On Sun, 20 Mar 2005 14:16:18 +0000, Mike Hearn <mike@xxxxxxx> wrote:
> On Sat, 19 Mar 2005 16:51:43 -0500, Gregory Maxwell wrote:
> > If an untrusted source can execute code on your computer the game is over.
>
> Web browsers do that all the time with JavaScript. So it's not over, you
> just have to be careful.

The context you removed my text from was referring to 'removing' malicious code after it's loose on a system... Fundamentally it's a very difficult problem, and it has no relation to running sandboxed code. If, through things like SELinux, someday we find the typical system is running almost entirely sandboxed software, then the rules change substantially in favor of security. But once something has escaped its sandbox we're back to it being very difficult to remove.

> No, anti-virus makes sense because the moment a bug is fixed the
> fix does not appear on people's systems. Online update for most Linux
> distros is useless for dialup users, and worse most online update sites
> can be taken down by a well timed DDoS anyway.

Fixes don't magically appear... But code to detect instances of exploitation of the bug is magically written, and magically appears on systems? If download times are really the crux of the issue, then we should develop a binary patching service. Xdelta diffs for little bug fixes will likely end up being much smaller than 'anti-virus' definitions.

> > The viruses and worms that have grown up on Windows have now reached a
> > level of sophistication that simple pattern matching isn't good
> > enough...
>
> I disagree. While it's true that you can write very sophisticated viruses,
> the most prevalent viruses are actually very simple. A virus scanner
> doesn't have to work 100% of the time to be useful.

The malware of the day on Windows these days is binary patching the shell to hide its files, and the task manager to hide its operation. Some are patching the kernel now, but that's not super common yet, and that's only because it's not needed to defeat the current generation of antivirus protection. Long before Windows ends its reign of terror this arms race will have caused superior malware which is near impossible to remove to become commonplace. There is no reason to think the malware authors will forget all their skills when they reset their sights on Linux desktops.

> As already pointed out, bugfixes don't instantly appear on people's
> desktops. There are still a significant number of people running
> completely unpatched, out of the box Red Hat 9 installs. This situation
> will not change anytime soon, no matter how much we might like it to.

Antivirus software and antivirus updates don't instantly appear on people's desktops. Any solution that makes antivirus updates instantly appear can make bug fixes instantly appear. Furthermore, as Microsoft has found out because of their shoddy fixing practices: there can be many instances of a bug exploit per security bug... If you write detection code to catch an instance, a new one will just come out much faster than you can write more detection code. You need to match the security hole... but once you've done that, you might as well fix it.

> > Virus scanners don't generally solve the problem of
> > one-off attacks by qualified and determined adversaries, which is a much
> > more dangerous threat in many ways... Fixing bugs stops them and they
> > also stop the bulk spreading stuff, and fixing bugs is something we can
> > do in the free software world that is much harder in the proprietary
> > code world.
>
> If that was true then nothing on my desktop would ever crash, and
> everything would have wonderful usability. That's clearly wrong, therefore
> I think it's also wrong that being open source gives people immunity to
> bugs (of which there will always be more).

**shrugs** I have had no crashes on my fc3 laptop. :)

But of course, in using Linux since 1994 I've seen my share of buggy code.... I wasn't claiming that free software was bug free, but rather this: in the Windows world, if I'm someone concerned about security and I detect a hole in some Windows program, my only legal options are to scream and cry about it, and maybe write some anti-virus code to catch it being exploited. If the creator of the software doesn't care, I'm pretty much out of luck for getting a real fix. In the free software world, if I find a bug I have the right to fix it, and the ability to share my fix... which will likely be quickly accepted into the mainline code, since I did all the work already.

> Developing a native anti-virus system *now* before the shit hits the fan,
> can only be a good idea.

It's already done, see clamav, so it's a moot point. Also other tools like host- and network-based IDSes can be put to work on this application.

[snip]

> Saying that bugfixing is a suitable
> replacement implies that Windows users who enabled automatic update don't
> need a virus scanner anymore, which I'm not convinced is true.

It's an entirely different game in Windows. The system is fundamentally insecure, and users have been conditioned through years of social norms to perform unsafe behaviors. It's very difficult to live a life as a Windows user without routinely downloading and executing binaries from unaccountable random places on the Internet. With Linux, it's quite reasonable to only run software that comes from a handful of widely used package repositories.

This whole discussion is really off-topic for this list; I feel stupid for participating in it. :)