-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Sunday 12 January 2003 08:43, Kevin Anderson wrote:
> Lindows selling on Walmart PCs would be one.  Like it or not, that is
> Linux, and its target is inexperienced users.  

this is indeed troublesome. however, i predict that this will not be a 
long-term trend. lindows is the only (semi-)well-known linux system that does 
that, and it still has a tiny % of the already pretty small linux desktop 
market. other distros that come preinstalled (including Walmart's) don't 
promote running as root and users manage just fine... 

i don't think lindows will survive the long haul, either. it's entered quite 
early, doesn't have the level of name recognition and visibility others do 
and is far too cruddy of a product. also, successful desktop linux will 
likely debut in the corporate and government arenas where they won't be as 
susceptible to "well, it sounds like 'windows' and comes on a walmart pc! it's 
good enough for me!"

of course, if lindows does survive but remains a fractional player in the 
Linux desktop (which in turn will be a fractional player of the entire 
desktop market) then things are still ok (not great, but ok) since one of the 
prerequisites for a successful virus vector is a large number of similarly 
vulnerable systems, otherwise the virus dies out.

between the various linux distros, windows and mac systems, viruses and their 
ilk will likely have a harder and harder time wreaking havoc in the future. 
the reproliferation of choice in various software packages (including web 
browsers and office suites) also hurts what viruses (and worms) will be 
capable of. the biggest reasons we have such horrible problems with viruses 
and worms are a lack of diversity and traditionally poor security practice in 
writing software; both trends are in reversals now though. 

look at how little damage the last few linux worms actually did to see the 
results of these new trends. it's sort of like a virus that kills mexican 
parakeets. it may wipe out a good percentage of the dozen or so mexican 
parakeets in town, but the rest of the birds will be fine and the virus will 
run out of steam pretty quick. things will go less well down in mexico, but 
overall the impact will be lower. with a lower overall impact, the impetus 
for such mayhem drops and there will be less black-hat interest in such 
inanity. if nothing else, i'd expect a surge in more traditional direct 
cracking efforts.

time will tell, though.

> Even with Red Hat, or
> something else, most inexperienced users will sign in as root, because they
> don't know about su (or sudo), and don't care about the side effects.  This

i'd be interested in seeing the numbers on this.

judging by my interaction with people both in the real world and on irc 
running as root seems to be the minority situation even for new users. this 
is probably due to the fact that the defaults in most distros are to run as a 
user and that there is little need to run as root these days (everything you 
need to do as root as a normal user prompts you for a password, is suid or 
sudo'd)

with distros such as mandrake offering autologin by default, the user doesn't 
even get a chance to choose to login as root when they first switch on the 
system. this is similar to the situation in mac osx, where pretty much nobody 
logs in as root from my experience despite it having the exact same issues.

defaults and convenient access to root privileges are the key.

> As previously stated, Administrator is probably the most common user (or
> users given admin equiv) in Windows.  I don't foresee this changing when
> Linux becomes more popular with less technical users.

less technical users will use whatever they are given. it's the people in the 
middle that scare me, as they often know enough to get around defaults but 
not enough to know when not to.

> Having patches/fixes available, and having fixes in place are two VERY
> different things.

agreed. which is why the newest batch of autoupdating tools are SO important. 
and unlike some company's update systems, these linux based systems rely on 
cryptographic signatures to ensure the health of the packages they download.

> > i think perhaps we're talking about different issues. i'm talking about
> > viruses, and you're speaking about worms (and viruses). but they are
> > completely different animals.
>
> Sure, but both are addressed by Anti-virus software, so I'll lump them
> together.

no they aren't. explanation below:

> > antivirus type software isn't effective in stopping worms, though...
>
> Why not?  I'm far more likely to update an Antivirus DAT file in an
> automated procedure than I am to update an entire system.  I don't care if
> it's Debian, Red Hat, Suse or Gentoo.  I wouldn't run an automated update
> for any of them in an evening procedure.  Maybe, MAYBE on a desktop, but
> even then, I'd run it on one desktop, not across a corporation.
>
> Any time the OS loads a file, it should be scanned for known sigs.  If it
> matches, the file is shut down.  Virus, worm, rootkit, whatever, it should,
> and does work against them all.

worms work primarily over the network. the executable never hits your machine 
until it's too late and it's already done its damage. this is why scanning 
for files already on your system is pretty much useless against worms. the 
same is true for rootkits.

one defense is to know the request signatures of some exploits and filter all 
network traffic through such a system. however, the signatures of a remote 
(or even local) exploit are trivial to modify (even automatically) unlike 
those for a virus.

additionally, many of the exploits that a worm will take advantage of don't 
really have a signature: a perfectly legitimate network request that is 
mishandled by the service in question may open the door for the worm. once on 
the system, the worm will likely have a very free hand and can counteract 
pretty much anything you do. due to the unique self-mobility of worms (vs 
viruses which almost always require some human element, e.g. checking your 
email) worms can vector with extreme rapidity. by the time any (pretty much 
useless) signature file could be updated on the vendor's site a worm can 
easily have hit you and gone.

ergo, worms and viruses can not and are not combatted by the same sorts of 
tools.

as for rootkits, well... those are put in place (and usually hidden) after the 
compromise has occurred. and once root access is had, pretty much any defense 
the system has is circumventable and already too late.

i'm sure cade or one of the other security professionals in the group will 
correct me if i'm wrong.

> Chances of me getting a worm/virus/trojan/etc before a signature file is
> released is far less likely than the chances of me botching something up
> with a new deb/rpm/etc.

botch something with a new package? hrm... then your distro isn't doing proper 
QA. i've yet to have a security update package botch anything in a system in 
the last few years. this isn't like new functionality is being installed, 
it's the same package you already have installed with a few patches applied 
and recompiled.

> Look what happened when Clinton's
> infidelity became public.  Imagine that happening now...

hehe... well, clinton's infidelity is trivial compared to Visa's online 
transaction services. or Ameritrade's trading servers. or sun's R&D systems. 
or...

those are the sorts of targets the seriously talented people go after, which 
is why there is so little creativity seen in the virus writing world. 

interesting tidbit that's semi-related: it was a compromise of sun's R&D 
network that led to some otherwise fairly unskilled (but very diligent) 
people learning of a hole in sendmail that was being kept hush-hush while a 
fix was being formulated that allowed them to take over many core pieces of 
Internet infrastructure in the early 90s.

those are the sorts of targets that attract the truly capable black hats.

- -- 
Aaron J. Seigo
GPG Fingerprint: 8B8B 2209 0C6F 7C47 B1EA  EE75 D6B7 2EB1 A7F1 DB43

"Everything should be made as simple as possible, but not simpler"
    - Albert Einstein
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQE+Ikgq1rcusafx20MRAnQdAJ9V+6kCvKf+ZX4W8b3CH6VJ0OoQNACfSCrQ
PJmp0yC5bNkiEJrmpzg+Mxw=
=ro2K
-----END PGP SIGNATURE-----
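The point Aaron makes about auto-update tools relying on cryptographic signatures "to ensure the health of the packages they download" is worth seeing in working code. The following Go program is an added illustration, not part of the original thread and not the code of any distribution's package manager: it models a release system signing a package's SHA-256 digest with an Ed25519 key, and an update client that refuses to install unless the detached signature verifies against a pinned public key. The package bytes, the key pair and the function names (`signPackage`, `verifyPackage`, `checkScenarios`) are all constructed for the example; real package tools use GPG/OpenPGP keys and repository metadata, but the verify-before-install logic is the same.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Constructed stand-in for a downloaded package; not a real .deb or .rpm.
var samplePackage = []byte("constructed-package-bytes: example security update 1.0-1")

// SignedPackage is what a repository serves: the payload plus a detached
// signature over the payload's SHA-256 digest.
type SignedPackage struct {
	Data      []byte
	Signature []byte
}

var errBadSignature = errors.New("package signature does not verify; refusing to install")

// signPackage models the distro's release system: hash the package and sign
// the digest with the release private key (hypothetical helper name).
func signPackage(priv ed25519.PrivateKey, data []byte) SignedPackage {
	digest := sha256.Sum256(data)
	return SignedPackage{Data: data, Signature: ed25519.Sign(priv, digest[:])}
}

// verifyPackage models the client's update tool: recompute the digest of the
// bytes actually downloaded and check the signature against the pinned
// release public key. Anything that fails is not installed.
func verifyPackage(pub ed25519.PublicKey, pkg SignedPackage) error {
	digest := sha256.Sum256(pkg.Data)
	if !ed25519.Verify(pub, digest[:], pkg.Signature) {
		return errBadSignature
	}
	return nil
}

// checkScenarios exercises the three cases an update client must get right:
// a genuine package verifies, a tampered download is rejected, and a package
// signed by some other key (not the pinned release key) is rejected.
func checkScenarios() (genuineOK, tamperedRejected, wrongKeyRejected bool, err error) {
	releasePub, releasePriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, false, false, err
	}
	otherPub, _, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, false, false, err
	}

	pkg := signPackage(releasePriv, samplePackage)
	genuineOK = verifyPackage(releasePub, pkg) == nil

	// Simulate a corrupted or maliciously altered download: flip one byte.
	tampered := SignedPackage{Data: bytes.Clone(pkg.Data), Signature: pkg.Signature}
	tampered.Data[0] ^= 0x01
	tamperedRejected = verifyPackage(releasePub, tampered) != nil

	// A valid signature from the wrong key must not be trusted either.
	wrongKeyRejected = verifyPackage(otherPub, pkg) != nil
	return genuineOK, tamperedRejected, wrongKeyRejected, nil
}

func main() {
	genuineOK, tamperedRejected, wrongKeyRejected, err := checkScenarios()
	if err != nil {
		fmt.Println("key generation failed:", err)
		return
	}
	fmt.Println("genuine package verifies:     ", genuineOK)
	fmt.Println("tampered package rejected:    ", tamperedRejected)
	fmt.Println("wrong-key signature rejected: ", wrongKeyRejected)
}
```

The design choice that matters is in `verifyPackage`: the client hashes what it actually received, never a digest supplied alongside the download, so a mirror or man-in-the-middle that alters the payload cannot also "fix" the digest without the release private key. The public key is pinned on the client ahead of time, which is exactly why the update channel can be automated with confidence.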
