James Knott wrote:

James D. Parra wrote:

...

...

Well, I disagree with them. On-access IS needed now and even more in the future!

But it is not needed for linux. It is only needed for linux boxes doing file serving for windows boxes! Ie, it can be better handled directly from samba, not from the kernel. ~~~~~~~~~~~~~~

Just out of curiosity, why would on-access scanning not be needed for Linux?

Best,

James

Linux viruses tend to be scarce. In fact, IIRC, there's never been a successful one. So, what would you scan for, other than perhaps email carrying a Windows virus?

That's a good part of why I'm getting requests. And, I recently passed on a worm NOT knowing it was attached. I don't care to do that again. Fred -- This message originated from a Linux computer using Open Source software: openSuSE Linux 11.0 No Gates, no Windows....just Linux - STABLE & SECURE! -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org

Carlos E. R. wrote:

The Monday 2008-07-07 at 22:11 -0400, Fred A. Miller wrote:

...

...

Linux viruses tend to be scarce. In fact, IIRC, there's never been a successful one. So, what would you scan for, other than perhaps email carrying a Windows virus?

...

That's a good part of why I'm getting requests. And, I recently passed on a worm NOT knowing it was attached. I don't care to do that again.

The point is, you do NOT need dazuko to scan mails for viruses and worms.

Sure......SAMBA and MickySoft anti-virus.....now that's a worthwhile solution.....NOT! Fred -- This message originated from a Linux computer using Open Source software: openSuSE Linux 11.0 No Gates, no Windows....just Linux - STABLE & SECURE! -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org

Carlos E. R. wrote:

The Tuesday 2008-07-08 at 13:01 -0400, Fred A. Miller wrote:

...

...

...

That's a good part of why I'm getting requests. And, I recently passed > on a worm NOT knowing it was attached. I don't care to do that again.

The point is, you do NOT need dazuko to scan mails for viruses and worms.

...

Sure......SAMBA and MickySoft anti-virus.....now that's a worthwhile solution.....NOT!

Sigh... you do not need either samba nor "MickySoft anti-virus", nor dazuko, for scanning email in Linux.

That is true, and there is some software that is expensive that will do the job. No thanks. Fred -- This message originated from a Linux computer using Open Source software: openSuSE Linux 11.0 No Gates, no Windows....just Linux - STABLE & SECURE! -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org

On Tue, 08 Jul 2008 15:09:00 -0400, Fred A. Miller wrote:

That is true, and there is some software that is expensive that will do the job. No thanks.

Somehow you don't *want* to understand. You can integrate either free or commercial virus scanners directly into your mail server, so that the MTA passes the mail for checking to the scanner which then passes it back. No on-access scanning needed here. Likewise with samba, where you can also integrate a virus scanner in the same manner. Again no on-access scanning needed. This now understandable enough? Philipp -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 G T Smith wrote:

Fred A. Miller wrote: only detected 60% of a virus test set and Antivir a better (but still unacceptable) 95% on the same set, rather suggest (at least until these

Oops It seems that Avira AntiVir did pass the VB100 assessment.... - -- ============================================================================== I have always wished that my computer would be as easy to use as my telephone. My wish has come true. I no longer know how to use my telephone. Bjarne Stroustrup ============================================================================== -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (GNU/Linux) Comment: Using GnuPG with SUSE - http://enigmail.mozdev.org iD8DBQFIc8KoasN0sSnLmgIRAiBHAJ0b14zl4WXyMn75gA00dVgHT71RmQCfXTSH ihOVLbHzWxMcQbqOC600z/4= =+I2i -----END PGP SIGNATURE----- -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org

Jim Henderson wrote:

On Tue, 08 Jul 2008 03:41:25 +0200, Carlos E. R. wrote:

...

At worst, you can only do damage to your own user. No big deal. Next time you will be more careful :-P

Arguably, Carlos, damaging files in your own user home directory is the bigger deal. I don't know about others here, but I can replace my OS; I can't replace my documents.

From the daily backup maybe?

/Per Jessen, Zürich -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org

Jim Henderson wrote:

The fact that someone created one shows that someone's exercising some forward thinking about this...Linux hasn't been a target because it's a small segment of the desktops out there. As the desktop market grows, the need will likely grow as well.

So goes the popular wisdom which I often hear repeated - however linux has been a major segment of the internet server market for some years, and still the sky hasn't fallen. Joe -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org

* J Sloan [Jul 08. 2008 15:00]:

Jim Henderson wrote:

...

The fact that someone created one shows that someone's exercising some forward thinking about this...Linux hasn't been a target because it's a small segment of the desktops out there. As the desktop market grows, the need will likely grow as well.

Yep. I hear you. My UNIX Mac OS X laptop has been totally infested with virus files since OS X started grabbing so much of the desktop market. ;D The main reason for all these Windows virus infestations is due to the Windows scripting engine and how Windows programs handle files. I'm not say that UNIX/Linux desktops won't have issues with the cyclones of air between the keyboard and the chair just click, click, clicking on things but if the apps and os themselves have intelligence built into them to at least punch the user in the face with a warning that what they're doing isn't such a good idea .. we won't face near what the Wintendo crowd does. We won't get infested just by having the damn things on a network. -ben -- "Gratitude is merely the secret hope of further favors." -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org

On Tuesday 08 July 2008 15:58, Carlos E. R. wrote:

The Tuesday 2008-07-08 at 17:26 -0500, Ben Rosenberg wrote:

...

Yep. I hear you. My UNIX Mac OS X laptop has been totally infested with virus files since OS X started grabbing so much of the desktop market. ;D

I know very little of macs, but I'm curious: what type of virus, what do they infest? macros, system binaries, what?

Note the huge winking grin: ;D When / where I was a kid, we called that a "shitty-assed grin." (Don't ask me why, I don't know. Some immigrant farmer thing, no doubt...)

-- Cheers, Carlos E. R.

RRS -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org

They are the same as Linux, Solaris or other BSD based systems .. rootkits and scripts that they LUSER has to execute for them to do anything. Some are executed by browers or whatever .. but those same bugs that do that will effect Linux, Solaris or other BSD based systems. There have been a bunch of "proof of concept" virus/trojans just like on other UNIXish OS's. * Carlos E. R. [Jul 08. 2008 18:03]:

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1

The Tuesday 2008-07-08 at 17:26 -0500, Ben Rosenberg wrote:

...

Yep. I hear you. My UNIX Mac OS X laptop has been totally infested with virus files since OS X started grabbing so much of the desktop market. ;D

I know very little of macs, but I'm curious: what type of virus, what do they infest? macros, system binaries, what?

- -- Cheers, Carlos E. R.

-----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.4-svn0 (GNU/Linux)

iD8DBQFIc/EptTMYHG2NR9URAnY4AJsHBShrEN7WEVuwx+i43sWHEzSVLACeNIgk eVtyUG8J7z267qZVQK3p8Bs= =1pzC -----END PGP SIGNATURE----- -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org -- XO Communications IP Tier 2 OPS St Louis, MO. -- "Gratitude is merely the secret hope of further favors." -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org

On Tue, 08 Jul 2008 22:30:15 +0200, Carlos E. R. wrote:

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1

The Tuesday 2008-07-08 at 19:41 -0000, Jim Henderson wrote:

...

I've run Linux boxes for *years* without on-access virus scanning. And no, I've never been infected. But that doesn't mean that it shouldn't be being worked on; there's enough proof of concept viruses out there (and cross-platform OO - for example - ones) that it's something that should be worked on.

The fact that someone created one shows that someone's exercising some forward thinking about this...Linux hasn't been a target because it's a small segment of the desktops out there. As the desktop market grows, the need will likely grow as well.

But you don't really need on-access-scan to protect linux from possible (future) viruses.

What you need to protect are the entry points to the computer: email, external disks, shared mounts... and some inteligence on the part of the user, like scanning downloaded software, manually if needed.

On access scanning, though, is a proven way of dealing particularly with removable media - rather than: 1. I put a USB key in the drive. 2. I scan the key 3. I use the data on the key This process is streamlined by: 1. I put a USB key in the drive 2. I access the data on the key; if it's infected, I get a notification of some sort and access is denied to the file until it's cleaned, usually with manual intervention. This is the workflow users of DOS, DOS/Windows, and Windows are familiar with. From a "let's migrate people to Linux" standpoint, keeping a technical workflow like this as similar as possible is a good thing. Telling the users "it's your responsibility to scan every file you open on your own, manually" isn't a good approach. After all, end users have demonstrated an inability to do something like this on Windows; we are talking about people who forward "Bill Gates will send you $1,000 if you forward this message along" messages thinking they really will get $1,000 for forwarding a message along. In an ideal world, we *should* be able to expect users to be smarter than that, but in the real world, we really can't. We don't treat other aspects of security lightly in Linux, so why *should* we treat viruses as less than that? I would also think that users would only install services they need on a system, but we still configure a firewall for them. We expect users to login with a username and a password - but we have added autologon for those who can't be trained to login. Etc, etc, etc. Jim -- Jim Henderson Please keep on-topic replies on the list so everyone benefits -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org

On Wed, 09 Jul 2008 00:33:57 +0200, Carlos E. R. wrote:

This is wasteful and even unsafe; unsafe because only accessed files are scanned. Wasteful because a file is scanned every time it is accessed, repeatedly, which is slow. I don't do that even when I use windows.

Unsafe? I want to protect my machine from files that I'm using. Personally, I don't care about the files I'm not using.

And not needed in Linux because linux doesn't need this protection: it is only needed for windows.

It isn't needed in Linux *today*, maybe, but again, it makes sense to plan ahead. If we want people to adopt Linux, we have to not tell them "so this thing you did with Windows automatically? You need to do it manually now. Sorry about that, but that's just the way it is." That's a good way to turn people off of Linux. Jim -- Jim Henderson Please keep on-topic replies on the list so everyone benefits -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org

On Wed, 09 Jul 2008 12:21:55 -0400, Brian K. White wrote:

This is why they're just not a problem here. They can not proliferate like that.

