[opensuse] Re: A BIG "show stopper" for openSUSE at the corporate level anyway!!
On Wed, 09 Jul 2008 20:46:56 +0200, Carlos E. R. wrote:
>> I mean really - what purpose do they serve? They just take up CPU cycles, slow the system down, and they protect things that don't need protecting. Everyone backs up their config files, so even if they are somehow compromised by a user doing something as stupid as launching an untrusted program, it's not a great loss, right?
>
> There is something else.
>
> An antivirus only protects against _known_ viruses, while AppArmor, which doesn't make the computer slower, protects against new, unknown, "bad things".

But if those things have to be initiated by the user - just like a virus - then why do we need AA? We didn't need it 5 years ago, right?

Isn't that somewhat the same argument now about AV - we don't need it now, so we'll never need it? And since we'll never need it, there's no use in discussing options for OAS for AV?

The same solutions proposed in lieu of OAS for AV on Linux could also be applied to AppArmor. People back their systems up, badly behaving programs have to be changed to be executable before the user can run them and they must be invoked by the user, so before the user invokes an unknown program, they should back their stuff up in case it destroys their files, etc, etc, etc.

I don't see how logically one can be said to be needed and the other isn't.

Jim
--
Jim Henderson
Please keep on-topic replies on the list so everyone benefits
--
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse+help@opensuse.org
Jim Henderson wrote:
> On Wed, 09 Jul 2008 20:46:56 +0200, Carlos E. R. wrote:
>
>>> I mean really - what purpose do they serve? They just take up CPU cycles, slow the system down, and they protect things that don't need protecting. Everyone backs up their config files, so even if they are somehow compromised by a user doing something as stupid as launching an untrusted program, it's not a great loss, right?
>>
>> There is something else.
>>
>> An antivirus only protects against _known_ viruses, while AppArmor, which doesn't make the computer slower, protects against new, unknown, "bad things".
>
> But if those things have to be initiated by the user - just like a virus - then why do we need AA? We didn't need it 5 years ago, right?
>
> Isn't that somewhat the same argument now about AV - we don't need it now, so we'll never need it? And since we'll never need it, there's no use in discussing options for OAS for AV?
>
> The same solutions proposed in lieu of OAS for AV on Linux could also be applied to AppArmor. People back their systems up, badly behaving programs have to be changed to be executable before the user can run them and they must be invoked by the user, so before the user invokes an unknown program, they should back their stuff up in case it destroys their files, etc, etc, etc.
>
> I don't see how logically one can be said to be needed and the other isn't.

It's pretty clear that AppArmor makes sense in the Unix philosophy. It's non-intrusive, and serves a practical purpose: that of ensuring that if somehow a program is compromised, it will be constrained in terms of what it can do. It fits Linux.

OTOH, resource-hungry, Microsoft-style bandaids don't fit. Aesthetically speaking, they're ugly and awkward and should be kept far away from Linux. If there is ever a problem to be solved, it should be solved the Linux way, not by mimicking failed strategies from the Microsoft world.

IMHO of course.

Joe
On Wed, 09 Jul 2008 12:12:35 -0700, J Sloan wrote:

> It's pretty clear that AppArmor makes sense in the Unix philosophy. It's non-intrusive, and serves a practical purpose: that of ensuring that if somehow a program is compromised, it will be constrained in terms of what it can do. It fits Linux.

But if the only way a program is going to be compromised is if a user allows it, then AA is redundant to the tasks a user should be doing. Just like scanning files to make sure they're not infected.

> OTOH, resource-hungry, Microsoft-style bandaids don't fit. Aesthetically speaking, they're ugly and awkward and should be kept far away from Linux. If there is ever a problem to be solved, it should be solved the Linux way, not by mimicking failed strategies from the Microsoft world.

Absolutely agreed. However, how much resource is actually consumed by something like Dazuko? I don't know, never needed to use it. Maybe the problem isn't the OAS piece of it, maybe it's the implementation. Maybe if instead of using whatever it is that it uses, it used a mechanism like AA did, it would be more efficient.

> IMHO of course.

And same here. :-)

Jim
On Wed, Jul 9, 2008 at 2:00 PM, Jim Henderson wrote:

> But if those things have to be initiated by the user - just like a virus - then why do we need AA? We didn't need it 5 years ago, right?
>
> Isn't that somewhat the same argument now about AV - we don't need it now, so we'll never need it? And since we'll never need it, there's no use in discussing options for OAS for AV?
>
> The same solutions proposed in lieu of OAS for AV on Linux could also be applied to AppArmor. People back their systems up, badly behaving programs have to be changed to be executable before the user can run them and they must be invoked by the user, so before the user invokes an unknown program, they should back their stuff up in case it destroys their files, etc, etc, etc.
>
> I don't see how logically one can be said to be needed and the other isn't.

The difference is in the price. O-A-S is expensive (in system resources). While there are other, less expensive solutions (on-write check, on-download check, on-email-receive check, on-document/macro-open check, AA, etc.), there is no need to nail a fly with a hammer.

Also, as I said - this is a decision made by kernel devs, in part maybe because the Dazuko implementation is too intrusive, or the Dazuko people did not present their case properly, or they did not commit to supporting their part after the inclusion. All these are speculations, as I did not go out of my way to check what happened and why.

Anyway - the kernel is open source - anybody can make modifications to it. If there is a Linux distro which wants to go out of its way and offer an ultra-virus-protected system, they can use a modified kernel with Dazuko included. If an antivirus vendor wants their product used under Linux (and convinces enough people to use it), they can spend some resources to prepare enough kernel patches for every kernel out there. After all, Nvidia finally saw it, and now they prepare their drivers with every kernel update I receive for openSUSE.

So, complaining that the kernel does not include this and that - especially when Dazuko is mostly used by a closed-source application (is Antivir open-sourced?).

As I said before - most of this conversation should happen on the kernel dev list, not here. And even for openSUSE (and SLES/SLED) there is a more appropriate way - file a bug, vote for it, let others vote for it. Novell will listen, and decide. Creating a thread which already has more than 100 posts, which can be shortened to fit in 10 arguments pro and con, is a useless waste of time, network bandwidth, disk space, and people's time.

There's another thing as well - antivirus solutions just make people feel safer, w/o adding too much protection. Usually the people who do not care do not update their definitions regularly, and on top of it, "being protected" means for them that they can download and run whatever garbage they can get their hands on.

So, again - it is a balance of the cost - I would prefer some kernel devs to work on and create a more stable kernel, which works with better and newer hardware, than to waste their time on such a low-impact subject. But everybody else is free to change/modify/use whatever solution will make them happy. And they have all the information they need - the kernel is open-sourced, has a release cycle, what changes are going to be put in the next release are well known, etc.

Cheers
--
Svetoslav Milenov (Sunny)

Even the most advanced equipment in the hands of the ignorant is just a pile of scrap.
On Wed, 09 Jul 2008 14:26:58 -0500, Sunny wrote:
> The difference is in the price. O-A-S is expensive (in system resources). While there are other, less expensive solutions (on-write check, on-download check, on-email-receive check, on-document/macro-open check, AA, etc.), there is no need to nail a fly with a hammer.

And nobody has ever said that OAS is an all-or-nothing option. As I said elsewhere, I've seen OAS systems that care about file types or allow excluded directories (such as /tmp). There's no reason that footprint can't be minimised. It could be done effectively on OSes running on 386/486 processors. With computing power that's 20x those old systems, I can't see the impact being *worse* if implemented properly.

> So, complaining that the kernel does not include this and that - especially when Dazuko is mostly used by a closed-source application (is Antivir open-sourced?).

I don't know - and I didn't know the history of Dazuko, either. I'm not pro any particular application - just the idea.

> There's another thing as well - antivirus solutions just make people feel safer, w/o adding too much protection.

Tell that to the millions of Windows users who have been infected over the years. There is value in protecting against known threats.

> Usually the people who do not care do not update their definitions regularly,

That's what auto-update is for. Part of the problem with closed-source AV solutions is that they use a subscription model - if you don't pay, you don't get current virus definitions. That is a business model that says "my business is more important than the users". They haven't figured out (generally speaking) that taking care of the users *takes care of business*.

> and on top of it, "being protected" means for them that they can download and run whatever garbage they can get their hands on.

True, but some people will do that regardless.

> So, again - it is a balance of the cost - I would prefer some kernel devs to work on and create a more stable kernel, which works with better and newer hardware, than to waste their time on such a low-impact subject. But everybody else is free to change/modify/use whatever solution will make them happy. And they have all the information they need - the kernel is open-sourced, has a release cycle, what changes are going to be put in the next release are well known, etc.

Sure, but there's nothing that says it has to be implemented at the *kernel* - I've not said the kernel devs need to spend time writing AV software. If there are hooks there, let someone else write it. Doesn't the Linux kernel support some form of copy-on-write mechanism, or a file modification monitoring mechanism? I'd think it must in order for an app like AppArmor to detect changes that aren't permissible.

Jim
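The file-modification notification Jim asks about does exist in mainline Linux: inotify (in the kernel since 2.6.13) reports events such as IN_CLOSE_WRITE for files under a watched directory, which is exactly the hook an "on-write check" or "on-download check" of the kind Sunny listed earlier would build on, with no kernel patch. The C program below is an added example written for this page; it is not code from the thread, from Dazuko or from any antivirus product. The scratch directory name, the file name and the sample payload are constructed for the demonstration, and the hook function is hypothetical.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/inotify.h>
#include <unistd.h>

/* Drain the non-blocking inotify queue and count IN_CLOSE_WRITE events for
 * the file name we care about. A real scanner would hand each such path to
 * its engine here instead of just counting. */
static int count_close_write(int ifd, const char *want_name)
{
    char buf[4096] __attribute__((aligned(__alignof__(struct inotify_event))));
    int hits = 0;
    for (;;) {
        ssize_t len = read(ifd, buf, sizeof buf);
        if (len <= 0)                 /* EAGAIN: queue drained */
            break;
        for (char *p = buf; p < buf + len;) {
            const struct inotify_event *ev = (const struct inotify_event *)p;
            if ((ev->mask & IN_CLOSE_WRITE) && ev->len > 0 &&
                strcmp(ev->name, want_name) == 0)
                hits++;
            p += sizeof *ev + ev->len;
        }
    }
    return hits;
}

/* Hypothetical on-write hook (not Dazuko, not any AV product): watch a fresh
 * temporary directory, write and close a constructed sample file inside it,
 * and report whether the kernel delivered the close-write notification.
 * Returns 1 if the event was seen, 0 if not, -1 if setup failed. */
int demo_close_write_detected(void)
{
    char dir[] = "/tmp/onwrite-demo-XXXXXX";   /* constructed scratch dir */
    if (mkdtemp(dir) == NULL)
        return -1;

    int ifd = inotify_init1(IN_NONBLOCK | IN_CLOEXEC);
    if (ifd < 0) {
        rmdir(dir);
        return -1;
    }
    int wd = inotify_add_watch(ifd, dir, IN_CLOSE_WRITE);
    if (wd < 0) {
        close(ifd);
        rmdir(dir);
        return -1;
    }

    char path[PATH_MAX];
    snprintf(path, sizeof path, "%s/download.bin", dir);
    static const char sample[] = "constructed sample payload\n";
    int result = -1;
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd >= 0) {
        ssize_t n = write(fd, sample, sizeof sample - 1);
        (void)n;                      /* the close below fires regardless */
        close(fd);                    /* this close generates IN_CLOSE_WRITE */
        result = count_close_write(ifd, "download.bin") > 0 ? 1 : 0;
    }

    inotify_rm_watch(ifd, wd);
    close(ifd);
    unlink(path);
    rmdir(dir);
    return result;
}

int main(void)
{
    int r = demo_close_write_detected();
    printf("close-write event seen: %d\n", r);
    return r == 1 ? 0 : 1;
}
```

The caveat that matters for the cost argument in this thread: inotify is a notification, delivered after the write has already completed, so a scanner built on it can quarantine or flag a file cheaply but cannot block the open the way an interception layer like Dazuko does. That is the trade-off between "on-write check" and true on-access scanning.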
The Wednesday 2008-07-09 at 19:00 -0000, Jim Henderson wrote:

>> There is something else.
>>
>> An antivirus only protects against _known_ viruses, while AppArmor, which doesn't make the computer slower, protects against new, unknown, "bad things".
>
> But if those things have to be initiated by the user - just like a virus - then why do we need AA? We didn't need it 5 years ago, right?

AA is initiated by the admin, not the user. It does not protect programs, but services.

> Isn't that somewhat the same argument now about AV - we don't need it now, so we'll never need it? And since we'll never need it, there's no use in discussing options for OAS for AV?

The philosophy and method of working is different, they protect different things. AA doesn't scan anything, doesn't search for patterns. What it does is simply allow or disallow certain actions against a list of allowed actions. For example, if postfix is compromised and suddenly wants to create a new user (write to /etc/passwd), the profile will not allow it. This is something an antivirus will not detect and avoid, unless it is a previously known _binary_ pattern.

> I don't see how logically one can be said to be needed and the other isn't.

AA was designed for Linux and for the kinds of attacks Linux suffers. Antiviruses were designed for the attacks Windows suffers.

--
Cheers,
Carlos E. R.
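What Carlos describes above, a confined service being refused a write to /etc/passwd because the profile never granted it, looks like this in AppArmor profile syntax. The profile below is an added illustration for this page, not a profile shipped by openSUSE or by Postfix: the binary path is an assumption (real Postfix confinement covers several helper binaries and grants more than shown here), and the rule set is deliberately minimal.

```apparmor
# Added illustration only: not a profile shipped by openSUSE or by Postfix.
# The binary path below is an assumption made for this example.
#include <tunables/global>

/usr/lib/postfix/smtpd {
  #include <abstractions/base>
  #include <abstractions/nameservice>

  # Allow list: only what the daemon legitimately needs. nameservice above
  # already grants read (not write) access to /etc/passwd for user lookups.
  /usr/lib/postfix/smtpd mr,
  /etc/postfix/** r,
  /var/spool/postfix/** rw,
  network inet stream,
  network inet6 stream,

  # Anything not listed is already refused and logged. These explicit rules
  # make the intent visible; 'audit' keeps the denial in the log, because a
  # bare 'deny' would otherwise silence it.
  audit deny /etc/passwd w,
  audit deny /etc/shadow rw,
  audit deny /etc/group w,
}
```

Load it with apparmor_parser -r and run it in complain mode first (aa-complain) so that any legitimate access the allow list missed shows up as a logged but permitted event; once the log is quiet, switch to enforce (aa-enforce). A compromised process that then tries to open /etc/passwd for writing gets EACCES and the kernel logs an AppArmor DENIED event naming the profile and the path, regardless of whether the code doing it was injected via a buffer overflow or was a child process, which is the point Carlos makes later in the thread.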
On Wed, 09 Jul 2008 21:46:51 +0200, Carlos E. R. wrote:
> The Wednesday 2008-07-09 at 19:00 -0000, Jim Henderson wrote:
>
>>> There is something else.
>>>
>>> An antivirus only protects against _known_ viruses, while AppArmor, which doesn't make the computer slower, protects against new, unknown, "bad things".
>>
>> But if those things have to be initiated by the user - just like a virus - then why do we need AA? We didn't need it 5 years ago, right?
>
> AA is initiated by the admin, not the user. It does not protect programs, but services.

And services are....*programs*, right?

>> Isn't that somewhat the same argument now about AV - we don't need it now, so we'll never need it? And since we'll never need it, there's no use in discussing options for OAS for AV?
>
> The philosophy and method of working is different, they protect different things. AA doesn't scan anything, doesn't search for patterns. What it does is simply allow or disallow certain actions against a list of allowed actions.

Sure, I understand that. I happen to think AA is a pretty cool technology.

> For example, if postfix is compromised and suddenly wants to create a new user (write to /etc/passwd), the profile will not allow it.

Sure. And how exactly would Postfix decide to do something like this? Wouldn't it have to run some sort of executable code to do something like this - something that's not in its normal behaviour patterns to do?

> This is something an antivirus will not detect and avoid, unless it is a previously known _binary_ pattern.

Yes. And there is value in looking for *known* threats. rkhunter works based on previously known patterns, not the unknown. Or are you saying that we should kill off rkhunter as well because it only looks for known threats?

>> I don't see how logically one can be said to be needed and the other isn't.
>
> AA was designed for Linux and for the kinds of attacks Linux suffers. Antiviruses were designed for the attacks Windows suffers.

And it's fair to say that Linux will never ever ever *ever* suffer the type of attacks Windows suffers? *ever*?

Jim
The Wednesday 2008-07-09 at 21:40 -0000, Jim Henderson wrote:

> On Wed, 09 Jul 2008 21:46:51 +0200, Carlos E. R. wrote:
>
>>> But if those things have to be initiated by the user - just like a virus - then why do we need AA? We didn't need it 5 years ago, right?
>>
>> AA is initiated by the admin, not the user. It does not protect programs, but services.
>
> And services are....*programs*, right?

Yes, but not any program. AA would be very difficult to apply, say, to oowriter.

>> For example, if postfix is compromised and suddenly wants to create a new user (write to /etc/passwd), the profile will not allow it.
>
> Sure. And how exactly would Postfix decide to do something like this? Wouldn't it have to run some sort of executable code to do something like this - something that's not in its normal behaviour patterns to do?

It could be in memory, a buffer overflow hack. It could be the main program or a child. Not important.

>> This is something an antivirus will not detect and avoid, unless it is a previously known _binary_ pattern.
>
> Yes. And there is value in looking for *known* threats. rkhunter works based on previously known patterns, not the unknown. Or are you saying that we should kill off rkhunter as well because it only looks for known threats?

No, I'm pointing out the difference and the difficulty. Searching for patterns will seldom protect against new types of attacks.

>>> I don't see how logically one can be said to be needed and the other isn't.
>>
>> AA was designed for Linux and for the kinds of attacks Linux suffers. Antiviruses were designed for the attacks Windows suffers.
>
> And it's fair to say that Linux will never ever ever *ever* suffer the type of attacks Windows suffers? *ever*?

I have been seeing that argument for at least ten years, and it hasn't happened.

--
Cheers,
Carlos E. R.