serious security issue.

[Ashley MLP Fangirl]

1 minute ago, Blademaster91 said:

The whole point of the article is the malware could affect regular users, which may not be using "official repositories" which IMO is a serious security issue.

that is true, but this topic turned into a debate around using official repo's... 

[Sauron]

48 minutes ago, mr moose said:

So the thing you are saying we don't need to worry about is this specific malware and not malware in general?

Yes.

48 minutes ago, mr moose said:

however to me your post reads that we do not need to worry about malware if we only use the official repository.

I don't know how I could have expressed it any better - I said the average user who only installs from the repos doesn't need to worry about this, where this in context refers to the malware mentioned in the OP.

50 minutes ago, mr moose said:

Also it is what the other posters have said, and the only thing I have contested in this thread is the generalization that Linux is safer or that you are safe if you only use repositories.

That's not what I said and I think most other users meant what I meant. Of course it's ridiculous to assume that using Linux and sticking to the repos is enough to protect you from any and all threats, I just don't see where that argument was being made.

[IAmAndre]

1 hour ago, mr moose said:

people definitely used the the words " you do not need to worry" and "you'll be good" if you use the repositories, I even quoted them for you. 

 

Well those are the words people use when referring to antiviruses as well. The point is even with the best antivirus you're not safe and you can never be 100% safe no matter what and nobody claimed that here. However using the official repos and common sense is a practice that's safe enough to afford not to install an antivirus.

[mr moose]

1 hour ago, Sauron said:

Yes.

I don't know how I could have expressed it any better - I said the average user who only installs from the repos doesn't need to worry about this, where this in context refers to the malware mentioned in the OP.

That's not what I said and I think most other users meant what I meant. Of course it's ridiculous to assume that using Linux and sticking to the repos is enough to protect you from any and all threats, I just don't see where that argument was being made.

The problem is with the word "this" is because without further qualification "this" can mean "this specific malware threat", or it can mean "this malware on linux".  both are logical conclusi9ons from your post.  Hence why I apologized after clarification.

 

However that to me isn't even the real issue in this thread.   Pointing to your post and that of the other two was merely in addition to the experiences I have of what the Linux community can be like.  

 

As much as the others don't want it to be true, my experience of the Linux community is that they are in denial that bad things can happen on Linux, I linked to two examples already (I am sure there are others) and they were both in repositories (one official) and their response is to try and trivialize that threat and make it a word game instead. (which I think highlights my observations, as had I said this about windows they likely all would have clicked agree instead of arguing semantics).

 

 

[Sauron]

2 minutes ago, mr moose said:

The problem is with the word "this" is because without further qualification "this" can mean "this specific malware threat", or it can mean "this malware on linux".  both are logical conclusi9ons from your post.  Hence why I apologized after clarification.

 

However that to me isn't even the real issue in this thread.   Pointing to your post and that of the other two was merely in addition to the experiences I have of what the Linux community can be like.  

 

As much as the others don't want it to be true, my experience of the Linux community is that they are in denial that bad things can happen on Linux, I linked to two examples already (I am sure there are others) and they were both in repositories (one official) and their response is to try and trivialize that threat and make is a word game instead.

Well, what would you like us to say about that? Some people are just ignorant, unfortunately there isn't much we can do about it and I don't see anyone here making that argument. For all the problems the Linux community has I'd say people trusting their system too much is a pretty minor one. It's not like people don't have bad security habits on Windows or MacOS.