[Gllug] Hacker Attack

Mike Brodbelt mike at coruscant.demon.co.uk
Thu Jan 12 01:13:32 UTC 2006


On Thu, 2006-01-12 at 00:01 +0000, Bruce Richardson wrote:

> Well, even where a kernel was built using kernel-package, it isn't
> necessarily easy to tell precisely how it was built just from
> /boot/config and the auto-generated files in
> /usr/share/doc/kernel-image.  Any number of gruesome and unstable
> patches might have been applied with little or no external evidence.

Yes - odd patches are a nightmare.

> Stripped-down kernels built with no documentation *and* no support for
> modules (and, of course, no thought of a recovery strategy) are a
> special joy when the old hardware they were built on breaks.  Put the
> hard drive into something else and it won't boot.  Add a new kernel and
> it will boot but you now can't see how the old system was functioning.

I have a set of recovery disks I try to keep updated to solve that one.
Of course when I upgrade a kernel for security reasons, I don't always
have the time to update and test the recovery disks there and then......

> Then there is the "spare kernel", where some bright boy installs a new
> kernel on a system without doing anything to verify that it is suitable.
> Does it provide all the required features?  Will it even boot?  Nobody
> knows, but the magic of package management and automatically managed
> grub configuration is likely to have made it the default kernel and a
> lovely surprise for somebody at some unknown point in the future.

I don't do that one, though I have been bitten by it in the past.

<snip>

> problem.  The IT industry being what it is, many of them are in
> well-paid Sysadmin jobs.

One of the worst bits of sysadmin is all the stuff that should be done
to provide a robust environment that makes no perceptible difference
(until something blows up), but takes up a lot of time. With our XP
workstations, all software gets installed centrally from MSI packages.
Software that doesn't come as an MSI gets repackaged. This means we can
replace a user's machine very easily, as the OS, patches and all their
software can be installed on a fresh box in less than half an hour. They
don't appreciate why we package stuff though - they just think it's a
pain because they can't install the software on every junk screensaver
CD they get in the post. It takes a lot longer to do things properly
than it does to just wing it, and many people aren't willing to put in
the time and effort (or in the case of management, to allow their staff
to put in the time and effort).

> Rolling custom kernels can give very definite benefits if done with
> some thought.  Building custom application installs from source is less
> often useful (most distributions provide perfectly good packages that
> not only do the job but are usefully integrated with the rest of the
> system)

I used to build some stuff from source, for small gains. These days I do
it reluctantly, and only if necessary. Where I do it at all, I
build .debs and install from them, and I mark them with a version suffix.
Recent examples were things like Amanda (where the binary packages
didn't support xfsdump), Cyrus 2.0 (which never had Debian packages),
and sendmail (where I wanted different compile options, and also just
loathe the maintainer's version so much I can't put up with it).

<snip>

> Unfortunately, these things are done all the time by people who have
> given it no thought at all but who do it on principle, because they
> think that a) these activities have intrinsic value and b) that it shows
> how skilled they are.

One day they'll have to pick up after someone with the same attitude....

Mike

