jody salt wrote:
| It was just that a few years ago I was slapped by the
| slapper worm.... which brings me to my next question:
|
| Is there a good mailing list for the notification of
| security holes in GNU software, e.g. apache, samba
| qmail etc....
Neither Apache nor qmail is even licenced using the GNU licences, much less GNU project code.
Samba is licenced under the GPL, but is not as far as I know part of the GNU project (I'm guessing if you run free software everywhere your need for Samba is pretty minimal?!).
| I guess it's just a matter of keeping up with security
| patches.
In general each distro has a mailing list, and update procedures. So check the distro site. You can follow the more general lists of problems, but unless you have a lot of time and knowledge you'll probably not be able to tell what is applicable/important.
I think the list membership is unduly optimistic over the question of malicious code on GNU/Linux.
However, the traditional MS Windows style antivirus approach of looking for virus signatures is pretty pointless if there are no major viruses in the wild, as by definition any new significant virus won't be in that signature file, and given that the big use of GNU/Linux with exposure is Apache, you can bet if and when it gets a nasty worm it will spread everywhere it can VERY quickly.
Similarly, with no or very few successful exploits in the wild, even approaches that look for common patterns of behaviour are almost by definition doomed to fail, as there is very little successful malware to generalise from.
Currently the most likely vector for spread is, I would guess, either a buggy Apache module or a suspect web application (think automated exploit of weaknesses in one of the big web content management systems). Some sources are already claiming that Apache based web services are attaining a similar level of defacement activity to Windows, precisely due to the commonality of higher level web applications.
Keeping up to date with security patches suffers from similar weaknesses to the signature based antivirus approach: it does nothing to stop the initial spread if it is based on a new weakness.
As such you can use intruder detection and fingerprinting systems to spot a compromise, but most of your effort is probably better spent ensuring the software selection you use is as robust as possible, and that you block unneeded or unwanted services.
Whilst there are structural reasons why viruses and other malware are not as common on Linux and Unix systems, a meaningful security architecture being one (contrast "XP Home"), there is limited "defence in depth".
I also have some concerns about the assumption that free software projects correct bugs quicker, or more comprehensively. Certainly some key projects (BIND, Apache etc) are patched quickly, and bugs get fixed in security sensitive areas.
But there are a LOT of exploitable bugs on most GNU/Linux desktops that have not been fixed; just glance through the Debian bug tracking system for a selection. And I suspect a lot of servers out there have software with known vulnerabilities.
As such it is possible to conceive of malware exploits through projects like Mozilla, GNOME, and common email clients. Certainly none of these are as ubiquitous as the common Microsoft application software on Microsoft Windows, but it would be naive to assume that there is any serious protection beyond that provided by your last backup.
I think the SCANIT report comparing IE and Mozilla browsers summed up the current status nicely. It suggests that known exploits in the browser meant IE users were vulnerable to known remote code exploits 98% of the time, and Mozilla users 15% of the time (oh and Opera 17%, and note Mozilla on MACOS gets a special mention).
If one application can leave you open to known remote exploit 15% of the time, what proportion of the time do you think you are genuinely "safe" against known exploits with a desktop with say 12 main applications running?
The only way we will improve security substantially in the short term is to migrate to safer underlying libraries, in the manner of Trustix, and some of the other security hardened GNU/Linux distros.
In the longer term we can deploy more code written in type safe languages, and deploy more sophisticated security systems (SELinux got mentioned).
Anyone who thinks that if GNU/Linux (or MACOS) had the market share of Windows, malware wouldn't be a problem is living in cloud cuckoo land. Malware might be much less of a problem in such circumstances than it is now, and we would almost certainly survive without antivirus software (heck, you can nearly do that with Windows already if you are knowledgeable), but it wouldn't go away completely.
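The "12 main applications" question in the post above has a concrete answer if you model each application's exposure window as independent. The following Python is an added illustration, not part of the original post; it uses the 15%, 17% and 98% figures quoted from the SCANIT report, and the independence assumption and function names are mine.

```python
from math import prod

# Per-application exposure fractions as quoted in the post (SCANIT figures):
# the fraction of time a user of that browser was open to a known,
# unpatched remote code exploit.
MOZILLA = 0.15
OPERA = 0.17
IE = 0.98


def exposure_fraction(rates):
    """Fraction of time at least one application is exposed.

    Assumes the exposure windows of different applications are independent.
    That is a modelling assumption made here for illustration: applications
    sharing libraries or release cycles have correlated windows, so treat the
    result as an estimate, not a measurement."""
    for r in rates:
        if not 0.0 <= r <= 1.0:
            raise ValueError(f"exposure fraction out of range: {r}")
    # P(no application exposed) is the product of each one's safe fraction;
    # an empty list gives prod() == 1, i.e. zero exposure.
    return 1.0 - prod(1.0 - r for r in rates)


def apps_until_exposed(rate, threshold=0.5):
    """Smallest number of independent applications, each exposed `rate` of
    the time, before the desktop is exposed at least `threshold` of the time.
    Returns None when the threshold can never be reached (rate == 0)."""
    if not 0.0 < threshold < 1.0:
        raise ValueError("threshold must lie strictly between 0 and 1")
    if rate <= 0.0:
        return None
    n, exposed = 0, 0.0
    while exposed < threshold:
        n += 1
        exposed = exposure_fraction([rate] * n)
    return n


if __name__ == "__main__":
    desktop = [MOZILLA] * 12  # the post's "12 main applications", all at 15%
    print(f"desktop exposed {exposure_fraction(desktop):.1%} of the time")
    print(f"apps at 15% before >=50% exposure: {apps_until_exposed(MOZILLA)}")
```

Twelve independent applications at 15% each leave the desktop exposed roughly 86% of the time; five already push it past 50%.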
--
The Mailing List for the Devon & Cornwall LUG