On Sun, 2 Jun 2002 23:38:05 -0700
James <[EMAIL PROTECTED]> wrote:

> I've been watching how this thread progressed.  I've noticed two pieces
> of FUD that keep appearing.
> 
> 1. The assumption that a virus writer wouldn't know that he/she needs to
> be root to do real damage and that he/she won't do just that.  Don't
> give yourself a sense of false security here.  All they need to do is
> have a line appended to passwd and shadow (yes, even MD5 is vulnerable
> here, all it takes is some math) and they have a new user that has UID
> 0 and they don't even need to be root.  Remember, they are in your box.
> Harden it all you want to the outside.  Your vulnerability is when they
> are inside.  (Oh, and we did this recently to a Linux box that the user
> had forgotten the root password on.  For reasons it couldn't be shut
> down.  If we had, it would never boot again.  We didn't have a spare to
> mount the disk on, so I used a friend's tool to append a new user to
> passwd and poof, root2 was now UID 0.)
> 
> 

OK, OK, but to have a line appended to passwd and shadow, don't you
need to be root in the first place?

> 2. That backups cure all ills.
> 
>   True if I have a desktop that never moves, and I have hard copy
> backups disassociated from my LAN (tape, CD-ROM, etc.) that are guaranteed
> to be free of the virus, and the virus lives in user land where it can be
> found.  A backup is useful.  What if the virus lives in the MBR?  MBRs
> are usually written to during an install, but not wiped and written
> over.  (Don't ask me how I know this is a great place to put a virus
> .... just trust me.)  What if the virus infected your box 2 months ago
> and is just now activating?  How far back do I go in backups?  If it was

Well, if you are REALLY paranoid about the MBR you can set a job on bootup to clean it up
with simple fdisk/lilo commands...

> just the OS I wouldn't care.  OSes can be recreated in a reasonable
> amount of time.  DATA is the key.  If I just restore from a backup .....
> how much do I lose?  When did I get the virus?  Do I lose a week, a month,
> a year of data?  (Get Chernobyl the day after the anniversary and it will
> wait a year to activate.)  Backups, although a great idea, are a false
> sense of security.  Not to mention that, since my backup is currently
> about 12 gigs of data, it takes me about 8 hours to restore.  (It has to
> move over a LAN as the tape is on another box, and yes.... 13 of them.)
> Let's see, at a 150 bucks an hour consulting rate I'm losing 1200 dollars
> just in time spent restoring.  (Can't do work till I get the data back.)
> 
>   Then if I'm on the road with my laptop and a virus activates.... how
> do I restore?  The presentation before the customer is in 3 hours.  My

...let's just call that a bad day.  A REALLY bad day.  Almost a WINDOWS day.

> box just went sideways because of a virus.  (Caught it when I connected
> to the LAN at the last customer's office.  They run Windows and this is a
> dual-effect virus.)  I'm in Philly and my backup is in Memphis.... Move
> several gigs of data over a hotel phone line?  Yeah right....
> 
>   The only answer is to realize that Linux is vulnerable.  It's just not
> as popular an OS for script kiddies and the script kiddie tool writers to
> use.  Remember folks, the first worm was a Unix worm.  The first virus I
> know of ran on Honeywell mainframes.  And it wasn't networked.  They
> didn't read e-mail on it, and all someone did was load a data tape
> received from our best customer.  (Actually it took 3 tapes.  Loaded

Nobody is saying viruses are impossible on Linux/Unix. It's simply
harder to do it. Not seeing it is being blind. To make a virus/worm
that is equally effective in Windows as in Linux, it takes 50 times
more skill, time, knowledge, luck, and most of all you have to rely on
VERY stupid people, more than you can think of..

Setting permissions is so simple. You don't even have to split it
into a "to root or not to root" problem. You can define groups so you
can protect data by denying access while still not using the root
account to do so..

> weeks apart; each one contained, unknown to the customer, a piece of the
> virus stored in the leftover space in partially used data blocks so
> that we couldn't see a size change from what was expected.  When part 3
> came in it looked for 1 and 2 and re-assembled itself.)
> 
>   I apologize a little bit here.  Didn't want to shake the tree and
> start a war.  But I do care enough about fscking the "blackhats" that
> the occasional wake-up call for those of us who respect each other, and
> their data (which is a lot of why we use Linux/BSD et al), is needed.
> My wife just got a virus sent to her that had already been through at
> least 3 other anti-virus programs.  (My MailScanner caught it so no harm
> to me.)  We don't need a patch, gentlemen, we need a plan.

Uhm.... what do you mean "we don't need a patch"?
It's obvious, on every OS the threat of losing data exists.
But then, let's not put all the eggs in the same basket.

<MHO>

The "Linux is safer for now because it is less popular" line of thought
is far too simplistic and WRONG. An operating system enforcing
permissions-based security is tougher to crack. Even more so being
open-source.. solutions to these problems can be issued at a speed
that would render most viruses ineffective only hours after they're
discovered. Patch the source, recompile, and go.

Yeah, and I know what you are thinking: "if someone downloads an
email that contains an attachment that upon execution........"

Yes, that's true, but idiot-based traps are always going to
exist, secure OS or no secure OS.

</MHO>


Damian
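Two defensive follow-ups to points raised in this exchange, as an added example that is not code from either poster: the "append a root2 line to passwd and shadow" scenario James describes can be caught by auditing the account databases for extra UID 0 entries, empty password hashes and passwd/shadow mismatches (and by checking that passwd and shadow are not writable by anyone but root, which is what the question "don't you need to be root in the first place?" hinges on); and the group-based protection Damian mentions is a chgrp plus a 2770 mode on the data directory, needing no root for a directory you own. The SAMPLE_PASSWD and SAMPLE_SHADOW contents and their hashes are constructed for the demonstration.

```python
"""Added example: audit passwd/shadow for an appended UID 0 account, check the
account-file modes, and lock a data directory to one group without root.
SAMPLE_PASSWD / SAMPLE_SHADOW are constructed test data with fake hashes."""
import os
import stat
import tempfile

# Constructed passwd file: one normal user plus the "root2" backdoor entry.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
damian:x:1000:1000:Damian:/home/damian:/bin/bash
root2:x:0:0::/root:/bin/bash
"""

# Constructed shadow file; root2 has an empty hash, so any password works.
SAMPLE_SHADOW = """\
root:$1$constructed$notarealhash0000000000:11840:0:99999:7:::
daemon:*:11840:0:99999:7:::
damian:$1$constructed$notarealhash1111111111:11840:0:99999:7:::
root2::11840:0:99999:7:::
"""


def _records(text):
    """Yield the colon-split fields of each non-blank, non-comment line."""
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            yield line.split(":")


def audit_accounts(passwd_text, shadow_text):
    """Return a sorted list of (finding, account) tuples for passwd- and
    shadow-format contents (feed it the text of /etc/passwd and /etc/shadow)."""
    findings = set()
    passwd_names, shadow_names = set(), set()
    for rec in _records(passwd_text):
        if len(rec) != 7:
            findings.add(("malformed-passwd-line", rec[0]))
            continue
        name, pw, uid = rec[0], rec[1], rec[2]
        if name in passwd_names:
            findings.add(("duplicate-name", name))
        passwd_names.add(name)
        if not uid.isdigit():
            findings.add(("malformed-uid", name))
        elif int(uid) == 0 and name != "root":
            findings.add(("uid0", name))            # the "root2" trick
        if pw == "":
            findings.add(("empty-password", name))  # no password at all
        elif pw not in ("x", "*"):
            findings.add(("hash-in-passwd", name))  # hash outside shadow
    for rec in _records(shadow_text):
        if len(rec) != 9:
            findings.add(("malformed-shadow-line", rec[0]))
            continue
        name, pw_hash = rec[0], rec[1]
        shadow_names.add(name)
        if pw_hash == "":
            findings.add(("empty-password", name))
    for name in passwd_names - shadow_names:
        findings.add(("missing-shadow", name))
    for name in shadow_names - passwd_names:
        findings.add(("shadow-only", name))
    return sorted(findings)


def check_mode(label, st_uid, st_mode):
    """Flag ownership/mode problems for an account database file, given the
    raw st_uid and st_mode from os.stat(); label is "passwd" or "shadow"."""
    problems = []
    if st_uid != 0:
        problems.append((label, "not-owned-by-root"))
    if st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append((label, "group-or-world-writable"))
    if label == "shadow" and st_mode & stat.S_IRWXO:
        problems.append((label, "world-accessible"))
    return problems


def restrict_to_group(path, gid):
    """Make path a group-private data directory: group gid, setgid so new
    files inherit it, rwx for owner and group, nothing for others (2770).
    Needs no root for a directory you own if gid is one of your groups.
    Returns the resulting permission bits."""
    os.chown(path, -1, gid)                       # -1 leaves the owner alone
    os.chmod(path, stat.S_ISGID | stat.S_IRWXU | stat.S_IRWXG)
    return stat.S_IMODE(os.stat(path).st_mode)


def demo_restrict():
    """Apply restrict_to_group() to a throwaway directory using the caller's
    own primary group, so the demo runs unprivileged; returns the mode bits."""
    path = tempfile.mkdtemp(prefix="groupdata-")
    try:
        return restrict_to_group(path, os.getgid())
    finally:
        os.rmdir(path)


if __name__ == "__main__":
    for finding in audit_accounts(SAMPLE_PASSWD, SAMPLE_SHADOW):
        print("finding:", *finding)
    print("demo directory mode: %o" % demo_restrict())
```

On a real system the audit takes the contents of /etc/passwd and /etc/shadow (reading shadow itself needs root), and check_mode takes the st_uid and st_mode of those files; a passwd that is writable by group or others is exactly the condition under which an unprivileged process can append the extra UID 0 line without ever being root.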
