Stealthy Linux Trojan May Have Infected Victims For Years

An anonymous reader writes: Researchers from Moscow-based Kaspersky Labs have uncovered an extremely stealthy trojan for Linux systems that attackers have been using to siphon sensitive data from governments and pharmaceutical companies around the world.

The malware may have sat unnoticed on at least one victim computer for years, although Kaspersky Lab researchers still have not confirmed that suspicion. The trojan is able to run arbitrary commands even though it requires no elevated system privileges.

systemd hasn't been around that long, has it?

I thought that the systemd infection of Debian was much more recent than that. Like within the past year. But maybe I'm wrong, and it has been longer?

Re:systemd hasn't been around that long, has it?

[gweihir]

It is just that these things evolve and eventually move into the light ;-)

Re:systemd hasn't been around that long, has it?

[deviated_prevert]

As long as your sig is under construction it will not be ready to move into the light. Personally I prefer tailor made sigs.

Re:systemd hasn't been around that long, has it?

[gweihir]

I had one of those. But I found out my tailor was too limited for my tastes, so I upgraded to ultimate flexibility! ;-)

"Running arbitrary commands" is irrelevant

[gweihir]

The privilege system does not protect commands, it protects data. You can always run any command on any data that belongs to you. But when you want to access data of others or the system, you need elevated privileges and same for attacking to privileged network ports.

Re:"Running arbitrary commands" is irrelevant

[Antique+Geekmeister]

I';m personally aware of thousands of systems on which database data, backups, and system logs are not read protected from local users. They're left this way on the grounds that "if someone has local access, we're screwed anyway". They pass pass commercial security audits because the security companies do a handful of known external attacks, which giver a small set of tasks to fix the issue and do not address such fandamental issues.

This is particularly aggravated on systems with have password free sudo access for developers, which is very common on development environments, on systems with password free SSH keys casually stored with system wide access, and software systems that store passwords in clear text by default, such as Subversion HTTPS access. It's also compounded when home directories on which such information is stored is NFSv3 mounted and shared with all clients on the network. The concept of "data which belongs to you" breaks down quickly with NFS or CIFS without authentication in most environments. NFSv4 or Kerberized CIFS access can be helpful in restricting this, but I know very few partners or clients who go to the extra steps needed for this.

Re:"Running arbitrary commands" is irrelevant

[gweihir]

Well, the other thing is that you cannot run commands on arbitrary data without privilege escalation, unless you are already root. It is simply conceptually impossible. Any process that allows you to access data above your privilege level includes a privilege escalation by definition.

My take is just that the article sound sensationalist and not very competent with regards to technology.

Re:"Running arbitrary commands" is irrelevant

[gweihir]

I do not disagree. But that is a property of the target system, not of the attack.

Re:"Running arbitrary commands" is irrelevant

[Enigmafan]

Well, the other thing is that you cannot run commands on arbitrary data without privilege escalation, unless you are already root. It is simply conceptually impossible. Any process that allows you to access data above your privilege level includes a privilege escalation by definition.

My take is just that the article sound sensationalist and not very competent with regards to technology.

But if you run Linux from disk on a system, and you create a user with the same ID as the user data you're trying to access on that system, you can read all the data from that user. That is not privilege escalation, as far as I can see.

Re:"Running arbitrary commands" is irrelevant

[gweihir]

The process that allows you to create that user already requires privilege escalation as non-root users are not allowed to create new users.

Re:"Running arbitrary commands" is irrelevant

[gweihir]

You can only restrict what can be executed from disk, and that is just a form of restricting read access. A user can still execute things in other ways. Sure, it gets a bit more challenging, but you are mistaken about the type of protection you get. As soon as you have some facility that can interpret commands from other sources than files (shell, Perl, etc.) your idea fails. You also need to be very careful about other tools, as for example TCC can compile and execute C code without writing it to disk first. The point is that the privilege system is concerned with read and write access, execution restrictions are just a side-effect of that and an imperfect one.

Re:"Running arbitrary commands" is irrelevant

[mlts]

Protecting commands (data goes without saying as well) is handled by a MAC/MIC system like AppArmor or SELinux.

