Mythic Monday – Medusa and Immutability
- At March 23, 2009
- By Josh More
- In Mythology
Most people these days know at least part of the tale of Medusa. You know that she had snakes for hair and that everything she looked at turned to stone. Well, unless you’re big into gender theory, you can ignore the rest (at least for the purposes of this post), because today we’re going to talk about stone.
Throughout myth, stone is often viewed as unchangeable. Even in this modern day, we have phrases like “etched in stone” and stories of the weeping angels. Despite the obvious fact that it’s not true, we tend to think of stone as permanent. After all, making it otherwise requires special tools and/or special skill. In everyday experience, something that is made of stone is going to stay that way forever.
If only there were a way to apply the same concept to business security.
Granted, in many cases, you wouldn’t want this. Security should be reactive and responsive. As stable as stone may be, very few people would call it highly responsive. (Amusingly, as I write this, reports of the eruptions of Redoubt and Tonga are just coming in.) However, it would be nice if you could effectively lock certain changes into stone, rendering them immutable.
Well, you can. Most systems have access rights that can be tuned. If you configure them correctly, only the right people will be able to write to those files. In effect, it’s like the computer has a special Medusa inside it that can turn files into stone for most people. This is a basic aspect of system hardening. If an attacker cannot write to a file, they can’t make changes, and you’re better off.
Ah, but what if you’re one of those Greek heroes for whom the computer’s Medusa doesn’t work? Shouldn’t you have the ability to ask Medusa to lock your files so that even you can’t change them?
Well, once again, you can do this. Most Linux systems have what are called extended file permissions that, strangely enough, are generally only used by attackers. In addition to the basic read/write/execute (in this case, “execute” means “run”, not “stalk with mirrored shield, cut off head and cause the birthing of the pegasus”), you get special magic powers such as:
- Make immutable
- Make undeletable
- Make appendable-only
Thus, you can create a configuration that is readable and works just fine, but is completely unchangeable unless you are the admin of the server and you know the extra level of protection. Now, it’s not a panacea by any means, but one more layer of protection keeps out one more class of attacks... and that’s a win.
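On Linux these three powers are file attributes, set with `chattr` and listed with `lsattr` (both from e2fsprogs). The script below is an added example, not part of the original post: it sets the immutable and append-only flags and audits `lsattr` output for files carrying any of the three, which is worth running because a flag you did not set yourself deserves a second look. The function names and the sample listing are made up for illustration.

```shell
#!/bin/sh
# Added example. Setting +i or +a needs root (CAP_LINUX_IMMUTABLE) and a
# filesystem that supports the flag. chattr accepts "u" (undeletable), but
# ext2/3/4 do not honor it, so only i and a are set here.

# Turn a finished config file to stone: it cannot be written, renamed or
# deleted, even by root, until the flag is cleared with `chattr -i`.
lock_config() { chattr +i "$1"; }

# Let a log grow while refusing truncation or rewriting of existing data.
lock_log() { chattr +a "$1"; }

# Read `lsattr` output on stdin and print "<flags> <path>" for every file
# that carries i (immutable), a (append-only) or u (undeletable).
audit_attrs() {
    awk '{
        attrs = $1
        path = $0
        sub(/^[^ \t]+[ \t]+/, "", path)   # keep paths containing spaces whole
        hit = ""
        if (index(attrs, "i")) hit = hit "i"
        if (index(attrs, "a")) hit = hit "a"
        if (index(attrs, "u")) hit = hit "u"
        if (hit != "") print hit, path
    }'
}

# Constructed sample of `lsattr` output (not taken from a real host).
sample_lsattr() {
cat <<'EOF'
--------------e------- /etc/hostname
----i---------e------- /etc/ssh/sshd_config
-----a--------e------- /var/log/auth.log
----i---------e------- /usr/local/bin/helper
EOF
}

# Prints the three flagged files from the sample; on a real system feed it
# `lsattr -R /etc 2>/dev/null` instead.
sample_lsattr | audit_attrs
```

Compare the audit output against the list of files you locked on purpose; anything extra was flagged by someone else.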
For more information:
Paul
I was shocked to learn how few people actually do know Medusa and other common tales that most of us take for granted. (And these statistics are from well-educated people.)
http://scienceblogs.com/cognitivedaily/2009/03/casual_fridays_generation_gap.php
good points, though.
Josh
That was an interesting article, and like many of the commentators over there, I’m not terribly surprised. I had hoped that Medusa was still part of our common culture, but I suppose I could be wrong. I know that when Neil Gaiman wanted to do an Orpheus story in Sandman, he realized that he had to basically retell the entire story, because most people wouldn’t catch the allusions.
Society morphs as time goes by, and the common culture milestones become decreasingly common. I think that this is OK and just how things go. However, I hope that posts like the Mythic Mondays approach security from an interesting angle as well as potentially introducing readers to stories that they might not be too familiar with. (Thus far, they’ve been Greek-heavy, but that’s not going to last, believe you me :) I try to identify the particularly weird ones and give a bit more context. I don’t know how well I’m doing at that yet, time will tell.
I am certain that there are some very interesting security lessons to be learned from more modern sources like movies and video games. However, I am simply not familiar enough with those sources to write about them. Maybe someone else (someone younger?) will pick up that torch.
moso bamboo lover
Hi, I can't understand how to add your site in my RSS reader, help please :)
Josh
@moso bamboo lover
You should just be able to add http://feeds.feedburner.com/starmind-blog . This can either be directly, or you can click on the orange RSS icon in the address bar in Firefox. If you hover over the orange RSS logo at the top right of the page, it should display some common newsreaders. If none of those are what you use, just clicking on the orange RSS icon itself should work just fine.
Bette Stotelmyer
So it would seem. The more layers of security, the fewer attackers there will be in that class of skill willing to spend their time.
Jim P.
About video games, from a player’s point of view, there aren’t any actual security risks unless it’s a game master hacking you or you provide your log in info to some websites. There are keyloggers though, but that’s only something to be careful with if one plays in internet cafes.