From: Theodore Tso <tytso@mit.edu>
To: "Jörn Engel" <joern@wohnheim.fh-wedel.de>
Cc: KaiGai Kohei <kaigai@kaigai.gr.jp>,
	linux-mtd@lists.infradead.org,
	David Woodhouse <dwmw2@infradead.org>,
	KaiGai Kohei <kaigai@ak.jp.nec.com>
Subject: Re: JFFS2/xattr problems.
Date: Wed, 14 Jun 2006 17:58:35 -0400
Message-ID: <20060614215835.GA5983@thunk.org>
In-Reply-To: <20060613141317.GB30066@wohnheim.fh-wedel.de>

On Tue, Jun 13, 2006 at 04:13:17PM +0200, Jörn Engel wrote:
> On Tue, 13 June 2006 22:36:59 +0900, KaiGai Kohei wrote:
> > 
> > >Seems you missed Ted's presentation at LCA this year.  Among the
> > >interesting bits:
> > 
> > If this presentation is public, could you tell me the URL?
> > This indication is highly suggestive for me.
> > Especially, I have not yet imagined the possibility that
> > malware uses xattr to hide itself.
> 
> I can only find the abstract:
> http://lca2006.linux.org.au/abstract.php?id=384
> 
> [ adding Ted to Cc: ]
> 
> Ted, do you still have your foils and can you make them available?  Kaigai-san
> is working on an xattr implementation for jffs2.

Sure, here you go (see attached)

> > >o The biggest user of Alternate Streams (less-limited versions of
> > >  xattr on Windows, Solaris, etc.) arguably is root kits.  Alternate
> > >  Streams have the advantage that tripwire etc. don't understand them
> > >  and won't look for malware there.
> > >o Some system administrators have no plans to upgrade to Solaris 9
> > >  ever, because it supports Alternate Streams.  The trouble of hidden
> > >  malware is not worth the gains.
> > >
> > >Notable was also that Ted repeated the last two points in several
> > >variations.  Not sure if I would follow his line of thought 100%, but
> > >he does have a point.

See the article referenced in the slide, "Alternate Data Streams:
Threat or Menace?"

	http://www.awprofessional.com/articles/article.asp?p=413685

(I love the title.  "Threat or Menace?"  "Menace or Threat?"  Or, to
take a line from an old Bugs Bunny/Daffy Duck cartoon, "You got me
dead to rights, Doc.  Would you like to shoot him now or shoot him
later?"  :-)

						- Ted

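The hiding place the quoted slide points describe (payload stashed in an xattr or alternate stream that content-only integrity checkers never read) as an added defensive illustration, not code from this thread or from the JFFS2 work: a baseline entry that digests extended attributes alongside file contents, so a change hidden in an xattr still alters the record. All function names are constructed; the listxattr/getxattr hooks default to os.listxattr/os.getxattr (Linux), and the demo passes in fakes so it runs on any filesystem.

```python
import hashlib
import os
import tempfile
from typing import Callable, Dict, Iterable, List

# Constructed helper names (not from the thread). Real xattr access uses
# os.listxattr/os.getxattr on Linux; the hooks let demo() run without a
# filesystem that supports user.* xattrs.
ListXattr = Callable[[str], Iterable[str]]
GetXattr = Callable[[str, str], bytes]


def content_digest(path: str) -> str:
    """SHA-256 of file contents only: all a naive checker records."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def xattr_digest(path: str, listxattr: ListXattr, getxattr: GetXattr) -> str:
    """SHA-256 over every xattr, sorted by name and length-prefixed so that
    ("a", b"bc") and ("ab", b"c") cannot collide."""
    h = hashlib.sha256()
    for name in sorted(listxattr(path)):
        nb, value = name.encode(), getxattr(path, name)
        h.update(len(nb).to_bytes(4, "big") + nb)
        h.update(len(value).to_bytes(4, "big") + value)
    return h.hexdigest()


def manifest_entry(path: str, listxattr: ListXattr = None,
                   getxattr: GetXattr = None) -> Dict[str, str]:
    """Baseline record: content digest plus a separate xattr digest."""
    listxattr = os.listxattr if listxattr is None else listxattr  # Linux only
    getxattr = os.getxattr if getxattr is None else getxattr
    return {"content": content_digest(path),
            "xattrs": xattr_digest(path, listxattr, getxattr)}


def changed_fields(baseline: Dict[str, str], current: Dict[str, str]) -> List[str]:
    return [k for k in baseline if baseline[k] != current[k]]


def demo():
    """Same bytes, payload added as an xattr: content hash silent, xattr hash not."""
    with tempfile.NamedTemporaryFile(delete=False) as f:
        f.write(b"#!/bin/sh\necho hello\n")   # constructed sample file
        path = f.name
    try:
        clean = manifest_entry(path, lambda p: [], lambda p, n: b"")
        hidden = {"user.notes": b"constructed sample payload"}   # fake xattr
        tampered = manifest_entry(path, lambda p: list(hidden), lambda p, n: hidden[n])
    finally:
        os.unlink(path)
    return clean, tampered, changed_fields(clean, tampered)
```

A checker that stores only the content digest reports the tampered file as unchanged; recording the xattr digest as a separate field also tells you which part moved.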