Kuro5hin.org: technology and culture, from the trenches
Linux Virus Writing HOWTO

By notafurry in Op-Ed
Thu Mar 14, 2002 at 02:44:06 PM EST
Tags: Technology

Yes, that's right. The "Linux Virus Writing HOWTO" has been written and published, albeit in a not-yet completed form. (The author's statement at the top of the article is "Unfinished snapshot taken on 2002-03-14. Genie escaped the bottle.") The question is, what do we do about it?


Now, Virus HOWTOs have been around for years. Any systems administrator who's done security work knows about the various "Virus Kits" that produce cheesy viruses from a menu-based system. Hollywood even borrowed the idea for the movie "Swordfish". If you go to your public library and browse through the computer section, you can find books about virus creation. Including source code. (Kind of makes all those idiots feverishly hunting the net for "how to make viruses" seem kind of silly, doesn't it?)

What's interesting about this document, however, is what the author has done with it. It's been submitted to The Linux Documentation Project (LDP) as a HOWTO. And they aren't really sure what to do with it.

The argument currently taking place on the LDP-discuss mailing list is centered on two issues - what is the liability of LDP if this material is published, and can they justify publication? Or, for that matter, can they justify not publishing it?

A couple of choice arguments from the thread, copied from the LDP-discuss archive:

On Sat, 9 Mar 2002, David Merrill wrote:
> On Sat, Mar 09, 2002 at 08:56:13PM +0000, Martin WHEELER wrote:
> > On Sat, 9 Mar 2002, David Merrill wrote:
> >
> > > We got a submission of a Virus-Writing-HOWTO
> >
> > Seriously -- have we got a tame legal beagle online who can come up with
> > a standard publisher's disclaimer about use made of material published?
> > (i.e. we take no responsibility whatsoever for what you do with the
> > Nuclear Weapons / Virus-Writing / Biological Warfare HOWTOs, etc.)
> >
> > Alternatively, do we have a policy statement anywhere saying what is,
> > and what is not, the proper domain of the LDP?
>
> We do have a policy, and the policy is that we publish anything
> that helps people learn and use Linux. This document fits the
> criteria.

Then publish it.

With the relevant disclaimer prominently displayed.

msw
--
Martin Wheeler <mwheeler@startext.co.uk>
gpg:1024D/01269BEB the.earth.li


And the other side:

On Sat, Mar 09, 2002 at 04:50:50PM -0500, David Merrill wrote:
>
> We do have a policy, and the policy is that we publish anything
> that helps people learn and use Linux. This document fits the
> criteria.

Would we publish something teaching how to crack linux boxes? That
info is not hard to find, but I find it objectionable behavior and
prefer not to encourage or help those who are so inclined. By
publishing such stuff, LDP is tacitly approving it. Bad idea, IMO.

--
Hal Burgiss

It's an interesting problem. On the one hand, the document (even in this early stage) seems to be well written and informative. It's valuable to systems administrators who have never really bought into the whole "Linux is immune to viruses" argument, and it's valuable to those who have - by showing them ways in which they might be wrong. Last but not least, it's valuable as a case of the Linux community eating their own cooking - they've made the argument for years that they support openness and freedom, that anyone should be able to use the software for anything. Well, here's their chance to prove it - by accepting for publication documentation on how to break it.

On the other hand, it is publishing instructions, including partial source code, on how to create viruses for Linux systems. With the information publicly and easily obtainable, someone somewhere will use it to create a Linux virus. When that happens, there will be damage. Some administrators, even Linux administrators, are simply careless, or too busy to notice, or simply unlucky. Systems will go down. Data will be lost. There's no arguing that it won't happen; the only questions are "when" and "how bad".

In my opinion, this information should be published. This information, like the computers and software it affects, is a tool. Tools can be used for good or for evil, and this has always been the case. It is better to have the information available, and be able to use it when necessary, than to not have it be available when you need it. Consider this statement from the document's introduction:

"This document is my way to fight the FUD. Use the information presented here in any way you like. I bet that Linux will only grow stronger."

Poll
Should this be published by the LDP?
o Yes 75%
o No 10%
o Yes, in edited form 7%
o Maybe 5%
o Other (comment below) 0%

Votes: 120
Linux Virus Writing HOWTO | 85 comments (74 topical, 11 editorial, 0 hidden)
Publish (3.33 / 9) (#1)
by DesiredUsername on Thu Mar 14, 2002 at 01:28:37 PM EST

It clearly belongs in the Linux-HOWTO family and not publishing it will accomplish nothing.

Play 囲碁
marketing (4.50 / 2) (#2)
by ucblockhead on Thu Mar 14, 2002 at 01:33:28 PM EST

It probably ought to be retitled, though. Just calling it "The Linux Virus-Fighting HOWTO" would quiet some of the controversy.
-----------------------
This is k5. We're all tools - duxup
[ Parent ]
Controversy (4.00 / 2) (#3)
by notafurry on Thu Mar 14, 2002 at 01:35:11 PM EST

I suspect that's at least part of the author's goal. Whether that's a good thing or not is another question. <G>

[ Parent ]
Ick (4.75 / 4) (#4)
by DesiredUsername on Thu Mar 14, 2002 at 01:36:37 PM EST

Why use "marketing" to "quiet the controversy"? The document clearly teaches (or will teach) how to create a Linux virus whether it is called that or not. I don't think we need to add dishonesty to the mix in addition.

The Slashbots (I'm including ESR in that statement) have been saying Linux is more secure for years, let's see if that remains true when this HOWTO gets out. If it does, Linux gets a better rep. If it doesn't, Linux has a chance to earn a better rep.

Play 囲碁
[ Parent ]

More important than you think... (4.66 / 3) (#8)
by ucblockhead on Thu Mar 14, 2002 at 01:53:41 PM EST

You and I may understand that simply changing the title changes little. However, the FBI, the Ten O'Clock News and J. Random ScriptKiddie will not. Why make trouble?

I don't think my title is dishonest in that the reason for distributing the information is to prevent viruses.
-----------------------
This is k5. We're all tools - duxup
[ Parent ]

Why coddle superficiality? (3.66 / 3) (#10)
by DesiredUsername on Thu Mar 14, 2002 at 02:10:06 PM EST

If the FBI and the ten o'clock news don't understand this concept then the title of this document is the least of our worries.

Sure his reason for creating it is to increase security. Nonetheless the actual contents are how to create a virus, not how to find, block, disassemble or prevent them. Therefore your proposed title is wrong and, because that error is deliberate, dishonest.

Play 囲碁
[ Parent ]

superficiality (2.50 / 2) (#13)
by ucblockhead on Thu Mar 14, 2002 at 02:29:45 PM EST

If the FBI or the news media misunderstands, their misunderstanding can cause you all sorts of grief. Better to avoid it at the outset.
-----------------------
This is k5. We're all tools - duxup
[ Parent ]
Think. Think. Think. This *IS* the FBI. (none / 0) (#46)
by Anonymous 242 on Thu Mar 14, 2002 at 11:34:58 PM EST

> If the FBI and the ten o'clock news don't understand this concept then the title of this document is the least of our worries.

Given that governmental agencies such as the FBI and Secret Service have trouble taking the time to understand weblog comments in the context in which they were originally created, I would think that the title of the document would be of tantamount importance.

But maybe that's just me. YMMV.

Regards,

Lee Irenæus Malatesta

[ Parent ]

J. Random ScriptKiddie? (4.50 / 4) (#24)
by ethereal on Thu Mar 14, 2002 at 03:11:18 PM EST

I would love to see J.R.S. successfully attack a box using this HOWTO. All it covers (so far) is how to hide your virus inside an ELF file. It doesn't cover how the virus will spread and propagate, which is really the most important part and which is the side of the argument where people say that Linux systems are safer than Windows systems. The point is not really the hiding of the malicious code, the point is in how you get the attack into the system itself either as a trojan, a worm that exploits a remote hole, a macro virus, etc. Inasmuch as Linux reduces these opportunities (especially in the email virus category) it will be found to be more secure.

Frankly, so far the document is an enlightening look at asm programming and ELF internals, but nothing much more. I don't see a reason not to include it in the LDP, under whatever title, as part of the full documentation of Linux systems that's already there.

A truly successful Linux virus virus/worm would have to take advantage of a remote attack (either through email, a web page, or a daemon exploit), replicate itself, and spread again. We should be worried if this document contains information on a remote attack that is widespread and hard to fix (like zlib but worse). Once the means of dissemination exists, whether or not the virus can hide itself within ELF files is the least of our worries.

--

Stand up for your right to not believe: Americans United for Separation of Church and State
[ Parent ]

Remember, though (4.50 / 2) (#25)
by notafurry on Thu Mar 14, 2002 at 03:31:27 PM EST

The author states that this document is not complete. He may be writing the next chapter, "Virus Propagation", as we speak.

Or he might not.

However, this is just the first. This document, by itself, is not that important, no. It might shake some people up, sure, and that would - probably - be a good thing.

However, once the LDP has accepted a "Virus Writing HOWTO", how do they justify denying a "Virus Propagation HOWTO"? Or a "Remote Compromise HOWTO" document? They're the exact same thing, the exact same controversy - and if this is accepted, they will find it harder to refuse the next one.

[ Parent ]

remote compromise howto (4.00 / 1) (#34)
by ethereal on Thu Mar 14, 2002 at 05:14:58 PM EST

I don't know if we necessarily want to publish the exact shellcode that you can use to exploit zlib, or snmpd, or whatever. Although I imagine that everyone who wants to abuse those programs can already find plenty of examples with a little looking.

I wonder if open source programmers would actually make use of such a document if it listed exactly how their programs were being attacked - would this make future coders more careful? Although about 95% of the care is already expressible in a few pithy tips, like:

  • use strncpy, not strcpy
  • be careful when using /tmp
  • etc.

If it were me, I don't think that knowing the actual remote exploit against my code would make me a whole lot more careful than just knowing that it had been exploited in the first place. But maybe others would feel differently.

Now, as an academic exercise, I admit that I enjoyed this HOWTO so far, since I don't have a whole lot of knowledge of x86 asm or ELF innards. And I'd be interested in reading about how some of these exploits are crafted, just for my own edification. But I'm also not going to say that my academic interest is enough to say that this definitely should be published.

Of course, at this point it doesn't matter if the LDP accepts it or not. It's linked from enough places now that in a couple weeks I'm sure it'll be one of the top google choices. The knowledge is going to be out there, whether LDP picks it up or not.

--

Stand up for your right to not believe: Americans United for Separation of Church and State
[ Parent ]

LDP's "Manifesto" (4.58 / 12) (#5)
by StephenFuqua on Thu Mar 14, 2002 at 01:43:35 PM EST

I think it is important to look at the LDP's purpose. From the LDP Manifesto:

The Linux Documentation Project is working on developing free, high quality documentation for the GNU/Linux operating system. The overall goal of the LDP is to collaborate in all of the issues of Linux documentation. This includes the creation of "HOWTOs" and "Guides". We hope to establish a system of documentation for Linux that will be easy to use and search. This includes the integration of the manual pages, info docs, HOWTOs, and other documents.

LDP's goal is to create the canonical set of free Linux documentation. ...

From this description, I'd say a Virus-Writing How-To definitely fits. Now, of course, there are certain people behind this project, and if they don't think this is appropriate, they can and will choose not to make it a part of the "official" documentation project. However, if they reject it, I would suggest that they need to refine their manifesto, with something about the reason/spirit behind their endeavors. This How-To likely violates the spirit of their intentions--so perhaps this spirit should be made more clear in the Manifesto.



Should be published (3.14 / 7) (#7)
by M0dUluS on Thu Mar 14, 2002 at 01:46:29 PM EST

to remove any lingering illusions that may be held about *nix not being possible hosts for viruses.
Does anyone who's been following this know what "offensive" material is being referred to in this quote:
* Added epigraphs to all sections, removed one offending paragraph on the way.


"[...]no American spin is involved at all. Is that such a stretch?" -On Lawn
offending !necessarily= offensive [nt] (4.00 / 2) (#12)
by miller on Thu Mar 14, 2002 at 02:26:03 PM EST



--
It's too bad I don't take drugs, I think it would be even better. -- Lagged2Death
[ Parent ]
No one (4.25 / 4) (#21)
by binaryalchemy on Thu Mar 14, 2002 at 02:58:02 PM EST

No one, even the worst of the Linux (or even OpenBSD) fanatics, says that *nix can't host viruses. They say that it's very hard to get them in, which this document does nothing to disprove.

To do what this document talks about you'd have to root the system, and if you've done that why not just rm -rf / and be done with it?

There have been unix viruses in the past, there will be unix viruses in the future. The security of unix is that unix viruses still rely on the same transition methods DOS viruses did, user error, and it's near to impossible to protect a generic operating system from that. (By generic I mean your home PC. You could probably make your pocket organizer virus proof, because it doesn't have to deal with unexpected situations.)

This document isn't new, it's just old-fashioned and well-known information with a fancy name so script kiddies will read it.
------
Defending the GPL from a commercial perspective is like defending the Microsoft EULA from a moral perspective. - quartz
[ Parent ]

Really? (4.50 / 2) (#52)
by gazbo on Fri Mar 15, 2002 at 06:01:46 AM EST

> No one, even the worst of the Linux (or even OpenBSD) fanatics, say that *nix can't host viruses.

Been to Slashdot recently? The most active voices in the *nix community are the least qualified Linux users. They make this sort of ludicrous claim all the time.

> and if you've done that why not just rm -rf / and be done with it?

Propagation. Root and rm -rf a system and you'll annoy a person for a day. Install a virus that propagates to other machines and rm -rf /usr, and you'll annoy a community forever.

> The security of unix is that unix viruses still rely on the same transition methods DOS viruses did, user error...isn't new, it's just old fashon and well know information

I quite agree with most of this. An important thing to realise is that user error is a loose term. Running an attachment in Outlook is a user error clearly. However, you can go as far as to say that root installing a package without checking the MD5 is user error. Or let's be a bit more adventurous: root user downloads a handy looking script. Being security conscious, he runs it as an unprivileged user. It works as expected. Delighted, he then starts using it as root - it is useful for system administration after all. The only step he hasn't followed is to examine the source code (or decompile the binary). Can we really claim that not examining the source code is user error? The only other suggestion is to not download from anything but a trusted site - well wtf is a trusted site? There's always a blurry line there.

My point is that by levelling an accusation of user error, it is easy to absolve the OS of blame, and instead target it at the user. In the cases I suggested, there is no real blame (except for not installing a *nix virus scanner). There is real potential for a problem, but the zealots are so busy apportioning blame to defend their OS of choice that the problem is not being addressed logically.

Back on the topic of whether the guide should be published, there are two things to consider. Firstly, the OSS community constantly criticises closed source software vendors (OK, MS) for keeping vulnerabilities quiet; they champion their own methods, whereby bug reports are made public and then addressed within an hour (I'm playing devil's advocate here). In this case it is hypocritical for them to *not* publish such a report, just because it is not a simple off-by-one error that can be fixed in one man-hour.
The second point is that what other people have posted is true, that this is all known knowledge etc and will only benefit the script kiddies, talented hackers (fuck you ESR) already know/are capable of divining this information. However, what they don't realise is that a talented hacker will discover an exploit/procedure, and this is their intellectual challenge completed. It is the *untalented* script kiddies who get pleasure from mindlessly copying someone else's work and just changing the payload etc. Take the Code Red and similar worms. The exploit was discovered, fixed and published nearly half a year before the major worms hit - it is these people who do the damage, and it is these people who need a hand-holding guide.


[ Parent ]

There is more than one way to skin a cat (none / 0) (#73)
by panum on Sat Mar 16, 2002 at 03:20:01 PM EST

rm -f / is not a smart thing for a virus to do. It will alert the administrators immediately. All serious systems have backups, and the destruction covers only a few hours' work. When the system is restored, the admins are extra careful to put up a more secure system.

Now, there exists a nasty bug like the one that corrupts databases. For a serious vandal, this kind of activity is way more "profitable" than single-strike damage.

What about a virus that sniffs passwords? Or mails confidential documents around? Ordinary trojans already do that; a virus might do that and also spread itself to many systems. Talk about Melissa / Loveletter / Whatever is the poison of the day for VBScript. Should someone build a bug like that for Linux, I assume the creator wants to draw as little attention as possible in order to cause maximal damage.

-P

--

-- I hate people who quote .sigs
[ Parent ]
Unix viruses. (5.00 / 2) (#31)
by Znork on Thu Mar 14, 2002 at 04:29:52 PM EST

Few people claim it's impossible to write virii for unix. It is, however, exceedingly hard to get them to actually spread. Which the author of the HOWTO notes.

There are many reasons for this; lack of binary compatibility between different architectures, the separation between user and admin privileges, and when it comes to linux, the differing distributions, builtin md5 checksumming and digital signing, as well as easy updates to avoid lingering security holes.

A virus that could successfully spread to more than a small specific subset of machines would be conspicuously large and complex.

[ Parent ]
But what's the point? (4.58 / 12) (#15)
by binaryalchemy on Thu Mar 14, 2002 at 02:31:59 PM EST

It's not really that good, no great and magic exploits, just how to insert arbitrary assembly code into an ELF executable. Not even how to hide it, not how to take over a running process, no polymorphism.

I've seen exacting instructions on how to break into Windows/Older *nix (Linux included), but this is just something on how ELF files work. All dressed up so the l33t h4x0rs will read it.

I don't see why the LDP would host it, this doesn't really provide anything that a sysadmin, or even a real virus writer, would benefit from. If you're truly paranoid, make MD5s of your *bin directories. I'd be fairly sure most truly paranoid people already thought of that.
------
Defending the GPL from a commercial perspective is like defending the Microsoft EULA from a moral perspective. - quartz

MD5 of bin dirs (4.00 / 3) (#22)
by hardburn on Thu Mar 14, 2002 at 03:00:50 PM EST

> If you're truly paranoid, make MD5s of your *bin directories. I'd be fairly sure most truly paranoid people already thought of that.

Yes, that is what tripwire scripts do. It is suggested you keep the original MD5 values on a write-protected floppy (or some other form of read-only media) that is always in the drive.


----
while($story = K5::Story->new()) { $story->vote(-1) if($story->section() == $POLITICS); }


[ Parent ]
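As an added example (not code from the original page or from any of the commenters), here is a small shell script implementing the baseline check binaryalchemy and hardburn describe above: hash every file under the binary directories, store the listing, and later recompute and diff it so modified, removed and newly added files all show up. It assumes GNU coreutils (find, sha256sum, sort, diff, mktemp) and uses sha256sum instead of the MD5 the 2002 thread mentions, since MD5 collisions are now practical.

```shell
#!/bin/sh
# Added example, not from the original page: baseline-and-verify integrity
# check for binary directories ("make checksums of your *bin directories").
# Assumes GNU coreutils. sha256sum replaces the MD5 of the 2002 thread;
# override with HASH_TOOL=md5sum if you must match an old baseline.

HASH_TOOL="${HASH_TOOL:-sha256sum}"

# snapshot DIR... : print "hash  path" for every regular file under the
# given directories, sorted by path so two snapshots are directly diff-able.
snapshot() {
    find "$@" -type f -exec "$HASH_TOOL" {} + | sort -k 2
}

# make_baseline BASELINE_FILE DIR... : record the current state.
# hardburn's advice still applies: copy BASELINE_FILE to read-only media,
# because an attacker who already has root can simply rewrite it in place.
make_baseline() {
    baseline="$1"; shift
    snapshot "$@" > "$baseline" && chmod 444 "$baseline"
}

# verify_baseline BASELINE_FILE DIR... : recompute and compare.
# Recomputing the whole listing (instead of "sha256sum -c BASELINE") also
# catches files ADDED since the baseline, e.g. a newly dropped binary,
# which a plain "-c" check never looks at because it is not in the list.
# Returns 0 if unchanged, 1 if any file was modified, added or removed.
verify_baseline() {
    baseline="$1"; shift
    current=$(mktemp) || return 2
    snapshot "$@" > "$current"
    if diff -u "$baseline" "$current" > /dev/null; then
        rm -f "$current"
        return 0
    fi
    echo "integrity check FAILED for: $*" >&2
    # '-' lines are baseline entries now missing or changed,
    # '+' lines are current entries that are new or changed.
    diff -u "$baseline" "$current" | grep '^[-+][^-+]' >&2
    rm -f "$current"
    return 1
}

# Stand-alone demo on a constructed directory (not real system binaries):
#   sh integrity.sh demo
if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d)
    mkdir "$d/bin"
    printf 'original binary\n' > "$d/bin/ls"
    make_baseline "$d/baseline.sha256" "$d/bin"
    verify_baseline "$d/baseline.sha256" "$d/bin" && echo "clean"
    printf 'infected binary\n' > "$d/bin/ls"      # simulate an infected file
    verify_baseline "$d/baseline.sha256" "$d/bin" || echo "tampering detected"
    rm -rf "$d"
fi
```

Run the baseline from known-good media (a rescue boot), not from the possibly compromised system, and schedule the verify step from somewhere the host cannot silently disable.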
Wimps! (4.75 / 4) (#27)
by schrotie on Thu Mar 14, 2002 at 03:52:55 PM EST

You are not nearly paranoid enough.
There are Joe Wannabe rootkits out. Rootkits that hack the kernel by directly writing to the RAM to circumvent detection of trojans. And they are easy enough to use for your average script kids. If you are really paranoid, you need certain kernel patches and advanced intrusion detection tools. And you always need to keep track of the latest technology of hackers. Read: if you don't lose big money with downtimes skip paranoia. Make backups. You can only go so far with security.

[ Parent ]
yep (none / 0) (#62)
by QuantumG on Fri Mar 15, 2002 at 01:42:47 PM EST

Inserting into running processes being one of the most promising linux virus techniques I fail to see how it could possibly be missed.

Gun fire is the sound of freedom.
[ Parent ]
Bad examples (4.07 / 14) (#23)
by hardburn on Thu Mar 14, 2002 at 03:05:27 PM EST

I've seen posters below talking about how this HOWTO uses a bad example. It reminded me of an example that showed up on TechTV (which I don't watch myself, but my wannabe brother often has it blaring). They had their "secret hax0r" (wearing a bandana over his face, so as "not be to identified") show people how to break security on a GNU/Linux system. Their method involved putting a backdoor in Pam, which would require you to ALREADY HAVE ROOT ACCESS!!! Breaking a system after having root access, eh? I'm impressed![/sarcasm]


----
while($story = K5::Story->new()) { $story->vote(-1) if($story->section() == $POLITICS); }


Backdoors serve a different purpose (none / 0) (#76)
by blackwizard on Sun Mar 17, 2002 at 02:59:51 PM EST

Of course you have a point -- to put a backdoor in a system, you generally already have to have access to it in some way. If not as root, then as the designer/implementer of the program that has the backdoor. (If he used social engineering to get a luser admin to install a PAM "upgrade" that he put a backdoor in, that's a bit different)

I'd be willing to wager that backdoors are usually placed there by systems architects/sysadmins/etc for "job security" purposes -- people paranoid that their employer is going to screw them, so they give themselves a way to get even. Perhaps this is what the "secret hax0r" was doing? Of course, if that were the case, I don't think his bandana would protect him from the lawsuit about to hit him. =)

[ Parent ]

Publish it far and wide (4.33 / 12) (#26)
by baronben on Thu Mar 14, 2002 at 03:50:11 PM EST

The first step to stopping a problem is knowing why it happens. That's why we study what causes things like AIDS, cancer, or Crime. Simply knowing that something exists doesn't mean that you can stop it. You need to know what causes it.

In this case the author(s) might have found some previously unknown exploit, or combined the knowledge on Linux virus writing into one easy to read format. This gives the kernel hackers and programmers a very good resource to make Linux more secure. What better way to fight a virus than to see partial source code?

The fact that the author(s) sent this to a Linux community instead of the secret anti-linux division of Microsoft suggests that the author(s) want Linux to be more secure by giving them this knowledge.

The only question is now if the community can be held responsible for damage that this causes, but I don't think this is the case, because there are formulas for gun powder in my Chem book, descriptions on how to make atomic bombs in Clancy books. A disclaimer attached to this should indemnify everyone.


Ben Spigel sic transit gloria

By all means (4.35 / 14) (#28)
by miah on Thu Mar 14, 2002 at 03:57:08 PM EST

Publish this. File it under security. This would be on the same level as a "Recover Root Password HOWTO". Now for an example:

1. You've forgotten your root password by being a good little admin and not writing it down or sharing it with people that have no need for it.

2. You can pass the 'single' value to the kernel and it will dump you into single user mode effectively as root. Push your password and you're done.

3. If for some reason your bootloader will not let you add the 'single' string to the list of values passed to the kernel, make a boot disk. Mount the partition with /etc/ on it. open up /etc/shadow in a text editor and wipe away the password and add in your own MD5'd string (I'd post a link to a perl script to generate that but I've forgotten where it is).

This is all very harmless and useful to some budding young admins. The virus HOWTO would be in the same boat. Useful to admins that are trying to harden their systems. One solution to harden your binaries from this attack is to `chattr -i` your executables to make them immutable. The ways to thwart viruses would also be a good addition to the HOWTO as well.

Linux also needs to shake the 'immune to virii' FUD and use a more accurate sentiment of 'resistant to virii through good security practices'.


Religion is not the opiate of the masses. It is the biker grade crystal meth of the masses.
SLAVEWAGE
Viruses/Virus protection under Linux (4.00 / 2) (#35)
by simon farnz on Thu Mar 14, 2002 at 05:19:19 PM EST

I sometimes get asked why I don't run McAfee when I'm booted into Linux, yet I do when in Windows; my stock answer is simple:
  1. Most viruses target Windows, as it is more popular; I am therefore resistant to them anyway.
  2. I have security measures in place under Linux (which I talk techies through), which limit the damage a virus could do, and the chances that I might get a virus in the first place.

--
If guns are outlawed, only outlaws have guns
[ Parent ]
chattr (none / 0) (#53)
by bags43 on Fri Mar 15, 2002 at 06:33:41 AM EST

> One solution to harden your binaries from this attack is to chattr -i your executables to make them immutable.

Isn't that supposed to be chattr +i?

[ Parent ]

right again (1.00 / 1) (#60)
by miah on Fri Mar 15, 2002 at 11:26:57 AM EST

All of my posts yesterday fall under that "I didn't have enough coffee" realm. So yeah, you are right...


Religion is not the opiate of the masses. It is the biker grade crystal meth of the masses.
SLAVEWAGE
[ Parent ]
That won't work. (none / 0) (#66)
by Wouter Coene on Fri Mar 15, 2002 at 02:40:33 PM EST

That won't work, as once the attacker has gained root on your box the only thing he has to do is to chattr -i whatever file he'd like to infect.

Of course, there are patches to prevent this (LIDS for example), and other UNIX-likes (like OpenBSD) support this natively.

Alternatively, you could use this technique on a system with a plain Linux kernel to protect your binaries against attackers less-experienced with UNIX systems.

Wouter Coene

[ Parent ]

Already covered in depth before... (3.25 / 8) (#29)
by polgair on Thu Mar 14, 2002 at 04:23:38 PM EST

Linux binary infection has been covered in depth by silvio cesare circa 1998 or so. I wonder why this person chose not to provide any references? Is all the work shown original? Why don't you see for yourself: http://www.big.net.au/~silvio/elf-pv.txt

I fucked up... woops (4.00 / 3) (#30)
by polgair on Thu Mar 14, 2002 at 04:26:17 PM EST

I'm sorry I fucked up. Man I do apologize. His name is right on the bottom. I knew the man and actually tested some of his stuff, so I got a little bit aggressive and wasn't careful at all. My apologies to everyone

[ Parent ]
If it's well done, publish it (4.71 / 7) (#33)
by substrate on Thu Mar 14, 2002 at 04:56:56 PM EST

In a previous life I somehow picked up a system administrator's hat, a hat I've since discarded fortunately. One of the most helpful things I had read on network security was a publication by Dan Farmer: Improving the Security of Your Site by Breaking Into It. It was where I first learned about the hazards of poor programming practices and resulted in me learning how to be a better programmer, a programmer that could design secure code. The paper infected me as well beyond the topics it described, I learned how to look for weaknesses through other mechanisms as well.

Erm... (2.80 / 5) (#36)
by krogoth on Thu Mar 14, 2002 at 05:33:02 PM EST

The best argument I could find for publishing this is that it helps system administrators defend against it. Why not take a Virus-defense-HOWTO instead? I don't think this should be included, but for educating people on defense a document could be written with a less destructive intent.
--
"If you've never removed your pants and climbed into a tree to swear drunkenly at stuck-up rich kids, I highly recommend it."
:wq
Simple (3.00 / 1) (#39)
by notafurry on Thu Mar 14, 2002 at 06:02:27 PM EST

You don't learn how to secure a system by studying documents of security techniques. The best any such document can do is get your system secure *up to the date that the document was written.* New techniques won't be covered.

By studying the actual methods used to compromise systems (viruses and other malware fit this category) you learn more than how to prevent attack X. You learn the methods used to create X, and therefore hopefully to discover attack Y and prevent it, too.

[ Parent ]

I didn't mean that (4.00 / 1) (#47)
by krogoth on Thu Mar 14, 2002 at 11:38:43 PM EST

I don't ask for a guide on upgrading to OpenSSH 3.1p1. What about a discussion of virus writing strategies and *what makes it harder for them to spread*, but from a defensive point of view?
--
"If you've never removed your pants and climbed into a tree to swear drunkenly at stuck-up rich kids, I highly recommend it."
:wq
[ Parent ]
You can't do that directly (5.00 / 1) (#48)
by notafurry on Fri Mar 15, 2002 at 12:24:03 AM EST

To develop defensive strategies, you have to know the offensive strategies. And there's no way to learn the offensive strategies without documents like this one.

[ Parent ]
Antici....pation (4.00 / 1) (#43)
by tenpo on Thu Mar 14, 2002 at 07:27:05 PM EST

If you can learn thoroughly the methods and techniques of designing viruses you can ready yourself against more than just the current season's strains. You can get inside the other guy's head and look for weaknesses that they're looking for and (perhaps) plug them before they become a problem. That's just one benefit that i thought of straight away.

[ Parent ]
Well . . . (5.00 / 1) (#45)
by regeya on Thu Mar 14, 2002 at 10:19:22 PM EST

Considering how easy it would be (really, it would be) to infect a machine, the defense issues are both simple and complex. They can be outlined thusly, and should already be done by competent administrators (NOTE: I'm not one. ;-)

1.) harden the security of the box(es) you're responsible for
2.) keep your system updated any time a patch comes along for your system, especially local and remote 'sploits. I know a lot of people who think that Linux is less virus-prone than other OSes, but it's not, really, as it should be possible to write a Trojan that can start by r00ting the box. Once that's done . . . well, I leave it to you. ;-)


[ yokelpunk | kuro5hin diary ]
[ Parent ]

Is a virus part of Linux? (2.50 / 6) (#37)
by Tezcatlipoca on Thu Mar 14, 2002 at 05:54:53 PM EST

My answer is no.

Thus to publish this as part of the LDP is not appropriate.

By all means this must be published, but it does not belong to the LDP project.

If, on the other hand, it were presented as how to harden your box by first studying intrusion techniques, perhaps as part of a Security-HOWTO, then I would be more willing to take it on board.
---
"At eighteen our convictions are hills from which we look;
at forty-five they are caves in which we hide." F. Scott Fitzgerald.
Not relevant (4.60 / 5) (#38)
by notafurry on Thu Mar 14, 2002 at 06:00:17 PM EST

Apache is not part of Linux, either, but there are several Apache HOWTOs. The document is about writing viruses for the Linux platform, therefore it is appropriate for the LDP.

[ Parent ]
Impurity (4.75 / 4) (#42)
by tenpo on Thu Mar 14, 2002 at 07:23:52 PM EST

There are HOWTOs on linux advocacy, hosting a linux event, writing a linux HOWTO and switching over to linux from DOS. None of those things are purely regarding how to get a linux machine to work, and yet they describe different regions in the world of the linux user, as do the threat of viruses. If you think of it as complementing all those HOWTOs on security how can you deny its relevance? And if it is relevant in that instance there you are - it should be published.

[ Parent ]
You said it! (1.50 / 2) (#54)
by Tezcatlipoca on Fri Mar 15, 2002 at 06:34:18 AM EST

All those HOWTOs help you to make a machine *work*.

A virus, by definition and by custom, is understood to have as objective to impair the proper functioning of a computer.

Let me make an allegory: it is as if, with your CD player, you got a chapter entitled "how to destroy your player".

It is completely against the most basic intuition.
[ Parent ]
Right (4.66 / 3) (#55)
by tenpo on Fri Mar 15, 2002 at 07:01:26 AM EST

First of all, only one of those examples I gave has anything to do with touching a Linux machine. So please don't put words into my mouth for me.

Secondly, IMO good security comes from an understanding of how you are going to be attacked and coming up with a *prescriptive* and fundamental solution for any weaknesses that can be found. Any other method is known as 'fire-fighting' and is generally responsible for a great amount of extra work.

If you want to destroy your CD player, look in the section that describes how to care for it. Ignore the words "Do not". You can of course say that I can't ignore those two words when they appear in front of "expose CD Player to extreme heat or cold", but nevertheless I now know how to destroy my CD Player, and I got that information from the manual.

[ Parent ]
Assuming that it does not lead to infections... (3.00 / 21) (#40)
by QuickFox on Thu Mar 14, 2002 at 06:50:59 PM EST

Customer: The Linux camp is publishing manuals on how to attack their own system with viruses!

Microsoft Salesperson: Yes, they are totally irresponsible, they are compromising the systems of all their users. Here at Microsoft we would never do that! We have a serious commitment to security. We invest a major part of...

Customer: Yeah, sure, but it sounds damn impressive! Think of it! They seem to have quite some self-confidence over there. Would you dare do the same thing?

Microsoft Salesperson: Of course we would never do such a thing! We take the concerns of our customers seriously! For the safety of our customers we have a policy of security through obscurity. Obscurity! It's ingenious! The crackers simply don't know how to get in! This is a much safer path.

Customer: Yet Linux doesn't seem to get more infections than Windows. I bet this strange open policy of theirs keeps their programmers on their toes all the time.

Microsoft Salesperson: Yes, well, as I said, here at Microsoft we have a strong commitment to security. We invest a major...

Customer: Yeah, sure. Well, nice talking to you. Bye!

Microsoft Salesperson: But weren't we going to discuss your expansion into...

Customer: Maybe some other day. Bye!

Click!

... Damn impressive ... Hmm...

Give a man a fish and he eats for one day. Teach him how to fish, and though he'll eat for a lifetime, he'll call you a miser for not giving him your fish.


Terrorists can't threaten a country's freedom and democracy. Only lawmakers and voters can do that.

in reality, though (4.60 / 5) (#41)
by tenpo on Thu Mar 14, 2002 at 07:17:06 PM EST

That dialogue wouldn't get past the Microsoft salesperson's first spiel. The customer wouldn't know enough not to be convinced immediately. To the layman it DOES sound like a self-destructive, irresponsible, kids-running-the-world kind of prank.

I doubt that most customers would even hear of this document anyway, unless the Microsoft salesperson brought it up. And if they did, you can bet the farm that it fits into a nice sales pitch.

[ Parent ]
Consider what happens in the long run (5.00 / 1) (#44)
by QuickFox on Thu Mar 14, 2002 at 08:53:28 PM EST

It seems to me that it might gain quite some publicity in the long run, simply for showing such a daring attitude. If it became more or less customary, in time people would know about it as "the Linux way of managing security".

You're right that it can sound like a kid's prank. To make the publicity positive it would be necessary to emphasize that all such information is readily available anyway, that it spreads quickly all over the Internet and all you have to do is look around a little. By collecting it you make sure it reaches the programmers early, instead of waiting for someone to exploit it and then patch.

Still it would be risky, especially in the beginning.


[ Parent ]
Agree (none / 0) (#56)
by tenpo on Fri Mar 15, 2002 at 07:10:39 AM EST

I do think this is an excellent idea, and that they should publish it as part of the LDP if it's good enough to be included on its own merit.

I'm wary though, of any idea which will only work if we (you know, the good guys) manage to educate the public. Obviously it'd be just as good if the people making decisions can see the good of it. I'm afraid that the message here will be garbled and incoherent due to the many different opinions within the technical community itself.

If it's emphasised that the HOWTO contains no virus source code, just the theory of programming a Linux virus, then it's harder to make it look like a bomb-making kit. It could easily be compared to the availability of certain nuclear physics textbooks that can be found in any public library. Whether that would panic or quiet the herd, though, I'm unsure :)

[ Parent ]
That's one way it could go... (4.33 / 3) (#49)
by martingale on Fri Mar 15, 2002 at 12:31:50 AM EST

Or perhaps it would go like this?

  • Customer: The Linux camp is publishing manuals on how to write viruses!
  • Microsoft Salesperson: Yes, they are totally irresponsible, they are compromising the systems of all users. Here at Microsoft we would never do that! We have a serious commitment to security.
  • Customer: I'm scared, send in the ATF! (walks to cashier and hands over credit card)
  • Linux advocate: (walks over to Microsoft Salesperson) Hey, I heard that! You were misleading the customer by implying that all systems are compromised. But the HOWTO only shows how to write Linux viruses. You liar! Bad!
  • Microsoft Salesperson: Yeah, but can you prove that Linux viruses won't be used to remotely inject Windows viruses into that guy's box?


[ Parent ]
Mystery mods (5.00 / 1) (#67)
by QuickFox on Fri Mar 15, 2002 at 04:18:44 PM EST

Sometimes I wish K5 gave clues on the reasons for moderations. I really, really would like to know why my customer-salesman post (the parent) gets such negative ratings (2.50/12). What's wrong with it?

It can't be considered zealot since it argues both sides. It can't be seen as a troll. (Or can it?) Maybe it has some minor glitches in style, but it's just a comment.

To me it seems the post presents two viewpoints in a fairly thought-provoking way, and also makes it somewhat entertaining. Nothing very great of course but good, that's how it seems to me. When I submitted it I thought it was one of my more successful posts! Yet judging by the rating it's my second worst ever!

Not that I'm upset or anything, it's just really very intriguing. Also, I might learn something.

If anyone would comment on this I'd be grateful.


[ Parent ]
testify! (3.00 / 1) (#70)
by tenpo on Fri Mar 15, 2002 at 11:08:44 PM EST

Well, I can't speak for anyone else, but I rated it a 3 since it was topical and humorous but at the same time naive (in as much as I've talked to lots of companies' purchasing officers and realise that they don't seem to be on the same planet as most of us) and hence a little evangelically Linux. You've scored a few 1's; don't know how that happened, but... well... it's not that important anyway, right?

[ Parent ]
Thanks (4.00 / 2) (#72)
by QuickFox on Sat Mar 16, 2002 at 01:57:05 PM EST

Thanks for the explanation. It's interesting, it shows a difference in outlook. It never occurred to me that the naive view might have this effect because it's intentional, part of the style, just like a caricature drawing exaggerates details and makes no attempt to be realistic.

Maybe this caused the 1's too. I don't think I'll stop occasionally writing a caricature or naive exaggeration, even if I should find that they often attract low ratings, because personally I like such comments. They give moments of relaxation in the middle of the debate. (Of course they must be spread thinly, else they can become a hindrance.) High ratings are of course fun, but writing these comments is fun too.


[ Parent ]
Get with the program, man! (none / 0) (#74)
by tenpo on Sat Mar 16, 2002 at 09:36:22 PM EST

Relaxation in the middle of the debate? We're fighting for our lives here, man! Personally, I take myself very seriously indeed and I have no sense of humour. Your obvious and now admitted lack of self-interest is going to force me to go through all of your comments and rate each of them 1. Them's the brakes.

[ Parent ]
Tremble (5.00 / 1) (#75)
by QuickFox on Sun Mar 17, 2002 at 09:11:21 AM EST

Fighting for your life without relaxation? Well, then I might just as well shed a tear for you right now, 'cause you're gone.

Clearly you've never heard of Aikido, Jiu-Jitsu or Karate. Relaxation and calm breathing are the Very Essence of a nicely savage blood-splattering fight. Stand back in profound meditation, just give some subtle, carefully balanced guidance to make your opponent direct all his force into thin air and back at himself.

Modding me to all 1's? Have you really thought this through? For instance, are you sure it would be polite?

Asserting one's personality just occasionally amid the never-ending struggles to be a good sheep in the flock is something quite different from the disasters and cataclysms that you wish to wreak upon me. Should these horrors come to pass, I shall have no choice but to point out that you have much more to lose than I, having posted much more...

Should this thing escalate between us, in the end it might attract the attention of the Almighty, the All-Seeing, the Merciful and All-Powerful. It might come to the point where Rusty starts Frowning upon us and making us Tremble.

Do you really want to Tremble?


[ Parent ]
umm... look... (none / 0) (#77)
by tenpo on Sun Mar 17, 2002 at 08:54:22 PM EST

It was a joke. I thought it was exaggerated enough to make that obvious. Guess not.

[ Parent ]
and another thing... (none / 0) (#78)
by tenpo on Sun Mar 17, 2002 at 08:57:21 PM EST

I apologise that my poor attempt at humour caused you to write an unneeded but lengthy rebuttal. If I were indeed a sociopath and my original 'get with the program' post was serious, I'd be forced to concede that your counter-points are all on the money. Happy St. Patrick's Day. Have a beer.

[ Parent ]
Mine too (none / 0) (#79)
by QuickFox on Mon Mar 18, 2002 at 12:35:04 AM EST

It was quite clear that it was a joke. And it was not a "poor attempt", it worked fine.

It was also a challenge to continue the joke with a good reply. I like challenges, I enjoy them. So my answer was all joke too. Didn't you notice? The text is absurd! In any case don't be sorry because I had lots of fun writing it. I wouldn't have made it that elaborate if I hadn't enjoyed writing it.

We don't have St Patrick's here in Sweden but I'll share a beer anyway. Cheers! Enjoy!


[ Parent ]
heheheh... (none / 0) (#80)
by tenpo on Mon Mar 18, 2002 at 01:18:32 AM EST

I feel like a fool and I'm laughing pretty hard. I suspected at first that you were joking, but then I remembered how many crazy people there were in the world and figured that, statistically speaking, you were probably one of them, so I'd better cover my arse. Bah! My arse gets me into a lot of trouble.

[ Parent ]
Cheesy Poofs? (none / 0) (#81)
by martingale on Mon Mar 18, 2002 at 09:02:11 AM EST

Bah! My arse gets me into a lot of trouble.
Nah, I think you're confusing yourself with Cartman.



[ Parent ]
Me too, so I spied a little (none / 0) (#84)
by QuickFox on Mon Mar 18, 2002 at 11:52:08 PM EST

Heh, similar thoughts about crazy netizens did pass my mind when I first read your joke. To complicate matters that post has all the ingredients of a very typical troll! But a quick check on a few of your comments made it seem most likely that it was just the honest joke it seemed to be.


[ Parent ]
Phrack (4.00 / 4) (#50)
by prometheus on Fri Mar 15, 2002 at 04:03:26 AM EST

Phrack is a pretty good source of information for these types of things. Here are some of their newer articles which don't really cover propagation, but are fun for covering your tracks once you've gained root.
Linux Kernel Patching
Function Hooking
--
<omnifarad> We've got a guy killing people in DC without regard for his astro van's horrible fuel economy
Illegal? (3.33 / 6) (#57)
by Ranieri on Fri Mar 15, 2002 at 07:50:06 AM EST

In the Netherlands (you know, the country much touted for its freedom and tolerance) virus authoring is illegal (Article 350a of the Dutch penal code) and can be punished with prison sentences of up to four years. When/if this happens, can the LDP be regarded as an accessory to the crime? Or could they possibly even be charged with instigation?

If I were the LDP, I would consider the legal implications very carefully (very very VERY carefully) before accepting it.
--
"Look, Hoagie, it's a hamster! Just what I need for dissection lab tomorrow!"

A rather exaggerated argument. (5.00 / 1) (#63)
by Kugyou on Fri Mar 15, 2002 at 02:00:03 PM EST

By your logic, a shooting instructor could be taken as an accessory to murder, or an instigator, because he taught you how to shoot at a man-shaped target. Or, as someone else stated, saying that Tom Clancy is an accessory or instigator of nuclear attack because he mentioned rudimentary directions on how to build a nuke. Or - here we go - that pornography is an accessory or instigator of rape, because it contains detailed depictions of having sex. Knowledge is power. Crime is an abuse of power. Do you take away Superman's powers in case he goes evil?
-----------------------------------------
Dust in the wind bores holes in mountains
[ Parent ]
The way I read it.. (3.00 / 1) (#64)
by Wouter Coene on Fri Mar 15, 2002 at 02:26:32 PM EST

WvS article 350a doesn't prohibit the writing of virii, but the gaining of unauthorized access to a computer-system, whether through the use of a virus or not.

In fact, I can't see why virus writing should be made illegal, as it's a very useful activity to learn the strengths and weaknesses of a system.

Wouter


[ Parent ]
Whoops (5.00 / 1) (#65)
by Wouter Coene on Fri Mar 15, 2002 at 02:32:49 PM EST

I missed this:

"- 3. Hij die opzettelijk en wederrechtelijk gegevens ter beschikking stelt of verspreidt die bedoeld zijn om schade aan te richten door zichzelf te vermenigvuldigen in een geautomatiseerd werk, wordt gestraft met gevangenisstraf van ten hoogste vier jaren of geldboete van de vijfde categorie."

In English: "He who intentionally and illegally publishes or spreads information intended to replicate and damage automated systems is to be punished with a prison term of at most 4 years or a fine of the 5th category."

Of course, IANAL, but I'd say that it'd be perfectly legal to write and spread virus writing information, as long as you don't include the destructive portions.

Wouter

[ Parent ]

Dutch rules (Nederlands regelt?) [n/t] (none / 0) (#85)
by tps12 on Fri May 10, 2002 at 08:38:46 AM EST



[ Parent ]
Security by obscurity anyone? (4.75 / 8) (#58)
by haro on Fri Mar 15, 2002 at 09:00:19 AM EST

The information in the HOWTO exists. If nowhere else, at least in the head of the author. Not to publish is seeking security by obscurity. No harm can come from making this information available to those of us who would never want to misuse the information. Those who would want to misuse the information are likely to search for it and thus find similar information from other sources anyway.

Not to accept it is an attempt at security by obscurity.

Publish It (4.00 / 3) (#59)
by bsmfh on Fri Mar 15, 2002 at 11:22:32 AM EST

My $.02 (U.S.) is that it should be published. I have been reading over it, and the proactive sysadmins will respond accordingly. The catatonic sysadmins will get hacked anyway, with or without this article. The first page clearly explains ways to avoid getting bitten. If you are too lazy to keep things secure, what do you expect?

This is a naive opinion, but it's mine and I'm stickin to it.

Shame the HOWTO sux (4.50 / 6) (#61)
by QuantumG on Fri Mar 15, 2002 at 01:21:20 PM EST

There is about zero real content here. I've had a linux virus page on my web site for years. This field was pioneered by hackers a lot of years ago. Thankfully Mr Bartolich has credited those pioneers:

Everything in this document is either plain obvious or has been written by someone else long time ago. My meager contribution is nice formatting, reproducibility and the idea to take the subject to mainstream media. But I'm certainly not innovative.

Silvio Cesare. <silvio@big.net.au> Founder of the trade. Keeper of the source. Check out http://www.big.net.au/~silvio and admire the release date.

John Reiser. <jreiser@BitWagon.com> Found one bug and two superfluous bytes in "In the language of evil".

Gun fire is the sound of freedom.

Publish it! You might as well since Google has it. (4.60 / 5) (#68)
by elliotj on Fri Mar 15, 2002 at 05:48:41 PM EST

There is zero harm in publishing it considering that a simple Google search for "linux virus HOWTO" turns it up as the first hit.

If anybody thinks that a bad guy would read the LDP and, upon not finding anything, give up without even searching Google, I'd be surprised.

And frankly we're only concerned about what bad guys would do with the info.

-- e.j.
so? (4.00 / 3) (#69)
by svampa on Fri Mar 15, 2002 at 06:02:36 PM EST

It's not a secret that a virus is a piece of software that modifies binaries. Why should Linux be different? It is able to execute software; ELF binaries are just files, and they can be modified like any other file.

The difference is that UNIX files have permissions, so the user that executes the infected file must have permissions on the file that it's going to infect.

If the user is not root the damage is limited; if the user is root it can do anything. Every user may destroy his own files, and root the whole system.

If you execute a file as root, it may be a trojan, a virus or anything; that's the curse of root.

Here I have a trojan for you:

#!/bin/bash
rm -f /*

run it as root



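The defensive side of the point made in the comment above (a file infector can only rewrite ELF binaries its user is allowed to write to, and root can rewrite anything) is to know which executables are writable by everyone and to keep an integrity baseline so a rewritten binary is noticed. The following is an added example written for this thread, not code from the comment, from the HOWTO, or from the LDP; it assumes a POSIX filesystem, identifies ELF files by their magic bytes, and builds its own constructed sample tree in a temporary directory.

```python
#!/usr/bin/env python3
"""Added example (not from the thread or the HOWTO it discusses):
a minimal ELF integrity baseline plus a world-writable-executable check.
Assumes a POSIX filesystem; all sample files below are constructed."""
import hashlib
import os
import stat
import tempfile

ELF_MAGIC = b"\x7fELF"  # first four bytes of every ELF file


def is_elf(path):
    """True if the file starts with the ELF magic number."""
    try:
        with open(path, "rb") as fh:
            return fh.read(4) == ELF_MAGIC
    except OSError:
        return False


def sha256_file(path):
    """Hash a file in chunks so large binaries do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def take_baseline(root):
    """Map each ELF file under root (relative path) to (sha256, permission bits)."""
    base = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not is_elf(full):
                continue
            mode = stat.S_IMODE(os.lstat(full).st_mode)
            base[os.path.relpath(full, root)] = (sha256_file(full), mode)
    return base


def compare_baselines(old, new):
    """Report ELF files that appeared, vanished, changed content or changed mode."""
    report = {"added": sorted(set(new) - set(old)),
              "removed": sorted(set(old) - set(new)),
              "modified": [], "mode_changed": []}
    for rel in sorted(set(old) & set(new)):
        if old[rel][0] != new[rel][0]:
            report["modified"].append(rel)
        if old[rel][1] != new[rel][1]:
            report["mode_changed"].append(rel)
    return report


def world_writable_executables(root):
    """Executables any local account could rewrite: the files a user-level
    infector does not even need root to reach. Group-writable files matter
    too, but whether they are reachable depends on group membership."""
    hits = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue
            mode = os.lstat(full).st_mode
            executable = mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH)
            if mode & stat.S_IWOTH and executable:
                hits.append(os.path.relpath(full, root))
    return sorted(hits)


def _write(path, data, mode):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)
    os.chmod(path, mode)


def demo():
    """Build a constructed sample tree, baseline it, simulate an infected
    binary, and return (integrity report, world-writable executables)."""
    with tempfile.TemporaryDirectory() as root:
        hdr = ELF_MAGIC + b"\x02\x01\x01"  # fake ELF header, constructed
        _write(os.path.join(root, "bin/ls"), hdr + b"ls-code", 0o755)
        _write(os.path.join(root, "bin/cat"), hdr + b"cat-code", 0o755)
        _write(os.path.join(root, "bin/sloppy"), hdr + b"x", 0o777)  # world-writable
        _write(os.path.join(root, "etc/motd"), b"Welcome\n", 0o644)  # not ELF, ignored
        before = take_baseline(root)

        # Simulate what a file infector leaves behind: an existing binary
        # grows (constructed filler bytes), a new ELF appears, a mode changes.
        with open(os.path.join(root, "bin/ls"), "ab") as fh:
            fh.write(b"X" * 16)
        _write(os.path.join(root, "bin/dropped"), ELF_MAGIC + b"new", 0o755)
        os.chmod(os.path.join(root, "bin/cat"), 0o700)
        after = take_baseline(root)

        return compare_baselines(before, after), world_writable_executables(root)


if __name__ == "__main__":
    report, writable = demo()
    print("integrity report:", report)
    print("world-writable executables:", writable)
```

In real use the baseline dictionary would be written out (and kept somewhere the checked system cannot rewrite, since a root-level compromise can alter the baseline as easily as the binaries), and `take_baseline` would be run over `/bin`, `/usr/bin` and similar directories on a schedule.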
Publish - suppression will only lead to neurosis (3.75 / 4) (#71)
by bediger on Sat Mar 16, 2002 at 01:06:56 PM EST

All the information in the HOWTO is available all over the web, in books, papers, etc. I've had a Unix virus bibliography out there for years. Source code for various Unix viruses has been published in journals, dissertations, books, CDs and web pages for years - Doug McIlroy's "Virology 101" paper has source code for a sh script virus that's probably a lot more portable than an ELF/x86 virus built from Bartolich's HOWTO.

Has any Unix virus of any stripe gotten a toe-hold? Absolutely not, despite source code, tutorials, and design document availability for years.

Even in the MS-DOS world, the only truly wide-spread viruses and worms have been Word macro, boot sector, Outlook/Exchange and IIS viruses and worms - straight ahead file infectors have never been the threat that "A-V" flacks and newscasters would have us believe.

So why should the Linux (and by extension, open source) community subject itself to the paranoia, persiflage and PR flack from the professional Anti-Virus people? The Anti-Virus Industry is just one of the many neuroses of the Windows world that open source should avoid. Publishing HOWTOs, virus source code, design documents far and wide, and not suffering from even a tiny virus problem is one way of demonstrating freedom from that neurosis.


-- I am Spartacus.
Yes, but show your work! (none / 0) (#82)
by freebird on Mon Mar 18, 2002 at 03:43:08 PM EST

That is, I agree with the majority of the posters; it's as useful/dangerous a reference for an admin as a passwd recovery FAQ, and thus should be published.

BUT:

You've not really addressed the core issue.
Fine, it should be published, but what about the legal and public-opinion consequences?

Most people here clearly don't buy the 'security-through-obscurity' argument, but lots of people in the "Real World" (read: those with access to legal dep'ts) do NOT buy those arguments. Is it possible to:

a) publish the FAQ safely
b) not alienate possible users/customers who aren't well-versed in security philosophy, and will be intimidated by the existence of such a FAQ.

If the answer to both of those questions (and they are separate) is not an unequivocal 'YES' then it's not a question of the 'right' thing to do, but of balancing cost/gain.

Again, I think it should be published, so don't waste time arguing that with me. But I'm really curious about how people think these subtleties are best approached.

...TAGGATC...(etc)

Linux virus writing howto? (none / 0) (#83)
by bazbarfoo on Mon Mar 18, 2002 at 06:21:00 PM EST

Wow! That must be some AI code! A Linux virus is writing a HOWTO? We have enough trouble getting all of the developers to write a HOWTO, and a virus is writing one! Who'd have thunk it?

Red Tape Holds Up New Bridge!

Linux Virus Writing HOWTO | 85 comments (74 topical, 11 editorial, 0 hidden)