So of course it makes sense to let the infected files lie dormant until someone uses a system like Windows to access them. This doesn't seem like a good idea to me, but what do I know - I've only been using computers for nearly 30 years now. Jim -- Jim Henderson Please keep on-topic replies on the list so everyone benefits -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org

On Wed, 09 Jul 2008 19:20:46 +0200, Anders Johansson wrote:

On Wednesday 09 July 2008 19:11:27 Jim Henderson wrote:

...

On Wed, 09 Jul 2008 12:21:55 -0400, Brian K. White wrote:

...

This is why they're just not a problem here. They can not proliferate like that.

So of course it makes sense to let the infected files lie dormant until someone uses a system like Windows to access them.

This doesn't seem like a good idea to me, but what do I know - I've only been using computers for nearly 30 years now.

And in all those years, have you ever come across any system other than windows that needed a virus scanner?

I don't believe symantec does on-access scanning for the S/390 either, and the Sun machines in the world seems to have gotten along fine without it

Yeah, I didn't need one on my Timex Sinclair either. Or my C64. Or my Apple II. Those systems tended not to be networked. S/390 is kinda hard for virus developers to access to actually create a virus for it. It's not something you can just go down to your local computer store and purchase for a reasonable price, after all.

Let's face facts, shall we: you have been thoroughly indoctrinated by your windows experiences, and now you want to take that along with you.

It's just not needed

It's not needed *today* perhaps. That doesn't mean it will *never* be needed. I've been a Linux user for nearly 12 years now. Do I use virus protection? No. Why? Because, like you said, it's not needed. However, I also am *careful* about what websites I visit and what programs I run. As more and more "typical" users use Linux, *perhaps* this is something that will be needed. Perhaps not. That doesn't mean it's not an option worth exploring. Jim -- Jim Henderson Please keep on-topic replies on the list so everyone benefits -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org

On Wed, 09 Jul 2008 22:35:26 +0200, Anders Johansson wrote:

On Wednesday 09 July 2008 19:30:44 Jim Henderson wrote:

...

I've been a Linux user for nearly 12 years now. Do I use virus protection? No. Why? Because, like you said, it's not needed. However, I also am *careful* about what websites I visit and what programs I run. As more and more "typical" users use Linux, *perhaps* this is something that will be needed. Perhaps not.

That doesn't mean it's not an option worth exploring.

What exactly do you think a virus scanner can do for you? Do you seriously believe it can protect against malicious code?

I have *seen* virus scanners protect against malicious code. Unknown malicious code? No, but (for example) when I had a lab full of machines that got infected by the Yale/Alameda virus because of students not being careful, I was glad to have a TSR virus scanner to prevent it from getting into memory in the first place.

A virus scanner looks for well known virus code. By definition, it is only useful once there are known viruses to look for. Any damaging code that is not already well known will not be found.

*Exactly*. Are you saying there's no value in looking for *known* threats? I'm not quite sure what your point is here.

Unless of course you think scanners look for all instances of "rm", or calls to socket() to send email, or whatever else viruses do.

No, I'm very well acquainted with what virus scanners can do (and do), having used them for many, many years, as well as having experimented with virus interactions in a secured environment.

Do you can safely ignore a virus scanner on your linux-only system until you start reading about virus proliferation, because then - and only then - will a virus scanner find anything.

That doesn't mean there isn't value in planning for that possibility.

Don't hold your breath though. As several have said already, the attack vector just isn't there

I'm not convinced it's not there. I'm convinced it isn't being used today. As long as there are users using systems, the vector is there. Many viruses spread now through social engineering. Jim -- Jim Henderson Please keep on-topic replies on the list so everyone benefits -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org

On Wed, 09 Jul 2008 15:31:19 -0400, Brian K. White wrote:

...

...

This is why they're just not a problem here. They can not proliferate like that.

...

So of course it makes sense to let the infected files lie dormant until someone uses a system like Windows to access them.

Is it a car's responsibility to scan the trunk for bombs? Even if you could add that ability for a mere 100% increase in initial cost, weight, fuel consumption, occupied volume, and ongoing maintenance? Even a mere 10% overhead?

Not exactly the same thing, but if someone put an add-on in a car to allow it to be scanned constantly, would anyone object?

Is it your shirt's responsibility to scan every floppy you put in your pocket for viruses?

Of course not. My shirt doesn't run programs. My computer does.

How about thumb drives? Should we build a virus scanner into every usb thumb drive?

My USB drives don't run programs. My computer does. ;-)

Why don't SAN/NAS boxes do it?

Because they're *storage* devices, not *processing* devices.

I'm not denying that there are uses for virus scanners. I'm saying the average linux box has better things to do with it's cpu and i/o resources peforming actual useful tasks. If you want to scan everything for virii, then put that into a dedicated appliance on the network between the users and the application host.

Actually, the idea is not to "scan everything", it's to "scan things that are accessed". Scanning everything would be like running a scheduled scan once a day. When you've got relatively static data, that works fine, at least it has for me.

But I'll partially backpedal. I guess the same argument could be made about routers, spi firewalls, and vpn endpoints. There are hardware appliances for those, and yet there is also a use for doing them in software on the application host too in small sites. And probably SAN/NAS boxes that perform full time all data scanning will actually start appearing.

Quite possibly. But also keep in mind that people who implement a single system aren't going to want an overcomplicated second system to scan for viruses. They'll look at the Windows world and say "I don't need a separate machine to scan my Windows machines, so using Linux adds cost = another machine, another install, higher maintenance, etc". I don't think *anyone* is advocating that the *kernel* do the scanning. But leveraging kernel hooks to implement scanning is how it's done on other OSes. Hell, even NetWare has on-access scanning capabilities with third party add-ons, and NOBODY runs applications (not in the sense that one runs OpenOffice) on NetWare. End users have exactly ZERO access to run apps on the NetWare kernel. And on-access scanning there *typically* doesn't kill the kernel or overload it with work, even on systems 10 years ago. Even on systems with *thousands* of users accessing files. So it seems to me that if an on-access scanning agent on Linux impacts performance to the degree that some say it does, then there's an architecture problem in the agent. I've seen effective on-access scanning implemented on systems running 80[34]86 processors.

It's just retarded to make the box waste time scanning things it knows cannot possibly contain a virus, or that cannot hurt anything even if they do.

So a well architected solution wouldn't scan image files, for example - using the 'file' command it's easy to tell if a file contains executable code or not. Or to exclude /tmp directories. Again using the NetWare analogy, AV solutions there that do on-demand scanning typically allow the administrator to exclude files by file extension (since file typing isn't something implemented in that kernel or with the standard utilities - not that it couldn't be) or by directory. I remember seeing problems with some scanning the _NETWARE directory and deciding database files there that stored user information were infected and then "cleaning" them.

It's a bad trade-off, doing work 100% of the time just to protect against 1% chance of a problem. When ImageMagick reads a file, even one created on a windows machine that may contain a virus, I do not need the kernel to scan it for virii. When ImageMagick writes a temp file, I do not need to scan it for virii either at write or read times. When my multi-user database app writes a thousand temp files every minute and does thousands of surgical reads and writes of individual records evey minute I do not need every one of those transactions being scanned for a virus. I most especially do not need the the even more numerous index maintenance ops being scanned. If I wanted to be super nice, just as an over-the-top service to my users, I might possibly install a module into apache and scan all outgoing static and dynamic content as it is served out.

And that's what exclusions for. Why is it that some think on-access has to be an "all or nothing" proposition? Jim -- Jim Henderson Please keep on-topic replies on the list so everyone benefits -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org

On Wed, 09 Jul 2008 15:11:36 -0700, J Sloan wrote:

If the "add-on" cut the gas mileage in half, limited acceleration, increased the weight of the car by 2300 pounds, and required daily updates and maintenance, I'd say "take that retarded thing out of my car". I don't need a solution like that.

I don't think I've ever seen on-access scanning that had that kind of an impact on a system. And I've seen some poorly-implemented on-access scanning in my time. Jim -- Jim Henderson Please keep on-topic replies on the list so everyone benefits -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org

On Wed, 09 Jul 2008 18:29:43 -0400, Mike McMullin wrote:

I keep thinking that a hook to scan on a file being introduced to the system would be the way to go, matched up with scanning of any file accessed on removable media, like floppies, or usb/firewire-drives.

I don't know about usb/firewire drives being treated differently, but that's because I've got a couple 1 TB storage devices that connect that way. But if I could exclude their mountpoints from scanning after doing an initial scan, that'd make me happy (if I was really concerned about it). Jim -- Jim Henderson Please keep on-topic replies on the list so everyone benefits -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org

On Wed, 09 Jul 2008 17:57:32 -0500, Ben Rosenberg wrote:

...

This doesn't seem like a good idea to me, but what do I know - I've only been using computers for nearly 30 years now.

And in that 30 years UNIX was used to build the Internet and there has yet to be someone who cared enough to write something that can hack root on the fly and self-perpetuate a payload to every system that accesses it. Again, remember what Yoda said .. " you must unlearn what you have learned. "

Perpetrating a virus through servers doesn't make as big a splash. There are plenty of reasons why nobody has cared. Windows has a big ol' bulls- eye painted on it for the virus writers.

I just want the question answered as to why Apple has about 20% of the laptop market and x amount of the "desktop" market yet no one has written a virus that can hop from Macbook to MacbookPro to Mac Mini to Mac Pro as they hop from Win2k to XP to Vista? Please just answer why a mainstream UNIX OS has not one virus for it?

So, Bliss doesn't exist? Yep, that's a Linux virus that infects ELF binaries. It self-replicates. It is proof-of concept work, but it does demonstrate that it is theroretically possible. Then there's also things like the Morris worm. Some of the oldest worms on the 'net were propagated solely through Unix systems. That was designed as a POC and it got out of hand and caused massive denial of services. Oh, and the US GAO estimated the cost of the worm between 10 and 100 million US dollars.

