[NCLUG] I was hacked!

Sean Reifschneider jafo at tummy.com
Thu Dec 28 23:29:22 MST 2000


On Thu, Dec 28, 2000 at 10:49:55PM -0700, John L. Bass wrote:
>Frankly, I disable the new RH7.0 update daemons ... I see it as a big brother tool,
>whose primary task in life is to allow RH to claim in their next marketing round

You say that like the up2date tools are the only options for remote update.
There are options, but most non-Debian users seem to be more of the
opinion that they don't want automated updates of their systems...

>That means the distributions need to be clean, maintenance free, and lights out
>(AKA hands free) admin'able for a reasonable period (2-3 years).

You mean like Windows?

With any OS deployment, you need to deal with "approving" updates,
distributing them to the desktops, and managing them.  The ability to
remotely diagnose and resolve something is quite a benefit.  One system
I did high-level support for was PC-based and required a couple of people
to walk a section of the data-center all day to pick out which of the
150-ish PCs needed to be rebooted.  Sure, much of it was the custom
software reliability, but at least once we moved it to big HP Unix
machines we could do restarts remotely and set up more reliable tools
to monitor the systems (the 150+ PCs were moved onto one or two Unix
boxen).

I shudder to think of what would have to happen to make the desktops
"hands free adminable".  While I haven't worked in a Windows environment
like that for several years, I recall that it required quite a number of
custom tools and work to set up and maintain (which probably breaks
the "hands off" part of that, but it's the closest sort of setup I've
seen).  I believe that Linux is probably MORE suitable to act as a
base for that.

Who is it that's setting up the machines in Mexico in such an environment?
They are, effectively, doing that.  The reason is that when a user from their
campus calls up, it may be a 4 hour car trip to get out to lay hands on the
hardware.

>The problem with the OpenSource movement, is an explosive version of the Unix
>problem ... too many idle hands with egos, pushing unnecessary (improvements)
>features which contribute bugs (AKA security advisories) at an alarmingly
>ever increasing rate. Rule of thumb says it takes 1-2 product years to ring

This statement seems to ignore the fantastic work of the SecurityAudit
folks.  Something you can't do with closed source...

>running kernel mode code ... did that twice. The ultimate linux virus today,
>would not touch a single file in the filesystem, but rather patch itself into
>a running kernel and remain undetectable by tripwire or other "security" tool.

A Linux virus that you can get rid of by rebooting?  How...  Windows...

>Lastly, the ultimate crack, would be to divert DNS from the RH update site to a
>cracker managed server offering "updated" packages containing trojans. And without
>even a thought, millions of machines would be updated overnight with the latest

Correct me if I'm wrong, but doesn't up2date use signed packages?
Not quite so easy to accomplish in that case...  I would suspect that
the key is 1024 bits long -- let distributed.net chew on that...  I don't
suspect that setting up a "distributed.net" key cracker could crack the
key before someone notices it, alerts RedHat, and RedHat ships out a
2048-bit key update.

Sean
-- 
 "The question of whether a computer can think is no more interesting than the
 question of whether a submarine can swim."  -- Edsger W. Dijkstra
Sean Reifschneider, Inimitably Superfluous <jafo at tummy.com>
tummy.com - Linux Consulting since 1995. Qmail, KRUD, Firewalls, Python
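An added illustration of the signed-package point made above (not part of the original thread, and not up2date's or Red Hat's code): a client that pins the vendor's public key and verifies each package's detached signature before installing, so a mirror reached through diverted DNS can only serve packages that fail the check. Ed25519 stands in for the GPG-signed RPMs of the time; the package names and bytes are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Package is what a mirror hands back: payload plus detached signature. A
// DNS-diverted mirror controls both, but not the vendor key pinned in the client.
type Package struct {
	Name      string
	Payload   []byte
	Signature []byte
}
// packageDigest binds the name to the bytes so a signed payload cannot be
// served under another package's name.
func packageDigest(name string, payload []byte) []byte {
	h := sha256.New()
	h.Write([]byte(name))
	h.Write([]byte{0}) // separator between name and payload
	h.Write(payload)
	return h.Sum(nil)
}
// signPackage is the vendor-side step; the private key never reaches a mirror.
func signPackage(priv ed25519.PrivateKey, name string, payload []byte) Package {
	return Package{Name: name, Payload: payload,
		Signature: ed25519.Sign(priv, packageDigest(name, payload))}
}
var ErrBadSignature = errors.New("signature does not verify under pinned vendor key")
// verifyPackage is the client-side gate before install: the decision depends
// only on the pinned key, never on which host served the bytes.
func verifyPackage(pinned ed25519.PublicKey, p Package) error {
	if !ed25519.Verify(pinned, packageDigest(p.Name, p.Payload), p.Signature) {
		return ErrBadSignature
	}
	return nil
}
func main() {
	vendorPub, vendorPriv, _ := ed25519.GenerateKey(rand.Reader) // constructed vendor key
	genuine := signPackage(vendorPriv, "example-pkg-1.0", []byte("constructed package bytes"))
	// Diverted mirror: attacker re-signs with its own key, or swaps the payload
	// under the vendor's original signature. The pinned-key check rejects both.
	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader)
	resigned := signPackage(attackerPriv, "example-pkg-1.0", []byte("constructed trojaned bytes"))
	swapped := genuine
	swapped.Payload = []byte("constructed trojaned bytes")
	fmt.Println(verifyPackage(vendorPub, genuine), verifyPackage(vendorPub, resigned), verifyPackage(vendorPub, swapped))
}
```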
