
I guess it depends. In the grandma scenario it adds a lot more effort. A corporate laptop in a standard AD environment, no problem. In a situation where you've customized the system (custom packages, sshd.conf tuning, flags in rc/csh/sysctl/resolv/loader/randomsbinutilityinstalled2yearsago.conf) it would be a lot more work than just reinstalling the OS. Use backups you say? What if I told you that you could use the very same backups to rollback changes to the user's home directory, in 5 minutes, and not have to reimage the entire machine? I'm just saying: even on a single user setup - there is a world of difference in what options you have open to you, depending upon whether you let the malware hit ring 0 or not.



Not sure why anyone with a compromised machine would rather have the risk of a lingering backdoor just to save 1-2 hours of clean formatting and reinstalling.


Because unless an unknown method of privilege elevation was used, it doesn't make sense. Do you throw a pinch of table salt over your shoulder as well? It also has a very strong Microsoft smell to it, where instead of doing root cause analysis on why Windows is misbehaving - you just reboot and cross your fingers.


> Because unless an unknown method of privilege elevation was used

You seem to think that is unlikely. Why? New privesc bugs are found on a monthly basis in Linux and Windows. Does Grandma stay on top of kernel patches?

Nobody who does sandbox security (hint: I do sandbox security) thinks UID separation is sufficient to cordon malware anymore.


> You seem to think that is unlikely. Why?

Because of the single-user PC context. I've never seen a dropper that didn't have ring 0 later pull down a payload that escalated privilege. I'm not saying that it isn't possible, but at best it is very uncommon. I understand the better-safe-than-sorry position, but with the context in mind, what safety are you getting by just assuming UID separation failed and going through the rigmarole of reinstallation? The user data has already been exposed.

I just don't agree with the simplified decision tree of "Infected --> reinstall", which disregards your work in sandboxing. Why should I even bother with the additional complexity of capability mode in my software, if we're all just assuming our defense has no depth.


> I've never seen a dropper that didn't have ring 0 later pull down a payload that escalated privilege.

Probably because it isn't very useful to the attacker. Pwning the single user's account is sufficient. But I wouldn't bet on that being the case if it happened to me.

> what safety are you getting by just assuming UID separation failed and going through the rigmarole of reinstallation? The user data has already been exposed.

Most user data is not executable, so can probably safely be copied over. But if you don't wipe all executable software on the system it's hard to tell if some of it is still infected.

> Why should I even bother with the additional complexity of capability mode in my software, if we're all just assuming our defense has no depth.

Well, I'm talking about today's legacy desktop (and, to some extent, server) OSs, which have not prioritized user isolation because it hasn't really mattered ever since people stopped using timeshare systems.

Modern OSs that sandbox applications (e.g. ChromeOS, Android, iOS) are another story. I would expect that one Android app being malicious does not mean you have to wipe your phone, just uninstall the app. I would expect that ChromeOS can even recover from a full sandbox breakout, given secure boot.

But I don't trust Linux, Windows, or Mac OS desktops to be suitably hardened nor able to recover. And as wiping the whole system does not add very much cost over the cost of wiping the user account, it seems to me worth it to go all the way.
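The "hard to tell if some of it is still infected" point above is exactly the case a baseline integrity manifest addresses: without a record of what the executables looked like before the compromise, there is nothing to compare against. The following is an added example, not code from this thread or from any of the systems mentioned in it. It builds a SHA-256 manifest of every executable file under a root, then reports executables that were modified, removed, or newly appeared; non-executable user data is deliberately ignored, matching the comment's distinction. The sample directory tree, the file names under it, and the simulated tampering are all constructed here for the demonstration.

```python
"""Baseline-and-verify check for executables (added example, constructed data).

build_manifest() records a SHA-256 digest for each executable regular file
under a root; verify() diffs a later scan against that manifest.  demo()
creates a throwaway tree, takes a baseline, simulates tampering, and returns
the verification report.
"""
import hashlib
import os
import stat
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large binaries are not read at once."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def is_executable(path: Path) -> bool:
    """True for regular files with any execute bit set (POSIX mode bits assumed)."""
    st = path.lstat()
    exec_bits = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH
    return stat.S_ISREG(st.st_mode) and bool(st.st_mode & exec_bits)


def build_manifest(root: Path) -> dict:
    """Map each executable's root-relative path to its SHA-256 digest."""
    manifest = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            if is_executable(p):
                manifest[str(p.relative_to(root))] = sha256_file(p)
    return manifest


def verify(root: Path, manifest: dict) -> dict:
    """Compare the tree against a baseline; lists are sorted for stable output."""
    current = build_manifest(root)
    return {
        "modified": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
        "missing": sorted(k for k in manifest if k not in current),
        "unexpected": sorted(k for k in current if k not in manifest),
    }


def _write(path: Path, data: bytes, exe: bool) -> None:
    """Helper for the constructed sample tree."""
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_bytes(data)
    path.chmod(0o755 if exe else 0o644)


def demo() -> dict:
    """Baseline a constructed tree, tamper with it, and return verify()'s report."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # Constructed sample: two "system" executables and one non-executable data file.
        _write(root / "bin" / "ls", b"#!/bin/sh\necho ls\n", exe=True)
        _write(root / "bin" / "cat", b"#!/bin/sh\necho cat\n", exe=True)
        _write(root / "home" / "notes.txt", b"shopping list\n", exe=False)

        baseline = build_manifest(root)

        # Simulated post-compromise state (constructed, not a real sample):
        # one executable altered, one removed, one new executable dropped in
        # user space, and user data edited (which must NOT be flagged).
        _write(root / "bin" / "ls", b"#!/bin/sh\necho ls\n# appended\n", exe=True)
        (root / "bin" / "cat").unlink()
        _write(root / "home" / ".cache" / "update", b"#!/bin/sh\ntrue\n", exe=True)
        _write(root / "home" / "notes.txt", b"shopping list, milk\n", exe=False)

        return verify(root, baseline)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

The baseline only has value if it was taken before the compromise and stored where the compromised account could not rewrite it; a manifest living in the same home directory as the malware is no better than no manifest at all. Package-manager verification (for example, a distribution's own file-digest database) plays the same role for the vendor-supplied portion of the system, which is why the comment's "wipe everything executable" advice is the fallback when no trustworthy baseline exists.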


> Probably because it isn't very useful to the attacker.

Ring 0 is really important for building a botnet, which provides a very real incentive for the folks that actually write the droppers. Ideally (for the botnet owner) they establish persistence, then sell access by directing the bots to download additional malware under the control of botnet customers. Long story short: you don't get paid as much if you don't have ring 0.

> Most user data is not executable...

I was speaking from the perspective of the real purpose behind all this, protecting user data - and that the horse is already out of the barn. As far as cleanup, you are presupposing a loss of ring 0. If ring 0 is secure then killing all the user processes and performing a snapshot rollback of user space will definitely clear the malware.

> Well, I'm talking about today's legacy...

Ah, well then I agree. If your platform does not have user isolation, then you shouldn't rely on user isolation for security.

> And as wiping the whole system does not add very much cost...

Well, we've got a catch-22, because implementing security practices that do harden the system adds a lot more cost to a ham-fisted wipe. For example: on my laptop I've got five jails, a maze of netgraph nodes that result in a complex ruleset, host IPS, Kerberos authentication and authorization, encrypted filesystems, close integration with TPM and various certificate-based credentials. Just assuming that none of that works and doing a system wipe is a lot more work than simply popping in the latest Ubuntu DVD ISO... consider the labor of rekeying alone.

So the advice to do a system wipe isn't bad, but it should be prefixed with: "If you've made no effort to secure your system and are completely relying upon the distro provider for security".


Sure, if you've set all that up and know what you're doing, then you're in a position to make your own judgment call and maybe you don't need to wipe the system. Earlier we were talking about "grandma" which I assumed was a metaphor for "person who doesn't know computers".


> Earlier we were talking about "grandma"...

Don't forget the grandson part of the metaphor; he is the one who will be making that judgement call. Do you remember how everybody would blow into the Nintendo cartridges, even after Nintendo explained why it was a bad idea? I have a feeling that helpdesk folks will continue to advise a system wipe, even if you're running the latest Windows 25 with its formally proven microkernel... just to be safe.


Me neither, but there's a whole industry of software for Windows users that promises to remove malware.