When I get a good answer about why UNIX has to have it's users execute the Trojan like a bunch click-click monkeys .. I'll probably stop being a pain in da butt about it. ;D

Because people are moving from Windows to Linux. Windows users have a tendancy to do stupid things like run programs they shouldn't trust. There is no magic about becoming magically smarter when you move from Windows to Linux - you don't get any special insight that says "oh, I shouldn't open the executable file that my sister-in-law's second cousin's mother's third cousin sent to me without checking to see if it's a virus first". Jim -- Jim Henderson Please keep on-topic replies on the list so everyone benefits -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org

On Wednesday 09 July 2008 17:57, Ben Rosenberg wrote:

I just want the question answered as to why Apple has about 20% of the laptop market and x amount of the "desktop" market yet no one has written a virus that can hop from Macbook to MacbookPro to Mac Mini to Mac Pro as they hop from Win2k to XP to Vista? Please just answer why a mainstream UNIX OS has not one virus for it?

The public still has the mistaken impression that computer viruses (also trojans, worms, etc) are practical for all operating systems. This is stated on the net over and over and over... and its a lie. The design of *nix systems (including MAC) prevents 99% of all practical viri that are possible in windows (name your flavor). Penetrating the other 1% of potential vulnerability is just not practical. A person (very specialized person mind you) might be able to exploit a kernel vulnerability on a given *nix system.... but which kernel? If probing datagrams can not get past the kernel, who knows what is behind that address. Can it be done... sure! Is it practical (say easy) NO! So far the public doesn't believe this... but you have the right thought line. As linux (and MAC) market share increase and viruses don't (on that platform), then the truth will be realized. In the mean-time, its a waiting game... and some preaching. -- Kind regards, M Harris <>< -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org

Lars Marowsky-Bree wrote:

On 2008-07-09T18:26:58, M Harris wrote:

...

The public still has the mistaken impression that computer viruses (also trojans, worms, etc) are practical for all operating systems. This is stated on the net over and over and over... and its a lie. The design of *nix systems (including MAC) prevents 99% of all practical viri that are possible in windows (name your flavor). Penetrating the other 1% of potential vulnerability is just not practical.

Right. There never was a sendmail worm.

The internet was a different place in 1988. Systems were basically wide open, and there was a lot of trust. Heck, you could telnet from a server at University of California to a server at MIT back then. In the years since 1988, unix/internet security has hardened considerably, while microsoft is just now taking baby steps towards security it seems. Joe -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org

On 2008-07-11T16:12:50, M Harris wrote:

I am not saying that there have not been any isolated (even serious) vulnerabilities in the *nix world--- for crying out loud we're not talking about isolated bugs here. I *am* saying that the vulnerabilities *inherent* with windows (name your flavor) do not exist in *nix because of significant design constraints.

I think that's a somewhat dangerous attitude to take. With the prevailence of single user systems, the system is essentially just as toasted if the home directory is destroyed; further, there's a dangerous tendency for people to "cache" the root password, which strikes me as an execeptionally smart time to strike, and some people even recommend setting up sudo for all users without password! It's true that a traditional system setup has difficulty in spreading viruses, but against trojans the system is just as vulnerable; and local root exploits are not that rare, either. That doesn't mean that I consider on-access scanning, implemented via kernel hooks, a smart idea; clearly, scanning on or during transmission (ftp, http, smtp, IMAP etc) is preferable; server-side only is not sufficient for encrypted content though. INotify is neat, but is only delayed; it might be too late, as it needs to happen before the trojan is activated and had a chance to try and disable the local protection layer. AppArmor, DAC, MAC et al are great tools. This doesn't mean that we don't need a general API/ABI which applications - such as Samba, MUA and MTA, browsers et al - can call to have a particular bit of content scanned before proceeding. If you then wanted, you could run an LDD_PRELOAD for apps which don't cooperate and use this to map open()/close() to such functionality. This would approximate the protection you get on Windows with none of the problems of Linux kernel hooks. (Which does not mean this could not be used by an inotify() based scanner as well.) The clear thing though is that on Linux, scanning must happen in user-space. The kernel could possibly cooperate - access denied before the user-space scanner has cleared the file -, but we need something sanner than on-access scanning hooks. Regards, Lars -- Teamlead Kernel, SuSE Labs, Research and Development SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nürnberg) "Experience is the name everyone gives to their mistakes." -- Oscar Wilde -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 The Sunday 2008-07-13 at 16:48 -0700, John Andersen wrote:

On Sun, Jul 13, 2008 at 10:27 AM, Lars Marowsky-Bree wrote:

...

It's true that a traditional system setup has difficulty in spreading viruses, but against trojans the system is just as vulnerable; and local root exploits are not that rare, either.

Why do you say the system is just as vulnerable against/to trojans

Trojans usually involve a replacement module for a system module. To get a trojan to work on linux, you have to: 1) Convince someone to download it,

Just create an interesting repository in the build service and pervert it. Or hack pervert an existing repo. Or pervert the source code of some project, it might take some time till discovered. :-P - -- Cheers, Carlos E. R. -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.4-svn0 (GNU/Linux) iD8DBQFIepc/tTMYHG2NR9URAunmAJ48FN1QcfHVPJH2+jajAdtU74CDWQCeKNHB 5ui34KgV3ECEUq6R7lPOlAc= =0BD4 -----END PGP SIGNATURE----- -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 The Sunday 2008-07-13 at 17:06 -0700, John Andersen wrote:

On Sun, Jul 13, 2008 at 5:01 PM, Carlos E. R.

...

...

Trojans usually involve a replacement module for a system module. To get a trojan to work on linux, you have to: 1) Convince someone to download it,

Just create an interesting repository in the build service and pervert it.

Or hack pervert an existing repo.

Or pervert the source code of some project, it might take some time till discovered.

Of these the last seems possible. Especially if the project is in disarray, and check ins are not carefully watched.

But Repos usually are signed, and in addition to the above you have to convince the masses that the key should be imported and trusted.

Just create a repo with a signature with the intention from the start to pervert it. It is signed, so what? There is no strong web of trust in the pgp sense (face to person signing of keys). About convincing the masses to import the key, that's easy enough: once you want to add a repo, you just press enter when yast asks about importing the key. What do you expect? How can we manually import each key and whom do we ask if each repo (there are hundreds) is trustworthy? How do we know who is behind and responsible for each repo? Where are the descriptions of each repo, a declaration of intentions, a list of owners? No, we simply search for a repo that contains what we want (with a search engine, perhaps), add it, answer yes to all questions. Bingo! F! I'm not telling there is inmediate danger, but that there could be. It scares me more than viruses, that's a fact. - -- Cheers, Carlos E. R. -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.4-svn0 (GNU/Linux) iD8DBQFIeqiDtTMYHG2NR9URArzzAKCGiIa7l94hClpoPhWpwBSjlCjqMQCfcH7V 4LhEU/R811kQClf4fCyRyrU= =yvz0 -----END PGP SIGNATURE----- -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org

On Sun, Jul 13, 2008 at 11:38 PM, John Andersen wrote:

On Sun, Jul 13, 2008 at 6:14 PM, Carlos E. R. wrote:

...

There is no strong web of trust in the pgp sense (face to person signing of keys). True, but with source code availability this is less needed. (Anticipating your next question, No, I don't read every line of source code. :-(

...

No, we simply search for a repo that contains what we want (with a search engine, perhaps), add it, answer yes to all questions. Bingo! F!

Maybe some do, but I bet most don't. I bet you don't. Usually by the time you figure out how to add repros you also figure out some of the risks.

...

I'm not telling there is inmediate danger, but that there could be. It scares me more than viruses, that's a fact.

That's for sure. I would think a port-open log would be a useful thing. (Outbound and Inbound). Thatway the ticking timebomb at least leaves a track when it opens a port in the wee hours and sends your database to China.

You can upload it to the opensuse wiki... that seems to go pretty unchecked, too. -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 The Monday 2008-07-14 at 19:30 +0200, Hans Witvliet wrote: ...

...

I'm not telling there is inmediate danger, but that there could be. It scares me more than viruses, that's a fact.

Yes, i agree, It's easy to create a repo. (well, atleast the administrative part of it, not the creating of a properly functioning spec-file)

Right; I wouldn't know how to do the second part :-)

But what do you suggest? You cann't ask the people of SuSE to check and re-check the content of the OBS for each and every repo.

I have no idea. I just throw the question, then go back and watch you argue it ;-) No, seriously, I don't know. I'm just airing my own doubts. - -- Cheers, Carlos E. R. -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.4-svn0 (GNU/Linux) iD8DBQFIe5o8tTMYHG2NR9URAsewAJsHZdWAVQByzPxTAmzarAbcjxEMXACaAmy5 +PXDvOQpVbbCRNJ8OFomZ6c= =RtcH -----END PGP SIGNATURE----- -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 The Monday 2008-07-14 at 11:56 -0700, John Andersen wrote:

On Mon, Jul 14, 2008 at 11:25 AM, Carlos E. R. wrote:

...

...

But what do you suggest? You cann't ask the people of SuSE to check and re-check the content of the OBS for each and every repo.

I have no idea. I just throw the question, then go back and watch you argue it ;-)

Most viruses/trojans are powerless to do anything but destroy data on the local machine unless or until they open a network connection.

The paragraphs above referred to the danger of someone perverting a repository and users installing perverted packages.

If there were to exist a test harness that could run any application and trap attempts to open any port (either to listen or to connect) and log these (perhaps asking for confirmation) it might be useful to detect these things.

This is available for XP and Vista, and works very well. Unfortunately you have no clue why its opening a port, and it doesn't tell you much other than that the application tried to listen on a port.

