
Re: How real root kits run. (was: Re: Root Kit Protection)



Hi Ethan, thanks for the reply.

On Wed, Feb 16, 2000 at 10:20:37PM -0900, Ethan Benson wrote:
> the `false sense of security' argument can go too far IMO, while I
> agree this solution does not provide complete protection nor complete
> security (there is no such thing) it does take care of many security
> problems, I would guess that most script kiddy root kits do not go so
> far as to modify the kernel and whatnot..  (I could be wrong)

We agree, except I was noting that although permissions, the login
program, &c., do explicit things and have limitations that anyone can 
figure out, and this proposed program has the same explicit actions, but
people's excitement caused me to think that people didn't understand the
limitations of it.  

``It won't detect all break-ins, and here's { 1)foo, 2)bar, 3)baz, 4)quux, 
...} are the ways a break-in won't be detected.'' should be bonked over 
the head of anyone who wants to use this to detect break-ins.

That's all of my point.

							- chad


PS
Maybe I should ``intent-to-package'' one of these root-kits.  Ha!