What I don't get is how this Trojan could sit around for so long and not be caught by a competent admin. Between process accounting, Tripwire/Aide, mounting home directories with noexec, and finally a sane IDS/IPS [1] that does active protection, this should have been caught by someone and reported. Even a Linux based antivirus product like McAfee that uses the latest 2.6 kernel hooks to do realtime scans likely would catch something like this with heuristics.

[1]: Never ceases to amaze me how few companies actually have a working IDS/IPS in place. So many breaches would be caught and stopped in their tracks, especially on secure networks where traffic is known and limited.

Re:"Running arbitrary commands" is irrelevant

[mlts]

There are a number of tools that give non-root users root access. It might be "just" sudo, or it might be some GUI tool to allow graphical administration. All it takes is a program that can hijack one of those, or just passively wait until the user issued a sudo command (so their password and access is cached), then it could jump in, grab root, stuff a module in the kernel, and all bets are off from there.

Long term, what Linux really should have is the ability to have either signed executables or a manifest list that can whitelist or blacklist. This could be something like Solaris's elfsign or AIX's trustchk, where an admin can make a self-signed key and sign all executables. With this in place, on a production system, if an executable, script, or library isn't signed, it doesn't run. Virtually every other OS has this functionality in place. This doesn't have to rely on an "official" signing key either, and could just be a manifest list generated after install, similar to tripwire's database, and if some executable's signature is different, it doesn't get to run until an admin updates the signature DB.

Re:"Running arbitrary commands" is irrelevant

[mlts]

In general, there has been a trend away from both local protection privilege escalation (from user to root.) Mainly the focus has been keeping people out of the box proper, although this does go against the defense in depth concept since once the box gets breached somehow (a security bug that commandeers a Web browser, for example), an attacker can gain a lot by running just with that user's context [1], or even using exploits to get root. Once root, burying kernel modules becomes quite doable.

There needs to be more focus on defense in depth. For example, there needs to be a separate context for a user's Web browser than his/her shell. This way, if/when the browser or add-ons get compromised, the hacked code doesn't have full run of the user account.

Local user protection on Linux has not been that much of an item that has been worked on. Usually at best, there might be a bootloader password or a LUKS encryption prompt to get the boot process past the initial RAM disk. What would be nice to see is work on both signed executables as well as the ability to use the TPM with LUKS for keeping volumes encrypted... but allowing the machine to boot completely without interaction (as the TPM supplies the keys to unlock the volumes.)

As for NFS v3 and earlier, it can be made decently secure if used only by a few hosts, and there can be made networking infrastructure to guard against spoofing, but if this can't be done, NFS v4 or even samba/CIFS might be the protocol of choice. However, as stated above, securing NFS in a shop takes a lot of time, either by having infrastructure in place for Kerberos for NFS v4 to work or having dedicated paths that are difficult for an unauthorized party to access so NFS v3 is secure. There is always going with samba/CIFS in general, but compatibility with the protocol can vary widely between UNIX variants, Linux distributions, or even versions in Linux distributions.

[1]: For the big bucks, just getting access to a user is enough. From there, an attacker can masquerade as that user with fake E-mail, upload documents used, use the user's LAN access to attack other boxes, or just encrypt all the documents for ransom. Spambots and such don't need root access to go out on port 25, nor do botnets need root to perform successful DDoS attempts.

Re:"Running arbitrary commands" is irrelevant

[turbidostato]

"There are a number of tools that give non-root users root access."

Yes. And all of them restort to already having root-level access so it is still a privilege scalation issue.

"Long term, what Linux really should have is the ability to have either signed executables or a manifest list that can whitelist or blacklist."

You are not too savvy about what Linux can and can't do, right?

Re:"Running arbitrary commands" is irrelevant

[gweihir]

Indeed. But most Linux installations do not have those or only have a generic config, as doing them right is pretty hard. I have some experience in that area. You run into things like Acrobat reader doing and needing code execution on the stack and other "fun" stuff.

As to your second point, you already said it: It needs a competent admin. Often that one is missing. It also needs a competent admin with the right to decide what to put on the machines and how to configure it. In large enterprises that is usually not the case and stops even competent admins from doing as good job.