The test harness should also not let the tested application set the execute permission on any file. This would prevent it from making an outbound connection and downloading something nasty.

Is there anything that prevents an application from setting execute permissions is SELinux?

How much of this risk would be eliminated by using the SELinux extensions?

Apparmour can do that, and more, but you need to adjust the profile for each program it runs. Or rather services. I think you can not run bot selinux and apparmour, and suse comes with the second. - -- Cheers, Carlos E. R. -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.4-svn0 (GNU/Linux) iD8DBQFIf+GutTMYHG2NR9URAkfxAKCLnF5IDkt1pd5yKM08Wproer1fJQCffmvr qb8e2USlPLPw9jacaIx+DAc= =AyWo -----END PGP SIGNATURE----- -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 The Monday 2008-07-14 at 21:55 +0200, Marcus Meissner wrote:

We have currently one student working on this notion of trust, but it is a very difficult topic to model and to make correct working.

Thanks: it will be interesting to learn of the results/conclusions :-) - -- Cheers, Carlos E. R. -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.4-svn0 (GNU/Linux) iD8DBQFIf+UttTMYHG2NR9URAud1AJ44HN0Fcs2w0tJYDg7CxL87OkhymACfdjse F9MEeNtm53fqsJvoR+mHrYQ= =FPcu -----END PGP SIGNATURE----- -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org

On Thu, Jul 17, 2008 at 11:51:20PM -0500, Rajko M. wrote:

On Thursday 17 July 2008 07:34:49 pm Carlos E. R. wrote:

...

The Monday 2008-07-14 at 21:55 +0200, Marcus Meissner wrote:

...

We have currently one student working on this notion of trust, but it is a very difficult topic to model and to make correct working.

Thanks: it will be interesting to learn of the results/conclusions :-)

I know it exists, but I got to look all Build Service related pages: It would be nice to give a comments on ideas. Warning: It is a lot of reading.

http://en.opensuse.org/Build_Service/Concepts/Trust

This is a _DRAFT_ work and mostly it shows its near to impossible. And its not security related. ciao, Marcus -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org

On Sun, Jul 13, 2008 at 7:55 PM, Jim Henderson wrote:

On Sun, 13 Jul 2008 17:06:15 -0700, John Andersen wrote:

...

But Repos usually are signed, and in addition to the above you have to convince the masses that the key should be imported and trusted.

How hard is that - really - to do, though? Most people find something they want to install and install it. I wonder how many people just click through the "trust this key and import it" prompt.

Jim

True. I suppose anyone could put a repo out, sign it and await suckers to install compromised software. I always stick to repos mentioned on Opensuse's 3rd party repo page or from names I recognize. The ease with which a userland application can start listening on a port is the main risk (in my opinion) when it comes to rogue software. (This is THE one area where a iptables based firewall is useful IMHO, although I prefer a separate hardware firewall/router for this). Outgoing connections are even more problematic. But bringing it back on topic just a little, NONE of the available scanning packages check for Linux exploits anyway, so unless you are scanning to protect windows machines the anti-virus anti-malware scanners are useless. -- ----------JSA--------- Sig line deleted for the humor impaired. -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org

On Sun, Jul 13, 2008 at 9:26 PM, Rajko M. wrote:

[1] Security trough obscurity is often criticized as bad practice, but actually it is the only way security can work.

Simply not true. Just because you don't have all pieces to the puzzle does not mean that the security is provided by obscurity. The entire plans for the lock (or the software) can be provided but the key is private. Its an absurd argument to state that because the key is private that obscurity is providing all of the security.

You will not see lock made out of glass, Glass breaks.

nor your password is not 'open source'. Obscurity is present in any security solution.

Describing Keys as obscurity is a stretch. It perverts the entire argument about closed source code vs open source. -- ----------JSA--------- Sig line deleted for the humor impaired. -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org

Carlos E. R. wrote:

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1

The Sunday 2008-07-13 at 23:26 -0700, John Andersen wrote:

...

On Sun, Jul 13, 2008 at 9:26 PM, Rajko M. wrote:

...

[1] Security trough obscurity is often criticized as bad practice, but actually it is the only way security can work.

Simply not true. Just because you don't have all pieces to the puzzle does not mean that the security is provided by obscurity.

The patches for the recent DNS security problem were prepared in secret by all distros and OSes. The hole itself has not been publicly explained, as far as I know.

That's a good sample of security by secrecy...

Not quite. They simply didn't announce how that problem could be exploited. The source code and fix will be publicly available. -- Use OpenOffice.org http://www.openoffice.org -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org

Carlos E. R. wrote:

The Sunday 2008-07-13 at 23:26 -0700, John Andersen wrote:

...

On Sun, Jul 13, 2008 at 9:26 PM, Rajko M. wrote:

...

...

[1] Security trough obscurity is often criticized as bad practice, but actually it is the only way security can work. ... The patches for the recent DNS security problem were prepared in secret by all distros and OSes. The hole itself has not been publicly explained, as far as I know.

That's a good sample of security by secrecy...

This is stretching the definition of "security by obscurity" to the point of silliness. You're usually better than this, Carlos. In all these cases, the algorithms are publicly known and described, the procedures are publicly specified, the programs are exposed to public scrutiny. All of this has always been known as "security by design". "Security by obscurity" has always been defined as hidden algorithms, hidden procedures, hidden programs. So we have no way of knowing whether a program is secure or not, until either someone cracks it, as is usual in the Microsoft environment, or until the developers and their allies uncover a flaw in the programming, as is usual in the open-source environment. When developers uncover a critical flaw in a critical, widely required component like DNS, it is only prudent to fix the flaw before letting it be known to users _and_possible_evildoers_. The old source has always been available (with the flaw), and the fixed source will be available as soon as is prudent. To put the hiding of keys and passwords in the same class as hiding algorithms, procedures, and programs is simply silly. Really, guys! John Perry -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org

Carlos E. R. wrote:

... Nevertheless, what I said is absolutely true: the recent patches for the DNS security problem have been prepared in secret. It was a secret there were a security problem and that they were preparing a solution, and it was released simultaneously by all distributions on the same day. Till everyone was prepared, the kept silence.

Splitting that particular set of hairs makes no difference to me; I stand firmly by all my comments. jp -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org

Carlos E. R. wrote:

The Friday 2008-07-18 at 01:11 -0400, John E. Perry wrote:

...

Carlos E. R. wrote:

...

... Nevertheless, what I said is absolutely true: the recent patches

...

DNS security problem have been prepared in secret. It was a secret

for the there

...

were a security problem and that they were preparing a solution, and it was released simultaneously by all distributions on the same day. Till everyone was prepared, the kept silence.

...

Splitting that particular set of hairs makes no difference to me; I stand firmly by all my comments.

So do I :-)

It is a fact that secrecy is sometimes used for security in Linux. Temporarily at least.

-- Cheers, Carlos E. R.

You seem to be missing the entire point. "Security through obscurity" means never revealing how something works, in the hopes that someone won't look through the source code, in order to find a way in. It does not mean keeping a known flaw secret, while working on a fix. If they were to publicly reveal the flaw, before the fix was available, it'd be the same as putting a sign on your house "The back door lock is busted. Please go around back to break in". On the other hand, security in open source software means the mechanism is open for all to inspect and the strength depends on doing things properly, instead of hoping no one notices the flaws. -- Use OpenOffice.org http://www.openoffice.org -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 The Sunday 2008-07-13 at 23:26 -0500, Rajko M. wrote:

On Sunday 13 July 2008 07:01:01 pm Carlos E. R. wrote:

...

Just create an interesting repository in the build service and pervert it.

Build Service and any other large project is not the easiest venue. I don't think that some guys didn't came on idea to misuse them, but didn't made it [1].

If a chap is determined enough he can do it, at least once. Unless he manage a fake ID, and can try again with another.

...

Or pervert the source code of some project, it might take some time till discovered.

Make rpm and make people want it. They will download, install and run it.

The only thing is that it must be some *not* very interesting topic [2] for masses, otherwise it will come under scrutiny very fast. It is a Linux culture that actually keeps the things under control, not special Linux architectural advantages [3].

Probably. Maybe it is hapening out there in small scale (scams). - -- Cheers, Carlos E. R. -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.4-svn0 (GNU/Linux) iD8DBQFIezWVtTMYHG2NR9URApvhAJ9GpibjvqrVPyx2BHOk7VH4uQSJpgCfV5xC 0sSxslXOUnZ8BW9PR1DWlmM= =oLUk -----END PGP SIGNATURE----- -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org

On Monday 14 July 2008 06:18:16 am James Knott wrote:

You're confusing method with keys.  Locks tend to use common methods, but the keys are "secret".  A password is a key.

What is kept secret is matter of particular security application. Common methods, or better to say design, are used in standard locks, but there are special locks that have even design hidden. It is just a matter of protection level. -- Regards, Rajko http://en.opensuse.org/Portal needs helpful hands. -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org

PerfectReign wrote:

On Mon, July 14, 2008 6:52 pm, Rajko M. wrote:

...

On Monday 14 July 2008 06:18:16 am James Knott wrote:

...

You're confusing method with keys. Locks tend to use common methods, but the keys are "secret". A password is a key.

What is kept secret is matter of particular security application. Common methods, or better to say design, are used in standard locks, but there are special locks that have even design hidden. It is just a matter of protection level.

That's why I keep all my important files on 8" Floppies.

Punch cards are better. Hollerith is an obscure code these days. ;-) -- Use OpenOffice.org http://www.openoffice.org -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org

Kai Ponte wrote:

On Tuesday 15 July 2008 04:13:43 am James Knott wrote:

...

...

...

What is kept secret is matter of particular security application. Common methods, or better to say design, are used in standard locks, but there are special locks that have even design hidden. It is just a matter of protection level.

That's why I keep all my important files on 8" Floppies.

