[TriLUG] spyware

sholton sholton at mindspring.com
Sat Apr 17 09:00:32 EDT 2004


>On Fri, 2004-04-16 at 15:25, Mike M wrote:

>Well, decide right now, how paranoid you need to be.

It's useful, in discussions such as these, to consider the
challenge from the mal-ware writer's point of view.

There are different strategies if I am targeting you or 
if I am targeting 'just anyone'.

If I can get you to install an untrusted software on your 
(otherwise secure) system, then I can probably get you.
Even if I give you the source, you're unlikely to go 
through every line before running make.

I would be limited to the privileges of the account you used to
install my stuff. In this respect, IMHO, we (computer users in 
general, and *NIX users (who would like to believe they know 
better) in particular) need to be more diligent.

(If you don't need to be root to play music on your system,
why should you need to be root to install the player?)

The rule here, then, is a combination of 
a) only install software from people you trust
b) don't become a target.

If I'm targeting 'just anyone' then it's a problem of trying
to sneak a compromise into someone else's "trusted" source.

This is not as easy as it might seem. Every time you want
to make a change to anything widely used, somebody's gonna
complain that you broke their stuff.  Even if your change is 
completely legitimate.

(There's a stoopid problem in lance.c I've been trying to get
fixed for years; basically anything from HP which uses lance.c
gets treated as if it were a Vectra, whether it actually is 
or not. But trying to locate an 'authorized maintainer' and
get a fix into place (and accepted) is darn near impossible)

In this respect, the open nature of Open Source makes it hard 
to get a compromise into a place where it would be trusted.

And then there's the whole problem of getting it distributed.
If I snuck a compromise into the next version of a popular
distro (like RedHat, or Debian, or Knoppix), how many TriLuggers
would never see it because they never use that distro? 

If we took a poll of kernel versions actively on systems today,
I'd bet we wouldn't find more than 10% coherence. I've got a 
2.4.18, a 2.2.?, a <whatever is on Knoppix 2.3> myself.
Perhaps others are better at upgrading than I.
In this respect generally, managing non-Windows users is a 
lot like herding cats.  In some cases that really sucks, 
especially if you're trying to gain control over them.

But some people like it that way.

>4) You're all against me, aren't you?  Burn your license.  Your $20
>bills have RFID chips in them.  Only trade using precious metals that
>you've smelted yourself, paper that you've made yourself, use only
>quills that you've plucked yourself.

On the other hand, if anyone needs self-plucked quills,
let me know.  I've got Narragansett (Turkey), New Hampshire Red 
(Chicken) and Silky (Bantam) available....
 

-- 
Innovation is a wildflower; you cannot choose where it will blossom,
you can only choose where it won't.

sholton at mindspring.com




