On Wed, 21 Jul 2021 18:38:30 +0300 Reco <recovery...@enotuniq.net> wrote:
> On Wed, Jul 21, 2021 at 10:51:40AM -0400, Celejar wrote:
> > On Wed, 21 Jul 2021 11:16:46 +0300
> > Reco <recovery...@enotuniq.net> wrote:
> > 
> > > Hi.
> > > 
> > > On Tue, Jul 20, 2021 at 11:32:26AM -0400, Celejar wrote:
> > > > On Thu, 15 Jul 2021 09:46:59 +0300
> > > > Reco <recovery...@enotuniq.net> wrote:

...

> > > > https://hacked.com/linux-ransomware-notorious-cases-and-ways-to-protect/
> > > 
> > > Requires Java to be installed. A rare case on a Linux *desktop*.
> > 
> > Rare? I don't have statistics, but on one of my Linux desktops, I do
> > some development work for Android, using IntelliJ IDEA / Android Studio,
> > which depend on at least some Java components.
> 
> Numbers show that I was incorrect. Let's call it "unlikely" instead of
> "rare". Let the popcon graphs speak for themselves:
> 
> https://qa.debian.org/popcon.php?package=firefox-esr
> vs
> https://qa.debian.org/popcon.php?package=openjdk-11

I'm not sure I'm reading the numbers correctly, but the openjdk-11-jre
figures are 26-29% (as opposed to firefox-esr's 42%) - hardly "unlikely."

> I agree with you that one should uninstall Java unless it's needed.
> After all, they at Oracle always find something to fix in Java security
> every three months, and this has gone on for the last ten years.
> 
> > I don't know if I have
> > enough Java installed to be susceptible to the malware in question ;)
> 
> Java's famous slogan "you write it once and run it everywhere" is an
> exaggeration, to put it lightly. Chances are, you don't have that exact
> minor update of Oracle JRE that this malware actually needs.

Well, I suppose that's a relief ;)

> > Fair enough - but I see no reason why in principle desktop Linux will
> > remain immune from ransomware.
> 
> It won't by itself, of course. One sure way to beat ransomware is to
> take immutable backups (i.e. unmodifiable by the host during and after the
> backup is taken), and as recent history shows us - ransomware victims
> apparently do not use this approach.
> 
> Another sure way is to forbid running executables downloaded from random
> Internet sites, but no thanks to appimage, flatpak, snap, and Go, the
> Linux desktop goes straight in the Windows desktop direction.
> And again, as recent history shows us - ransomware victims apparently do
> not use this approach either.

Good points.

> Currently a Linux desktop is better in this regard, but I agree that it
> may not remain the same.
> 
> > Even if Linux word processors are safer than their Windows counterparts,
> 
> Last time I ran Libreoffice I had that distinct feeling I'm running a
> Java program. You know - long startup, eating memory like no tomorrow,
> trying to write useless junk to at least four different places on my
> filesystems, and eating unhealthy amounts of CPU time in the
> process.

Funny - I always have that feeling and most of those experiences with
Firefox, (even) these days ;)

> I know that Libreoffice is written in C++, but the code quality of it
> definitely leaves something to be desired. At least when the thing
> crashes (it did, several times) it produces a standard core dump, not
> some unreadable stack trace and a heapdump.
> 
> In retrospect, maybe feeding Libreoffice Draw that 800-page PDF was not
> the best of ideas, but no free software tool comes close to the
> capabilities of Libreoffice in editing PDFs, and I really needed that
> PDF to be modified (mass-replacing embedded fonts, to be specific).
> 
> On the other hand, Windows counterparts are typical enterprisey software
> written by generations of overseas workers with the code quality (or
> rather the lack of it) that's expected from enterprisey software.
> 
> My opinion on this - both are bad. Libreoffice is better for being free
> software, of course, but that does not make it secure by definition.
> 
> > browsers are just full of vulnerabilities,
> 
> True. Every version of Chromium and Firefox fixes at least one.
> Most of said vulnerabilities cannot be used to get Remote Code
> Execution (RCE) though. Which leaves us with the "random download"
> scenario, which I've discussed above.

Most, yes. But the pwn2own hackers, for example, seem to pretty routinely
get RCE on the major browsers, so I wouldn't bet my data that ransomware
authors won't as well:

https://www.zerodayinitiative.com/blog/2019/3/21/pwn2own-vancouver-2019-day-two-results
https://www.bleepingcomputer.com/news/security/researchers-earn-1-2-million-for-exploits-demoed-at-pwn2own-2021/

> > so why couldn't ransomware get in that way?
> 
> It could. Lacking a proper execution environment (be it JRE,
> flatpak, snap or whatever) - what should it do next? Wait for a user to
> execute it?
> 
> Reco

Celejar
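One concrete way to act on the "forbid running downloaded executables" advice in the thread is to mount the filesystems an unprivileged user can write to (/home, /tmp, /var/tmp, /dev/shm) with the noexec option, so a dropped binary cannot be executed directly. The script below is an added example, not something posted in the thread or shipped by Debian: it parses text in /proc/self/mounts format and reports which of the given mountpoints lack noexec. The mounts table is passed in as a string so the check runs offline against the constructed sample at the bottom; on a live system you would pass "$(cat /proc/self/mounts)" instead.

```shell
#!/bin/sh
# Added example: audit user-writable mountpoints for the noexec option.
# Input is /proc/self/mounts-format text so it can run against a sample;
# live use:  audit_noexec "$(cat /proc/self/mounts)" /home /tmp /var/tmp /dev/shm

# Print the mount options of MOUNTPOINT, or nothing if it is not a mount.
# /proc/self/mounts fields: device mountpoint fstype options dump pass
mount_opts() {
    mounts="$1"
    mp="$2"
    printf '%s\n' "$mounts" | awk -v mp="$mp" '$2 == mp { print $4 }'
}

# Return 0 if MOUNTPOINT is mounted with noexec, 1 otherwise. A path that
# is not its own mount also yields 1: it inherits the parent filesystem's
# (usually exec-permitted) options, which is exactly what we want flagged.
has_noexec() {
    opts=$(mount_opts "$1" "$2")
    case ",$opts," in
        *,noexec,*) return 0 ;;
        *)          return 1 ;;
    esac
}

# Print one line per mountpoint; return 1 if any of them lacks noexec.
audit_noexec() {
    mounts="$1"
    shift
    rc=0
    for mp in "$@"; do
        if has_noexec "$mounts" "$mp"; then
            echo "ok       $mp"
        else
            echo "MISSING  $mp  (add noexec to its fstab options, or give it its own mount)"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample in /proc/self/mounts format (not a real system):
# /home is writable and executable, /var/tmp is not a separate mount,
# /tmp and /dev/shm are already noexec.
SAMPLE_MOUNTS='/dev/sda2 / ext4 rw,relatime,errors=remount-ro 0 0
/dev/sda3 /home ext4 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev,noexec 0 0'

audit_noexec "$SAMPLE_MOUNTS" /home /tmp /var/tmp /dev/shm \
    || echo "some user-writable filesystems still allow direct execution"
```

Two caveats a practitioner should keep in mind. First, noexec only blocks direct execution of files on that filesystem; a script can still be run by invoking its interpreter explicitly (sh ./payload, python3 ./payload.py), so this is a hurdle for the "random download" scenario rather than a complete answer to it. Second, it is the trade-off the thread alludes to: AppImages and many third-party installers expect to run from the user's home directory, and a noexec /home breaks them unless you give them a separate, exec-permitted location.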