Punch cards are better. Hollerith is an obscure code these days. ;-)

Believe it or not, I've got an IBM 2540 card punch and a 3050 reader. Should work. :P

Got Linux drivers? ;-) -- Use OpenOffice.org http://www.openoffice.org -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org

Philipp Thomas wrote:

Reminds me that AFAIK, IBM once had the idea for a trade show (after their S/390 port) to bootstrap the kernel from punch cards and discovered that given the size of the kernel, it would take ages to do so and so dropped the project :)

Yeah, you'd need paper tape at least :) Cheers, Dave -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org

On Wed, 16 Jul 2008 12:48:13 +0200, Philipp Thomas wrote:

and discovered that given the size of the kernel, it would take ages to do so and so dropped the project :)

A colleague just showed me in a zvm session that the current SLES kernel needs ~140000 cards and the rest that's needed is another ~ 190000 cards. Now you do the math :) BTW, it the kernel *is* still fed to the card reader, the reading device just isn't hardware anymore :) Philipp -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 The Thursday 2008-07-17 at 02:47 -0400, Brian K. White wrote:

I've heard descriptions of card access memory from a partner in my company, Howie Wolowitz, who wrote the first versions of filePro (before that, profile, and before that it was "electric file clerk") for Tandy and worked in all manner of banks and things way way back.

I'm not sure if I'm glad, or crushed that I missed out and never had to/got to work on such a horrific contraption.

If you lived the times, you'd simply be amazed at the advancement from adding machines made of gears, and rooms filled with accountants. And they will keep coming. :-)

Can you imagine? A huge crazy looping spaghetti continuous running stream of paper cards as RAM?

ROM. - -- Cheers, Carlos E. R. -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.4-svn0 (GNU/Linux) iD8DBQFIfz2itTMYHG2NR9URAs1FAJ4uEwTDrmhnC/sSj2wcbb8DxIiapACgmMpW w3MFRasDqUUJGN81wC19msE= =btfE -----END PGP SIGNATURE----- -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org

On 2008-07-13T16:48:03, John Andersen wrote:

...

It's true that a traditional system setup has difficulty in spreading viruses, but against trojans the system is just as vulnerable; and local root exploits are not that rare, either. Why do you say the system is just as vulnerable against/to trojans

Trojans usually involve a replacement module for a system module. To get a trojan to work on linux, you have to: 1) Convince someone to download it, 2) put it in the path (usually ~/bin) 3) mark it executable

Binary trojans, if downloaded, are the same - if the user downloads and installs a binary from some untrusted source, they are vulnerable. That we don't see so many of those happening appears to be more of a social line of defense (users not as stupid and prefering to use "official" repos) than a technical one. For trojans in openoffice documents for example, I'd dare say that technically, that's just as vulnerable as on Windows.

Local root exploits generally require the same. You have to get something to execute before it can exploit any pre-existing root weakness.

True. But weaknesses exist in webbrowsers, and we've had exploitable PNGs, flash, java, ... Sure, Linux is good, but it's not perfect, and I think we should not rest on our achievements, but need to be careful to stay ahead. Regards, Lars -- Teamlead Kernel, SuSE Labs, Research and Development SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nürnberg) "Experience is the name everyone gives to their mistakes." -- Oscar Wilde -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org

Lars Marowsky-Bree wrote:

... True. But weaknesses exist in webbrowsers, and we've had exploitable PNGs, flash, java, ...

Sure, Linux is good, but it's not perfect, and I think we should not rest on our achievements, but need to be careful to stay ahead.

All true, Lars, but no one that I recall said we were proof against all possible attacks -- indeed, several were emphatic in saying we needed _appropriate_ defenses. The subject, of this thread, remember, was the assertion that the kernel developers were idiots because they did not include an explicit kernel-level provision for intrusion checking on every access to any file. John Perry -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org

Hans Witvliet a écrit :

But are you willing to accept that 1% chance (probably much, much smaller)?

live if done so. one have to adress the most probable threat first. you have more risk to remove accidentally data from your server (yourself) than having a virus problem, so better work on backups, methods... even the time lost in reading this thread is probably worst than the virus risk... when one work on security he learn than the earlier the security is taken care of the better. That mean the earlier in the system building, that is in the os and in the applications, and this is what is done jdd -- Jean-Daniel Dodin Président du CULTe www.culte.org -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org

* Jim Henderson [Jul 09. 2008 10:22]:

It isn't needed in Linux *today*, maybe, but again, it makes sense to plan ahead.

I've heard this on this list and other lists for going on 14 years now .. and Linux gets more and more and more popular. When are the script kiddies going to take advantage of the broken scripting engine in Linux? OH Right .. there is no such thing built into it's core. And if one needs to run windows on their Linux box .. VM's rock. A virus kills a VM dead .. rm -rf <file> and create a new one. Easy Peasy. Just make sure you VM can mount a share on your Linux/UNIX FS to store it's data where at least it's reasonably safe. -- XO Communications IP Tier 2 OPS St Louis, MO. -- "Gratitude is merely the secret hope of further favors." -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 The Wednesday 2008-07-09 at 17:09 -0000, Jim Henderson wrote:

On Wed, 09 Jul 2008 11:29:37 -0500, Ben Rosenberg wrote:

...

* Jim Henderson <> [Jul 09. 2008 10:22]:

...

It isn't needed in Linux *today*, maybe, but again, it makes sense to plan ahead.

I've heard this on this list and other lists for going on 14 years now .. and Linux gets more and more and more popular. When are the script kiddies going to take advantage of the broken scripting engine in Linux? OH Right .. there is no such thing built into it's core.

And if one needs to run windows on their Linux box .. VM's rock. A virus kills a VM dead .. rm -rf <file> and create a new one. Easy Peasy. Just make sure you VM can mount a share on your Linux/UNIX FS to store it's data where at least it's reasonably safe.

Yeah, so of course it makes no sense at all to spend time on implementing on-access scanning. Ever.

You are right, it doesn't make sense :-P As I understand, it was implemented and then removed. It is not needed. - -- Cheers, Carlos E. R. -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.4-svn0 (GNU/Linux) iD8DBQFIdPrwtTMYHG2NR9URApvfAJ0fS+6SiO0ZzCE8uZBTk8dPvrYmrQCdG08i Oh77a3cz5bt0NWIBEIlj4xg= =+FNb -----END PGP SIGNATURE----- -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org

Jim Henderson wrote:

On Wed, 09 Jul 2008 19:52:46 +0200, Carlos E. R. wrote:

...

As I understand, it was implemented and then removed. It is not needed.

So, if I was going to be facetious, I'd say that AppArmor/SELinux also should be removed, since the only things changing files should be things the user is aware of, right? MAC is just an unneeded layer, since it takes effort on the user's part to change configuration settings and such. ;-)

No, apparmor is fine - it's lightweight and relatively non-intrusive. OTOH on access file scanning is overly intrusive, resource hungry and, to be quite honest, unnecessary for non-microsoft OSes. Joe -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org

Jim Henderson wrote:

On Wed, 09 Jul 2008 11:13:30 -0700, J Sloan wrote:

...

No, apparmor is fine - it's lightweight and relatively non-intrusive.

But it doesn't serve any useful purpose, so why waste the resources on it?

Why do you say it serves no useful purpose?

...

OTOH on access file scanning is overly intrusive, resource hungry and, to be quite honest, unnecessary for non-microsoft OSes.

Unnecessary for non-MS OSes because virus writers don't target the platform. They want to cause the most damage possible (or spread the farthest, or whatever), so MS is the target. As MS loses their market share, that will shift.

That's where we differ. You folks assume that there is no difference between the unix and pc operating systems, other than market share, while we see major differences in the security model and overall design. As a result of your beliefs, you assume that linux will be as easy a target as ms windows, and that we must hurry to adopt cumbersome, resource hungry, microsoft-style band-aid solutions. I disagree. We might as well agree to disagree agreeably. Joe -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 The Wednesday 2008-07-09 at 18:57 -0000, Jim Henderson wrote:

On Wed, 09 Jul 2008 11:41:52 -0700, J Sloan wrote:

...

Why do you say it serves no useful purpose?

Because just like Antivirus on Linux, the only thing that AppArmor is doing is preventing a user-initiated program from making changes to the system; changes that wouldn't happen if the user were being smart.

No, it prevents a program initiated by the system, a program serving some service, from accessing things it was not designed to access. And it doesn't mean the user did something wrong: it may be that a cracker found a hole and violated apache. Even if an on-access-scanner scanned the apache binary chances are it wouldn't find anything wrong... because linux binaries are very diverse. - -- Cheers, Carlos E. R. -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.4-svn0 (GNU/Linux) iD8DBQFIdRlYtTMYHG2NR9URAkmVAJ4iDd8N7EvOrjO7YggKgVYw03feegCgiJ6I 0KrlfAE16zxcHu7y7DKxJvs= =ky6X -----END PGP SIGNATURE----- -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 The Wednesday 2008-07-09 at 18:03 -0000, Jim Henderson wrote:

...

...

Yeah, so of course it makes no sense at all to spend time on implementing on-access scanning. Ever.

You are right, it doesn't make sense :-P

As I understand, it was implemented and then removed. It is not needed.

So, if I was going to be facetious, I'd say that AppArmor/SELinux also should be removed, since the only things changing files should be things the user is aware of, right? MAC is just an unneeded layer, since it takes effort on the user's part to change configuration settings and such. ;-)

You'd find there has been lots of discussions about AA between the kernel devs. I'm not even sure AA is on the main kernel yet, it wasn't for some time. But AA serves a pourpose, O-A-S doesn't :-P No, seriously, AA is seen to do protection now in Linux against some types of attacks. Antivirus no, not now, yet, and hopefully, never.

I understand it's more a kernel issue, so from the standpoint of implementing it, this is the wrong place to discuss the actual implementation.

