OpenSSH Trojan

Steve Bougerolle steveb at creek-and-cowley.com
Fri Aug 2 20:44:18 PDT 2002


On Sat, 2002-08-03 at 02:22, Pawel wrote:

> Did you take a look at SFS from www.fs.net ?
> Seems rather transparent, uses encryption, they even say it outperforms
> NFS over tcp.

I just had a look at it now.  It looks interesting and I'll add it to my
to-do list.  The lack of an automatic facility for connecting to shared
home dirs makes it a bit more work than I'd like but it's worth some
work.

However, I personally don't think it's wise to bank on protection at
all.  I pay attention to this stuff because I have to, as a basic matter
of responsibility, but I have zero faith in it.  I think real security
(as close as you get to that) comes from some sort of constant automated
backup system so you can roll back whatever damage happens.  

Even if that's not feasible I think it's always more practical to set
things up so you can quickly recover from damage, rather than spend huge
effort trying to avoid cracks in the first place.  It's just too easy
for people to keep finding and using new exploits; there will never be
any end to them and we'll never be fully protected against them.  

Linux is a security disaster waiting to happen.  We boast that it's more
secure because it has built-in security features, but in reality almost
all of us use huge amounts of unaudited code obtained from sources that
are unreliable at best (by which I mean they don't worry about SECURITY
anywhere near as much as they should).  The kernel guys actually sign
their stuff, and we hope they manage internal security well enough for
that to mean something.  SOME of the people writing key must-run-as-root
packages do the same, but not even all of them.  Sooner or later
somebody will manage to trojan the right bit of software and wreak great
huge amounts of trouble in the Linux world.  Companies like Red Hat will
take a huge PR hit (and probably a big dent in earnings as well), and
everyone will have to start paying a lot more attention to this glaring
security issue.  

Then you'll be feeling pretty smug if you've got started now doing
things the way Matthias suggests. :)

I used to run the computers for a school here, which used Win98.  In
practical terms that's as insecure an environment as you're likely to
find.  How did I handle it?  I set up every user PC so Windows could be
automatically re-installed through the network just by booting with the
right option.  Then whenever I smelled any small bit of trouble I just
pushed a couple keys and zapped the whole thing (and believe me, I never
hesitated to do that).  The result of this sort of caution: in five
years running the computers nobody in the place ever took the slightest
bit of damage from viruses and worms, while schools around us got
trashed by every new pest that came along.  That's pretty good
considering I never bothered with any of this "personal firewall" or
anti-virus crap Windows users put too much faith in.

-- 
Steve Bougerolle
Creek & Cowley Consulting

http://www.creek-and-cowley.com

-- 
Unsubscribe: send email to listar at linuxfromscratch.org
and put 'unsubscribe lfs-security' in the subject header of the message



More information about the lfs-security mailing list