FemmeFatale wrote:
> Miark wrote:
>
>> Sure--put it to the list.
>>
>> Miark
>>
>> On Wed, 2002-05-15 at 12:55, FemmeFatale wrote:
>>
>>> Miark wrote:
>>>
>
>>>>>> Miark
>>>>>>
>>>>> Remind me sometime to remove winblows K? :) For now I enjoy the dual
>>>>> boot but if things keep going this way I'm gonna just give up.
>>>>>
>>>>> Btw, explain why something like that wouldn't work on Linux?
>>>>>
>>>> I don't think it's as easy to hide processes in Linux as it is in
>>>> Winsux. That is, I think it may be easy to hide items from "Task
>>>> Manager", but I don't think it's nearly as easy to hide things
>>>> from ps, top, and the like.
>>>>
>>>> 'Course, I could be dead wrong.
>>>>
>>>> Miark
>>>>
>>> Hm... question for the list you think? Thx for the "food for thought".
>>> --
>>> Femme
>>>
>
> OK anyone got an answer to the above Question Miark & I were tossing
> around on that windows product that spies on you?
>

Well, first of all, it has to be installed. Either it gets started at boot by initscripts (privileged edit), by a cron job (listable and requiring at least a privileged edit) or someone has to start it. Clearly the last option makes the use obvious.
It would remain detectable to ps, top, find, slocate, ls, etc. unless these programs were modified specifically to ignore it (a rootkitting exercise to conceal an external crack). In fact every binary that could list processes and might be called by any of the monitoring programs would have to be modified. To store modified copies of binary executables in the standard execution paths, /bin /usr/bin /sbin and /usr/sbin, ALL require write privileges to those directories and for those files.

[root@v5 tester]# ll /bin/ps
-rwxr-xr-x 1 root root 62424 Feb 27 05:31 /bin/ps*
[root@v5 tester]#
[root@v5 sbin]# ll /usr/bin/top
-rwxr-xr-x 1 root root 36504 Feb 27 05:31 /usr/bin/top*
[root@v5 sbin]#

OK it should be obvious that to conceal the spyware, you have to be root. SO the question comes down to, "How does one sneak in a root-privileged program to spy on the users and to conceal its activities?" The "hard-to-impossible" answer is to use a remote access root exploit in the remarkably short time between discovery and patch (if the exploit isn't anticipated and fixed before announcement), which is OK for the casual blackhat cracker but not for the commercial exploiter who needs a reliable way of distributing his poison to satisfy his merchant clients. The easy answer is to approach someone like MS and have the company use its muscle in offering a "special relationship" to one of the hardware vendors that makes attractive hardware and have a binding non-disclosed contract to install the spy and rootkit binary in its binary-only driver for linux. In that way, linux is deposed as having better security, making MS happy; the merchants get their marketing data and are happy; the spyware producer gets paid and is happy; and the linux users do all the dirty work to themselves by installing binary-only drivers and are happy because their super hardware works fully functionally under linux.
So, everyone is happy in this scenario, unless someone happens to restore /bin from a backup and gets a nasty surprise about a phone-home sitting in the kernel processes. If you think it cannot happen... Think again, and remember the stolen homework that became Excel, the plagiarized DOSes, the Nantes Commercial Court findings, the Ztore that was linux/Samba and was billed as secret and proprietary network storage devices.... It happens all the time. The question is not _if_ but _When_ and _Who_. As long as users buy hardware and accept binary-only drivers, linux is as vulnerable to the installation of spyware as any other system. Most likely it will be a winmodem driver, but it could be a video card or it may already have been a high-level sound card.

Civileme
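The two detection ideas in the message above (a trojaned ps/top still has to coexist with the kernel's own /proc listing, and a modified /bin/ps differs from the copy on backup media) as a small added check script; this is example code written for this thread, not anything posted by Civileme or shipped by Mandrake. It assumes a Linux /proc and a procps-style ps that accepts "-e -o pid=", and the BASELINE digests are placeholders to be filled from trusted media.

```python
import hashlib
import os
import subprocess


def pids_from_proc(proc_root="/proc"):
    """PIDs the kernel exposes directly, without going through ps or top."""
    return {int(d) for d in os.listdir(proc_root) if d.isdigit()}


def parse_ps_pids(ps_output):
    """Parse the text of `ps -e -o pid=` into a set of PIDs."""
    return {int(tok) for tok in ps_output.split() if tok.isdigit()}


def pids_from_ps():
    out = subprocess.run(["ps", "-e", "-o", "pid="],
                         capture_output=True, text=True, check=True).stdout
    return parse_ps_pids(out)


def hidden_pids(proc_before, ps_pids, proc_after):
    """PIDs present in /proc both before and after ps ran, yet missing from
    ps output. Requiring both snapshots drops processes that merely started
    or exited during the check, so only a persistently hidden PID is flagged."""
    return sorted((proc_before & proc_after) - ps_pids)


def sha256_bytes(data):
    return hashlib.sha256(data).hexdigest()


def sha256_file(path):
    with open(path, "rb") as f:
        return sha256_bytes(f.read())


def verify_binaries(baseline):
    """Return the paths whose digest differs from the known-good baseline
    (recorded at install time or read from backup media), or that are missing."""
    return [p for p, digest in baseline.items()
            if not os.path.exists(p) or sha256_file(p) != digest]


if __name__ == "__main__":
    before = pids_from_proc()
    ps_seen = pids_from_ps()
    after = pids_from_proc()
    print("PIDs in /proc but hidden from ps:", hidden_pids(before, ps_seen, after))
    # Placeholder digests: take them from trusted media, never from this host.
    BASELINE = {"/bin/ps": "<sha256 from backup>", "/usr/bin/top": "<sha256 from backup>"}
    print("Binaries differing from baseline:", verify_binaries(BASELINE))
```

A userland rootkit that patches ps and top cannot alter what /proc reports, so the first check catches that class; a kernel-level hook can lie to both, which is why the digest comparison against an offline copy is the stronger of the two.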
Want to buy your Pack or Services from MandrakeSoft? Go to http://www.mandrakestore.com
