Stewart Stremler wrote:
> (The counter response seems to be 'well, the user does not have any
> useful data anyway', but that's insulting to the user and arrogant
> on our part. Tell a prospective Linux user that their data isn't

Actually, I haven't seen anyone make this response.

> When you check for a compromised system, you _ought_ to do so by booting
> from clean media; if you trust anything on the potentially compromised
> disk, you're fooling yourself. Failure to find evidence using
> potentially compromised tools is not proof; neither is it all that
> compelling as an indication.

Failure to find evidence is not proof, but when you DO find evidence of
a compromise it is proof. I like to be able to log in to a box, notice
the bogus processes or files or other activity, and save myself the
hassle of having to periodically boot off other media to see if the box
has been owned. How does one initially discover that a box has been
compromised? By noticing some suspicious activity. If the attacker is
given root straight off, it will be much easier for him to hide his
activity, and you will not be given the chance to notice.

> Plus, if you compromise the only user-account on the system, you can
> also hide the evidence from _that_ user -- so you're right back in the
> situation where running as root isn't any different than not.

You could, but I've never seen it happen. I have seen people get into
the apache uid but not make it to root also.

-- 
Tracy R Reed
http://[EMAIL PROTECTED]

-- 
[email protected]
http://www.kernel-panic.org/cgi-bin/mailman/listinfo/kplug-list
