Microsoft Says Recovery from Malware Becoming Impossible

Ben Scott dragonhawk at gmail.com
Wed Apr 19 16:30:01 EDT 2006


On 4/19/06, Jon maddog Hall <maddog at li.org> wrote:
>> What Microsoft is saying -- you need to reinstall from trusted media after
>> a root compromise -- has been Standard Operating Procedure in the
>> security community for decades, on all platforms, nix and doze included.
>
> True, but the ease of getting to such a compromised situation might be a
> differentiator.

  True.  However, given the current state of affairs today, for the
typical system compromise -- be it on Windows or Linux -- the only
option is a wipe and reinstall.  Most operators haven't got what they
need (which requires a fair bit of prep work) for assured recovery
otherwise.

> About a year ago there was a report done by a series of security experts
> warning about the issues of creating "one generic brand of operating
> system, on one generic brand of instruction set" ...

  Sure.  Diversity of systems means a targeted attack has less
surface to gain traction on.

  On the other hand, with things like Python and Java making
portability easier, portable malware is easier, too.  Proof-of-concept
malware that attacks both Windoze and Linux has already been
demonstrated.

> So if I had 2000 systems made up of 1000 Intel machines and 1000
> PowerPCs, running Linux and (perhaps BSD), I might find that given a huge
> compromise of any one architecture/OS combination I might be able to do
> work on the other 3/4 of my machines.

  Unless the worm is written in Python, PHP, Perl, Java, shell script,
compiled from C code ...  :)

> Or by using a different strategy, such as LTSP, you may have to "re-install"
> a heck of a lot fewer machines.

  Sure.  Ditto with Windows Terminal Server.  (Windows just costs a
lot more to implement.  That's not news, either.)

> And finally, there is the issue of how fast can you get the patch, and
> whether it exists for all your operating systems, even the ones "retired".

  You got my patch kit for Red Hat Linux 7.1?  :-)

> Just some thoughts.

  Just more thoughts.

  Ultimately, my message here is: Security is hard.  For the vast
majority of security problems we see on Windows, Linux has no
particular immunity.  Linux isn't targeted nearly as much because
there are a *lot* fewer Linux boxes in general, and basically zero
Linux boxes in the "clueless home user" community.

  Attackers go after the easy targets.

  I believe there *are* things inherent to nix that make it easier to
secure than Windows, but *none of them matter right now*.  Almost all
of the attacks are of the "User explicitly runs the malware for the
attacker" or "User did not install patch for buffer overflow" variety.

> One of the authors of this report was mysteriously fired by his company, who
> valued the business of Microsoft.

  That's probably the single relevant piece of information in this
thread so far.  Linux isn't owned by anyone, so we're a lot less
likely to be in a situation where a single company can manipulate the
market at the expense of the user community.

  OTOH, one has to wonder what would happen if Red Hat Software
"asked" a big Red Hat shop to do something.... :)

-- Ben
