On Thu, Jun 14, 2001 at 04:15:18PM -0700, Titus D. Winters wrote:
> Why not? If someone finds a way to defeat a module, doesn't it help
> if they can't be sure the module is what is actually running in the
> first place?

This is of dubious security value. Small-time crackers are liable to try script after script after script... Big-time crackers are liable to know what modules are in place on their target systems with or without the module lying about its presence.

> And if the blackhats already are doing it (which I'll look into, in
> case this proposal is torpedoed) then we aren't really providing any
> extra power to the bad guys.

The Bad Guys do it in the hopes that an admin will try the obvious few things that come to mind when feeling suspicious; seeing normal responses from the several ways the admin can think of to check for loaded modules, most admins will just go away.

This is very different from what we have to provide (as module implementors), which is strong security no matter what the attacker thinks the box looks like.

However, the ability may be convenient for honeypot builders. And they are free to use the methods in phrack (or of their own devising :) to hide their modules as best they can.

Honestly, I wouldn't worry about it too much. :)

_______________________________________________
linux-security-module mailing list
linux-security-moduleat_private
http://mail.wirex.com/mailman/listinfo/linux-security-module