Yes, but I suppose the dazuko people could (should!) argue that point with the kernel devs. I hope they did and lost, because the thought that they simply forgot to argue or did not notice the problem is worse. I, dunno. The thing is they have been overrun by the train and left their users with their pants down. Bad on them, not the fault of suse as the OP claimed. Hopefully they will find some way to do they type of scanning you want, but that will take some time. - -- Cheers, Carlos E. R. -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.4-svn0 (GNU/Linux) iD8DBQFIdQKYtTMYHG2NR9URAqTfAJ4jG6+jKTE95bGE7BF5xxcGCLlO8ACeJQOo U4yl+KSKUo3eGL/lDUJog6w= =24Sh -----END PGP SIGNATURE----- -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org

* Jim Henderson [Jul 09. 2008 12:13]:

On Wed, 09 Jul 2008 11:29:37 -0500, Ben Rosenberg wrote:

...

* Jim Henderson [Jul 09. 2008 10:22]:

...

It isn't needed in Linux *today*, maybe, but again, it makes sense to plan ahead.

I've heard this on this list and other lists for going on 14 years now .. and Linux gets more and more and more popular. When are the script kiddies going to take advantage of the broken scripting engine in Linux? OH Right .. there is no such thing built into it's core.

And if one needs to run windows on their Linux box .. VM's rock. A virus kills a VM dead .. rm -rf <file> and create a new one. Easy Peasy. Just make sure you VM can mount a share on your Linux/UNIX FS to store it's data where at least it's reasonably safe.

Yeah, so of course it makes no sense at all to spend time on implementing on-access scanning. Ever.

It's so much better to use much more complicated solutions. I should've seen that at once! ;-)

It's not ANY more complicated then the ritualistic reinstall of Windows to clean it up .. that most users have to do or have done on a regular basis. *rolls eyes* ;D If it's just Linux with NO VM or Wine and your in some kind of danger of passing on a virus via your mail client .. change mail clients cause if a Linux/UNIX developer doesn't have it built into their client to warn the user they are doing anything with a file that is a binary exe file ... that's a crappy mail client. As I said .. I see nothing wrong with a user having ClamAV or some other solution scanning their files if they so choose to do so .. but unless someone gets a self-perpetuating virus to buzz around a UNIX system as root without any interaction from me as a user .. I'm not wasting cpu cycles on that stuff. I know what I send out via email and windows virus/trojans can't hurt a UNIX system. Just like in life .. a little care and no passing of infections is needed. ;D It boils down to that personal responsibility thing. :D -ben -- XO Communications IP Tier 2 OPS St Louis, MO. -- "Gratitude is merely the secret hope of further favors." -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org

On Mittwoch, 9. Juli 2008, Ben Rosenberg wrote:

...

It isn't needed in Linux *today*, maybe, but again, it makes sense to plan ahead.

I've heard this on this list and other lists for going on 14 years now .. and Linux gets more and more and more popular. When are the script kiddies going to take advantage of the broken scripting engine in Linux?

Don't forget, it's not a worthwhile target. It's not the machines of Joe's Pizza down the street that might be affected, only unimportant sites like Google, eBay, Amazon and the like. If I was a hacker with an ego to prove and in need of my personal 15 minutes of fame, for sure I'd goe for Joe's Pizza, not for one of those big players... ;-) SCNR CU -- Stefan Hundhammer Penguin by conviction. YaST2 Development SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nürnberg) Nürnberg, Germany -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org

On Wed, 09 Jul 2008 11:05:55 -0700, J Sloan wrote:

Jim Henderson wrote:

...

It isn't needed in Linux *today*, maybe, but again, it makes sense to plan ahead.

Wrong kind of planning - I don't think we should plan to be as insecure as windows.

A lack of planning is exactly what it seems is happening on this front. "We don't need it, we're invulnerable to viruses, no, don't tell me differently - lalalalalalala I'm not listening!" seems to be the predominant attitude.

...

If we want people to adopt Linux, we have to not tell them "so this thing you did with Windows automatically? You need to do it manually now. Sorry about that, but that's just the way it is."

That's a good way to turn people off of Linux.

What an odd way to look at it. I find that the reality is more along the lines of "You know that thing you had to do all the time in windows? Well, you don't need to waste your time doing it in linux, as it's totally unnecessary". That applies to e.g. disk defragging, therapeutic reboots, OS reinstalls, anti virus/popup/worm software maintenance, etc.

So again, we should also get rid of AppArmor and SELinux as well, since we obviously don't need those - since the *user* has to start a program that would make a change to the things those security layers protect. Right? I mean really - what purpose do they serve? They just take up CPU cycles, slow the system down, and they protect things that don't need protecting. Everyone backs up their config files, so even if they are somehow compromised by a user doing something as stupid as launching an untrusted program, it's not a great loss, right? Jim -- Jim Henderson Please keep on-topic replies on the list so everyone benefits -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org

On Wed, Jul 9, 2008 at 8:14 AM, Jim Henderson wrote:

If we want people to adopt Linux, we have to not tell them "so this thing you did with Windows automatically? You need to do it manually now.

No, you say you don't need to do that at all any more, and you get the 30% resources you were devoting to on-demand virus scanning back. -- ----------JSA--------- Sig line deleted for the humor impaired. -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org

Jim Henderson wrote:

On Wed, 09 Jul 2008 19:35:37 -0700, John Andersen wrote:

...

On Wed, Jul 9, 2008 at 8:14 AM, Jim Henderson wrote:

...

If we want people to adopt Linux, we have to not tell them "so this thing you did with Windows automatically? You need to do it manually now.

No, you say you don't need to do that at all any more, and you get the 30% resources you were devoting to on-demand virus scanning back.

I don't know of ANY platform where on-access scanning takes 30% of the system's resources. If that's the state of things on Linux, then there's an architectural problem in how it's being done.

Have you done benchmarking then? Something like dbench with on access scanning turned on vs no access scanning? what were the results? Joe -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org

On Thursday 10 July 2008 09:03, Jim Henderson wrote:

...

I don't know of ANY platform where on-access scanning takes 30% of the system's resources. If that's the state of things on Linux, then there's an architectural problem in how it's being done.

I've seen abominations like this on Windows (where at one job, the IT infrastructure management mandated a A-V program for all Windows desktops and attempted to prevent users from disabling it). It depends greatly on the kind of use you make of your system. If you're doing software development, say, where common activities such as rebuilding a large program can cause hundreds or thousands of files to be accessed, the A-V scanning (highly redundant and manifestly unnecessary) can take more time by a wide margin than the actual work of the program that accesses the files.

Jim

Randall Schulz -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org

Jim Henderson wrote:

On Wed, 09 Jul 2008 19:35:37 -0700, John Andersen wrote:

...

On Wed, Jul 9, 2008 at 8:14 AM, Jim Henderson wrote:

...

If we want people to adopt Linux, we have to not tell them "so this thing you did with Windows automatically? You need to do it manually now. No, you say you don't need to do that at all any more, and you get the 30% resources you were devoting to on-demand virus scanning back.

I don't know of ANY platform where on-access scanning takes 30% of the system's resources. If that's the state of things on Linux, then there's an architectural problem in how it's being done.

Jim

Way back in the dark ages, when I was using DOS on an XT clone at work, the network login forced a virus scan at boot up. This made my computer unusable for about a half hour! -- Use OpenOffice.org http://www.openoffice.org -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org

----- Original Message ----- From: "Jim Henderson" To: Sent: Thursday, July 10, 2008 12:03 PM Subject: [opensuse] Re: A BIG "show stopper" for openSUSE at the corporate level anyway!! On Wed, 09 Jul 2008 19:35:37 -0700, John Andersen wrote:

On Wed, Jul 9, 2008 at 8:14 AM, Jim Henderson wrote:

...

If we want people to adopt Linux, we have to not tell them "so this thing you did with Windows automatically? You need to do it manually now.

No, you say you don't need to do that at all any more, and you get the 30% resources you were devoting to on-demand virus scanning back.

I don't know of ANY platform where on-access scanning takes 30% of the system's resources. If that's the state of things on Linux, then there's an architectural problem in how it's being done.

It doesn't have to take 30% of all resources to be intolerably inefficient. If it turns an N usec syscall into a 3N usec syscal, well thats a 300% drop in efficiency. If it turns a syscall that requires N memory transactions into one that requires 3N transactions, thats a 300% drop in efficiency. The more those calls are used, the worse the real-world hit. -- Brian K. White brian@aljex.com http://www.myspace.com/KEYofR +++++[>+++[>+++++>+++++++<<-]<-]>>+.>.+++++.+++++++.-.[>+<---]>++. filePro BBx Linux SCO FreeBSD #callahans Satriani Filk! -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org

Jim Henderson wrote:

How many home users even know how to do daily backups? How many have the technology? Of course my coworkers might argue I am not the normal user but I have daily backup of my wife's computer. One of our admins here showed me how to do it with rsync and it was very easy. Thanks for reminding me that I was supposed to help my father set that up on his computer.

I've got 4 dead DLT drives in the basement. I just suffered the near total loss of the drive that was holding my backups (the drive isn't even recognised by the system any more). for me that isn't a problem because I have two identical backup drives and use rsync for those too. The nightly order is backup1 > backup2 then wife's pc > backup1

small segment of the desktops out there. As the desktop market grows, the need will likely grow as well. That makes me wonder if Linux ever really catches on in the desktop market, would the virus issue become as serious as it is for Windows? I have heard plenty of arguments that Linux is much safer but I often wonder if it is safer only because it isn't mainstream enough to interest the virus writers.

Damon Register -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org

On Wed, 2008-07-09 at 20:44 +0800, Joe Morris wrote:

On 07/09/2008 07:19 PM, Damon Register wrote:

...

Jim Henderson wrote:

...

As the desktop market grows, the need will likely grow as well. That makes me wonder if Linux ever really catches on in the desktop market, would the virus issue become as serious as it is for Windows? I have heard plenty of arguments that Linux is much safer but I often wonder if it is safer only because it isn't mainstream enough to interest the virus writers.