[1] If you do not have said competent admins, or they do not have the rights they need to do a good job, IDS/IPS just causes a lot of false positives and eventually gets ignored or switched off.

Re:"Running arbitrary commands" is irrelevant

[HiThere]

Not necessarily true. If the comman resides in a directory that is read protected then you need to have the appropriate privileges to execute it. I've got an early version of Red Hat in a virtual machine where "shutdown" is protected in precisely that way.

Re:"Running arbitrary commands" is irrelevant

[TemporalBeing]

There are a number of tools that give non-root users root access. It might be "just" sudo, or it might be some GUI tool to allow graphical administration. All it takes is a program that can hijack one of those, or just passively wait until the user issued a sudo command (so their password and access is cached), then it could jump in, grab root, stuff a module in the kernel, and all bets are off from there.

True, but those tools also require the user to have permissions to use them. For instance, sudo requires the user to be part of a group - root, sudo, wheel - that group is configurable so you can call it whatever you want. Even then it usually requires the user's password (which is also required to change the password, so you can't just change the password to be able to use sudo in your script).

Long term, what Linux really should have is the ability to have either signed executables or a manifest list that can whitelist or blacklist. This could be something like Solaris's elfsign or AIX's trustchk, where an admin can make a self-signed key and sign all executables. With this in place, on a production system, if an executable, script, or library isn't signed, it doesn't run. Virtually every other OS has this functionality in place. This doesn't have to rely on an "official" signing key either, and could just be a manifest list generated after install, similar to tripwire's database, and if some executable's signature is different, it doesn't get to run until an admin updates the signature DB.

Check out AppArmor, SELinux, etc - they have the ability to do very fine grain management of the system that really controls every little thing a user or program could do.

So yes, the ability is there. However, it's so easy to screw it up that most don't use it unless they really need it. And honestly most don't need it; the standard permission set (which still runs through SELInux, btw, just being configured with a default that matches the historical permissions) is sufficient enough to deter most things.

kinda makes you wonder

[v1]

just how many botnets the NSA is actually running?

Re:kinda makes you wonder

[camperdave]

The NSA doesn't run botnets... well, not many, anyways. However, they do analyze botnets completely and thoroughly, and thus they can take command of known botnets in a heartbeat if the need arises.

Re:kinda makes you wonder

Why should anyone trust these "labs" who seem to be always just a little behind the curve in releasing their dramatic security findings? Usually long after the security breach has fulfilled it's purpose. If they are so skilled at finding these complex security breaches they are certainly capable of creating the problems in the first place. And the skills attributed to the NSA or any government agency do not belong to any GS12 salaried government employee. They use highly paid contractors who, judged by the level of skill needed to create some of the purported NSA programs, are in the upper tier of computer scientists.

Re: kinda makes you wonder

[ColdWetDog]

Because obviously all the world's problems are always and only caused by government.

It's a pretty good first approximation ....

Re: kinda makes you wonder

[tehcyder]

Because obviously all the world's problems are always and only caused by government.

It's a pretty good first approximation ....

It's not "the government" that's the problem, it's the Military-Industrial complex, big business, land owners, capitalists, those with inherited money and privilege, and the wealthy self-serving elite generally.

A proper democratic government is the only real protection against these powerful interests.

Re: kinda makes you wonder

[Pieroxy]

A government, like any other entity, has a tendency to grow and expand its powers and perimeter. The problem is that the government also makes the laws, which makes it the worst and most dangerous of all entities, because if it doesn't have the absolute powers it's pretty damn close.

Re:kinda makes you wonder

[v1]

The NSA doesn't run botnets... well, not many, anyways.

From TFA:

The unknown attackers--who are probably backed by a nation-state, according to Symantec

Even Symantec thinks it's a government operation. We're just starting to see them, but I think there's a lot more government-run botnets out there that haven't been outed yet. These sophisticated, highly targeted malware like Stuxnet are all government-run botnets.

They either made them, or as you suggested, took them over for their own use. (that's actually a good idea, and I'd bet the more common option outside of say china or NK... those two I could really see rolling their own botnet) It's not like anyone's going to put up any resistance. You don't call the cops when someone steals your cocaine.

