Lets forget, for the sake of the discussion, the technical attacks as these are relatively easy to handle and Linux operating systems are already pretty well protected against such. The main vector of attack for malware these days is Social Engineering anyway – this is how Mac OS-X users get attacked by malware: you browse a web site, and an image that looks like a a blinking dialog box notifies you that your computer has been infected by a virus and prompts you to download this “fix”.

Most of us, technically inclined users, sneer at this type of “threat”, but most people aren’t technically inclined and there are enough people out there that will be fooled by this practice time and time again. Click the image and a binary gets downloaded to your computer and if it is in the correct format it will get executed.

This is where the Linux side of business starts (and where the “Mandatory Access Control” part of the title comes to play) – a binary that you just downloaded and executed cannot just go and do anything. Most Linux operating systems these days (at least the more popular ones) employ some sort of “Mandatory Access Control” – be it SELinux or AppArmor – which means that unless you specifically say, ahead of time, that some program can do something – then it can’t. This applies to all access including access to user files.

The thing is – Linux users are already well protected against the user of “downloading an executable file” and running it: You have to download the file and save it somewhere that you can find, then double click it. At which point a dialog box pops up and tells you that you can’t execute files with out the “execute bit”, so you have to open the file properties, go to permissions, figure out what the “execute bit” is and set it, click OK and try to run the file again. That is on Ubuntu – other OSs have even a worse user experience. So you see – no worries there: if a user is gullible enough to download just any file of the internet and try to run it – there’s no way they’re going to be able to do it.

So what’s the problem?

The problem is that if you can target Mac users and get them to download a Mac specific binary file (vs. a Windows specific executable for Windows users), then you can easily target specific (and popular) Linux distributions by getting their users binary files formatted with the appropriate software installation package format (“.deb” for Ubuntu, Debian and related OSs and “.rpm” for Fedora, SuSE and related OSs). All these operating systems, when you start downloading a file with the appropriate format, helpfully pop up a dialog that allows you to easily type in your password and install the “helpful software” right into your operating system!

Unlike getting a user to just execute a program, which will run with the user’s access level and at worst will trash the user’s files, this procedure lets loose an unverified piece of software into your operating system with full administration privileges. With that kind of access, such software can easily install its own “Mandatory Access Policy” that lets itself do whatever it wants.

And how does your operating system protect you from this vector? Very little if at all. At least in Ubuntu you get the very detailed “dpkg UI” dialog which presents a lot of information on the software you are going to install before you click OK – which may also expose you to additional social engineering. Fedora on the other hand does very little except show you the file name and allow you to click OK.

At no point there are warning to help the user decide what is the right thing to do – not that I expect this will do any good: uneducated users are very prone to just click “OK” to any dialog box that pops up without ever reading what it says, let alone considering it.

The Android styled “Mandatory Access Control” that has programs request specific permissions and the user is presented with this list for approval is not any better – for most users this is just another dialog that they don’t have to read if they just want to click OK.

What can be done about it?

Very little I’m afraid. Linux users are currently around 1~2% of total internet traffic and as long as it stays this low it unlikely malware authors will invest the extra effort to target us. But if we want to get more market share – and that means getting more uninformed people to use Linux based operating systems, then this will change.

I think its unhelpful to think that we can educate people to the point that these type of social engineering attacks will fail. If we really want to tackle the problem we have to be pro-active about defense, and as they say – “the best defense is a good offense”

What I propose should be done is that whenever a user tries to install a software using the “single click install” procedure, the confirmation dialog will be much more verbose and ask the user, not for their password, but to fill a simple multiple selection quiz: choose one of the provided reasons you want to install this software (or click “other” and type your own) and a couple of other questions like you get when you try to subscribe to a website – “where did you hear about it” and such. Not something truly drastic, just enough to get the user to think a bit more about what they are about to do.

After completing the dialog, the system will file all this information, along with the URL from which the software was downloaded, to a central repository on the internet (without any personally identifying information of course, not even the IP address) and interested individuals can look at these reports and vote if the software is valid or malware. Whenever an operating system is trying to install a specific piece of software from the internet, it can first look up the target in this database and if the consensus on the internet is that this is malware, then the operating system can refuse to install – very similar to how the website verification process that Internet Explorer and Mozilla Firefox use.

Advanced users can be spared this process (if they want to) as command line installations will not trigger this behavior and if you are really inclined there would be a checkbox in some system settings dialog that says something like “stop harassing me when I install software off the internet”.

