RE: [malware-list] [RFC 0/5] [TALPA] Intro to a linux interface for on access scanning

From: Eric Paris
Date: Tue Aug 05 2008 - 16:52:00 EST


On Tue, 2008-08-05 at 16:28 -0400, Press, Jonathan wrote:
> -----Original Message-----
> From: Greg KH [mailto:greg@xxxxxxxxx]
> Sent: Tuesday, August 05, 2008 4:18 PM
> To: Press, Jonathan
> Cc: Arjan van de Ven; Eric Paris; linux-kernel@xxxxxxxxxxxxxxx;
> malware-list@xxxxxxxxxxxxxxxx; linux-security-module@xxxxxxxxxxxxxxx
> Subject: Re: [malware-list] [RFC 0/5] [TALPA] Intro to a linux
> interface for on access scanning
>
> On Tue, Aug 05, 2008 at 02:38:23PM -0400, Press, Jonathan wrote:
> > >> I think you might be missing the point a bit here, as the
> > >> traditional Unix model that Linux has prevents much of what the
> > >> "traditional AV" products need to do, right?
> >
> > Is your point that Linux and Unix machines are less vulnerable to
> > viruses? If so, that's not relevant to my point at all. A Unix
> > machine can be a carrier, passing infections on to other vulnerable
> > platforms (guess which one).
>
> So you are going to try to force us to take something into the Linux
> kernel due to the security inadequacies of a totally different operating
> system? You might want to rethink that argument :)
>
> [JON PRESS] On the contrary...you might want to rethink your reaction.
> The security inadequacies of that other operating system that happens to
> have a 90+% market share are exactly why Linux and other OS's that
> coexist with it should be more conscious of their own interactions with
> it. Enterprises that see Linux as a potential breeding ground for
> infestations are less likely to tolerate Linux in their environment.
> Why do you think we have so many customers who have a corporate mandate
> to have AV software on all machines, no matter what platform type?

I don't think the pissing contest is going to get us anywhere. I think
Jon might want to realize that the linux kernel is not driven by
business needs, we are driven by technical correctness and technical
necessity. lkml isn't a place where you wave a bag of money and say "do
you want to be in the data center, do as I say." Techies always win,
not business. I think Greg needs to realize that not all of the AV
vendors are being or want to be difficult, thick, or stubborn. I would
like to point out for the community's enjoyment that much of the heavy
lifting here has been done by one of these vendors who is currently
using the above mentioned horrible hacks to make their product work
(although at least I believe GPL horrible hacks). Most all of the black
magic vendors agree they want to work towards a real upstream solution
so let's try to find it, not just build walls and get defensive.

I personally agree with Greg that I don't care if it's 'hard' to get all
the information you need to do your job as long as it is reasonable and
sustainable. I think this interface is both and I'm going to be looking
for numbers to show it over the next couple of days.

I think Alan and I have both described how greater linux security can be
gained through this interface compared to glibc or LD_PRELOAD even if it
isn't perfect security. I certainly don't make the claim that all
malware (for any OS) is going to get stopped dead in its tracks. But
then again I also haven't heard any vendor say "we don't look for any
linux malware." Even if the majority of their business is driven by
"that other OS" it doesn't mean that software on linux is without flaws
and we don't have attackable programs. Would any vendor who does this
type of work stand up and say how your product may have stopped or been
able to stop a vulnerability that would have been impossible in
userspace?

-Eric

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/