Date: Tue, 29 May 2001 19:55:25 -0400
From: Christian Kuhtz <ck@arch.bellsouth.net>
To: Bigby Findrake <bigby@ephemeron.org>
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: freebsd rootkit
Message-ID: <20010529195525.D24763@ns1.arch.bellsouth.net>
In-Reply-To: <Pine.BSF.4.21.0105291533150.57736-100000@home.ephemeron.org>; from Bigby Findrake on Tue, May 29, 2001 at 03:34:29PM -0700
References: <20010529134040.R98104-100000@awww.jeah.net> <Pine.BSF.4.21.0105291533150.57736-100000@home.ephemeron.org>
On Tue, May 29, 2001 at 03:34:29PM -0700, Bigby Findrake wrote:
> On Tue, 29 May 2001, Chris Byrnes wrote:
>
> > That's not a wise request on a list like this. Backup, format and
> > reinstall.
>
> Why not? Surely you're not suggesting that a rootkit is a bad thing, or
> that no one here would help him find one - wouldn't that be rather silly
> of us?

What would be silly is for one of us to say "here's a rootkit" and then
for him to go thinking that if he cleans those files up, or that only
those are affected, he's safe.

Fact is, rootkits come in many flavors. To think that they're all the
same, or to deduce from one specific rootkit anything which in turn is
deemed to be definitively applicable to every other rootkit, is a very
naive and dangerous proposition.

The best way to clean the mess up is to analyze the situation and take
the safe route (which may include removing the network connection etc.;
and there are some rootkits which go into self-destruct mode when you do
so). If you think for one second that you've been compromised, IMHO,
it's best to err on the side of safety...

My point is that the fundamental approach is not only wrong, but
dangerous for other reasons than simply 'distribution of rootkits'.

There are probably other points to be made here, but these are the ones
that come to mind first and kill the whole idea as far as I'm concerned.

> If we knew where one was, wouldn't it make the most sense to make
> sure that anyone could get their hands on it?

As I stated to you in private email, a rootkit is typically used as a
fairly seriously offensive weapon in information warfare. Because we
have a few maniacs in our society doesn't mean we arm everybody with
automagic rifles, mortars and the like.

But, that's beside the point when you consider the flawed fundamentals
of the original poster's approach. Instead, it would've been more
helpful if he had inquired as to what rootkits typically do and what
sort of things to look for.

In fact, if you can't figure out on your own if you have a rootkit, what
in the world makes you think you can figure out exhaustively what it
does when someone hands it to you??

> Isn't that (among other
> ways) how open software advances?

Give me a break. ;) This has *NOTHING* to do with open software.
Rootkits are not limited to open software and there's absolutely no
definitive link between them. Because they happen to occur in the same
place on occasion doesn't mean they're related.

> I can't count the number of times I've
> seen security people make the argument that everyone should own lockpicks.

Well, and there's probably at least as many people arguing the opposite.

PS: I'm not defending either side in this thread, just adding my own
$.03.

Cheers,

--
Christian Kuhtz <ck@arch.bellsouth.net> -wk, <ck@gnu.org> -hm
Sr. Architect, Engineering & Architecture, BellSouth.net, Atlanta, GA, U.S.
"I speak for myself only."

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message