Re: recommended Virus Scanner?

From: Karsten M. Self (kmself_at_ix.netcom.com)
Date: 11/27/03

    Date: Thu, 27 Nov 2003 05:39:05 -0800
    To: Debian-User <debian-user@lists.debian.org>

    on Wed, Nov 26, 2003 at 12:07:05AM -0800, Tom (tb.31123.nospam@comcast.net) wrote:
    > > Paul Johnson wrote:
    > > >Non-issue if you don't use Windows.
    >
    > This is totally piling on, but given this recent security compromise,
    > I think the whole Linux community needs to reevaluate its "can't
    > happen here" mentality.

    Preface: Paul's response was, IMO, somewhat unwarranted. It's
    technically correct: if you're not worried about dealing with legacy MS
    Windows users, you don't need to worry about viruses for GNU/Linux.
    However, since GNU/Linux makes such an excellent platform for providing
    web, proxy, email, file, print, data, and other services for legacy MS
    Windows systems, there _are_ people with a valid interest in
    virus-scanning solutions, targeting *Microsoft* viruses, but running on
    GNU/Linux.

    A few items:

     - Yes, security matters.

     - The Debian project compromise, by available (and some unavailable)
       information wasn't a virus. While a full report is forthcoming, the
       general outline appears to be that a Debian developer's system was
       compromised (how exactly isn't clear), the SuckIT rootkit installed
       on his system (this is a particularly nefarious kernel-space rootkit
       which leaves no filespace evidence, though it can be detected by
       looking at /proc files), and from there, several Debian servers
       accessed. Keyloggers, common passwords (you *really* shouldn't
       re-use passwords on different systems), and some other bad habits
       factored in heavily.

     - Specifically: it doesn't appear that there was a virus or worm
       component to the exploit(s) (though my information is incomplete and
       analysis remains underway) -- key defining point that one system was
       compromised and automatically propagated the compromise to others.
       Rather, social and/or technical cracking techniques were applied, a
       rootkit used to leverage the exploit, and guided analysis used to
       then target Debian Project (and possibly other) systems for further
       compromise.

       Contrast this to, say, the Microsoft Slammer worm, in which a 376
       byte UDP packet saturated the _entire_ Internet within 10-15 minutes,
       or the Swen and SoBig worms, which dumped thousands, or tens of
       thousands, or hundreds of thousands of emails daily on individuals and
       sites.

       GNU/Linux has a security profile. It's generally markedly different
       from legacy MS Windows. Best bet: focus on the actual threats
       _your_ environment faces.

     - Yes, I expect the security picture regarding GNU/Linux to worsen as
       more users adopt the platform. I don't think viruses and worms, as
       commonly defined, will characterize the problem. Rather, it's going
       to be poorly administered boxes and bad security practices writ
       large.

    > I don't care if it's social engineering or I-Love-You, if the world
    > comes to an end, that's A Bad Thing.

    There are few attacks on GNU/Linux, *BSD, or proprietary unices which
    are of the "world comes to an end" variety. Most (but not all) software
    is designed with security in mind, the overall architecture is radically
    different from legacy MS Windows, and even in wide adoption, the
    environment is likely to be far more heterogeneous than the current Win32
    monoculture.

    > It's only going to get worse as Linux gets more popular. There were
    > dozens of Microsoft disasters before the mainstream press and the
    > general public noticed.

    And the response to these has been to thumb the dike. Leaks have been
    plugged, but the overall infrastructure hasn't been overhauled. And
    it's this infrastructure which is the problem: little privilege
    separation, pervasive cross-application scripting, commingling of "code"
    and "data", deeply pathological complex relationships between
    applications and OS making patching tedious and error prone, and a
    highly uniform OS and applications base, which lead to the problems.
    Compounded heavily by a culture which didn't "get security" until the
    past two years, despite repeated and significant warnings that this is
    and would be a worsening problem.

    By contrast, the free software community operates on a basis of full and
    timely disclosure, preemptive security measures (code audits, several
    independent hardening efforts from OpenBSD to SELinux), and in general
    takes security seriously. Not always seriously enough, but if there is
    a problem people speak up about it. And there aren't (yet) $6 billion
    marketing budgets to plaster over the disturbance. Most major distros
    now have systems which greatly facilitate the updating of systems,
    Debian more so than most.

    > Linux is long overdue for a major security black eye. It's going to
    > suck when it happens.

    There will be problems. There have been problems. They will likely be
    largely localized (affecting a subset of users and systems), disclosed
    fully, and rapidly patched and/or addressed. It's possible that
    popularization of GNU/Linux will eventually take it beyond the sensible
    design roots it's historically been based in (and I see some warning
    signs). But for the most part, engineers, not marketers, have final
    say, and tend to address problems.

    > I think all Linux devs, from Linus on down, need to stop and think
    > very seriously about what can be done to preemptively mitigate the
    > inevitable embarrassments which are sure to come (soon).

    I think that many do. I think your fears are somewhat misplaced.

    The advice is still valid.

    Peace.

    -- 
    Karsten M. Self <kmself@ix.netcom.com>        http://kmself.home.netcom.com/
     What Part of "Gestalt" don't you understand?
       ARM Computer:  Customer Service Hell On Earth
         http://lists.svlug.org/pipermail/svlug/2001-November/038616.html
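The /proc check Karsten mentions for kernel-space rootkits, as an added illustration that is not part of his message or of any Debian tooling: a rootkit that filters directory listings can make `ps` and `ls /proc` omit its processes, but a direct stat() of /proc/<pid> never passes through the listing, so PIDs that answer to the probe yet are missing from the listing are worth a look. The listing is taken before and after the probe so that processes starting or exiting during the scan are not reported; `hidden_pids()` is the pure comparison and the rest is live collection.

```python
#!/usr/bin/env python3
"""Hidden-process check: compare the PIDs that /proc *lists* with the PIDs
that /proc *answers for* when each candidate path is stat()ed directly."""
import os
import re

PID_RE = re.compile(r"^\d+$")


def listed_pids():
    """PIDs as returned by readdir() on /proc: the view a rootkit can filter."""
    return {int(name) for name in os.listdir("/proc") if PID_RE.match(name)}


def probed_pids(pid_max):
    """PIDs found by stat()ing /proc/<pid> for every pid from 1 to pid_max."""
    found = set()
    for pid in range(1, pid_max + 1):
        try:
            os.stat(f"/proc/{pid}")
            found.add(pid)
        except FileNotFoundError:
            pass
        except PermissionError:
            found.add(pid)  # the entry exists; we just may not read it
    return found


def hidden_pids(listed_before, probed, listed_after):
    """A PID is suspicious only if the probe saw it and *neither* listing
    did; two listings keep short-lived processes out of the result."""
    return probed - listed_before - listed_after


def scan(pid_max=None):
    """Live scan; pid_max defaults to the kernel's own limit."""
    if pid_max is None:
        with open("/proc/sys/kernel/pid_max") as fh:
            pid_max = int(fh.read())
    before = listed_pids()
    probed = probed_pids(pid_max)
    after = listed_pids()
    return hidden_pids(before, probed, after)


if __name__ == "__main__":
    suspicious = scan()
    for pid in sorted(suspicious):
        print(f"suspicious: pid {pid} answers stat() but is absent from /proc listing")
    print(f"{len(suspicious)} suspicious pid(s)")
```

On a clean host the scan prints 0 suspicious PIDs; probing up to a large pid_max takes a few seconds in Python, which is acceptable for an occasional check.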