Re:kinda makes you wonder

[dragonturtle69]

This one appears to be a Russian Regin, looking at the Language Artifacts section of the securelist.com article.

"requires no elevated system privileges"??

If you are establishing a raw socket, you have to have privileges...

Re: "requires no elevated system privileges"??

... which is the definition of "privilege escalation," no?

Hello spooks

[MrKaos]

It seems to be anyone else.

Re:Hello spooks

[MrKaos]

It seems to be anyone else.

It seems too obvious, that is. I shouldn't post when tired.

Stripped binaries, statically linked libraries, magic numbers in packets and so on. I'm sure there are a few shell vulnerabilities that we don't know about and certainly there are plenty of commands that can be exploited to escalate priviledge levels if required.

Re:Hello spooks

[ruir]

The last attacks I have seen they use coded transmission to talk with the CC, and I have seen a couple of instances where when running locally, they erase the binaries to not be tracked. If one is not careful analysing a system or too fast shutting down a compromised server, you will damage important data to be collected with foresync tools for sure.

Re:Hello spooks

[MrKaos]

It looks like a good platform for assessing a local system and installing a more serious exploit, so I agree, it would be very difficult to isolate these and identify what they are doing.

Hate being several clicks away from the actual inf

[ledow]

It's an ordinary piece of malware.

It talks home to a hard-coded URL.

It has to have a secret "knock" before it will talk back to you (port-knocking has uses both ways, it seems!).

It contains easily-greppable strings.

Quite what distinguishes this from other malware, I'm not too sure. Just that nobody had seen it before?

Re:Well

[jones_supa]

There has been plenty of people here who have claimed that Linux and open source provide an architecture which is by design more resilient against malware than proprietary solutions.

Re:Security through Obscurity

[GameboyRMH]

With closed source there are also no guarantees the bad guys won't see the source either. And it's far better to make the code visible to all then to wait for the exploit to be found in the usual ways while everyone was in the dark about it.

Security through obscurity is just like peril-sensitive sunglasses. Having the code visible makes you nervous for some reason? Well we'll just keep you from seeing it! Problem solved!

Re:Security through Obscurity

[Goaway]

And it's far better to make the code visible to all then to wait for the exploit to be found in the usual ways while everyone was in the dark about it.

That is quite a strong claim to make without providing evidence to back it up.

Re:Well

[ruir]

And it is. The fact that you may have a 10-year old server infected with some malware, and a FUD article for someone with vested interests in running AV solutions for every machines does not disprove it. Plus it is very easy to have malware and or running external commands through applicational holes, like wordpress both in Windows or Linux if your PHP is not well configured, and it is not exactly "Linux" fault. Pity the article is more concerned with fear mongering than providing technical details.

Re:Security through Obscurity

[MikeBabcock]

Linux certainly isn't obscure, or you're being sarcastic and suck at it ...

Re:Time for periodic offline audits?

[ruir]

People are cutting corner and costs everywhere... and then they got surprised.

Re:Well

[staalmannen]

There has been plenty of people here who have claimed that Linux and open source provide an architecture which is by design more resilient against malware than proprietary solutions.

It is. That is why a Linux malware get to be news whereas yet another Windows malware does not register above the noise as news because there are so damn many of them. The same thing with the Bash, GnuTLS, OpenSSL etc vulnerabilities. "More resilient" does not mean immune - claiming immiunity would just be silly. News of Critical Vulnerabilities in Windows are about as frequent as every Patch Tuesday.

Re:Well

[donaldm]

Pity the article is more concerned with fear mongering than providing technical details.

I read through both articles and it read as "The sky is falling! The sky is falling! Everyone panic!" but they did not really provide any technical details.

Oh the horror /(^o^)\

Liar

[s.petry]

Reading from disk is only one portion of a process and process protection, the actual execution occurs in memory and is _ALSO_ protected in *nix.. An easy example is to open a socket on a specific port as a user. A non privileged user can not open a port below 1024 because this is in protected space, but you can open a socket on 1025->64K without issues.

There is no point in attempting to explain SUID/SGID in addition to normal execution, because you don't even have the normal execution correct. I will however state that this is another dynamic to review after you figure out the difference between reading and executing.