So this is my proposal. What do you think?

From reading the article, I’m not really clear who have levied this fine – from a naive reading of the article, it sounds like the complaint was filed against the Pub’s wireless internet service provider – The Cloud (a company that provides wireless hotspot services to businesses), and its not clear whether a court was involved or if the fine was levied by some sort of arbitration process handled by the company.

Obviously there is a serious issue here – A business that provides internet access to its clients, whether if its the primary service or a complementary service, whether its free or for charge, is not really a subscriber and should benefit from the same “safe harbor” provisions as any service provider: a communication service provider is not responsible for misuse of its service for illegal purposes. The same way that The Cloud is not responsible for the infringement, the pub itself is just as much exempt under the same clause.

I would have taken them to court about this.

I wonder how this apply to the ACUM (the Israeli equivalent of the RIAA) operating of suing businesses that have a radio open to a music channel during business hours under the assumption that this is unlicensed rebroadcasting of copyrighted music.

הייתי אתמול במצעד זכויות האדם הראשון בארגון האגודה לזכויות האזרח בישראל. היה מאוד צבעוני. במיוחד למרות שאני לא מסכים עם הרבה מהדעות שהועלו על נס ודגל במצעד (שימו לב בוידאו) היה חשוב לצעוד על זכותם של אנשים להביע אותן (בפראפרזה על הציטוט הידוע של וולטייר).

חבל שהרבה אנשים שאני מכיר, ושאת דעותיהם אני מעריך ושאפשר לקרוא להם “הרוב הדומם”, לא חשבו שזה חשוב מספיק להגיע למצעד, אבל כן פגשתי שם את מני ליבנה (כל הכבוד!).

בכל מקרה, הינה וידאו קצר של המצעד חולף ברחובות תל אביב – כ-14 דקות (בסך הכל כן הגיעו הרבה אנשים). המיקרופון במצלמה היה מקולקל אבל לא שהיה יותר מדי מה לשמוע במהלך רוב המצעד. במקום זה שמתי פסקול קצת רועש של מוזיקה חופשית, אז אני ממליץ להתחיל בלהחליש את עוצמת הקול במחשב

אבל בפרספקטיבה של 24 שעות אחרי, הנה אסופה של מאמרים מבלוגים אחרים בנושא:

• עירא אברמוב
• יהונתן קלינגר
• דר’ קרין ברזילי-נהון
• ירון סגמן
• גל מור (חורים ברשת)
• טל גלילי
• נעמה כרמי
• דובי קננגיסר
• היתוך קר למפגרים
• מאירשטרית.קו.יל
• יובל מישורי (הפילוסופיה של מרפי)

נ.ב. ולמי שהתעניין, אני נורא חולה ולא יוצא מהבית (ירביצו לי אם אני אנסה ).

והנה קישור לעמוד המקורי באתר של TED.

Israel has on general very good road – compared to many modern countries (in Europe and North America): national roads are all at least dual carriageways with many of them triple carriageway or even more; roads are mostly lighted at night except maybe single carriageway roads in rural areas; even road maintenance which was historically horrible in Israel is pretty good now days.

That being said, the state of driving in Israel is horrendous – people simple have no road courtesy whatsoever! The most common annoyance I have with traffic in Israel is that on a triple carriageway, where you have three lanes to choose from, the slowest one (which often has average speeds way under the low Israeli speed limit) is the middle one! If you’re just driving along at about the speed limit (maybe a few km/h over it, I can’t pretend I’m a saint), then you normally would be driving on the rightmost lane, passing people on your left. Very very annoying, not to say dangerous near interchanges. More ludicrous is that if you are in a real hurry and want to drive at speed that will normally get you a speeding tickets, you also mostly drive on the right most lane – as the left lane is occupied by people who think they are the fastest on the road but in actuality only drive around 100 km/h.

And all that before we discuss drivers switching lanes without signaling, driving on the center between two lanes, breaking abruptly for no obvious reasons, and the most annoying behavior – being the first car at a stop light the driver stops about 2 car-lengths away from the stop line. I have no idea why they do that, except for increasing the likelihood of a traffic jam this serves no purpose I can understand.

I hate Israeli drivers.

As the story goes (and don’t look in The Register for the details, read the original article at WKOW TV’s web site – the original news source for the story), a woman purchased a Dell laptop – the Ubuntu version, and apparently she did so by mistake: she expected to get MS-Windows on her laptop.

