> less technical users will use whatever they are given. it's the people in the
> middle that scare me, as they often know enough to get around defaults but
> not enough to know when not to.

Easy, you're talking about me there... :)

> worms work primarily over the network. the executable never hits your machine
> until it's too late and it's already done its damage.

I don't agree with this. Most worms run code, and before it can run, it needs to be loaded by the OS. And antivirus should step in at that point. At least in theory.

> additionally, many of the exploits that a worm will take advantage of don't
> really have a signature: a perfectly legitimate network request that is
> mishandled by the service in question may open the door for the worm. once on
> the system, the worm will likely have a very free hand and can counteract
> pretty much anything you do. due to the unique self-mobility of worms (vs
> viruses which almost always require some human element, e.g. checking your
> email) worms can vector with extreme rapidity. by the time any (pretty much
> useless) signature file could be updated on the vendor's site a worm can
> easily have hit you and gone.

Slapper ran code. Lion ran code. It didn't come and go; it came, and sat running, and running, and running. AV software could and would catch it. The transfer of the code to the system may be undetected originally, but it would be caught when it tried to run (excepting a rootkit). How many machines are still running Slapper, for example? And will until it is cleaned from their system.

Even if I accept that a worm moves faster than AV updating a DAT file (and I'm not sold on that), I'd still rather see the issue resolved by AV software 10 days after the initial attack than not at all.

> as for rootkits, well... those are put in place (and usually hidden) after the
> compromise has occurred. and once root access is had, pretty much any defense
> the system has is circumventable and already too late.

Rootkits are cool. I played with a Windows rootkit once, and it was the coolest thing I had ever seen.

Linux has Tripwire, which may not prevent a rootkit from being installed, but it should help detect its presence after the fact. Windows has nothing that I'm aware of. Though I think rootkits are less common on Windows than Linux.

> botch something with a new package? hrm... then your distro isn't doing proper
> Q&A. i've yet to have a security update package botch anything in a system in
> the last few years. this isn't like new functionality is being installed,
> it's the same package you already have installed with a few patches applied
> and recompiled.

I updated an RPM for RH7.2 a few months ago, and it kiboshed the admin tools for my mail server. Nothing serious, but it was annoying... Apache was updated, and it rendered some links to our webserver invalid (it deleted the links (ln -s linkname), not the pages). Sure, that affects only me, but both the mail package and the RPM were developed specifically for that version of Red Hat.

> hehe... well, clinton's infidelity is trivial compared to Visa's online
> transaction services. or ameritrade's trading servers. or sun's R&D systems.
> or...

Sure, but I'm saying they should develop something that INTERESTS me. You're bang on that most attacks are rehashes of the same old thing. I want something that makes me think. Something challenging. I'm in over my head on this project again though. So I don't want them to do it just yet... :)

Kev.
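The Tripwire-style after-the-fact check mentioned above, as an added example that is not Tripwire's code and not part of the original thread: a small Python file-integrity monitor that records a SHA-256 digest, size and permission bits for every regular file under a directory, stores that baseline as JSON, and later diffs a fresh scan against it. The scenario in demo() (a fake /bin of ls, ps and login; a "rootkit" replacing ps, planting a setuid backdoor, deleting login and setting the setuid bit on ls) is constructed here purely to exercise the check. The caveat the post itself raises applies: once an attacker has root, a kernel-level rootkit can hide files or lie to stat(), and no user-space scan will see through that, which is why the baseline belongs offline and the verify run belongs on trusted media.

```python
"""Tripwire-style file-integrity check (added example; not Tripwire's code).

Baseline: SHA-256, size and permission bits for every regular file under a
directory.  Verify: rescan and diff against the stored baseline.  Replaced,
added or deleted files and planted setuid bits show up; files hidden by a
kernel rootkit do not (constructed demo below).
"""
import hashlib
import json
import os
import shutil
import stat
import tempfile


def fingerprint(path):
    """Return digest/size/mode for one file, hashing in 64 KiB chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    st = os.lstat(path)
    return {"sha256": h.hexdigest(), "size": st.st_size,
            "mode": stat.S_IMODE(st.st_mode)}


def build_baseline(root):
    """Walk root and fingerprint every regular file; symlinks are skipped."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if not os.path.islink(path) and os.path.isfile(path):
                baseline[os.path.relpath(path, root)] = fingerprint(path)
    return baseline


def save_baseline(baseline, dest):
    with open(dest, "w") as fh:
        json.dump(baseline, fh, indent=1, sort_keys=True)


def load_baseline(src):
    with open(src) as fh:
        return json.load(fh)


def compare(baseline, current):
    """Diff two fingerprint maps into sorted added/removed/changed lists."""
    base_keys, cur_keys = set(baseline), set(current)
    changed = sorted(k for k in base_keys & cur_keys
                     if baseline[k] != current[k])
    return {"added": sorted(cur_keys - base_keys),
            "removed": sorted(base_keys - cur_keys),
            "changed": changed}


def demo():
    """Constructed scenario (hypothetical): fake /bin, then a 'rootkit'."""
    root = tempfile.mkdtemp()
    store = tempfile.mkdtemp()        # stands in for offline baseline media
    try:
        for name in ("ls", "ps", "login"):
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(b"#!/bin/sh\necho " + name.encode() + b"\n")
        base_file = os.path.join(store, "baseline.json")
        save_baseline(build_baseline(root), base_file)

        # simulated compromise: trojaned ps, new setuid shell, login removed,
        # setuid bit planted on an otherwise untouched ls
        with open(os.path.join(root, "ps"), "wb") as fh:
            fh.write(b"#!/bin/sh\n/bin/ps.orig | grep -v evil\n")
        with open(os.path.join(root, "backdoor"), "wb") as fh:
            fh.write(b"#!/bin/sh\nexec /bin/sh\n")
        os.chmod(os.path.join(root, "backdoor"), 0o4755)
        os.remove(os.path.join(root, "login"))
        os.chmod(os.path.join(root, "ls"), 0o4755)

        return compare(load_baseline(base_file), build_baseline(root))
    finally:
        shutil.rmtree(root)
        shutil.rmtree(store)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Running the block prints the three categories; ls appears under "changed" even though its bytes are identical, because the permission bits are part of the fingerprint. On a real system the baseline must be built right after a clean install and kept where a compromised host cannot rewrite it.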