Re:Liar

[gweihir]

You can stuff your patronizing attitude up you backside. I actually know very well what I am talking about, but you do not seem to have the first clue what a standard Linux protection model gives you and what not. For example, you seem to have no idea that a process is free to write as much code as it likes into the heap or onto the stack and execute it there.

Re:Liar

[gweihir]

And while that is convenient and simple to do, it is not even necessary. It is however a situation that is basically impossible to prevent (a very, very careful SELinux config might be able to do it), so it serves well to prove the point.

Re:Liar

[s.petry]

Bullshit! You stated if you can read it, you can execute it and that statement is patently false.

Your claim of a process being free to write memory fails to consider a process that already has claimed memory and it's protections. Yeah, forty fucking years ago I had to worry about a user reading and writing to my memory space as a Kernel, but that has been fixed for decades. I can also easily set limits to prevent you from having free reign to wipe a system out of memory because of memory protection built in to the kernel.

You claimed that a read is enough permission to execute, and that is absolutely false. If being wrong hurts your feelings ask mommy for a hug, not me. Go cry victim to someone who may actually give you sympathy, I'm not going to console you for making false statements.

Re:Liar

[s.petry]

No they can't, and I gave the example. A socket is a file, so go ahead and open up a socket on port 99 as a user. After you figure out you are wrong come back and tell me so. I don't want to rub your nose in you being incorrect, I want others to see that you are incorrect.

If you want another example, go ahead and write and compile a piece of code that executes a shell with UID=0. This is 2 system calls, yet you won't be able execute the shell by running your code without root access, even though you can write the source and compile the binary. The system calls are "suid()" and system() just in case you are lost. Another example would be to copy the su command to what ever location you want and lets see how quickly you can su root. The protection in this case has absolutely nothing to do with what files you can read and where you can write.

File system protection is only 1 layer of *nix security, there is also process protection and memory protection. This does not even consider add on or additional tuning available in limits and SE *nix kernels.

Re:Liar

[Pieroxy]

The original answer was to a post that claimed to have a filesystem "non-executable", which pretty much means nothing. Also, a socket does not reside on a file system (at least not a regular one). At last, a shell with UID=0 *can* be executed by at least one user. The original claim was for a "non-executable" filesystem.

The claim that was answered to implied that you can store any binary (say, gzip) on a "non-executable" filesystem and that would prevent users from ever running it. Which is moronic.

Context people, context.

Re:Liar

[Pieroxy]

Let's say you remove the executable flag on the GZIP binary, but leave me with read access to said binary. You think I won't be able to run GZIP on your box with a guest account and a writable home directory? (let's assume I can't bring in some other binary of my own, I just have access to your system)

Re:Liar

[s.petry]

You also need to be very careful about other tools, as for example TCC can compile and execute C code without writing it to disk first. The point is that the privilege system is concerned with read and write access, execution restrictions are just a side-effect of that and an imperfect one.

I was not defending the original post, but attempting to correct the bad response. Sockets are files, and I can create a socket in any directory I have write access to. /tmp is a safe "default" location because all users can write to /tmp, but there is no restriction on where I can create a socket in *nix by default.

I agree that the original logic is bad, but the explanation is wrong for why that logic is bad. As written, it claims that the only protections in *nix are at the file level.

RAW sockets without escalation?

[Circuit+Breaker]

Something does not compute here. The SecureList blog post says that the port knocking works by getting a raw socket from pcap and looking at the ack. On any Linux system I've ever used, this DOES require root privileges. And yet, they also claims it does not need any special privileges?

Re:RAW sockets without escalation?

[Dcnjoe60]

Something does not compute here. The SecureList blog post says that the port knocking works by getting a raw socket from pcap and looking at the ack. On any Linux system I've ever used, this DOES require root privileges. And yet, they also claims it does not need any special privileges?

From what I gather from the linked articles from the summary link, you need root and command line access to install it, but after it is installed, it doesn't take root to activate it. That said, if somebody has access to root or the command line, you need a new security administrator.

Re:RAW sockets without escalation?

[Lumpy]

It's because the Article is 100% FUD. Read it carefully, notice how there are zero details at all and a lot of things just dont add up about it.
Then look at the source and realize it's a PR piece.

