On Tuesday 15 November 2005 17:50, SOTL wrote:
> Actually I thought it was completely impossible as a user to put a CD in
> the computer, hit play, and install a root kit but as I continue to read
> and thanks to Paul missunderstanding what I was really asking [my fault for
> not expressing myself well] has shown that users CAN do this on a McIntosh
> which has a BSD system. Apparently Sony has caught everybody with their
> pants down as NO ONE expected a major company to ship CDs with root kits on
> them so not only can root kits be installed on MS Windows by playing music
> but also on Linus and BSD boxes too.
>
> If I understand all this correct Linux and BSD both have a major security
> issue with CD and DVD drives.
Well, no not exactly. Sorry for not having been specific enough!
It's not the CD or DVD or the software that loads them, that has issues
necessarily. The point here is that a user CANNOT under normal circumstances
install a rootkit which has root access.
The problem is so much larger with Windows due to the unalterable flawed
basics of it. The same problem does not exist in *unices, as they can be
totally modified, and have been, without rendering it too incompatible.
What I described is that IF, there is a program that is running as root
(administrator), AND it has a flaw that can be used to execute arbitrary
(your) code, then that aribtrary code will run as root.
In which case you're done with.
When that is not the case, ONLY the user who's violated can be wiped and/or
modified. Which it's important to keep the system up to date.
The response time of all the major Open Source software security flaws is
almost instant. And they have a great record of having them fixed before they
even appear in the wild as a virus or worm.
There is really NO comparison between the windows model and f.ex. the Linux
model. MS traditionally handle any kind of bug with more PR. If it's too big
it's usually not even acknowleged. Well, they used to operate that way
extensively. These days they have been burned so many times doing it it's not
done as often. Whereas OSS is honestly acknowledged and handled in a
responsible manner.
The big difference is that OSS is technology driven, whereas MS is money
driven and motivated. Money is the lowest of motivators, duty the highest.
You see OSS living up to the latter all the time.
Now if you are installing software from an infected CD then you can be in
trouble. This does not happen very often fortunately.
Just look at the trouble you need to go through to maintain up to date s/w
with windows. When it comes out you cannot just install it. You have to
install it on a test bed to see what else it breaks. Then try to work out a
way around these casualties before being able to implement. Just keeping up
with all the patches and viruses is more than an full time job.
This is why a serious windows plant only runs one app on each server. Plus the
fact that MS only certifies s/w to be able to run as the only app. (They
simply don't know how to keep multiple s/w running reliably at the same
time.)
Now under Linux I have been doing updates for something like ten years and
there are not the same worries at all. These days they simply just works.
Once a year or less, when something is released with a problem it's
re-released fixed very quickly. I test it mostly out of habit and trying to
do it right on important 24-7 operations. For all my own I just do the
update.
That is inconceivable in the big corporate windows world. They know you are
lying because it "cannot be done safely".
True, XP is in many ways the very best to come out of Redmond, but fixes still
come out breaking other things, like previous fixes. Having some insight into
how MS works internally it does not surprise me at all. To many independent
"groups/teams" fighting/competing with each other.
The type of flaws under windows are often Full System Access, type flaws,
while OSS are usually more minor which, to be taken advantage of, usually
have to coincide with other flaws to lead anywhere. Even bigger ones usually
require other problems to coexcist to be Full System Access type flaws.
So, to recap. As a user to break in to the system you need to have something
running as root which can be gained access through, to get Full Access.
Unless your password is to easy to figure out of course, then you bypass
_almost_ everything automatically.
So you keep your system up to date and only run services that are accessable
to you. Never to the Internet. Of course I'm assuming you are running a unice
type OS.
When you do need to service the world, that box only has on it what needs to
be on it. You run s/w which will let you know if imporant files have been
altered and so on. I.e. you know what you are doing or spend time and money
to educate yourself to know what you are doing. Good books exist for that.
Meanwhile you run md5sum and sha1sum to verify checksums on s/w you download.
Yum and the likes usually are configured to verify the s/w before installing
it.
I'm trying to not go into a full security howto here as I simply don't have
the time. Again the best defense is knowledge, educate yourself if you are
online. Get so you have a basic understanding of security issues and you'll
probably be OK. It's not entirely bad. Most attacks are done by people
executing a program which is only as good as it's written.
The really good criminals always find their own way in. And so if you have
something important running make yourself a small target. Just like you do
with your home or car. (Hopefully! : )
I run a seperate computer as a firewall for my LAN and to the best of my
knowledge it has never been violated. I also never trust commercial
firewalls. They all suffer from the same flaw of being money motivated. Only
something like OpenBSD with it's record of only one remote access hole in
eight years has a proven track record.
I never really worry too much over things, but I run with really tough
passwords, always think about keeping a minium online profile and make my
updates as soon as they come out. I leave an ISP to protect my web pages, so
nothing is available to the outside.
Which reminds me. I once had an IT guy who installed a filesharing program on
his I.T. computer creating a nice portal. So straight through the two
firewalls was this shared disk on the LAN. Sharing porn with the world. (He
did not dare do it at home.) So much for security when people do stupid
things! Imagine my surprise when I saw these connections from all over the
world leading into the LAN... But you got to trust someone. I was more
specific with the new guy though. Haha.
Hopefully that did not just offer a bunch of confusion but some more
understanding.
Let me know otherwise...
--Steve Szmidt
"They that would give up essential liberty for temporary safety deserve neither liberty nor safety." Benjamin Franklin ----------------------------------------------------------------------- This list is provided as an unmoderated internet service by Networked Knowledge Systems (NKS). Views and opinions expressed in messages posted are those of the author and do not necessarily reflect the official policy or position of NKS or any of its employees.
This archive was generated by hypermail 2.1.3 : Fri Aug 01 2014 - 20:08:17 EDT