RE: Future Linux devel. Kernels

From: David Weinehall (tao@acc.umu.se)
Date: Mon May 08 2000 - 17:37:19 EST


On Tue, 9 May 2000, Simon Richter wrote:

> On Mon, 8 May 2000, Igmar Palsenberg wrote:
>
> > You can always find out.. Logging is normally done through syslogd and
> > klogd.. Try to hide those..
>
> <ot>Use a rootkit. If they reappear, someone installed a rootkit.</ot>
>
> > Some weird modification is useless with Open Source. Everybody can just
> > read the code and write some nice detect app..
>
> A thing that would be cool would be some mutually exclusive #ifdef'd code
> segments selected at random at compile time. No one knows which traps are
> in the system... :-)

Yeuch! This discussion is heading further off into insanity every post,
IMHO.

A few things we need to remember about security:

#1: There is no such thing as a completely safe system.

#2: Remember #1.

#3: The best safety you can get is turning off your system completely.
No one will hack it then, unless someone gets physical access.

#4: The next best thing is no connection to the outside world. The same
applies here as for #3.

#5: There are several different types of external attacks to protect
oneself from:

a.) Denial of service
b.) Destruction of data, either through corruption (dangerous, especially
if you do not detect it) or through removal (usually restorable from
backups)
c.) Use of your system as a means for doing other attacks
d.) Industrial espionage

No SANE computer system should make d.) possible; important
customer information should always be possible to have on a separate
network protected by a one-way firewall etc. Ideas on how to do this were
discussed half a year ago or so on this list, if I'm not all wrong.

For instance, the Swedish police do not have separate computers for
browsing the internet/e-mail etc. and for their databases, and they
are NOT interconnected through any kind of network. If I'm not all
wrong, the computers connected to the internal network don't have
any floppies or CDs, to avoid people moving information between the
systems. Police reports are still filed manually (at least the one
they wrote when I reported my cell phone stolen a few weeks ago...)

a.) and c.) are very hard to protect yourself from; a.) can partly be
solved through load balancing and redundancy.

b.) is what you should be really afraid of. As long as you have
a thought-through backup system and a working logging system, the
damage that can be done this way can also be minimized. While
downtime is never good, downtime is almost always preferable to
lost data.

Detecting the intrusion, and most importantly, detecting what has changed,
is of vital importance. This is why things like LUIDs are not
simply paper products without use. Logging is a fundamental part of
any security system.

If you have 100 accounts and your system gets broken into, and you
can (using the logs) find out which account was the entry point, you'll
know whom to whip to change his/her password/stop using the same password
on several systems/secure his/her machine at home etc.

Some intrusions can be made without having a valid password, but those
are becoming rare these days. And in a sane setup, you would only allow
persons to log on, not group users/system users etc.

Just my 0.02 SKR.

/David
  _ _
 // David Weinehall <tao@acc.umu.se> /> Northern lights wander \\
// Project MCA Linux hacker // Dance across the winter sky //
\> http://www.acc.umu.se/~tao/ </ Full colour fire </
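The two checks the post argues for, "detecting what has changed" and using the logs to find the entry-point account, as an added example that is not part of the original message or of any kernel code: a file-integrity baseline (the idea behind tools like Tripwire) that reports modified, added and removed files, and a pass over sshd "Accepted ..." records that lists which accounts logged in from a suspect address. The log lines, hostname, usernames and addresses are constructed sample data, and the syslog line format the regex expects is an assumption about the log, not something the post specifies.

```python
"""File-integrity baseline plus entry-point-account lookup.

Added example, not code from the original post.  The log sample below is
constructed, and the "<month> <day> <time> <host> sshd[<pid>]: Accepted ..."
line format it assumes is an assumption about the log, not a claim about
any particular syslogd configuration.
"""
import hashlib
import os
import re
import tempfile
from pathlib import Path


def build_baseline(root):
    """Map each regular file under `root` (path relative to root) to its
    SHA-256.  Keep the result off the box being watched (read-only media or
    another host): a baseline the intruder can rewrite proves nothing."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            # Skip symlinks and specials; hash only real regular files.
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            h = hashlib.sha256()
            with open(full, "rb") as f:
                for chunk in iter(lambda: f.read(65536), b""):
                    h.update(chunk)
            baseline[os.path.relpath(full, root)] = h.hexdigest()
    return baseline


def diff_baselines(before, after):
    """Return (modified, added, removed) lists of relative paths, each sorted."""
    modified = sorted(p for p in before if p in after and before[p] != after[p])
    added = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    return modified, added, removed


def demo_integrity():
    """Baseline a scratch tree, tamper with it the way an intruder would
    (replace a binary, drop a hidden file, delete a log), then diff."""
    with tempfile.TemporaryDirectory() as root:
        r = Path(root)
        (r / "bin").mkdir()
        (r / "bin" / "ls").write_bytes(b"original ls")
        (r / "etc").mkdir()
        (r / "etc" / "passwd").write_text("root:x:0:0::/root:/bin/sh\n")
        (r / "var").mkdir()
        (r / "var" / "messages").write_text("boot ok\n")
        before = build_baseline(root)

        (r / "bin" / "ls").write_bytes(b"trojaned ls")    # modified
        (r / "bin" / ".hidden").write_bytes(b"backdoor")   # added
        (r / "var" / "messages").unlink()                  # removed
        after = build_baseline(root)
        return diff_baselines(before, after)


# Successful sshd logins in a syslog-style line (assumed format, see above).
LOGIN_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

# Constructed sample log, not a real capture.  192.0.2.77 plays the attacker.
SAMPLE_LOG = """\
May  8 17:01:02 gw sshd[812]: Accepted password for alice from 10.0.0.5 port 40211 ssh2
May  8 17:03:40 gw sshd[845]: Failed password for root from 192.0.2.77 port 51000 ssh2
May  8 17:03:55 gw sshd[846]: Accepted password for bob from 192.0.2.77 port 51002 ssh2
May  8 17:10:12 gw sshd[901]: Accepted publickey for carol from 10.0.0.9 port 40500 ssh2
"""


def find_entry_accounts(log_text, suspect_ip):
    """Return (timestamp, user, auth method) for every successful login from
    `suspect_ip`: the accounts whose owners need a new password.  Failed
    attempts are deliberately ignored; only a success is an entry point."""
    hits = []
    for line in log_text.splitlines():
        m = LOGIN_RE.match(line)
        if m and m.group("ip") == suspect_ip:
            hits.append((m.group("ts"), m.group("user"), m.group("method")))
    return hits


if __name__ == "__main__":
    modified, added, removed = demo_integrity()
    print("modified:", modified, "added:", added, "removed:", removed)
    print("entry accounts:", find_entry_accounts(SAMPLE_LOG, "192.0.2.77"))
```

The integrity half only works if the baseline and the hashing tool live somewhere the intruder cannot alter, which is the same point the post makes about hiding syslogd and klogd: a rootkit that can rewrite the checker can also rewrite its answer. The log half is only as good as the logs that survive; once the attacker has root, anything still on the box is suspect, so ship the lines to another host first.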

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.rutgers.edu
Please read the FAQ at http://www.tux.org/lkml/