[opensuse] Re: A BIG "show stopper" for openSUSE at the corporate level anyway!!
On Thu, 10 Jul 2008 01:25:00 +0200, Carlos E. R. wrote:
But if those things have to be initiated by the user - just like a virus - then why do we need AA? We didn't need it 5 years ago, right?
AA is initiated by the admin, not the user. It does not protect programs, but services.
And services are....*programs*, right?
Yes, but not any program. AA would be very difficult to apply, say, to oowriter.
Sure, that's kinda the point. AA does a very good job for what it's designed for; protecting documents isn't what it's designed for. There are a couple of cross-platform macro viruses, including one (proof of concept, I know) for OpenOffice.
For example, if postfix is compromised and suddenly wants to create a new user (write to /etc/passwd), the profile will not allow it.
Sure. And how exactly would Postfix decide to do something like this? Wouldn't it have to run some sort of executable code to do something like this - something that's not in its normal behaviour patterns to do?
It could be in memory, a buffer overflow hack. It could be the main program or a child. Not important.
But it is important. Many people here are saying "you have to explicitly make the file executable before running it" - but a buffer overflow or something similar is a way around that without the user knowing. Then the thing attaches itself to a file already flagged executable - or writes itself out to the filesystem and makes itself executable. No user intervention needed.
This is something an antivirus will not detect and avoid, unless it is a previously known _binary_ pattern.
Yes. And there is value in looking for *known* threats. rkhunter works based on previously known patterns, not the unknown. Or are you saying that we should kill off rkhunter as well because it only looks for known threats?
No, I'm pointing out the difference and the difficulty. Searching for patterns will seldom protect against new types of attacks.
It doesn't hurt to focus on the *known* types of attacks. Is it hard to protect against new types of attacks? Sure. Has that ever stopped the Linux community? Not that I know of. That doesn't reduce the value of looking for *known* threats. If you know someone's going to commit an armed robbery, you don't say "oh, it's a known threat, I don't have to deal with it". You call the police and you *deal* with the threat.
AA was designed for Linux and for the kinds of attacks Linux suffers. The antivirus were designed for the attacks Windows suffers.
And it's fair to say that Linux will never ever ever *ever* suffer the type of attacks Windows suffers? *ever*?
I have been seeing that argument for at least ten years, and it hasn't happened.
Absence of evidence is not evidence of absence. Again, can you *guarantee* it will *never ever happen*? Jim -- Jim Henderson Please keep on-topic replies on the list so everyone benefits -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org
The Thursday 2008-07-10 at 16:02 -0000, Jim Henderson wrote:
For example, if postfix is compromised and suddenly wants to create a new user (write to /etc/passwd), the profile will not allow it.
Sure. And how exactly would Postfix decide to do something like this? Wouldn't it have to run some sort of executable code to do something like this - something that's not in its normal behaviour patterns to do?
It could be in memory, a buffer overflow hack. It could be the main program or a child. Not important.
But it is important. Many people here are saying "you have to explicitly make the file executable before running it" - but a buffer overflow or
I mean it is not important whether it is the main program or its siblings that are hacked.
something similar is a way around that without the user knowing. Then the thing attaches itself to a file already flagged executable - or writes itself out to the filesystem and makes itself executable. No user intervention needed.
Notice that AA will protect against an attack made in the memory image, with the binaries of the affected program not modified. I.e., it watches for variations in the behavior of the service, not for what code it contains. It is different.
AA was designed for Linux and for the kinds of attacks Linux suffers. The antivirus were designed for the attacks Windows suffers.
And it's fair to say that Linux will never ever ever *ever* suffer the type of attacks Windows suffers? *ever*?
I have been seeing that argument for at least ten years, and it hasn't happened.
Absence of evidence is not evidence of absence. Again, can you *guarantee* it will *never ever happen*?
No, but until then (if!) it is a non-issue. There will first have to be a real virus attack, and then an antivirus will have to be made against it... Meanwhile, I will not scan my linux system for viruses if there is nothing to search for yet. Let windows protect itself :-P
- -- Cheers, Carlos E. R.
On Fri, 11 Jul 2008 01:11:46 +0200, Carlos E. R. wrote:
It could be in memory, a buffer overflow hack. It could be the main program or a child. Not important.
But it is important. Many people here are saying "you have to explicitly make the file executable before running it" - but a buffer overflow or
I mean it is not important whether it is the main program or its siblings that are hacked.
I see. I think I actually conflated a couple of things there by mistake. :-)
something similar is a way around that without the user knowing. Then the thing attaches itself to a file already flagged executable - or writes itself out to the filesystem and makes itself executable. No user intervention needed.
Notice that AA will protect against an attack made in the memory image, with the binaries of the affected program not modified. I.e., it watches for variations in the behavior of the service, not for what code it contains. It is different.
How well it does that, though, depends on how well things are profiled, correct?
Absence of evidence is not evidence of absence. Again, can you *guarantee* it will *never ever happen*?
No, but until then (if!) it is a non-issue.
There will first have to be a real virus attack, and then an antivirus will have to be made against it... Meanwhile, I will not scan my linux system for viruses if there is nothing to search for yet. Let windows protect itself :-P
Then again, that's your choice as a system user. I personally think waiting until the first major attack to go "oh, wow, we need an AV solution *now*" is the wrong time to start developing a solution or looking at the options. I really don't understand what's so wrong about being proactive. Jim -- Jim Henderson Please keep on-topic replies on the list so everyone benefits
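As an added example (not code from anyone in this thread): a short Python script that parses AppArmor audit lines and shows what the profile-based confinement Carlos describes looks like to the admin: the postfix profile denying a write to /etc/passwd or an exec of useradd in enforce mode, and, for Jim's question about how well things are profiled, complain-mode events (logged as ALLOWED) that reveal gaps in the profile. The profile path, pids and log lines are constructed sample data, not taken from a real system.

```python
"""Summarise AppArmor audit events, so that an out-of-profile action by a
confined service (the thread's example: postfix trying to write /etc/passwd)
shows up as a denial rather than going unnoticed."""
import re
from collections import defaultdict

# key=value pairs as AppArmor emits them: quoted strings or bare tokens
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Constructed sample lines in the kernel audit format AppArmor uses.
# Profile name, pids and paths are illustrative, not from a real host.
SAMPLE_LOG = """\
type=AVC msg=audit(1215700000.123:456): apparmor="ALLOWED" operation="open" profile="/usr/lib/postfix/smtpd" name="/var/spool/postfix/pid/inet.smtp" pid=1234 comm="smtpd" requested_mask="w" denied_mask="w" fsuid=51 ouid=51
type=AVC msg=audit(1215700001.456:457): apparmor="DENIED" operation="open" profile="/usr/lib/postfix/smtpd" name="/etc/passwd" pid=1234 comm="smtpd" requested_mask="w" denied_mask="w" fsuid=51 ouid=0
type=AVC msg=audit(1215700002.789:458): apparmor="DENIED" operation="exec" profile="/usr/lib/postfix/smtpd" name="/usr/sbin/useradd" pid=1235 comm="smtpd" requested_mask="x" denied_mask="x" fsuid=51 ouid=0
type=AVC msg=audit(1215700003.000:459): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/lib/postfix/smtpd" pid=900 comm="apparmor_parser"
Jul 10 16:02:00 host postfix/smtpd[1234]: connect from localhost[127.0.0.1]
"""


def parse_event(line):
    """Return the fields of one AppArmor event line, or None for unrelated lines."""
    if 'apparmor="' not in line:
        return None
    return {key: quoted or bare for key, quoted, bare in _KV.findall(line)}


def summarize(log_text):
    """Group events per profile.
    'denied'  : blocked in enforce mode (behaviour deviated from the profile,
                whether or not the binary on disk was modified)
    'complain': would-be violations logged as ALLOWED in complain mode, i.e.
                places where the profile is still incomplete"""
    report = defaultdict(lambda: {"denied": [], "complain": []})
    for line in log_text.splitlines():
        ev = parse_event(line)
        if not ev or ev.get("apparmor") not in ("DENIED", "ALLOWED"):
            continue  # syslog noise and STATUS (profile load) events
        entry = (ev.get("operation"), ev.get("name"), ev.get("requested_mask"))
        bucket = "denied" if ev["apparmor"] == "DENIED" else "complain"
        report[ev["profile"]][bucket].append(entry)
    return dict(report)


if __name__ == "__main__":
    for profile, buckets in summarize(SAMPLE_LOG).items():
        print(profile)
        for op, path, mask in buckets["denied"]:
            print(f"  DENIED   {op:<6} {mask:<3} {path}")
        for op, path, mask in buckets["complain"]:
            print(f"  COMPLAIN {op:<6} {mask:<3} {path}  (profile gap)")
```

On a real system the same lines come from the kernel log or auditd; the ALLOWED bucket is what aa-logprof walks through when a profile is still being built.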
Jim Henderson wrote:
Then again, that's your choice as a system user. I personally think waiting until the first major attack to go "oh, wow, we need an AV solution *now*" is the wrong time to start developing a solution or looking at the options. I really don't understand what's so wrong about being proactive.
I don't know that I'd classify mimicking failed strategies from the microsoft world as being proactive. If a problem of the type that you fear arises, or seems likely to arise, it should be solved using strategies and algorithms developed according to *nix principles IMHO. As for trying to label something as being right or wrong, that's probably not a productive exercise - I'd rather evaluate scenarios based on cost and effectiveness. You're certainly free to use whatever security measures make you feel more comfortable, but I personally wouldn't want to have a considerable chunk of system resources devoted to a non-issue, just so that I can imitate the microsoft-using world. To make an analogy, I'd never dream of stopping you from wearing a tinfoil hat, but I reject the idea of forcing tinfoil hats on all linux users as a standard feature. Joe
On Friday 11 July 2008 18:57:24 J Sloan wrote:
Jim Henderson wrote:
Then again, that's your choice as a system user. I personally think waiting until the first major attack to go "oh, wow, we need an AV solution *now*" is the wrong time to start developing a solution or looking at the options. I really don't understand what's so wrong about being proactive.
I don't know that I'd classify mimicking failed strategies from the microsoft world as being proactive. If a problem of the type that you fear arises, or seems likely to arise, it should be solved using strategies and algorithms developed according to *nix principles IMHO.
<snip>
Joe
As an aside, Dr. Crispin Cowan, one of the leading developers (if not THE leading developer) of AppArmor, is now working in the Core OS Security team at Microsoft. A very clever guy, who I admire very much. Novell (and Linux in general) lost a very valuable advocate there, but maybe the next version of Windows will have a proper security model, not the current nagware that's been bolted onto Vista. We can only hope. Cheers Pete
Pete Connolly wrote:
On Friday 11 July 2008 18:57:24 J Sloan wrote:
Jim Henderson wrote:
Then again, that's your choice as a system user. I personally think waiting until the first major attack to go "oh, wow, we need an AV solution *now*" is the wrong time to start developing a solution or looking at the options. I really don't understand what's so wrong about being proactive.
I don't know that I'd classify mimicking failed strategies from the microsoft world as being proactive. If a problem of the type that you fear arises, or seems likely to arise, it should be solved using strategies and algorithms developed according to *nix principles IMHO.
<snip>
Joe
As an aside, Dr. Crispin Cowan, one of the leading developers (if not THE leading developer) of AppArmor, is now working in the Core OS Security team at Microsoft. A very clever guy, who I admire very much.
Novell (and Linux in general) lost a very valuable advocate there, but maybe the next version of Windows will have a proper security model, not the current nagware that's been bolted onto Vista. We can only hope.
Yes, I'd heard about that. A real shame. Joe
Pete Connolly wrote:
On Friday 11 July 2008 18:57:24 J Sloan wrote:
Jim Henderson wrote:
Then again, that's your choice as a system user. I personally think waiting until the first major attack to go "oh, wow, we need an AV solution *now*" is the wrong time to start developing a solution or looking at the options. I really don't understand what's so wrong about being proactive.
I don't know that I'd classify mimicking failed strategies from the microsoft world as being proactive. If a problem of the type that you fear arises, or seems likely to arise, it should be solved using strategies and algorithms developed according to *nix principles IMHO.
<snip>
Joe
As an aside, Dr. Crispin Cowan, one of the leading developers (if not THE leading developer) of AppArmor, is now working in the Core OS Security team at Microsoft. A very clever guy, who I admire very much.
Novell (and Linux in general) lost a very valuable advocate there, but maybe the next version of Windows will have a proper security model, not the current nagware that's been bolted onto Vista. We can only hope.
I don't.......sorry but I can't wish anything "good" for them. They've been buying good talent for the past few years. Fred -- This message originated from a Linux computer using Open Source software: openSuSE Linux 11.0 No Gates, no Windows....just Linux - STABLE & SECURE!
On Fri, 11 Jul 2008 10:57:24 -0700, J Sloan wrote:
Jim Henderson wrote:
Then again, that's your choice as a system user. I personally think waiting until the first major attack to go "oh, wow, we need an AV solution *now*" is the wrong time to start developing a solution or looking at the options. I really don't understand what's so wrong about being proactive.
I don't know that I'd classify mimicking failed strategies from the microsoft world as being proactive. If a problem of the type that you fear arises, or seems likely to arise, it should be solved using strategies and algorithms developed according to *nix principles IMHO.
I'm talking about being proactive by looking at the options. Not sticking our fingers in our ears and going "lalalalallalalala Viruses are not a problem on Linux we don't have to worry about them lalalalallalalalalala" until there is a major hit. I don't see anyone here suggesting strategies or algorithms developed according to *nix principles; I see a lot of people saying "Viruses aren't a problem, so why worry about it?". Big difference there.
As for trying to label something as being right or wrong, that's probably not a productive exercise - I'd rather evaluate scenarios based on cost and effectiveness. You're certainly free to use whatever security measures make you feel more comfortable, but I personally wouldn't want to have a considerable chunk of system resources devoted to a non-issue, just so that I can imitate the microsoft-using world.
And just like in the MS-using world, you're free to install whatever security solutions you feel are necessary, and to leave out the ones that you don't feel are necessary.
To make an analogy, I'd never dream of stopping you from wearing a tinfoil hat, but I reject the idea of forcing tinfoil hats on all linux users as a standard feature.
Where have I *ever* said "force OAS on all Linux users as a standard feature"? Please, please, PLEASE don't put words in my mouth. :-) Jim -- Jim Henderson Please keep on-topic replies on the list so everyone benefits
----- Original Message -----
From: "Jim Henderson"
Then again, that's your choice as a system user. I personally think waiting until the first major attack to go "oh, wow, we need an AV solution *now*" is the wrong time to start developing a solution or looking at the options. I really don't understand what's so wrong about being proactive.
If there is no technical justification for an action, that is all the reason necessary for resisting doing it.

Also, as for "then fine, you don't have to use it": that's true as far as it goes, but there is more to the story than that. It's damaging to me when stupid things become popular. I end up being forced to do stupid things myself even though I know better. It's very difficult to do very well while being too deviant or subscribing to unpopular philosophies or opinions, regardless of their technical merits or lack of same. If OAS becomes seen by the unwashed masses as necessary for safety, how do I sell my company's services and software to business owners who ask if we do it and we say no, we don't? It doesn't matter that we've never had a virus in our lives and no customer ever lost data or even uptime due to a virus on any unix or linux server in the last 15 years. My boss and the sales people will sooner or later simply demand that we do it, simply so that they can say yes more often, and thus sell more. And it will have absolutely no technical justification, but it will cost not only my machines, but me, time and effort that I'd rather spend on anything else, since there's not enough to go around already.

The same interaction applies in lots of other similar contexts. I never learned perl because I happen to have never yet met a problem I didn't solve with ksh and awk or other much more universal and lighter weight tools. What?? Your company's head genius IT guy, complete with beard and ink-blot for a sleep/eat pattern, doesn't know something as basic and universal as perl???? Ah, he bathes, so he's not a _real_ geek, that explains it. :) Luckily that one's merely amusing and not harmful. Then there are all the other people I have no control over but whose efficiency has some influence on me.

I'm not saying OAS is going to make all my various isp/hosting bills go up, or power or groceries for that matter, or that a hospital will be one doctor poorer because their computers were more expensive, etc etc... I'm just saying that in this day of uber communication, where a silly email joke or video can become known to the whole world overnight, it is actually important to resist bad ideas (if you believe them bad) early while they are still small, because practically overnight something can become effectively a requirement just to be able to interoperate with everyone else. Or almost as bad, the other thing that happens is, maybe no one cares what I think or do about idea X, but I can't buy goods & services that don't come with whatever the bad idea of the day is built-in.
-- Brian K. White brian@aljex.com http://www.myspace.com/KEYofR +++++[>+++[>+++++>+++++++<<-]<-]>>+.>.+++++.+++++++.-.[>+<---]>++. filePro BBx Linux SCO FreeBSD #callahans Satriani Filk!
participants (6)
- Brian K. White
- Carlos E. R.
- Fred A. Miller
- J Sloan
- Jim Henderson
- Pete Connolly