Damon Register

I may be naive, but I just don't see it this way (but I a not a programmer). I used to use OS/2, which was a great system, and AFAIK NEVER had a virus, not because it was not popular, but because it was well written. Though systems are more complicated and asked to do a whole lot more now, I think Linux is well designed from the basics up, and is more secure by design, not just because of obscurity. One of the strengths of open source is the fact that more code is reviewed and by more people. It is also designed to actually work as a regular user. I know I use and promote Linux not because it is more secure by obscurity, but because it is more secure by design. It would seem to be easier to write a virus for Linux in the sense it is open source and you can see the code. It is also obvious that since there are many virus writers in it for the prestige and fame they get, and yet there hasn't been any Linux viruses, that just seeing the code doesn't make it easy. The Linux design makes it better, not just its market share, IMHO.

No matter how well designed an o.s. is, there will allways be weakpoints, and people waiting and trying to abuse them. Any os can be cracked, some are infested be design (don't have to specify that one -;) Others are harder to break, Linux, FreeBSD, OpenBSD.. An innocent and handy rpm, provided by someone who claims to have an updated version of tcpdump, strace what ever.... For many month everything goes well and the program performs as expected. But then, one nasty day, a sloppy admin uses the tool as root user in stead of his normal account And then: Bingo! backdoors opened drives screwed up. Some minutes ago, someone asked how often people make backups. I wonder how often do people examine the source code of the stuff they install? Probably even less. The software that comes directly from SuSE i trust for 100%. But how about the stuff that comes from packman or the buildservice Or some obscure download site. Or Adobe? Closed source drives for wifi or video card? Do you trust them? Did they wrote it themselves or was it obtained by some obscure company that is persuaded to include some backdoors by the cia/mosad/your friendly heroine dealer..... -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org

On Wed, 09 Jul 2008 10:58:42 -0700, J Sloan wrote:

LOL! linux has been a major player in the internet server market for years...

Server use cases are different than desktop use cases. As a result of being in the server market, it *is* targeted for rootkits. That's why we have rkhunter. IMHO, the biggest danger is thinking the systems are invulnerable to attack. That's a HUGE mistake to make - because when you get to the point of being all cocky about "my system can't be hacked", someone will prove you wrong. That's the worst kind of hubris there is from a systems standpoint. Jim -- Jim Henderson Please keep on-topic replies on the list so everyone benefits -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org

On Wed, 09 Jul 2008 11:17:22 -0700, J Sloan wrote:

You're attacking a straw man here. Nobody has ever claimed that any OS is invulnerable. However, the sort of irrational fear that one becomes accustomed to as a result of using microsoft OSes is out of place in the *nix world. In other words, linux users should be aware of the environment, and exercise due diligence, but there's no need for the chicken little routine.

Just because there's "no need for the chicken little routine" doesn't mean that we shouldn't be vigilant about protecting ourselves from potential threats down the road. Today viruses are not a major problem on Linux. They're hardly a blip. I hope they stay that way. But that doesn't mean it makes sense to not explore ways of protecting oneself against that threat. I wouldn't want to be caught at the 11th hour when the first massive virus attack hits Linux and have nobody have even thought about how to deal with it in a way that makes sense for the "average user". Users shouldn't *have* to be rocket scientists to protect themselves. Jim -- Jim Henderson Please keep on-topic replies on the list so everyone benefits -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Apologies for length of this mail but the issue is not simple... I am getting the impression that the *NIX community is moving into new territory here and some of the discussion does seem to show a lack of awareness of the nature of the current threat in terms of Linux and Windows. This is a little ironic as some of the original inspiration for the early DOS viruses came from some of the antics of early UNIX hackers, and some of the original (legitimate?) research on self replicating automata was also performed on the platform. Many years ago (just after the Flood ) I was a minor part of the group charged with assessing AV products for recommendation to the UK academic community, So I know a little about the subject. To start, three points... Firstly there is no bulletproof way to determine whether a system has been compromised by a virus or other malware. Secondly, the virus, or trojan (or worm) to really worry about is the one you do not know about. Thirdly AV protection is more about avoiding the embarrassment of being caught out by something we do know about than anything else. When one is told a system is virus free what really is being said that nothing that we know about has been detected. Even then the most reliable results on determining whether a system has been compromised are only to be found on a cold system examined by a read only trusted bootable media booted from that media (a cold scan). Compromises with stealth capabilities are unlikely to be detected reliably on a running system and can be dangerous to attempt to remove while the system is running. BTW If one is connecting a writeable device to an untrusted machine without cold scanning it first, you will always be a taking a risk. (I am still slightly bemused by the number of experienced technical support people who bypass this precaution). Signature based scanning has had its critics for quite some time, and the first weaknesses showed up with the early polymorphic and stealth viruses in the early 90s. Heuristic scanning that looks for code patterns which may not be benign rather than strings of bytes has the potential to detect potential new threats (at the cost of a slightly higher risk of false positives). The two approaches used in conjunction give a very good chance of recognising code that may not be benign, but usually have a somewhat heavier performance payload. Tools such as AppArmor have a part in a non development environment but have the potential to be problematic in a development environment. The role this tool is somewhat different in any case. If one looks at the classes of virus that exist and the normal vectors for those viruses in the context of *NIX systems one can get an overview of the probable real risks involved. Binary viruses are usually OS specific and new variants are relatively rare nowadays. However, there is no reason that these cannot be developed for Linux systems. As binary viruses require good technical knowledge and are hard to write 'script kiddies' are unlikely to have either the skills or patience to write these when easier options are available. Professional criminal authors are a different story. Macro viruses are almost exclusively application specific, early on M$, WordPerfect, CA, Lotus and others incorporated mechanisms for office applications to interact with the host OS and filesystem with a script autoloading facility. It took a little while to realise what a big mistake some of this was. Unfortunately, by the time the mistake had been realised it proved to be difficult for the genie to be put back in the bottle for a variety of reasons. Macro viruses will be a problem across platforms *iff* system calls are generalised and things like path naming are standardised. (Open Office is moving down this route). With the advent of malware scripting toolkits the number of script based viruses has exploded (but AFAIK most of the toolkits have signature components that can be used identify the results of their products). These are the preferred tools of 'script kiddies' and the criminal community because of the ease of production, but the product is potentially easier to identify. In the M$ world the scripting component of a compromise is more usually a dropper which changes COM configuration and registry settings, the script does not normally propagate itself but is propagated by the components it installs. This is also the architectural vulnerability most often exploited by most known mail WORM or browser based attacks. (M$ have taken some measures to block these particular holes but in such a manner that some of their user community seem to spend a lot of effort circumventing the effects of this protection). The *NIX architecture is radically different and does not have an equivalent security hole and the usual constraints on the privileges afforded to scripts are such that the threat should be minimal, but that is not to say that a dropper script is not a theoretical possibility with *NIX. The ability for these viruses to compromise a Linux system at the system level would be more related to bad security practices or malicious intent by someone already on the system rather than any weakness inherent to the *NIX system model. Using a Linux to host Windows clients networked filestore is in this context a very good idea as the server if properly secured will effectively be in a position to perform a cold scan of Windows files. (Something that would be questionable on a Windows Server). But on-access scanning ideally should be restricted to the results of write operations on the windows client filestore (some admins apply on-access scanning in a fairly indiscriminate manner). The scanner software selected should also have been properly assessed by an independent body, and at this moment in time one of the most popular linux based scanners (ClamAV) appears to have never been submitted to such an assessment. The comments on the ClamAV website about this are not very reassuring. see http://www.clamav.net/index.php?s=linuxworld (It does do other things but as an AV tool at this moment in time it is of questionable value and probably should be supplemented with something else). Boot sector viruses are a very different issue, on server class machines which are rarely rebooted or booted from untrusted media the risk is probably minimal. On client workstations (particularly multi-boot systems) these still have the potential to be a major threat. One surprise is that AFAIK no-one has written a successful compromise to GRUB or LILO (but give it time). As boot sector virus payload become active before the OS takes control of the system, the system can potentially be compromised before the OS and its security provisions are in place. (Conventional BIOS related protection which always has been weak is unlikely to be useful in more complex modern partitioning setups in blocking this particular attack). The original vector for infection is by having infected media on a device which is checked in the boot sequence (and the infected media does not itself have to be bootable). This can usually be easily blocked by changing the boot sequence. However, there was and is a class of multi-vector viruses in the DOS world which propagated by both boot sector and file infections so there are other possible routes for this type of infection to occur. (The NT bootloader sequence was in theory less vulnerable to this type of attack, but I do recall that at least one proof of concept was produced). Again cold scanning is probably the only way of assuring that such an infection has not occurred, however as the contents the boot records should be well defined this should be bulletproof for this threat. It should be noted file system based viruses are something that can be a problem but they are no longer the most serious security threat. Far more dangerous and damaging are the various SQL injection attacks and the resultant compromised web sites dropping or running damaging scripts and applications on client workstations. These are often the result of poor security awareness by non technically orientated PHP web developers. Most linux browsers default settings can make such attacks more difficult on the platform, but only if those in front of the screen act with some sense. - -- ============================================================================== I have always wished that my computer would be as easy to use as my telephone. My wish has come true. I no longer know how to use my telephone. Bjarne Stroustrup ============================================================================== -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (GNU/Linux) Comment: Using GnuPG with SUSE - http://enigmail.mozdev.org iD8DBQFIdhFIasN0sSnLmgIRAox7AKDv69GHr2i6GI6bO/KHVXn0I9CW9wCdHJQ0 5zpeXpfaxJp3Y9XhKT9pudo= =Jcfv -----END PGP SIGNATURE----- -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 The Thursday 2008-07-10 at 16:02 +0200, jdd sur free wrote:

G T Smith a écrit :

...

Apologies for length of this mail but the issue is not simple...

just changing subject on a so boring thread is not a good idea

I don't think so, the name change was appropriate :-)

...

