Re: Linux and security
From: David (davidwnh_at_adelphia.net)
Date: 07/29/03
- Next message: Digi: "0wnz0r dialup"
- Previous message: DigitalElf: "Cryptoapi problem - remounting encrypted filesystem"
- In reply to: Johannes Halmann: "Re: Linux and security"
- Next in thread: Johannes H. Ahlmann: "Re: Linux and security"
- Reply: Johannes H. Ahlmann: "Re: Linux and security"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Tue, 29 Jul 2003 01:06:42 GMT
I agree that Linux specific viruses are less common because of market share,
however I think the necessity for AV software is what is being questioned
here. You need to put viruses, worms, and trojans in the same basket because
most of the AV software available deals with all three categories and much
of the current malware uses more than one method of propagation. There has
been no lack of exploits for Linux and the vast amount of software
available for the platform. In this day and age of the internet it seems
most of the newer self-propagating malware is in the form of worms
and trojans, so AV software is not categorically unnecessary in any case.
However if you look at "viruses" specifically, the propagation method
consists of the virus attaching itself to already existing files. So
although not running as root doesn't prevent the potential for viruses, it
does severely limit the ability a virus has to get unknowingly installed
and also the amount it can be propagated through one's system (unless it
uses an exploit to elevate its permissions). You need root level access on
a properly configured system to do the same level of harm that can be done
using any user on a Win9x system.
This is why I recommended file integrity software like tripwire or samhain.
These types of programs will spot changes made to any files on your system
that you wish to track. A well-configured file integrity monitor, along
with process monitoring and network tools, some of which are kept on a removable
disk, will catch at least the symptoms of a vast majority of malware. Not as
easy to configure, use, or analyze as AV software, so maybe a newbie would
benefit from a commercial AV package.
So the question is whether any currently available AV package for Linux
would be beneficial today or are the file integrity programs currently
available a better choice, and for which types of users and system usage?
I tend to think the file integrity monitors can catch more of the malicious
activity that is currently happening these days in regards to Linux. I have
read a lot of posts about people getting rooted in which AV software would
not have helped but file integrity monitors would have, but have seen
nothing to indicate that as of today Linux AV software has been beneficial
to your average user who is not running a mail, ftp, or samba server.
>
> i don't necessarily agree... viruses are less common on linux because its
> market share isn't yet big enough and perhaps more importantly because
> software (hopefully) mostly comes from some trusted channels and isn't
> software or even worse pirated software from some dingy download sites...
>
> but my point really is, that viruses don't have very much to do with the
> "root" user! every local user has a home directory and most certainly some
> kind of files that are valuable to him/her. if he then starts an
> executable (i.e. by automatically started downloads, etc) all these files
> can be tainted, infected, deleted, whatever!
It's all about blind trust no matter what OS you use. There are well
documented cases of trojan code getting into specific linux distros and
various program source and compilations from generally trusted download
sites. I suspect open source software is more susceptible to these problems
since businesses tend to be more accountable and identifiable as opposed to
a large portion of the global open source community. We are dealing with ftp
servers that can be compromised and signature schemes that are hard to use
and not much more trustworthy than unsigned code. There are plusses and
minuses for both open and closed source but both are vulnerable.
"Real education" of the average computer user will never happen. Most people
don't have the time or interest to deal with it and will always expect or
believe that it is the developer's or vendor's responsibility. Not the way I
look at things but there are a lot of home users in that camp. You have a
lot of vendors trying to tout Linux as being more secure than it truly is.
Most distros sacrifice some security for ease of use and installation as MS
has so there are a lot of users who don't realize their machine is not the
"fortress" that they are led to believe it is upon installation. And the
average home user will not be able to change this themselves until there
are more GUI configuration utilities included in the standard distros.
Most of what I currently see are automated scans and canned scripts looking
for and exploiting open services. When the next Linux virus hits in which
the AV definitions are updated before a configuration solution is found,
then maybe I'll start thinking AV software for Linux is worth the CPU
cycles.
> until now most users of linux/bsd/*nix are rather tech-savvy and know not
> to execute anything unless they know what it is, but with "normal" users
> rushing into these OSs the spreading of viruses will most certainly also
> begin on linux. that is, unless some REAL education about how to avoid the
> threat of virus infection is somehow distributed to the less professional
> users!
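A minimal version of the file integrity check the post recommends (in the spirit of tripwire or samhain), added here as an illustration and not code from the post or from either tool. It assumes a baseline of content hashes and ownership/mode metadata is taken first and kept off-box, then compared against a fresh snapshot later; the modified script and the unexpected new file are constructed for the demo.

```python
import hashlib
import os
import stat
import tempfile

def fingerprint(path):
    """Content hash plus the metadata a file infector would disturb."""
    st = os.lstat(path)
    digest = hashlib.sha256()
    if stat.S_ISREG(st.st_mode):          # skip symlinks, devices, etc.
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
                digest.update(chunk)
    return {"sha256": digest.hexdigest(), "mode": oct(st.st_mode),
            "size": st.st_size, "uid": st.st_uid, "gid": st.st_gid}

def snapshot(root):
    """Baseline every file under root; store the result off-box (removable disk)."""
    db = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            db[os.path.relpath(full, root)] = fingerprint(full)
    return db

def compare(baseline, current):
    """Report what differs from the baseline: the symptoms the post refers to."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "changed": sorted(k for k in baseline.keys() & current.keys()
                          if baseline[k] != current[k]),
    }

def demo():
    # Constructed scenario: a tracked script gets bytes appended and a new file appears.
    with tempfile.TemporaryDirectory() as root:
        bin_dir = os.path.join(root, "bin")
        os.makedirs(bin_dir)
        tracked = os.path.join(bin_dir, "ls")
        with open(tracked, "wb") as f:
            f.write(b"#!/bin/sh\nexec /bin/ls \"$@\"\n")
        baseline = snapshot(root)
        with open(tracked, "ab") as f:          # content changes, owner/mode do not
            f.write(b"# trailing bytes (constructed)\n")
        with open(os.path.join(bin_dir, "extra"), "wb") as f:
            f.write(b"unexpected new file")
        return compare(baseline, snapshot(root))
```

Because the comparison is against a stored baseline rather than a signature list, it flags the modified script without knowing anything about what modified it, which is the point the post makes about integrity monitors versus AV definitions.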