Re:RAW sockets without escalation?

[cheater512]

Err so that just describes SUID. Nothing magical or unintended, it still can't operate on a system without root.

And it being on a single computer for years just means it has been found on one single computer, with an admin who didn't look.

Re:RAW sockets without escalation?

[Dcnjoe60]

Err so that just describes SUID. Nothing magical or unintended, it still can't operate on a system without root.

And it being on a single computer for years just means it has been found on one single computer, with an admin who didn't look.

I don't disagree. Plus, from the article, it hasn't been found in the wild on any linux installations. It speculates that it could be a problem, but, without either root access or direct access to the box, I don't see how.

FUD

[s.petry]

Reading TFA I see no mention of Linux at all, it mentions Windows and PHP. Perhaps the author is confused and believes that anything with .PHP must exist in Linux, but I'm skeptical. They spend lots of time talking about the various .exe files, "Administrator" privileges, and "Network Shares" which are exclusive terminology to the Windows OS. Nobody can be that ignorant as a technical writer.

Re:FUD

[whoever57]

Take these comments from the article:

Like its Windows counterparts, the Linux trojan is extremely stealthy. It can't be detected using the common netstat command. To conceal itself, the backdoor sits dormant until attackers send it unusually crafted packets that contain "magic numbers" in their sequence numbers

....

Even a regular user with limited privileges can launch it, allowing it to intercept traffic and run commands on infected machines. Capabilities include the ability to communicate with servers under the control of attackers and functions allowing attackers to run commands of their choice and perform remote management.

Both of these statements cannot be true. Linux requires root privileges to listen on a port without opening it (essentially, packet dumping).

Let's be pragmatic. Kaspersky has no interest in there being a widespread view that Linux is less likely to be infected by malware than Windows.

Click-bait

[Dcnjoe60]

From the article link to from the article in the summary:

Although Linux variants from the Turla framework were known to exist, we haven't seen any in the wild yet.

It might be because you need root and command line access to install it. After that, however, it can be activated without root.

Re:give Peace a Chance

[ChrisMaple]

There is a class of people, ranging from street thugs to vicious dictators, who choose to use violence or threat of violence to steal and destroy. I have two basic choices when faced with such people:

1. Submit. The thug prospers, I suffer and probably die early. If nearly all people do this, thugs find it an easy way to live, and the class of thugs expands until it dominates the whole world. The whole world becomes a cesspool like North Korea.
2. Arm myself to resist the thug, and on a national scale arm to resist thug-states. At the cost of defending myself, I can prosper in relative freedom. One of the worse costs is listening to ignorant tools like you advising me to let my throat be cut.

There are costs involved in all decisions. I can't drive a car without contributing to the cost of a road. I can't keep warm in a snowstorm without buying shelter. I can't prosper, or even live long, without paying for defense.

Do not rail against war and its expenses, but rather oppose those who use force to achieve their ends.

Kaspersky Labs discovers port knocking ..

[lippydude]

"This Turla cd00r-based malware .. can't be discovered via netstat, a commonly used administrative tool" link

'To activate the real remote access service (the attached code starts an inetd to listen on port 5002, which will provide a root shell), one has to send several packets (TCP SYN) to ports on the target system' link

How exactly does this 'Linux trojan' get onto the computers in the first place, without the end user going to a site and downloading the malware and explicidly running it and entering the root password.

Re:Kaspersky Labs discovers port knocking ..

[EvilIdler]

A little B&E might do it. Seems the targets were high-value targets.

Re:Hate being several clicks away from the actual

[lippydude]

@ledow: "Quite what distinguishes this from other malware, I'm not too sure. Just that nobody had seen it before?"

What this is even doing as an article on slashdot is beyond me, apart from giving Kaspersky some free advertising space.

Re:give Peace a Chance

[tburkhol]

Submit. The thug prospers, I suffer and probably die early. If nearly all people do this, thugs find it an easy way to live, and the class of thugs expands until it dominates the whole world. The whole world becomes a cesspool like North Korea.

Arm myself to resist the thug, and on a national scale arm to resist thug-states. At the cost of defending myself, I can prosper in relative freedom. One of the worse costs is listening to ignorant tools like you advising me to let my throat be cut.

