OT:Malware

They've never called me, so I've not even managed the once.

It depends.

I've done that with a sales-droid. Just told her to hang on while I turn the dinner down, put the phone down on the worktop and carried on cooking dinner. I wonder how long she waited?

You don't get them on up to date windows machines. 8-)

The other reason is that linux users never check to see if their machine has been exploited.. not really surprising, they think its impossible and lack the tools and/or knowledge to check anyway.

Stopping them talking to those who might be taken in is a public service!

I don't understand why you would waste your time talking to them at all. If they phoned me I would hang up straight away*

• Actually I would be unlikely to answer the call in the first place.

Windows has come a long way since 98, but it still has some key security weaknesses compared to linux.

1. Ubuntu for example has a huge repository of checked software, whereas windows users are left to wander the web and download who knows what from who knows where.
2. Linux's great variability is a big security strength
3. Linux's open source nature means there's a huge number of eyes looking for security issues and looking to fix them asap.

NT

if even 1% of the people they called did this, the scam would evaporate in days. All scams like this rely on a marginal return on a large, but cheap investment. Remove that return, you make the scam useless.

If all the "hackers" in the world, got together, and scripted a few programs to automatically recognise a phishing scam, and reply with

1,000,000s of bogus login credentials, that scam would also disappear. Unfortunately, be the cognescenti ignoring such scams, any replies the perpetrators do receive are much more likely to be genuine.

What did you have in mind?

Assuming you get all your software through the "approved" channel, then that adds a little protection, although as google discovered recently they were hosting 50 odd malware apps on their app store - so its not a guarantee.

Depends a bit on what layer you are attacking. It helps certainly.

Also arguably true.

However I suggest much of the assumed implicit security still comes down to the fact that there is far less effort going into cracking it. As it achieves more significant penetration on the desktop (or mobile platforms) then it will become more of a target. Or more often, its users will become a target - an they are often going to be the weakest link, just as they are with windows.

You can't really have it both ways. When linux was a geek only system, it derived lots of security from the very fact that most of the users were geeks. Once you stick it into the hands of jo public, they are just as likely to hand it over the the remote control of some indian call centre scammer as they might their windows box.

below...

Guarantee no, but its a big improvement on the wild wild web as your applications source. If 90% of users get 90% of their apps from the repository, then thats a big improvement in the risks. Its not 100%.

Re hosting malware, the ubuntu team is likely to adress any such discoveries, dodgy web app sites dont.

Users are just as vulnerable of course, but even this route of attack is harder to do with linux, partly due to the large number of differing linuxes out there, and other reasons. I'm not saying its perfect, but there are still several factors that make linux far less of a target, not only its lack of popularity. If linux gets as big as windows, there will only be more people keeping their eyes out for security and malware issues in the source code and working to remove them. Windows just doesnt have that resource.

NT

Good work

And they did.

I think most of us would rather they didn't call back but your efforts may well have saved one or two less well informed computer users from becoming victims of the scam.

Use your noggin.

For non savvy windows users, their prime source of software will be shrink wrapped in a box. Not usually a prime vector for malware.

Depends on the site - some are better than others.

Once they have given remote access to someone else, it game over regardless what OS they have.

Alas sight of the source does not make spotting all the avenues of attack easy.

Note I am not particularly definding MS here - I am no great fan, and personally I would like to see altenative OSes to develop to the level of penetration and software support that MS platforms have. However I feel there are a large number of *nix users (Macs included) who still have their heads buried in the sand, and are in for a rude awakening.

8<

Checked by whom and for what? See point 3.

It makes point 3 less effective.

Plainly untrue.. remember the security hole that was reintroduced and remained in Ubuntu for 10 months before it was rediscovered?

rote:

:

From what I've seen they tend to download and install all sorts of crap from the www.

Lots knowingly host it. No linux distro knowingly hosts it. Gentoo got their fingers burnt, but gentoo is the kind of distro where you can expect that to happen, rarely. Its far from mainstream.

course

of course. But its gonna happen way more than with win, with no viewable source code

There will always be problems at times. But just how will a virus become a huge deal when a) linuxes vary so much? b) there's a huge number of people waiting to pounce on such issues and fix them

NT

OTOH I reported to Ubuntu a verified Postgresql server bug with a small example to demonstrate. The bug was passed up to the Postgresql guys and the updated Ubuntu package was in the repos and installed within a week.

If I was desperate enough I could have got the patch from the Postgresql guys after about 3 days and patched my local copy. If I was really really desperate I could have had a shot at finding the bug and patching it myself with a bit of help from the mailing lists.

This is something you rarely get with closed source software.

I have had dozens of these calls. I now claim to be a technician myself and offer my services at my normal rates. They don't half ring off quick.

Just ask them about their underwear. This triggers automatic call termination

Do you *really* need to ask?

MBQ