Y2K did nothing; it was just an excuse for lots of American tech companies to scare everybody into giving them money!
But can root make a file he himself can't (re)move?
.'. root > god
The answer ofc is yes
QED
Can immutability be used to prevent this attack then? Or is setting +i on /proc/mtrr impossible?
I think that if you put "lcap CAP_LINUX_IMMUTABLE" in your default runlevel startup scripts, even root can't screw up your system short of using direct disk access, and I think there is an lcap for that too.
But Google won't let you down! The cache (link will change, but you can just Google the URL for a new one): because the top 6 images are remotely hosted it will still work while the actual server is being DDoSed, and I doubt that the Conficker guys are going to take down Google.
nmap can scan an entire network though; this is good news, especially if you're pen testing and you find the network is full to the brim with bots.
[citation needed]
Anyway, IMHO, if it did happen, it's the kid's fault for:
1) being a dick
2) running an unsecured computer while pretending to know about computers
Just use netcat like the rest of us; that way you can always 'grep -v funny' when your bladder is full.
That's not the Conficker source, that's merely source that performs the same actions as a subset of Conficker. You do bring up the interesting point that as it's difficult for a virus maker to copyright code, does that make most viruses public domain?
I compare it to the pharmaceutical industry - pills cost, say, $0.05 to make. Why do they cost a great deal more on the market? Because you have to price in the cost of research and development.
Right! Because pharmaceutical companies never charge far more than the research costs and milk rich charities for all they have?
A -(control messages to B, to be triggered when B can connect to C)->B
C -> (top secret information) ->B -> A
5) Western media doesn't report on Western espionage. Much like the US doesn't fund freedom fighters (a.k.a. terrorists) in Iran.
It can; that's why I said usually. The problems, AFAICT (can tell), are:
* It's a bit tricky to set up,
* Hard to find documentation on it (command names are not covered by man iptables (Debian lenny))
* Only 1 GUI firewall application supported it (and fireflies got discontinued due to lack of interest)
* Locking application->network access should be done using mandatory access controls (tux guardian style)
Whereas on Windows XP the default firewall is easier to set up and has a fully functional GUI.
Actually it's easier to protect against outbound traffic using the Windows firewall; iptables usually just locks down ports (making it fairly useless on a home desktop), but the Windows XP firewall will lock down ports to applications too.
Spammers can't copyright their code.
I wholeheartedly endorse the above advice.
A. A small install base (easier to watch for security alerts and easier to plan for). OFC you'll need to cater for the needs of the workers, but make sure all network-facing programs have a good track record (this may mean losing features). Picking a stable, secure distro as your base install is a good start.
B. The firewalls should be configured restricted everywhere and trust nothing (no internal traffic that isn't on approved ports; if you get to know iptables you can also limit ports to apps, and I'm sure Windows firewall allows this by default).
C. Very strict:
Using Flash will be inevitable, but I think if you use nspluginwrapper it gets run in a separate profile that can be locked down even further than your browser.
Network apps shouldn't be able to read/write to anything they don't need (cache, config, download dir).
Office apps should also be locked down tight (no interaction with network apps would be good).
Graphics apps should also be locked down, as the complexities of rendering stuff mean they are often a good target for an attacker.
Locking down /etc/rc, /usr, /bin, /sbin to be read-only (even by root), while making updating a PITA, would also make owning boxes a lot harder.
Additionally:
D. Their passwords are likely to be the weakest link, so look into PAM with network/USB key modules (it may not be cost effective to give every user a USB key, but especially look into it for root and servers).
E. IDS and NIDS should be set up so that when you are attacked, you know about it.
F. If Linux servers are being exploited, then it may be worth it to use rootkey, so that once the server is up and running no new processes can run as root when the rootkey is not present.
G. Take steps to protect against physical attack (FDE, NFS, physically secure servers); while remembering two passwords may be a PITA for workers getting in in the morning, it will provide at least some protection against computer theft.
H. Users need to be taught about security; if they understand why opening unknown attachments is BAD they are less likely to do it.
Despite what other posters have said, it is possible to defend against even the most determined attacker and sandbox everything so that even zero-day exploits have little effect. Additionally, with PAM and good passwords it's possible to prevent unauthorized access.
* Any imitation of fact is purely coincidental; I have no idea what I'm doing, I've just read a lot of stuff.
We're not talking about a desktop system; securing a custom network IS going to take planning and time. I'd hazard a guess that as SELinux has been around longer, it's better documented and more secure; additionally, as Red Hat based distros (RHEL, CentOS, Fedora) all come with a fair bit of SELinux setup for you, it's not too hard to tweak from that.
A home built solution will only get you fired when something goes seriously wrong.
If you need commercial support, pay for it; my guess is that it will come to less than 45k.
You know you're a shill when:
* Page served on ASPX
* You make lists that contain just 2 valid criticisms then bloat them out to 5 with shillness
* TCP connection setup and teardown processing
* Inspection of application data (layer 7 inspection is rarely computationally inexpensive)
* Execution of functionality (caching, security, acceleration, etc…) [does their software magically do these without executing the different operations]
* Transfer of data between proxies (when deployed on the same device this is minimized) [A way of doing it, which is impossible to do with their stack, vs a way both systems can be deployed]
* Multiple log files [cat log1 log2 log3 log4 > logALL too much? I'm sure many loggers could make it even simpler and that's assuming you don't prefer separate log files, for separate steps in the operation]
* You use very artificial scenarios to make your point:
In situations where images are being delivered over a LAN, for example, this will not provide any significant performance benefit and in fact will likely degrade performance.
Would you really need SSL acceleration for your LAN? Would it really be the same one you use for web serving?
He also claims it's impossible to secure a Linux box against ARP poisoning and DoS attacks, which is a shame because in amongst the shilling there are some good points.
I'm a huge fan of chaining proxies, one program doing one thing then passing it on to the next, for the security, compatibility & debugging benefits (contrary to what TFA says, you can check the pieces of a chain, but with an integrated solution you can't). The article does however raise a good point: the integrated solutions will have better performance:
# TCP connection setup and teardown processing
# Inspection of application data (layer 7 inspection is rarely computationally inexpensive)
Which means you'd have to consider the options carefully when looking for an accelerator.
Instant security updates are a pretty good thing, if ksplice is as good as it sounds, it won't take long for distros to integrate it into their update system. It's not limited to the kernel either so webservers can also be instantly patched with no downtime.
I hate to be involved in "my DE is better than yours" pissing competitions, but if you were on Kubuntu there is a tickbox to restart all your programs when you reboot :P
I'm sure there is something you can install to get GNOME to do that too.
Funny, somebody should have told Apple & their fanboys that before they went round claiming there are no viri for OSX.
How is that relevant? Those are obviously not the technologically uneducated users that ruin OSX's reputation; I'd hazard a guess they are aware that OSX is no safer than Windows to the #1 type of attack (get the users to install your virus for you). No, it's fanboys like yourself that claim that there are no OSX viruses because it's technologically superior that ruin the reputation of OSX.
What about one that warns you when "photoshop" starts accessing the internet or schedules itself to start regularly? The tech is already there in UAC, AppArmor, SELinux, etc. Sure, when many programs insist on updating themselves it gets more complicated, but surely pirates aren't going to want their Photoshop phoning home anyway.
But then your encryption is trivial. If "john smith" always goes to "wbua fzvgu" then your data can be scrutinized using frequency analysis; if "john smith" doesn't always go to the same thing then you need to upload what "john smith" would be at any given point in the data, at which point it becomes more efficient to download the data and then do a local search on unencrypted data.
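The leakage that comment describes, shown as an added example (not code from the original post): a deterministic transform (rot13, the comment's own example) preserves equality, so whoever holds the stored data can count repeats and run equality searches without the key, while a randomized scheme (a fresh nonce per record; the hash-based keystream here is a constructed illustration, not a recommended cipher) hides both, at the cost that the server can no longer search. The names, key and data are constructed sample values.

```python
import hashlib
import os
from collections import Counter

# Constructed sample (not from the page): a name column as stored at an outsourced provider.
NAMES = ["john smith", "jane doe", "john smith", "alice lee", "john smith", "jane doe"]
KEY = b"demo-key-for-illustration-only"  # constructed; a real key comes from a KDF or KMS


def deterministic_encrypt(name: str) -> str:
    """Deterministic transform (rot13, as in the comment): equal inputs give equal outputs."""
    return name.translate(str.maketrans(
        "abcdefghijklmnopqrstuvwxyz", "nopqrstuvwxyzabcdefghijklm"))


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Illustrative keystream: SHA-256(key || nonce || counter) blocks, truncated to length."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def randomized_encrypt(key: bytes, name: str, nonce=None) -> bytes:
    """Randomized encryption: a fresh 16-byte nonce per record, so equal names encrypt differently."""
    nonce = os.urandom(16) if nonce is None else nonce
    data = name.encode()
    return nonce + bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))


def randomized_decrypt(key: bytes, blob: bytes) -> str:
    """Recover the name: the nonce travels with the record, so the key holder can regenerate the keystream."""
    nonce, body = blob[:16], blob[16:]
    return bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body)))).decode()


def frequency_profile(values) -> list:
    """Occurrence counts, most common first: what an observer computes without any key."""
    return sorted(Counter(values).values(), reverse=True)


def server_side_matches(ciphertexts, probe) -> int:
    """Equality search over stored ciphertexts, as the provider could run for the deterministic scheme."""
    return sum(1 for c in ciphertexts if c == probe)


if __name__ == "__main__":
    det = [deterministic_encrypt(n) for n in NAMES]
    rnd = [randomized_encrypt(KEY, n) for n in NAMES]
    print("plaintext profile:", frequency_profile(NAMES))   # [3, 2, 1]
    print("deterministic   :", frequency_profile(det))     # [3, 2, 1]  same shape leaks
    print("randomized      :", frequency_profile(rnd))     # [1, 1, 1, 1, 1, 1]
    print("server search   :", server_side_matches(det, deterministic_encrypt("john smith")),
          server_side_matches(rnd, randomized_encrypt(KEY, "john smith")))  # 3 0
```

The randomized column is searchable only by someone who can decrypt it, which is exactly the "download and search locally" trade-off the comment points to.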