Secondly, the virus, or trojan (or worm) to really worry about is the one you do not know about.

rignt. So why do you write all the rest, given I don't know of any Linux virus?

There are linux virus, only that they haven't been successfully. More like a proof of concept. - -- Cheers, Carlos E. R. -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.4-svn0 (GNU/Linux) iD8DBQFIdiMktTMYHG2NR9URAjTjAJ49pyzIB2TKmdMHYsoX9wV4HtGlUACffBq9 6WDyuIgsatTXnGoQ6Y0XdSw= =FcNd -----END PGP SIGNATURE-----

On Thursday 10 July 2008 07:56:33 am Carlos E. R. wrote:

The Thursday 2008-07-10 at 16:02 +0200, jdd sur free wrote:

...

G T Smith a écrit :

...

Apologies for length of this mail but the issue is not simple...

just changing subject on a so boring thread is not a good idea

I don't think so, the name change was appropriate :-)

...

...

Secondly, the virus, or trojan (or worm) to really worry about is the one you do not know about.

rignt. So why do you write all the rest, given I don't know of any Linux virus?

There are linux virus, only that they haven't been successfully. More like a proof of concept.

Yeah I remember the first one making big news around '97. http://tinyurl.com/6dqgto It was somewhat shot down then too. Still, the Bliss virus made news back then.. http://math-www.uni-paderborn.de/~axel/bliss/ -- kai www.filesite.org || www.4thedadz.com || www.perfectreign.com remember - a turn signal is a statement, not a request -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org

Jim Henderson wrote:

On Tue, 08 Jul 2008 03:41:25 +0200, Carlos E. R. wrote:

...

At worst, you can only do damage to your own user. No big deal. Next time you will be more careful :-P

Arguably, Carlos, damaging files in your own user home directory is the bigger deal. I don't know about others here, but I can replace my OS; I can't replace my documents.

Quite right, Jim. Carlos is smug about this whole issue, but because of Linux's popularity, we WILL SOON have much more of this to deal with. On access filtering IS the correct answer when your mail isn't being fed through your own or business email server software. Here again, in particular for newbies, it MUST be working out-of-the-box - easy for them to install and setup. Fred -- This message originated from a Linux computer using Open Source software: openSuSE Linux 11.0 No Gates, no Windows....just Linux - STABLE & SECURE! -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org

Stefan Hundhammer wrote:

Just think about it: The major points of attack of the well-known Windows viruses simply don't exist. No Linux programmer in his right mind will write a mail client that simply executes anything that might be a piece of code in a mail attachment. There are no ActiveX controls that are commonly downloaded and executed as the user surfs the web. There is no plethora of games and warez that users are so used to download and execute without thinking. And even if any of those scenarios actually happen, it will hit that one user, not the entire system. Sure, that's bad for that one user (and hopefully that user has a backup of the files he invested time in on a USB stick or DVD or some other media). But it's not the complete system that is compromised.

CU

FWIW, one thing I would like to scan is USB external drives. Recently I plugged my USB flash drive into a customer's computer and wound up with a virus on it. Many years ago, floppies were a common way of spreading a virus. Now USB drives fill that role. -- Use OpenOffice.org http://www.openoffice.org -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org

Carlos E. R. wrote:

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1

The Tuesday 2008-07-08 at 13:42 -0400, James Knott wrote:

...

FWIW, one thing I would like to scan is USB external drives. Recently I plugged my USB flash drive into a customer's computer and wound up with a virus on it. Many years ago, floppies were a common way of spreading a virus. Now USB drives fill that role.

But surely, that virus was not propagated by the linux machine, and it probably came from another windows machine.

Quite so, but that drive gets plugged into Windows boxes (I use it for work). It included an autorun.inf file, so it would run when that drive was plugged into another Windows box. ClamAV on my Linux box found it.

I met the first IBM PC virus when I was a student somewhere in the eighties. A dancing ball. There were two viruses then, one a boot sector virus, another attached itself to the end of executables. I killed them with my "bare hands", I had no antivirus, not invented. I used msdos debugger and pctools. Things have changed.

I once got a boot sector virus from a night school computer, via a floppy disk. Fortunately, IBM AV caught it. My computer was running OS/2 then and the boot sector was about the only way in for a virus.

I was never infected. Not then, not ever since. And I have never infected anyone.

And since I use Linux, hundreds of virus have come my way in email. I have never propagated any of them, I have never been affected. I don't even have to think about them.

It is not that difficult.

-- Use OpenOffice.org http://www.openoffice.org -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org

----- Original Message ----- From: "Fred A. Miller" To: "opensuse" Sent: Tuesday, July 08, 2008 1:16 PM Subject: Re: [opensuse] Re: A BIG "show stopper" for openSUSE at the corporate level anyway!!

Jim Henderson wrote:

...

On Tue, 08 Jul 2008 03:41:25 +0200, Carlos E. R. wrote:

...

At worst, you can only do damage to your own user. No big deal. Next time you will be more careful :-P

Arguably, Carlos, damaging files in your own user home directory is the bigger deal. I don't know about others here, but I can replace my OS; I can't replace my documents.

Quite right, Jim. Carlos is smug about this whole issue, but because of Linux's popularity, we WILL SOON have much more of this to deal with. On access filtering IS the correct answer when your mail isn't being fed through your own or business email server software. Here again, in particular for newbies, it MUST be working out-of-the-box - easy for them to install and setup.

I think you are just plain wrong about this. You can stop picking on Carlos. Many people who are smarter than you or I share the same opinion on this topic. (It could also be argued that smarter people than me wrote dazuko, *shrug*) Universal, kernel-level, on-access scanning is a horrendous kludge patch slapped onto an otherwise insecure and fundamentally insecurable os (windows). It's necessary there because the underlying os is not capable of promising actual security. To make linux or any *ix do that is retarded. Otherwise, why stop at files? If the on-access argument is valid, then so is memory acces, and nic traffic, and serial traffic, and keybaord input, etc... Take the on-access argument to it's next logical progression and have memory access scanning. But, what will scan the memoy before it's accessed? Code stored in other memory. Better scan _that_... never ending and basically not sane. The sane approach is make the kernel able to make certain promises, and all of kernel and userspace can safely make assumptions based on that. In the case of linux, barring the usual exceptions of plain bugs which all software has including virus scanners, the kernel can and does make those promises, and so it is perfectly safe to build the rest of the system on top of that and so only certain files ever need to be scanned and those only need to be scanned during certain operations, not every access by the kernel. Files in a samba share can be scanned _by samba_ or by an agent samba invokes, as they are being written or read _via samba_. Any other files and subsystems can have a similar targeted scanning module, such as postfix, etc.. You are right that software should do a better job of "just working", but you should probably not try to meddle in basic system design. Instead, openSUSE, if it's going to declare that dazuko is not a proper design and will not be supported, should probably just remove all rpm's and dpendancies rather than have broken ones in the repo's. And place an explanation in the release notes. Let MS do on-access scanning. The fact that it needs to is just part of why that os sucks. We do not need to emulate it. -- Brian K. White brian@aljex.com http://www.myspace.com/KEYofR +++++[>+++[>+++++>+++++++<<-]<-]>>+.>.+++++.+++++++.-.[>+<---]>++. filePro BBx Linux SCO FreeBSD #callahans Satriani Filk! -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org

On 2008-07-09T00:54:09, Hans Witvliet wrote:

On access scanning (once, after download completes and before it is moved to the users home-dir) is the best solution.

I suggest someone to go and implement it cleanly then, instead of arguing how it is needed and best ;-) Regards, Lars -- Teamlead Kernel, SuSE Labs, Research and Development SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nürnberg) "Experience is the name everyone gives to their mistakes." -- Oscar Wilde -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org

On Tue, 08 Jul 2008 13:16:12 -0400, Fred A. Miller wrote:

Jim Henderson wrote:

...

On Tue, 08 Jul 2008 03:41:25 +0200, Carlos E. R. wrote:

...

At worst, you can only do damage to your own user. No big deal. Next time you will be more careful :-P

Arguably, Carlos, damaging files in your own user home directory is the bigger deal. I don't know about others here, but I can replace my OS; I can't replace my documents.

Quite right, Jim. Carlos is smug about this whole issue, but because of Linux's popularity, we WILL SOON have much more of this to deal with. On access filtering IS the correct answer when your mail isn't being fed through your own or business email server software. Here again, in particular for newbies, it MUST be working out-of-the-box - easy for them to install and setup.

I don't disagree, but can we make this not be a personal issue, please? Jim -- Jim Henderson Please keep on-topic replies on the list so everyone benefits -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org

On Tue, 08 Jul 2008 20:37:11 +0200, Carlos E. R. wrote:

Mmmm... what about backups? Surely, there are other things that scare me much more, as a real danger of loosing my documents, than viruses: disk failures (sw&hw), for instance. Antivirus is not going to protect me.

Sure and I make backups. But if I make backups of an infected file, the backups don't really help me, do they? I personally think the lack of Linux viruses is overblown - sure, there aren't many out there, and they are hard to catch, but that doesn't mean that there's no point in protecting yourself. If you run WINE, for example, now your machine is somewhat more susceptible. I can't run Norton Anti Virus under WINE, though, so something's got to be available to protect the system to any potential exposure. Jim -- Jim Henderson Please keep on-topic replies on the list so everyone benefits -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org

Jim Henderson wrote:

I personally think the lack of Linux viruses is overblown - sure, there aren't many out there, and they are hard to catch, but that doesn't mean that there's no point in protecting yourself. If you run WINE, for example, now your machine is somewhat more susceptible. I can't run Norton Anti Virus under WINE, though, so something's got to be available to protect the system to any potential exposure.

Jim

I use Avast "free for personal use" antivirus for linux to do an occasional scan. Its rated up with macafee and norton. Regards Dave P -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org