[rescue] NeWS

Peter Corlett abuse at cabal.org.uk
Fri Feb 3 10:30:41 CST 2006

Charles Shannon Hendrix <shannon at widomaker.com> wrote:
> I can check just about everything on my UNIX boxes very quickly,
> including checking for unwanted kernel bits. I admit part of that is
> simply because that's what I've used for years, but some of it is
> also because it is a cleaner and more consistent system.

I've had to delouse a few crufty old Linux boxes that nobody bothered
to harden or admin over many years, and a fairly standard technique
the crackers use is to install a kernel module that hides itself and
whatever they want to do.

Obviously, if their rootkit was completely undetectable, it wouldn't
actually serve any purpose to the cracker since doing useful work
makes it detectable.

> If people started having to install games as root on UNIX, they'd
> probably start using wrappers that protected the kernel and other
> bits that didn't need touching.

Sure, but how do you protect the kernel from X, which only nominally
runs in userspace but has full access to pretty much everything in

> Incidentally: I never hear anything about issues like this for MacOS
> X. Is it just not popular enough yet?

It's more solid out of the box than Windows is, but whoever installs
the OS (or at least accepts the license agreement on a virgin Mac)
will end up being an administrator. Administrator on OSX grants
read-write access to various system folders, but is not root. Gaining
root is normally done via sudo or the GUI equivalent on an as-needed
basis, or if you hack the OS and explicitly enable root logins. (I
did. It's useful.)

It seems no worse than a competently-configured Linux box.

Ultimately, I don't worry if I've given somebody an account on one of
my Linux or OSX boxes, because they can't cause any real damage beyond
their own account. I don't let people access my Windows box because I
just know they'll manage to get it owned somehow.

I mainly treat Windows as a curiously-heavyweight embedded system for
controlling some obscure bits of hardware. It doesn't get used for
general-purpose computing.

PGP key ID E85DC776 - finger abuse at mooli.org.uk for full key
