On Sun, 20 Mar 2005 11:11:09 -0500, Gregory Maxwell wrote:
> Fixes don't magically appear... But code to detect instances of
> exploitation of the bug are magically written, and magically appear on
> systems?

Well, this is a good point. It's possible though to write generic scanners that detect suspicious behaviour. Also, generally AV definitions are much smaller than software patches. Binary patch RPMs could help with that.

I think it is often easier to write an AV detection update than a bugfix update though, especially if the flaw is a design issue and not a simple typo/misuse of strcpy.

> If download times are really the crux of the issue, then we should
> develop a binary patching service. Xdelta diffs for little bug fixes
> will likely end up being much smaller than 'anti-virus' definitions.

I'm not so sure, some fixes can be quite large. But I don't have any numbers either way, so maybe you are right.

> The malware of the day on windows these days is binary patching the
> shell to hide their files, and the task manager to hide their operation.

Yes, I know. Still, there are many viruses (as opposed to spyware) which just exploit a buffer overflow and replicate, or even just mail/IM themselves to people in the address book.

> Long before windows ends its reign of terror this arms race process
> will have caused superior malware which is near impossible to remove to
> become commonplace. There is no reason to think the malware authors
> will forget all their skills when they reset their sights on Linux
> desktops.

Indeed, you are right that it's an arms race. Unfortunately we are in the unfortunate position here: without some way to try and clean up after a widespread outbreak we are relying on getting lucky every time, but the bad guys only need to get lucky once or twice.

> In the windows world, if I'm someone concerned about security and I
> detect a hole in some windows program.. My only legal options are to
> scream and cry about it, and maybe write some anti-virus code to catch
> it being exploited. If the creator of the software doesn't care, I'm
> pretty much out of luck for getting a real fix.
>
> In the free software world, if I find a bug I have the right to fix it,
> and the ability to share my fix... Which will likely be quickly accepted
> into the mainline code, since I did all the work already.

Yes, that's true if it's still maintained. But most exploits are for the OS or OS-level services. How often do you hear about Photoshop viruses? Or Half-Life viruses?

> It's already done, see clamav, so it's a moot point. Also other tools
> like host and network based IDSes can be put to work on this
> application.

Well, ClamAV is a server product for detecting Windows viruses, right? It's not an end-user level product for the Linux desktop.

> It's an entirely different game in windows. The system is fundamentally
> insecure, and users have been conditioned through years of social norms
> to perform unsafe behaviors. It's very difficult to live a life as a
> windows user without routinely downloading and executing binaries from
> unaccountable random places on the Internet. With linux, it's quite
> reasonable to only run software that comes from a handful of widely used
> package repositories.

Oh well, I'm not convinced that works better either :) After all, who audited all the code going into Fedora Extras? Including all 100,000 lines of configure script? Hmm, I think we trust upstream ...

thanks -mike