funsec mailing list archives
Re: idea
From: Rich Kulawiec <rsk () gsp org>
Date: Sun, 4 Jan 2009 08:27:39 -0500
On Sat, Jan 03, 2009 at 04:27:03PM -0700, Ben Li wrote:
> It would be great to have that as a problem, since that means the AV app is running on the infected machine. If I can get my resolver on to the infected machine, I can also get an AV app on to the machine.
None of which matters. A compromised machine is enemy territory. It no longer belongs to its putative owner, and everything it does from that point forward is done at the pleasure of its new owners. [1] Nothing it does can be trusted. So it doesn't matter how clever you (or anyone else) are with AV apps and resolvers and DNSSEC and everything else. You cannot overcome this no matter what you do, because you cannot guarantee that the system is actually executing the instructions you intend it to execute. (Note that it's quite capable of doing one thing and claiming to do another. [2]) You can *hope* it's executing the instructions you want it to, but "hope" is a poor security strategy.

There is only one fix for this: wipe and reinstall.

---Rsk

[1] I use the plural because systems which are leased out in bulk might have a succession of new owners.

[2] I think it's only a matter of time until malware takes advantage of virtualization technology to create an instance of the host OS and sandbox the former owner into it, while maintaining control of the "real" OS. "But my machine isn't infected" the former owner will say, and in a virtual sense, he/she will be correct. This is yet another reason why wipe-and-reboot-from-known-good-media is essential.

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.