Re: Linuxfromscratch.org

[Tom <tom@lemuria.org>]

On Sun, Jul 27, 2003 at 04:13:04PM -0400, Colin Walters wrote:
> That is clever, but it seems to me you'd still have to take into account
> the machine's usage.  Again, none of what you listed above should be
> going to a file server, for example.  

Those were just examples. You can put your stuff into ANY traffic. If
the machine has any outside connections whatsoever, and be they DNS
requests, you have a channel you can use.

> to a development workstation.  So it doesn't seem too unlikely that some
> machine learning based IDS, somewhere, will eventually pick up on it. 
> Once that happens in multiple places, people will get suspicious.
> I guess all I'm saying is that the chances of a trojan going undetected
> for a long period of time approaches nil.

True, but "long period of time" is relative. All you need is enough
time to accomplish your goal. That may be months or seconds, depending
on what the goal is.

Again, we see why SELinux is what it is - all the race conditions and
other timing-based exploits show that "we'll catch them quickly" isn't
enough. Catching them works if you talk about theft or something else
where you can still undo the damage. It doesn't work for murder or
rape. Same in computer security: If you have something where the damage
likely can't be undone, monitoring isn't the correct approach because
it acts too late.


-- 
http://web.lemuria.org/pubkey.html
pub  1024D/2D7A04F5 2002-05-16 Tom Vogt <tom@lemuria.org>
     Key fingerprint = C731 64D1 4BCF 4C20 48A4  29B2 BF01 9FA1 2D7A 04F5

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.