Linux and Spywares - lack of reading

jdow jdow at earthlink.net
Wed Feb 16 18:03:21 UTC 2005


From: "James Wilkinson" <james at westexe.demon.co.uk>

> jdow wrote:
> > There is a basic problem with chkrootkit. It is "reactive" rather than
> > "preventative". (Firewalls are an example of a proactive tool, the third
> > type.) Unless you are running it every 15 minutes or so, considerable
> > damage could be done to your system between runs. If you store customer
> > records on the machine, you'd really like preventative or proactive type
> > protection. It is time for proactive system administrators to look into
> > this concept and what is available. The danger at present is fairly
> > small. And SELinux is a nice method of locking the door. However, over
> > time a tool such as Norton's AntiVirus will very likely prove beneficial
> > for people who have systems that contain student records, customer
> > records, company financial information, and other things which could
> > seriously damage their institution if they were released or even merely
> > released prematurely.
>
> You mean one that watches what all processes are doing, and terminates
> "suspicious"-looking ones? Ones that access the network when they're not
> supposed to, or try accessing the MBR?
>
> A lot of this functionality is already here (traditional Unix security
> and SELinux, for example). I suspect the rest will come. But what's
> already here doesn't look like a traditional anti-virus package, and I
> doubt the new stuff will, either.
>
> It's more likely to look like getting SELinux to cover capabilities, and
> an easy way for the end user to specify which processes should (for
> example) access the network, or the user's address book.
>
> And whereas Norton and co have to guess about the ethics of a program
> (good or bad), the Linux equivalents can say "if it's not on the list,
> and it's looking here, it's EVIL." That should be a *lot* more secure:
> new or old viruses will be caught.
>
> In the best Unix tradition, we are getting two programs to do the
> equivalent of Norton. chkrootkit is the "disk scanner", whereas the
> "real time scanner" is where it should be: integrated into the system.

James, this is "a good thing" for diligent system administrators who
are paid to lock down systems properly. It is not good for the typical
desktop system with an owner who wants to do what he wants without
jumping through fancy OS hoops. And it's those and desktop systems which
are the real attack and spam amplifiers out there.

And note I added the word "diligent" above. With a diligent system
administrator, none of the recent .edu and .com break-ins should have
happened regardless of the particular OS used. (It is possible to lock
down OS-X, BSD, and even XP to a remarkable degree. Too many
institutions do not bite the bullet and pay for the system administration
they really need. That means holes exist.)

Belt and suspenders is a good approach even if some people only use
(or need) the belt and others only use the suspenders. If both exist
then there is a better chance of seeing to it that Linux does not
become yet another malware host and amplifier system.

{^_^}   <- on whom suspenders look "odd" due to certain bumps.

More information about the fedora-list mailing list