
Re: [News] US Submarine Hit by Malware

flyer wrote:

> 
> If the computer dependent don't wake up soon to the threat invoked by
> using Microsoft code, there will be more than just the internet crashing.
> Windows could end up the very cause of a gaping hole in the defences of
> an entire nation. People are such a folly sometimes.
> 
> A friend of mine drives a Dodge truck. A tiny chip went bad resulting in
> a useless transmission. Using windows on any networked machine is just
> asking for this sort of thing on a larger scale.

I was tempted to agree with you, but this time I can't. 

The man had to carry the malware in to install it, these days with tiny
keyfobs and maybe even using the SD card on a phone, it is very easy for
people to walk in and load this stuff, just as easy for them to walk out
with information too, of course.

This one can't really be blamed on MS, had he been on a Linux terminal then
he still could have installed malware, within the confines of his user, or
as is often the case with contract programmers, within the confines of his
project admin area. If the purpose of malware is to gather information
about the system itself, then it could gather a great deal. It might even
have been possible to hook onto the users in his admin area and gather
information off them, but that depends on the setup of course, but if he is
the admin of the project then he could have done that.

Had the system been UNIX workstations or Linux, then would the problem have
been lessened? Well as a user on a Linux, assuming nothing daft has been
done with user's access, such as Suse's putting everyone into the user
group and putting everything in /home in that group, then could I still
load something that would be a threat to security?

Well, yes I could, limited threat but still a threat. For example, as your
normal Linux user just have a look at the amount of information you can
gather about the system right down as far as the first admin level, in our
case 'root'. 

First there is a partial map, your computer is linked to others through
ssh/nfs etc, you can see those. You can gather a great deal from /proc. You
have access to network information tools. OK, it is information gathering
rather than data trawling, but for hackers from outside that information
can help them search for a weak spot.

Data trawling, well of course that is only in the user's area and areas that
he has read access to. 

I don't know how the US military system is set up, but programming on UNIX,
you were always in a user space in the development part. If the project
required manipulation of admin features, then you were in a change rooted
area for developing and testing so that you have an admin level to work in.
But at some point, assuming the UNIX you are on is the target for your
software, then you have to test it on the main live system. That is the
first time you get that level of access. But I have to say that hasn't
always been the case, sometimes the company IT who you were doing the
contract for would just give you a low level admin access and leave you to
get on with it.

The damage I could have done in banks and building societies at one time was
potentially huge. Then at the other extreme you had the likes of Lloyds
where almost every line of code would flag up an access denied error
requiring duplicate signed dockets from the chief admin of the bank to
allow you to include that line of code, bit of an exaggeration there, only a
bit though.

I have also worked in the MOD and I did often have a great deal more access
than my project required. I think that was often because the admin didn't
know how to do it differently, 'you're an admin or you're a user mate I don't
have nothing else' (always followed by a tut as if you are stupid for
asking).

It's like the man said, at some point you have to let the developer in to do
his work and when you do there is always going to be a risk. 

Personally I don't agree with him.

Yours Sincerely
Burgess, Blunt and Maclean Ltd
KGB
Moscow


