Granted, only a standalone computer with no network connection of any kind
is fully secure from internet infections.

However, I have always assumed, subject to correction, that any malware
attempting to install itself via a script, would raise a dialogue asking for
the user's password. Unless the operator is so careless or naive as to type
it in when there is no reason to do so, most infections would not succeed in
(K) ubuntu.

But as I used to tell my students, (pulling a figure out of thin air,) "56%
of all computer failures are caused by operator error"!

if even if you never go on-line you
better not stick anything in a computer port that that good friend gave
you. I I warn all the people I teach about those dangers.

I do not think those scripts need user help nor a password to allow them
to enter you system. Take key loggers for instance. They just record
ever key stroke to a log file that is sent direct back to base. Neither
you password protection or the email programs is used.

> www.securelist.com/en/analysis?pubid=204791931

Many malware scripts are simple designed to auto direct you to other
sites that the crims have set up to look for the one you seek. They do
this with on line bank sites and those porn sites that infuriate you
loved one when you suddenly arrive at one you had no intention of visiting.

"Why GNU/Linux Viruses are fairly uncommon" from Charlie Harvey

evilmalware 0.6 (beta)

Copyright 2000, 2001, 2003, 2005
E\/17 |-|4><0|2z Software Foundation, Inc.

This is free software; see the source for copying conditions. There is
NO warranty; not even for MERCHANTABILITY, COMPLETE DESTRUCTION OF IMPORTANT
DATA or FITNESS FOR A PARTICULAR PURPOSE (eg. sending thousands of Viagra
spams to people accross the world).

Basic Installation
==================

Before attempting to compile this virus make sure you have the correct
version of glibc installed, and that your firewall rules are set to `allow
everything'.

1. Put the attachment into the appropriate directory eg. /usr/src

2. Type `tar xvzf evilmalware.tar.gz' to extract the source files for
this virus.

3. `cd' to the directory containing the virus's source code and type
`./configure' to configure the virus for your system. If you're
using `csh' on an old version of System V, you might need to type
`sh ./configure' instead to prevent `csh' from trying to execute
`configure' itself.

4. Type `make' to compile the package. You may need to be logged in as
root to do this.

5. Optionally, type `make check_payable' to run any self-tests that come
with the virus, and send a large donation to an unnumbered Swiss bank
account.

6. Type `make install' to install the virus and any spyware, trojans
pornography, penis enlargement adverts and DDoS attacks that
come with it.

7. You may now configure your preferred malware behaviour in
/etc/evilmalware.conf .

Viagra and other sudo medications are regularly sent out as scams and I
never get them on Ubuntu of my three Windows machines because of the
protection I run on those windows system

The weakest link is usually the human. Linux security tries to protect us
from ourselves, but people looking for ease of use often take shortcuts.
There is a trade off between ease of use and security. Absolute security, if
possible, would be at the expsense of the user experience. That is why I
keep mentioning Linux established procedures which may seem onerous to the
newbie coming from a less secure environment, but in the end they work if we
use them as they were intended.

Linus Torvalds who writes the kernel is understandably paranoid about
security. On his own computer he shuts off practically all ports which means
that his computer is virtually locked down from the outside. Since he
collaborates with kernel developers he needs to open ports as needed. It
does not sound like much fun to me. No browsing the internet etc. on that
computer. I am sure that he has more than one. I have heard that he has a
Mac and PC. I don't think that many of us would want to spend our computer
time that way. We want to enjoy all that the internet offers.

Someone recently did a study of passwords and found (by hacking) that many
people use easy to guess and short passwords and they use the same one on
every website. This makes identity theft quite simple and hijacking easy. So
having a password is fine, but we need to make a reasonable effort to foil
intruders and people up to no good.

Linux security is better than other OSes (or it wins the competition every
year against Windows and OS/X), but it is not perfect and we are not
bulletproof when we use it. However, if we follow procedures and work the
way Linux is meant to work then we can relax a bit. We still need to be
smart and act wisely to foil the determined. Most people who want to do harm
go for the low hanging fruit, which is one reason Windows users get burned
more often.

It does not help when Microsoft gives hackers openings as with the recently
discovered zero-day security flaw for which they just sent out an advisory
in order have a workaround (until they can stuff that hole on some future
patch Tuesday). A vulnerabliity was just uncovered in Red Hat and Fedora was
hacked, so Linux is not perfect. Linux flaws are found from time to time,
but not with the same frequency and they are often patched the same day. Red
Hat seems to be the exception to this rule and they take more time than most
distributions, probably for the same reason that Microsoft does. It is a
large company and it does not want to be alarmist to its user base, which is
business that is conservative and easily spooked. It is embarrassing for
these big companies when these things happen, but what is important is how
the company reacts and how quickly.

The collaborative model works hand in hand with the built in security to
protect users. Because the code is open and free it can be examined by a
broader community and vulnerabilities uncovered before it is released and
harm is done. Because the process is transparent it cannot be covered up or
denied, a tactic Apple likes to employ; first deny, then blame the user,
then quietly fix it. At least Microsoft is resonably honest about flaws and
even pays bounties to hackers to find them. They aren't the swiftest to
respond, though, and because it is so big in terms of its user base, delays
have more impact on users and do far more damage than they would in Linux.
The proprietary model used by Microsoft and Apple is more restrictive by
necessity. I am illustrating how users are impacted by both and why the
collaborative model improves security for Linux users. I think the
proprietary model could work if patches were speedier in getting onto users'
computers. I think Microsoft is on the right track, but I am not so sure
about Apple. Users have choice and can choose which model works for them.
Clearly there is little correlation between bugs and successful adoption
because Apple has grown despite having a number of well publicised bugs.

I like Linux security not for any one thing, but the combination that I have
mentioned. The concern that is cross platform is weak passwords, so beware.

Well on Ubuntu I just seem to be OK but on my Windows computers I use
Avast protection and this has great spam and malware ability but in
addition I use the BT Internet service and the have introduced a pretty
powerful filter now.