ubuntu-users Digest, Vol 53, Issue 235

Jeff Silverman jeffsilverm at gmail.com
Fri Jan 23 05:44:03 UTC 2009


>
> On Thu, Jan 22, 2009 at 1:03 AM, Jeff Silverman <jeffsilverm at gmail.com> wrote:
>   
>> >  My concern is that
>> > somebody is going to write a Trojan horse and get in one of the
>> > repositories.  Such a Trojan could sleep for a long time and then wake
>> > up and do whatever it decides to do.  The amount of damage such a Trojan
>> > could do to its own system is rather limited, if that system is
>> > reasonably well managed (don't use root, use sudo, that sort of thing).
>> > However, such a Trojan could be used to attack other vulnerable systems
>> > around it.  A well-written Trojan could be cross platform, written in
>> > Java or Perl for example.  A Trojan is hard to hide in source code, and
>> > it would be easy to track down the bastard that wrote it.  I think.
>>     
>
> Your concern is valid - but I think a few of your conclusions here are
> wrong.  I'm not a developer by trade, so feel free to correct me if
> you know different, but...
>
> If you install software from the repositories, you used root
> privileges to do so.  Therefore, the program you installed now can run
> as root whenever it wants to.  Simple example, there's nothing
> stopping someone from writing a program that runs SUID.  Another
> example, it could simply add a new user to the system with UID 0 (i.e.
> root) and then set up software to run as that user.   Once you give it
> root ONCE, it can hang on to it.  That's why the recent issues at
> Fedora/Red Hat with intrusions into the repository servers were taken
> so seriously.  On the other hand, lots of things are in place to
> mitigate this, like code signing, to make it very difficult to change
> the code unless you sign up to the project and contribute something
> useful like any other dev.
>
> A program with a back door would be very hard to write cross platform.
>  Things like Java or Perl or use the same language 'up top' at their
> interface, but down at the system level they are quite specific to the
> platform they are running on - there is an interpreter between the
> language and the hardware.  Writing something that works cross
> platform would not be easy.  I don't know for sure if it's actually
> possible...
>
> A program with a back door is probably easier to hide than you think -
> there's a paper floating around on the net somewhere where a well
> known developer discusses the fact that if he'd built a back door into
> a C compiler back in the 70's it would likely exist still now all over
> the place because each compiler since has been compiled with the
> previous version of the compiler, and it would be many levels buried
> in the machine code now.   On the other hand, a back door that's never
> used is a wall.  And the first time it's ever used anywhere it'll be
> detected, as it's hard to hide once it starts doing anything...  and
> lots of other levels like firewalls will still do their jobs even if
> the back door exists.  That's why security people talk about defense
> in depth - you're never 100% sure of any given barrier, but put a
> bunch together and it's a lot easier to sleep at night.
>
>   
>> > Poorly written code is a risk on any machine.  Open source
>> > mitigates that risk because lots of eyeballs get to see the code and can
>> > file bug fixes if errors are found.
>>     
>
> Amen  :-) 
>
> Brian
>
>   
Brian,

You may be right about the interpreted languages.  I was thinking in 
terms of macro viruses which run on MS-Word and are cross platform 
(Windows and Macintosh), and I was also thinking about poorly written 
PHP scripts, which are also cross platform.  But those are application 
level vulnerabilities, not system level vulnerabilities.  Of course, an 
AV system won't protect you against an application vulnerability.

I agree with everything you wrote.


Jeff



-- 
Jeff Silverman
Linux sysadmin
To get my addresses:
perl -wlpe  'y/a-zA-Z/n-za-mN-ZA-M/' << EOF
924 20gu NIR R
Frnggyr, JN, 98112
wrssfvyirez at tznvy.pbz
EOF







More information about the ubuntu-users mailing list