WannaCry wouldn't be able to spread inside a SELinux secured environment because it wouldn't have network access.

SELinux will protect you from most exploits, but if you'd ask most people to run an application many would happily do so

SELinux doesn't care who you are.

Even if you're root.

WannaCry wouldn't be able to spread inside a SELinux secured environment because it wouldn't have network access.

it's news to me that SELinux will prevent network access. Maybe if you'd explicitly run stuff in a restricted environment?

No.

SELinux doesn't allow unknown applications to use the network.

will have to check it, sounds nice

what protection? if you'll run a program which will encrypt all your stuff in your home folder, nothing will prevent you from doing that

Wannacry took advantage of existing weakness in windows (which was only in the outdated machines tbh).

that way or another, you can make a cryptolocker which doesn't need network access (encrypt a key using a public key embedded in a ransomware, so the original key needs to be decrypted in a network service for example)

Wannacry took advantage of existing weakness in windows (which was only in the outdated machines tbh).

are you 100% sure Linux is flawless? There is SELinux which many people (wrongly) disable anyway

The thing is WannaCry spread through the LAN using SMB exploits.

That would have been mitigated.

And I'm not completely sure SELinux would allow an unknown application to mass-encrypt files.

Certainly not delete the shadow copies (Which WannaCry did)

...Which would render it useless.

I am pretty sure there are bugs in all applications. SELinux makes the attack vector narrow and things harder to pull off, plus low marketshare on desktops makes Linux not really an interesting target, but to think that such thing is impossible to do is foolish IMHO

I never said impossible.

In fact I specified "mitigated"

Never said "block" but "mitigated"

It's hard and that's a very good thing, but we need to keep in mind that the more popular Linux gets, the more probable is that attacks will start to appear - quite scary example was https://scarybeastsecurity.blogspot.com/2016/11/0day-exploit-compromising-linux-desktop.html

Linux is incredibly popular.

Linux powers more machines in the world right now than all the Windows versions combined.

You can be sure of that.

Linux powers more machines in the world right now than all the Windows versions combined.

yeah, like webcams, which were sucessfully targeted by Mirai ;)

I know of shitty configuration on the vendor part

but still

yeah, like webcams, which were sucessfully targeted by Mirai ;)

Good point! Yes! Absolutely!

Those webcams weren't protected by SELinux now, were they? :P

It's hard and that's a very good thing, but we need to keep in mind that the more popular Linux gets, the more probable is that attacks will start to appear - quite scary example was https://scarybeastsecurity.blogspot.com/2016/11/0day-exploit-compromising-linux-desktop.html

and the patch is to remove the gstreamer. lmao

Those webcams weren't protected by SELinux now, were they? :P

Nope, but if they were, and any powerful enough attacker would find it a good enough target (easier than other possible targets), then I guess a way would be found

Nope, but if they were, and any powerful enough attacker would find it a good enough target (easier than other possible targets), then I guess a way would be found

Meh... No.

Meh... No.

So you're saying that if NSA would reaaally like to target Linux they would for sure be stopped by SELinux.

No.

But it's highly unlikely.

SELinux is absurdly strict.

the issue is, it takes one smallest mistake in SELinux

I don't know exactly how it works, does it protect kernelspace as well?

No. Not only a mistake in SELinux.

SELinux is a layer of many.

A well configured system has software and hardware firewall, user privilege separation, IDS/IPS...

And SELinux is only a layer more.

Break it all.

A well configured system has software and hardware firewall, user privilege separation, IDS/IPS...

how many people do all this on a desktop system?

Don't forget a router is a hardware firewall on its own

"Also, a comparison of Ubuntu vs. Fedora — even when extended to the latest releases — reveals that Ubuntu is slipping behind Fedora " Nice fedora

So at least that

I think I may learn something today - if I theoretically get to execute a malicious code as an user and miraclously overcome SELinux, what else is stopping me from doing bad things?

assuming an average desktop system, where applications are not executed as separate users

Firewalls, IDS/IPS, as many layers as you wish.

default Fedora installation

Firewall is not protecting me from doing curl to an http(s) server, I guess

Depends on your goal too.

I know I can do a lot, but I'm thinking default Fedora installation

I want to get ~/.ssh/id_rsa and post it to http://myserver.net using HTTP POST

I have run my code, overcome SELinux, so I can essentially cat ~/.ssh/id_rsa, what's stopping me from calling curl and uploading that?

...or someone listened to all these great advices on the internet to turn off SELinux :D

What are you trying to prove?

That by turning off all possible protection you can do malicious stuff?

That by turning off all possible protection you can do malicious stuff?

that by telling the people that SELinux is solving their problems magically they may put their guard down, then all it takes is to make a nice gnome theme with its own installer that asks for a root password, disables selinux and you're in. Of course, it requires some work on users part, but nevertheless, I think this myth of Linux being magically secure and virus-free is going to bite some newbie someday

that by telling the people that SELinux is solving their problems magically they may put their guard down, then all it takes is to make a nice gnome theme with its own installer that asks for a root password, disables selinux and you're in. Of course, it requires some work on users part, but nevertheless, I think this myth of Linux being magically secure and virus-free is going to bite some newbie someday

Who told anyone SELinux solves their problems magically?

Because I didn't.

Who told anyone SELinux solves their problems magically?

not saying that you did, just when someone wonders whether Linux is virus-proof, it's important to remember that even with these security layers, people are always the weakest links

+ those layers make things harder, but usually not impossible

Yes.

That's the past. Who cares?

Seriously? ?

ERROR: S client not available

There are only three things that are sure in this life: taxes, death and the shittiness of windows

Depends on how the government invest those taxes, in Germany or Finland high quality college is free thanks to high taxes on USA you still have taxes but healthcare and education are part of a business model. Taxes aren't that bad...

Right! They are not bad, they are ABSOLUTELY terrible.

Taxation is theft

If the money is invested on war, massive destruction weapons and international terrorism aka democracy then yes, taxes are theft.

It's been proven over and over in history that public infrastructure is ALWAYS more expensive than private business. You know why? Because taxes will always be there, even if they don't do their job OK. Private businesses go bankrupt if consumers don't vote them with their wallet.

If the money is invested on war, massive destruction weapons and international terrorism aka democracy then yes, taxes are theft.

Taxation is always theft regardless of their end goal.

These are facts.

You may not like facts.

These are facts.

> BS.

You may not like facts.

:s/facts/alternative facts/g

Okay. Way to dismiss reality.

Your problem, not mine.

he's right tbh

https://m.youtube.com/watch?v=d79vYwh4N1s#

TIL in 1952, Wernher von Braun wrote a book called "Project Mars" which imagined that human colonists on Mars would be led by a person called "Elon" [Source]

It's been proven over and over in history that public infrastructure is ALWAYS more expensive than private business. You know why? Because taxes will always be there, even if they don't do their job OK. Private businesses go bankrupt if consumers don't vote them with their wallet.

Aside in Germany of course

Where we pay more in taxes to DB after it has become a private company

And it shuts down more and more Services.

That's what usually happens when the politicians are in bed with private entities :3

That's what usually happens when the politicians are in bed with private entities :3

The only good-sounding part is "in bed"

good morning, humans, furries and other entities

hello

hope all of you is good

:D

what a badass

?

I arrived to Sochi. Got hotel room 404.

Funny part: I didn't find it initially. :D

Funny part: I didn't find it initially. :D

They knew a Convention of Hackers was around, eh? XD