Re: Linux and security
From: Johannes H. Ahlmann (softpro_at_gmx.net)
Date: 07/29/03
- Next message: Carl: "Hiding files and encrypting stuff under Linux"
- Previous message: Bilbo Baggins: "Re: Security Tools RoundUp"
- In reply to: David: "Re: Linux and security"
- Next in thread: Michael Forster: "Re: Linux and security"
- Reply: Michael Forster: "Re: Linux and security"
- Reply: David: "Re: Linux and security"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Tue, 29 Jul 2003 10:13:25 +0200
> I agree that Linux specific viruses are less common because of market
> share, however I think the necessity for AV software is what is being
> questioned here.
well, that's NOT questioned by me... oh yeah, and don't top-post - it's so
hard to see what you are referring to.
> You need to put virus', worms, and trojans in the same
> basket
well, first you got to differentiate between them and THEN you can look at
all the different kinds of malicious code together and try to secure
yourselves against them.
> because most of the AV software available deals with all three
> categories and much of the current malware uses more than one method of
> propagation. There has been no lack of exploits for Linux and the vast
> amount of software available for the platform. In this day and age of the
> internet it seems most of the newer self-propagating malware seems to be
> in the form of worms and trojans so AV software is not categorically
> unnecessary in any case.
i don't know who said that AV software was unnecessary!
AV software can't really help against many forms of malicious source code,
nor can it decide whether an ftp-daemon should be allowed to open port xyz
as a trojan backdoor. i'm not saying that AV software is useless, but when
it comes to updating your system or installing software there are many
cases where AV heuristics CANNOT identify a threat! still the benefit of
identifying a single "attack" is worth the hassle in most cases. what
should not occur is false alarms which can get VERY annoying.
> However if you look at "virus'" specifically, the
> propagation method consists of the virus attaching itself to already
> existing files. So although not running as root doesn't prevent the
> potential from virus' it does severely limit the ability a virus has to
> get unknowingly installed and also the amount it can be propagated through
> one's system (unless it uses an exploit to elevate its permissions).
but people do (and more so will) want to install third-party software and
if they can't do it as user they will become root to do it! often enough
have i myself become root on my home machine and executed "untrusted"
install scripts, etc, because i didn't have the time or the nerve to look
through the whole code!
and for example it's no problem to execute a trojan as user that opens a
port > 1000 and have it start via .bashrc or similar scripts. thus the
trojan runs whenever you are logged in and not-root-access
suffices to cause some serious damage!
as i said, on one-user systems $HOME is much more valuable than the system
integrity!
> This is why I recommended file integrity software like tripwire or
> samhain. These types of programs will spot changes made to any files on
> your system that you wish to track. A well-configured file integrity
> monitor, along with process monitoring and network tools some that are
> kept on a removable disk will catch at least the symptoms of a vast
> majority of malware.
come on... this is a nice solution for a server and so forth, but don't you
think that this is a little over the top for your workstation? i find that
quite a hassle. it sure helps against various threats but i for
example run debian and tend to update my system at very regular intervals.
so, i'd have a hell of a job to discern what changes were appropriate and
what changes might imply malicious code...
> I tend to think the file integrity monitors can catch more of the
> malicious activity that is currently happening these days in regards to
> Linux.
if you catch a virus by installing software then you gotta sift through
millions of log-entries to see whether anything fishy happened. i've never
used tripwire or similar and i think it's a great idea for very static
systems that are not supposed to change, but with workstations i'm not so
sure.
if the virus got to you by an application exploit, it is gonna go to your
$HOME directory, which is the only files you should have write access to.
and usually people tend to change many things in their $HOME - it's called
work *g*. so here you gotta sift through thousands of logged changes again.
> It's all about blind trust no matter what OS you use. There are well
> documented cases of trojan code getting into specific linux distros and
> various program source and compilations from generally trusted download
> sites. I suspect open source software is more susceptible to these
> problems since businesses tend to be more accountable and identifiable as
> opposed to a large portion of the global open source community.
generally true, although many of the Open Source community don't like to
hear it :-). but companies are no magical institutions!! there have also
been several cases of virii burnt on application cds. that is a problem not
so much of the code itself but its online distribution. debian still does
not have its signature system running AFAIK and thus you have to trust it
actually IS a debian server you are getting your whole system from :-))
> "Real education" of the average computer user will never happen. Most
> people don't have the time or interest to deal with it and will always
> expect or believe that it is the developers or vendors responsibility.
well, you could say the same thing for car safety, but most people take a
genuine interest in keeping their car safe (tire pressure, oil, regular
check-ups, buckling up, slowing down when it rains heavily, knowing about
braking distance, etc). this is partly due to legislation and police
enforcement, but to a lesser extent due to people being informed about the
dangers and how to deal with them...
if there was a "driving license" for internet computer use, people might be
able to deal better with keeping their system SAFER and CARING about the
integrity of their files.
> a lot of users who don't realize their
> machine is not the "fortress" that they are led to believe it is upon
> installation. And the average home user will not be able to change this
> themselves until there are more GUI configuration utilities included in
> the standard distros.
yep, look at lindows that promises to be more secure than windows and then
runs root as only user!!!!
Johannes
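The thread argues over file integrity monitors (tripwire, samhain) and the objection that on a workstation every update and every bit of work in $HOME buries a real change under thousands of logged ones. The script below is an added illustration, not code from this thread, from tripwire or from samhain: a minimal baseline-and-compare checker that deliberately watches only the handful of files in a home directory that user-level persistence (the ".bashrc trojan" described above) would have to touch, so the report stays short enough to actually read. The watch list, the baseline file location and the fake home directory it builds are constructed assumptions for the demo.

```python
import hashlib
import json
import tempfile
from pathlib import Path

# Security-sensitive files under $HOME that user-level persistence would have
# to touch; watching only these keeps the change report small enough to read.
# Constructed watch list for the example, not a recommendation from the thread.
WATCHED_RELATIVE = (
    ".bashrc",
    ".bash_profile",
    ".profile",
    ".ssh/authorized_keys",
    ".ssh/config",
)


def file_digest(path: Path) -> str:
    """SHA-256 of a file's contents, read in chunks."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(home: Path, relative_paths=WATCHED_RELATIVE) -> dict:
    """Record digest, permission bits and size of each watched file that exists."""
    records = {}
    for rel in relative_paths:
        path = home / rel
        if path.is_file():
            stat = path.stat()
            records[rel] = {
                "sha256": file_digest(path),
                "mode": stat.st_mode & 0o777,
                "size": stat.st_size,
            }
    return records


def compare(baseline: dict, current: dict) -> dict:
    """Classify watched files as added, removed or modified since the baseline."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(
        rel
        for rel in set(baseline) & set(current)
        if baseline[rel]["sha256"] != current[rel]["sha256"]
        or baseline[rel]["mode"] != current[rel]["mode"]
    )
    return {"added": added, "removed": removed, "modified": modified}


def save_baseline(baseline: dict, path: Path) -> None:
    """Persist the baseline as JSON (in real use, store it where the watched user cannot rewrite it)."""
    path.write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(path: Path) -> dict:
    """Read a baseline written by save_baseline."""
    return json.loads(path.read_text())


def demo() -> dict:
    """Constructed scenario: baseline a fake home directory, alter it, report the diff."""
    with tempfile.TemporaryDirectory() as tmp:
        home = Path(tmp)
        (home / ".bashrc").write_text("export PATH=$HOME/bin:$PATH\n")
        (home / ".ssh").mkdir(mode=0o700)
        (home / ".ssh" / "authorized_keys").write_text(
            "ssh-ed25519 CONSTRUCTED-KEY-MATERIAL user@example\n"
        )
        baseline_file = home / "baseline.json"  # constructed location for the demo
        save_baseline(snapshot(home), baseline_file)

        # Changes a later check should flag: a line appended to .bashrc and a
        # new .profile appearing, while authorized_keys stays untouched.
        with (home / ".bashrc").open("a") as handle:
            handle.write("# constructed: line appended after the baseline was taken\n")
        (home / ".profile").write_text("# constructed: new startup file\n")

        report = compare(load_baseline(baseline_file), snapshot(home))
        for kind, files in report.items():
            for rel in files:
                print(f"{kind}: {rel}")
        return report


if __name__ == "__main__":
    demo()
```

Running it prints `modified: .bashrc` and `added: .profile` and nothing else, which is the point: a watch list scoped to startup files and SSH configuration does not report the ordinary churn of working in $HOME, so a change there is worth a look every time. Permission bits are compared alongside the digest because a file becoming world-writable is as relevant as its content changing.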