Here is where your black-and-white, false dichotomy fails. You can "arm" yourself to resist the thug by hiring your own gang of thugs, by buying your own gun, or by buying armor. You can arm yourself against the worst thug your imagination can conjure, or against thugs that actually exist. You can prove the strength of your arms by walking into every dark alley, kicking down the doors of hovels and speakeasies, loudly proclaiming your invincibility, or you can follow open, well-lighted paths without offering to fight all comers, and at least pretend to be civil.

Liar

If a user can read a file on a *nix system, and can write to even a *single* location, that user can execute that file.

1) Copy the file to the location where I can write.
2) Set the execute flag on the file.
3) Execute the file.

Permissions will prevent you from accessing data you don't have permission to, but will only prevent you from running an application if you can't even see it.

Re:Security through Obscurity

[HiThere]

What evidence would you find convincing? (I can't assess this, as I'm already convinced.)

Re:Security through Obscurity

[HiThere]

A valid point, but this *is* an unusual case. OTOH, we don't necessarily know that a bug isn't being exploited just because nobody had noticed it happening.

FWIW, in my viewpoint Linux gave up a lot of it's security when it allowed files that were expanded from archives to have the executable bit set. And that's a long time ago. (OTOH, even without the executable bit set, you could always execute a file from an explicit shell command [usually "sh"].)

Re:Security through Obscurity

[Goaway]

Did you actually try doing that? Because IIS is doing quite well on that score, last I checked.

Re:give Peace a Chance

[FreedomFirstThenPeac]

Because in the end, someone has to be as powerful as the most powerful state we might logically fear. Right now that is the Russians (simple tanks and bombs), the Chinese (economic warfare), and the Islamofascists (intent). Of these, we cannot afford to fight the Chinese, we are not the bleeding edge in defending against the Russians, and we might be able to defeat the Islamofascists here at home using ideas, not so sure about in other countries.

But the old days of raising armies only when needed has gone the way of the horse and buggy. Unless you are the Swiss, who count on others to provide defacto long-arm defense, you probably cannot count on an armed population either ("Red Dawn not withstanding)

First two Links are Backwards

[tmjva]

Speaking of links, the descriptive texts in the first two links in this post are backwards. The reference to the "siphon data from governments and pharmaceutical companies" links to the stealthy trojan link and the "stealthy trojan..." link, links to the "siphon data ..." article.

Re:Security through Obscurity

[HiThere]

I've also seen non-FOSS systems that I've trusted. One of them read paper tape.

You are asking for evidence that is guaranteed to not be available. I'm sorry, but it's impossible. Some of the users who are sabotaged will refuse a subpoena rather than admit that they had been penetrated. And the software that they are using is irrelevant to their opinion. Their opinion is driven by image.

OTOH, let me point out that it is irrelevant what the average FOSS user does. It's that any FOSS user who chooses CAN check the code. And this does happen. With closed source products, nobody can legally check the code and report on problems except the company (not the individuals) that owns the copyright. This isn't invariably true, but is almost always true. It's also true that there are open source software packages that aren't free. That used to be a very common model. And most of them would also allow any user to report a detected error TO THEM. Only some of them would allow publication of the error. So there do exist intermediate positions.

The fact that you trust a system says much about how you feel about the system, and little about the system, without knowing you. What tests did you run? Etc. (I'm not asking for an answer, this is rhetoric.) I have often encountered systems which many people trusted and which were later found to have SERIOUS security flaws. Thos Sumner, a Systems Programmer at LBL, once asserted that no program longer than 10 lines could he be certain was operating as intended. I'm not sure whether he was thinking of assembler.

Well, there ARE languages that claim to have proofs of program correctness available. One is a subset of Ada. I once looked into it, and what they proved is that the programs match the specifications, but the specifications were required to be so complex that I was unsure that this improved the actual correctness in any but a formal sense.

Re:Security through Obscurity

[gregstumph]

I assume you meant "than" rather than "then" in your second sentence; it changes the meaning of the whole sentence in this case...

Re:Security through Obscurity

[GameboyRMH]

Yep my mistake.