When she got her computer she tried to install some software that she “needed” in order to enroll for studies in her local college: Microsoft Office suite and Verizon’s broadband windows drivers. Both of course failed to work, so she dropped out of both fall and spring semesters (yes, she figured she can’t get the computer to work now so she might as well cancel her studies for the year).

There are several things that trouble me about this story (which I’ll go over briefly before focusing on the real problem):

• How exactly does one get a Dell laptop with Ubuntu by mistake? From browsing the Dell web site, the only way you can get to the Ubuntu section is by specifically searching for Open Source laptops (just searching for Ubuntu will get you nowhere), and then – if you don’t know anything on subject – you are just as likely to choose the FreeDOS version. At no point you can go through the standard ordering process (or any ordering process for that matter) and choose Ubuntu over MS-Windows
• Said woman is so un-tech-savvy that it boggles the mind – anyone who ever owned a computer knows to call someone when you have problems. Instead of calling for support she canceled her studies and called a TV station. The TV station apparently later called the local college (which said they can work with Open Office that comes installed on Ubuntu laptops) and Verizon (which said that Ubuntu is supported by their service and they will help her install it). The only support call the woman in the story did was to Dell, before she tried to work with the computer, to complain that she didn’t get MS-Windows.

Now the real problem is that Ubuntu is not user friendly enough for people that have no concept of an opearting system other then MS-Windows: an operating system is something that runs programs; Program are things that you buy at store or download from the internet and carry large “Works with MS-Windows” stickers. And this is what we have to work with, people.

I have no magic solution for the problem, and it is stupid to expect that we can educate the general public about what an operating system is and that while all operating systems should help you do the same things, they go about it in different ways and software for one is not applicable to another.

Maybe what Ubuntu should have done is to have something that detects that you are trying to run an MS-Windows installer, figure out what you are trying to install and offer native alternative – if good ones exist – or point you to wine/crossover-office otherwise.

ICANN are planning to open up the process for adding new top level domains to the point where anyone can request to register new top level domains – even in a non-latin script.

Many commenters agree that implementing this suggestion would cause an explosion in the available and used top level domains, and as a result also the number of actual domains registered, which can also be a bad thing – for example, domains named after common file extensions (Firefox.exe anyone?), for specific fringe interest groups or a top level domain per city (The .nyc domain for New York City seems to be the most coordinated).

But worse are the implications of the new plan for brand names. As an Australian developer news site noted, the implications for brand managers are enormous: simply using “domain hacks” with some randomly looking TLDs can be a real headache for large corporations: the .LA domain for Los Angeles can offer coca-co.la for the quick entrepreneur, or maybe www.dis.ney.

But I don’t think this the worst problem. What I think will happen is that large corporations with large pockets will go and buy their own top level domain names and just have that as their web address! what will prevent Sony from buying the .sony TLD and have www.sony as their web address or maybe even simply http://sony/ (and http://ps3.sony, http://music.sony, etc).

I don’t think there is a single corporation that wouldn’t jump at the option to do this, and we will end up with something far worse then a messy and non-hierarchical naming – a web where most top level domains are brand names of global corporations.

להקה בריטית בשם The Get Out Clause מצאה שימוש למצלמות במעגל סגור שפזורות בבריטניה בכל פינה. לפי אחד המאמרים, תושב לונדון מצולם בכל יום 300 פעם על ידי מצלמות אבטחה, ו-The Get Out Clause החליטו להשתמש בכך כדי לחסוך קצת כסף על הקליפ הראשון שלהם, בכך שהם נעמדו וניגנו בכ-80 מקומות במנצ’סטר שהם יודעים שמנוטרים על ידי מצלמות במעגל סגור, ולאחר מכן דרשו את קטעי הוידאו מבעלי המצלמות במסגרת חוק ההגנה על המידע.

התוצאה:


$ history | perl -nle 'split /s+/,; $a{$_[2]}++; END { for (keys %a) { print "$a{$_} $_"; } }'| sort -nr | head
388 mcedit
229 svn
77 ssh
28 cd
12 php
12 ls
12 curl
10 cp
9 rpm
9 man


This is my work computer, and its quite obvious that I’m a programmer, if only for the fact that everyone else is copy&pasting awk for the history analysis and I chose to rewrite it in perl, but also for the top two commands. Looking a bit lower it looks like I’m doing a lot of PHP/web programming lately, and what am I doing running RPM in my user account ?

The entire list has 70 commands in it, which also means I’m quite a versatile command line user.