Domain: attrition.org
Stories and comments across the archive that link to attrition.org.
Comments · 361
-
Re:This needs to be investigated by the Feds ASAP
I would humbly suggest that you drop the anti-government conspiracy theories and pay attention to facts.
Here's your facts, mister. As the Attrition rant notes, petty vandalism has been going on pretty constantly for a while now. The tone of it has changed, slightly, now that the vandals are making the news, but what you're seeing now really isn't significantly different, in volume or content, from what it has been for a while now.
To the extent that the reporter talks about the increase in Chinese attacks during the timeframe in question, the reporter is wrong. There was no such increase. There were $foohundred attacks then. There were also $foohundred attacks the month before, and there were $foohundred attacks the month after. Big deal.
Not all vapid propaganda has to come from big brother...
-
Two can play that game
[ http://www.microsoft.com/presspass/press/2001/jun01/06-04UshersPR.asp ] "Windows XP offers an easy-to-use, real-time communication experience, enabling people to communicate and connect like never before," said Bill Gates, chairman and chief software architect for Microsoft.
The above is a parody, and isn't necessarily meant to harm the company in question. Just in case you couldn't notice...
-
On the use of "FUD"
Just an OT pet peeve... "FUD" stands for "Fear, Uncertainty and Doubt." It is a term for a particular type of propaganda, not a general term for all lies, exaggerations, cluelessness, and deceit. -
Who cares?
So what? A couple of $kr1pt k1dd13z with too much time on their hands managed to deface a couple of websites. Big deal.
I had hoped that, in the absence of the attrition.org mirror, the k1dd13z might put away their sploits and go back to playing with their GameBoys (or whatever it is that 14 year-olds do these days).
I'm dismayed to see a non-event like this being given space on Slashdot. "Stuff that matters", right? This doesn't make the cut.
My $.02 worth.
~~~~~~~~~~~~~~~ -
Windows 2000 secure? Yah, right...
Those graphs are very misleading, because they lump NT4 in with Windows 2000. It is widely known that NT4 had serious issues, which isn't surprising, since it was designed prior to the real internet explosion -- IIS was originally an add-on.
That's a ridiculous argument. Regardless of what it was originally designed for, Microsoft ended up selling NT4 as an Internet server OS. If, as you readily admit, it had serious issues, then why were they promoting it as a premium Internet-capable OS in the first place? Further, when the server technology changes again in the future (and believe me, it will), how can you possibly trust Microsoft to get it right given the mess they made of transitioning NT4 to the Internet and webserving?
Second, I should point out that Linux, and indeed every other Unix and Unix-alike, was designed before the 'real internet explosion' too. Indeed, if you trace back the lineage of 'proper' Unix, it was around when the internet was just being born, and many years before the arrival of TCP/IP, let alone HTTP. A webserver is still an add-on for most Unices and yet they seem to be able to cope quite adequately and securely with it.
Third, all the other OS stats combine current and previous versions of the OS together. Given that Windows 2000 is merely NT5, why should it get any different treatment?
Finally, go have a look at Attrition's website defacement stats for May 2001 so far (although Attrition are no longer mirroring defaced websites, they are still compiling statistics on defacements). Here NT and Windows 2000 are treated separately. You will notice that although NT is by far the most defaced, Windows 2000 comes second with some 29.55% of all defacings (all this information correct at time of writing). This compares to a total of 8.99% of all defacings for combined versions of Linux. This is a quite remarkable achievement for Windows 2000, to achieve this in just 18 months since its release - over 3 times the defacement rate of Linux. Well done Redmond!
Oh yes, for those of you who need a reality check about market share in the webserver market, this is the latest Netcraft survey. Sadly, the statistics by OS are not available without paying Netcraft (come on, we know it's the SSL survey that you make money from, please give us some hard OS information for non-SSL sites). However, it would be conservative to assume that approximately 60% of all Apache sites run Linux, and that figure still gives Linux twice the market share of NT and Windows 2000 combined. If we make another very conservative assumption, that Windows 2000 is half of that combined Microsoft figure (the following figures get worse for Windows 2000 the lower that share is), then we get this rather amazing figure:
Taking even very conservative estimates, a Windows 2000 webserver is currently at least 12 times more likely to be defaced than a Linux webserver.
I think that says it all.
-
Hmm...
Seems like SourceForge is making no mention of it on their front page.
As a user that hasn't used SourceForge for more than a week, this makes me a bit worried. I strongly hope that they used one-way, 128+ bit encryption on the passwords.
SourceForge is a very large operation. Remember that. No big operation is perfect, them included. Even RSA has been cracked (their website, rather.)
No operating system, not even our beloved Linux, is totally secure. It's only secure until the next bug is found. Remember, security is a concept.
Now, I have noticed there are some Windows zealots trolling Slashdot right now about the insecurities of the open source model, a la Microsoft. As a user of Windows 9x/NT, Linux, OpenBSD, FreeBSD, and a number of various other OSes, I can tell you right now that neither is more secure.
It only takes more time to find the holes if the software is closed-source. At least with open source, they're generally found quickly and patched quickly.
Neither closed nor open source is more secure. And no OS is completely secure. Not Windows, not Linux -- not even BSD. Sorry!
-
Re:Care to back that up with facts?
How about this one?
-
Re:open source myth
-
It was good while it lasted
They're only stopping the minor defacements: "We will also continue to provide commentary and articles on high profile defacements, significant trends or other activity that warrants attention." Also, the Attrition Defacement Statistics are still being published.
Personally, I will miss the mirrors, but I'd like to see what becomes of the site now that the attrition staff have the extra free time on their hands -
Secure eh?
http://www.attrition.org/security/commentary/worm01.html
Let me guess. Every one of those 8836 machines with Windows 2000 was "misconfigured", should have had better administrators or should have been behind a firewall. Riiiight. So much for more secure out of the box.
http://www.attrition.org/mirror/attrition/os-graphs.html
Anyone with conscious knowledge of these numbers cannot say that Windows is more secure than anything out of the box, because it just plain isn't.
--
Back your zealotry up with facts, not fanaticism. -
bottom line
Let's get real for a second here. Anyone running printer services over the Internet on a server is an utter moron, for one. Secondly, shame on Microsoft for allowing by default just about everything under the sun to run, as opposed to other OSes where you'd have to configure a service to run.
That's the most common problem with server security: the lack of knowledge of some of the administrators setting them up. They don't truly know what is running, either by way of moronically not being intuitive enough to know what ports are open for what services and why, or just not having a clue altogether.
Ryan Permeh, resident shellcode ninja of eEye Digital Security, has created an example exploit to be used as a "proof-of-concept".
Funny how many would whore out, including the staff of eEye. Instead of placing a nicely written, morally sound write-up, they overhype the issue to promote their product.
Let's not forget, what goes around comes around, as eEye has seen in the past. I've purchased programs via my company from eEye, and they're not all that, nor are their advisories. Someone should teach those guys humility.
As for Microsoft, it's just another one of their flaws, so I don't see what the big deal is.
removing the dot in dot com
-
Re:Ok, then, consider this my application
What about Fucked Up College Kids? It's even recursive...well, kinda.
kickin' science like no one else can,
my dick is twice as long as my attention span. -
US bombarded?
Well, the US sure seems to be getting bombarded.
Really? It doesn't look like the US is disproportionately represented in this list. All of the 'generic' domains plus .us equals ~60%, and a significant number of .coms (over half of that 60%, BTW) are not US sites. -
Thoughts
Personally I think the general defacement of a website is downright dumb, and those responsible seem to forget it's outright illegal, for one.
It's nice to get a message across, but hacking for a so-called cause only makes things worse for the hackers, and can sometimes work to the advantage of the target, as they can turn it around and misconstrue the scenario as something of a terroristic attack. Not only that, but the media has the whole concept of hackers distorted to hell due to some of these "hackers'" actions.
I've interviewed about a dozen hackers, a virus creation group, and a script kiddiot defacer. Now the "hackers" I've interviewed are not what the media considers hackers; these are professionals in the security field, so don't get it distorted. However, the script kiddiot defacer and others I've spoken with use the curtain of "hacktivism" solely to get attention, nothing more.
If someone really wants to get a point across, I think they should start an organization and speak up on it to raise awareness. "Hacking" to promote an idea is no better than what the Chinese did at Tiananmen Square in my eyes; it's painting the kettle black at any cost.
Don't get me wrong, I believe in Freedom of Speech, Privacy and all that good stuff, but at the same time I hate racism; I will not condone someone saying what they want on a racist site. I don't think double standards should apply on subjects, and while some of the older hackers from the mid-to-late 90's were funny as all hell, no one has the right to take away someone's freedom of mind or speech.
-
You make excuses for unlawful behavior. Fie.
If you are bullied you are offered a chance to fight or flee.
Fight, and have your possessions trashed and your body battered, perhaps broken. Fight in a school you're required to attend, so that you can get to the classes to which you are entitled. Endure threats or even assault and battery so some coward can feel big. Employers are required by law to stop behavior like this in their workplace. Failure to do so exposes them to huge liability, and nobody is even required to work at a particular job (or at all)! There is no excuse for schools failing to give the same protection to people who attend schools paid for by tax dollars. There is no excuse for bullies having the run of the school.
Cowardice inspired by a cowardly act is still cowardly.
It takes a lot more guts to get your own back when you know you're going to pay a price for it than it takes to pick on someone you think cannot fight back. You sound like you are defending the bullies. You didn't spend your secondary-school days slamming smaller kids against lockers, did you? To all the geeks out there getting picked on: Quit being such pussies. Start fighting. If you let yourself get pushed around you will be pushed around.
Crap on that. To all the geeks out there getting pushed around: report the behavior to the administration. Look it up in your state's criminal code and cite the paragraph that the bullies are violating. Tell the administration that they can either stop the bullies with sanctions or you are going to go to the police the next time this occurs, and right after that you are going to go to your lawyer and file suit against the school for failing to control unlawful behavior on their premises which was known to them. Then do it. We've been dominated by sadists, or ignored by the apathetic.... Isn't it true? It doesn't have to be; it only persists because all of us let it.
--
spam spam spam spam spam spam
No one expects the Spammish Repetition! -
Conscience?
The following was posted in a story on the Register a month or so ago, and is archived at Attrition.org.
While you may not agree with everything in it (I don't), it offers as much insight as anything else into the culture and the mindset. What I see, among other things, is the waste of a young brilliant mind by a system tumbling towards the state of being crippleware.
I greatly admire this bit of hacker culture. It communicates (more than anything else I've read) what is going on.
"The Conscience of a Hacker" by Mentor
(reproduced without permission.)
Another one got caught today, it's all over the papers.
"Teenager Arrested in Computer Crime Scandal", "Hacker Arrested after Bank Tampering"...
Damn kids. They're all alike.
But did you, in your three-piece psychology and 1950's technobrain, ever take a look behind the eyes of the hacker?
Did you ever wonder what made him tick, what forces shaped him, what may have molded him?
I am a hacker, enter my world...
Mine is a world that begins with school... I'm smarter than most of the other kids, this crap they teach us bores me...
Damn underachiever. They're all alike.
I'm in junior high or high school. I've listened to teachers explain for the fifteenth time how to reduce a fraction.
I understand it. "No, Ms. Smith, I didn't show my work. I did it in my head..."
Damn kid. Probably copied it. They're all alike.
I made a discovery today. I found a computer. Wait a second, this is cool.
It does what I want it to. If it makes a mistake, it's because I screwed it up.
Not because it doesn't like me...
Or feels threatened by me...
Or thinks I'm a smart ass...
Or doesn't like teaching and shouldn't be here...
Damn kid. All he does is play games. They're all alike.
And then it happened... a door opened to a world...
rushing through the phone line like heroin through an addict's veins,
an electronic pulse is sent out, a refuge from the day-to-day incompetencies is sought... a board is found.
"This is it... this is where I belong..."
I know everyone here... even if I've never met them, never talked to them, may never hear from them again... I know you all...
Damn kid. Tying up the phone line again. They're all alike...
You bet your ass we're all alike... we've been spoon-fed baby food at school when we hungered for steak...
the bits of meat that you did let slip through were pre-chewed and tasteless.
We've been dominated by sadists, or ignored by the apathetic.
The few that had something to teach found us willing pupils, but those few are like drops of water in the desert.
This is our world now... the world of the electron and the switch, the beauty of the baud.
We make use of a service already existing without paying for what could be dirt-cheap if it wasn't run by profiteering gluttons,
and you call us criminals.
We explore... and you call us criminals.
We seek after knowledge... and you call us criminals.
We exist without skin color, without nationality, without religious bias... and you call us criminals.
You build atomic bombs, you wage wars, you murder, cheat, and lie to us,
you try to make us believe it's for our own good, yet we're the criminals.
Yes, I am a criminal. My crime is that of curiosity.
My crime is that of judging people by what they say and think, not what they look like.
My crime is that of outsmarting you, something that you will never forgive me for.
I am a hacker, and this is my manifesto.
You may stop this individual, but you can't stop us all... after all, we're all alike. -
Re:Crass American Commercialism.
Hmmmm. Sounds like you need a history lesson. The reason your 'revolution' succeeded was because the British administration at the time did not think it worth fighting for. As it turns out, they were right :-)
Anyway, for more information on what is wrong with your country see here and here
Enjoy, USA-boy, safe in the knowledge that the rest of the world thinks you are a bunch of polluting, arrogant, moneygrabbing morons.
-
Re:Even Better
-
Re:ROFL!
Whups, my bad, the Iraqi postscript virus was debunked as an urban legend a long time ago.
But the Lotus Notes backdoor story was true. Export versions of Lotus contained a 64-bit key, 24 bits of which were encrypted with NSA's secret key.
End result: A commercial eavesdropper would have had to break a 64-bit key, but NSA only had to break a 40-bit key.
My original point in defence of idefense.com still stands - idefense.com saying "don't trust products written in naughty countries" (because their core audience can't imagine "products" as meaning anything other than closed-source software purchased from vendors, and therefore don't see the security risks associated with closed-source vendors) or slashdot's perspective of "don't trust closed-source products because they're closed-source" (because our core audience can't imagine the country of origin as being a security risk) - are two sides of the same coin.
-
Do-it-yourself at home, too!
Here's a fun program which allows you to store messages rather undetectably in JPEGs.
http://www.attrition.org/~wrlwnd/crypto/steanography/jpeg-steg/
Maybe you could use this to tunnel IP over USENET porn?
-
Re:working link and whats w/ the logo?
is it me or is there just something, uh, hmmm, werd w/ their logo?
theories:
- it's what happens when you put RMS in charge of cloning.
- it's the bastard offspring of a vicious attack on tux.
- it's what happens when you put RMS in charge of cloning.
-
Re:*yawn*
Very roughly, NT gets an average of 10 intrusions a day whilst Linux is on about 4. If you look at the overall OS share chart you'll see that NT has 59% against 21% for Linux. I think that makes them match up about the same.
/me Sits back and awaits a bashing for supporting MS.
-
*yawn*
"...recent security problems". Compare NT vs Linux intrusions here.
-
Re:bias
are you suggesting that all techno-geeks and related sorts are incapable of getting a root (no, not on a system guys, but I'm sure you're all 31337 h4x0r5)? one only needs to go here to see that ppl in the online community are capable of sexual contact beyond cyber in #beastial_cybersex_with_chicken_bots_and_ppl_who_think_their_chickens. and how many ppl have picked up at a lan party? all us geeks get sex! (well almost all, but who the hell is bill gonna pick up on msn with the nick 'micro-soft-guy'? -
Say Word
It's funny how the government is now looking into possibly not using Microsoft products based on this incident. Last I checked at Attrition they couldn't even lock down their Unix stations either.
Maybe Mickeysoft should just open their source code to the industry; everyone knows their op sys can only get better this way, and maybe their programmers could stop focusing on all the patches they have to create stemming from posts @ SecurityFocus.
Does this mean that since Glock sells to foreigners some of whom may be terrorists they should stop using them for possible leaks of information to customers, or perhaps because they'll be a fair leverage?
Gov sucks.
Windows2000 Spoof -
Santa's Dead
Looks like someone finally did something about that big red guy that breaks into everyone's homes:
-
The *real* Fuck Test
The real fuck test performed by none other than the BSD demon:
http://www.attrition.org/gallery/other/takeittux.jpg
Imagine doing that to a window.... ouch!
-
Re:This is kinda cool...
This is a cool attempt.. for one thing it shows how flexible the Linux kernel is.
Um... Not really. It's almost trivial to put something inside of something else, as long as you write good interfaces. And the more 3rd party code you accommodate, the more risk there is of unstable code crashing the system, or of security breaches.
If necessary, kernel interfaces to userland programs are probably the best way to go, but even then you're not necessarily safe. Remember: try to run code as an unprivileged user at first, then as root if necessary, but only in kernel space as a last resort.
but it would be funky having device drivers loaded from anywhere using this technology!
Like Jini? I hope you're not suggesting we embed the JRE into the kernel! That would be grotesque, despite the niftiness... No! No niftiness! Don't tempt me! Back!
--
-
Optimizing Election Fraud.
Don't dismiss the possibility of computer error and fraud so lightly. This year, the Republican National Committee's webpage was defaced. Volusia County is doing a manual recount now, after computer error injected 15,000 erroneous Socialist Workers and Constitutionalist Party votes into their first tally. Keep in mind: the people who will be administering our first computerized elections will be these people, not Linus and Alan.
Sure, we can have physical "backstops" to try and prevent these kinds of problems... but if these backstops have to be resorted to every time an election comes this close, how is it any improvement over our current situation? If a software glitch in your voting machine causes every voter whose last name begins with Z to get 10 votes, what will keep that same glitch from causing your voting machine to print out 10 punchcards to backstop those votes?
Don't get me wrong, there's certainly a lot of room for technological improvement here. Some Slashdotter suggested a touchscreen voting machine which would give you a clearer GUI, prevent or check for any invalid double votes, and print out a sheet with your ID and only the names of the people you voted for, in easily machine-scannable form, so you could take that sheet and give it to the poll workers. That would prevent both the ballot and the discarded vote problems in Palm Beach, at least.
It's tempting to think that there could be something even better. A little smartcard (because I don't trust the nation who let Melissa and ILOVEYOU loose to maintain their PCs securely) with public key crypto could let your "vote" be a digitally signed statement that you could safely send over the net, and the collection of all those signed statements could be publicly downloadable, to allow you to check and make sure nobody tampers with your vote or the vote count. But even in that case, who would we trust to distribute the private keys, and never have their systems compromised? Verisign? Even if you can check your own vote's integrity, how do you know that a 6 million vote list isn't actually 5 million real votes, plus 1 million fraudulent inserts?
Oh, yeah, I forgot; I titled this post "Optimizing Election Fraud" for a reason. Consider: Right now, tampering with n votes is an O(n) operation. A well designed computer system could make that an O(1) operation. In most programs this would be a fantastic optimization; in this particular case it is not an improvement. -
Attrition.org mirror
You can see the hacked version of the website here.
Seeing as how the hacker finishes off with "As such, I must vote Gore, and I urge you to do so." and then links to Al Gore's web page, I doubt it was a Green sympathizer. Of course, it could be a Green trying to make both Democrats and Republicans look bad, but now we're in conspiracy theory territory. -
Missing the Point
While there are an equal share of positive and negative responses to the student's actions and the consequences, his/her original point hits home with me. None of the ports hit would have triggered my IDS. They would have generated logs, but, it would have been clear that the curiosity-seeking occurred after the fact. I've seen this type of activity so many times, I don't even pay attention to it anymore.
I probably wouldn't exert the same effort in my curiosity seeking, and would have probably just looked at the site and noted: "Yeah, looks like it was hacked." He/she dug a little deeper. A year ago, that probably wouldn't have triggered the interest of law enforcement. But, a year from now, would a web-log at attrition.org with your IP in it offer similar grounds for a warrant?
Maybe not; but, the trend is disturbing. I hope other curious folk out there aren't missing this message. I happen to be pretty curious, too. Just too busy, right at the moment to raise these kinds of flags.
Linux rocks!!! www.dedserius.com -
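The post above makes a detection point worth seeing concretely: a handful of probes against a few ports produces log entries but falls below the threshold a typical signature or rate-based IDS rule would alert on, so the activity is only visible on after-the-fact review of the logs. The following is an added example, not code from the poster, from attrition.org or from any IDS product; the firewall log format, the threshold, the timestamps and the addresses (RFC 5737 documentation ranges) are all constructed for the demonstration.

```python
"""Threshold-based port-probe detection over constructed firewall log lines.

Added example; not code from the page, from attrition.org or from any IDS.
The log format, addresses (RFC 5737 documentation ranges) and timestamps
are constructed for the demonstration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log.  192.0.2.10 is a curious visitor touching three
# well-known ports over a couple of minutes; 198.51.100.7 sweeps twelve
# ports in under a minute.
SAMPLE_LOG = """\
2000-11-09T02:14:03 ACCEPT src=192.0.2.10 dst=203.0.113.5 dport=80 proto=tcp
2000-11-09T02:14:41 DROP src=192.0.2.10 dst=203.0.113.5 dport=21 proto=tcp
2000-11-09T02:15:12 DROP src=192.0.2.10 dst=203.0.113.5 dport=23 proto=tcp
2000-11-09T03:30:00 DROP src=198.51.100.7 dst=203.0.113.5 dport=21 proto=tcp
2000-11-09T03:30:04 DROP src=198.51.100.7 dst=203.0.113.5 dport=22 proto=tcp
2000-11-09T03:30:08 DROP src=198.51.100.7 dst=203.0.113.5 dport=23 proto=tcp
2000-11-09T03:30:12 DROP src=198.51.100.7 dst=203.0.113.5 dport=25 proto=tcp
2000-11-09T03:30:16 DROP src=198.51.100.7 dst=203.0.113.5 dport=53 proto=tcp
2000-11-09T03:30:20 DROP src=198.51.100.7 dst=203.0.113.5 dport=79 proto=tcp
2000-11-09T03:30:24 ACCEPT src=198.51.100.7 dst=203.0.113.5 dport=80 proto=tcp
2000-11-09T03:30:28 DROP src=198.51.100.7 dst=203.0.113.5 dport=110 proto=tcp
2000-11-09T03:30:32 DROP src=198.51.100.7 dst=203.0.113.5 dport=111 proto=tcp
2000-11-09T03:30:36 DROP src=198.51.100.7 dst=203.0.113.5 dport=113 proto=tcp
2000-11-09T03:30:40 DROP src=198.51.100.7 dst=203.0.113.5 dport=139 proto=tcp
2000-11-09T03:30:44 DROP src=198.51.100.7 dst=203.0.113.5 dport=143 proto=tcp
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ACCEPT|DROP) src=(?P<src>[\d.]+) "
    r"dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+) proto=(?P<proto>\w+)$"
)


def parse_log(text):
    """Turn log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "action": m["action"],
            "src": m["src"],
            "dst": m["dst"],
            "dport": int(m["dport"]),
        })
    return events


def detect_port_sweeps(events, min_ports=10, window=timedelta(seconds=60)):
    """Alert on any source that touches at least `min_ports` distinct
    destination ports within `window`.  Returns {src: sorted ports}.
    Sources below the threshold generate no alert, only log entries."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    alerts = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):          # slide the window start
            ports = set()
            for e in evs[i:]:
                if e["ts"] - first["ts"] > window:
                    break
                ports.add(e["dport"])
            if len(ports) >= min_ports:
                alerts[src] = sorted(ports)
                break
    return alerts


def events_for_source(events, src):
    """After-the-fact review: everything one address did, alert or not."""
    return [e for e in events if e["src"] == src]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("alerts:", detect_port_sweeps(evs))
    for e in events_for_source(evs, "192.0.2.10"):
        print(e["ts"], e["action"], "port", e["dport"])
```

With the default threshold only the twelve-port sweep is alerted on; the three probes from the curious visitor never fire a rule, yet `events_for_source` pulls every one of them back out of the log on request, which is exactly the gap between "didn't trigger the IDS" and "left no trace" that the post describes.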
Get Ready!
This is going to be a reality everywhere sooner or later. Get used to it.
I'm not saying anyone should lie back and let it happen, but whoever yells the loudest and has the most money is always "right".
I truthfully see this from our end as a losing battle. Amerikans (sorry non-amerikans, but we do influence your governments) are too busy giving up their rights for "protection" that we don't even notice anymore. Not that most Amerikans even understand or have even studied the Bill of Rights. Plus, one cannot fail to point out the general police mind state...
-
Re:Childish attacks unnecessary
now there are more defacements of Linux sites than NT sites
I like to check out the attrition.org stats once in a while too. Swimming around the link you provided, there was a period from early August - mid September where Linux cracks outnumbered NT (reference), but IIRC, this is when the WU-FTPD exploits were publicized. Is this not to be expected? I mean, so the script kiddies saw the bug on bugtraq, reviewed their nmap logs for Linux hosts and then went to town. Not too impressive. What is impressive is the sheer number and variety of ways the white hats keep discovering to get M$ internet software to execute code without user intervention or knowledge.
Also, a look at the pie chart shows NT with a 57% share of all defacements. I am not sure how you draw the conclusion that there are more Linux defacements than NT. Care to fill in the blanks for me?
-
Re:Inside job?
If there are so many exploits for Unixes and not NT, why is it that despite an apparent minority of servers, there are more defacements of NT sites? Besides, as another poster pointed out, if we hear about a vulnerability in an open source OS, whether or not it's Unix-like, we can fix it a lot more easily than with closed-source NT.
-
Childish attacks unnecessary
I'd expected more mature responses to MSFT being hacked than childish attacks either blaming NT like the above post or claiming that MSFT being hacked is good for Open Source like others I've seen. Frankly *nix and Windows are roughly equivalent in default security (except for OpenBSD) and only through the machinations of a good sys admin is either OS properly secured.
For those that believe *nix is somehow more inherently secure than Windows, here are a few sources that may refute that claim. The major security issues in Windows are Outlook (disable preview pane, be careful with attachments) and Internet Explorer (disable Javascript). Doing that and using a firewall like ZoneAlarm is most of the securing that a typical Windows box needs. On the other hand, due to the use of insecure C libraries (str* functions, *scanf functions, etc.), most of the services that are enabled by default in a typical Linux install are insecure (especially RedHat, the primary consumer Linux OS in the U.S.). Take a quick look at security sites like Attrition.org, CERT, SANS, rootshell, SecurityFocus, etc. and check the results. Defacements of Linux sites have been rising at a steady rate and now there are more defacements of Linux sites than NT sites. CERT regularly has more Linux and Unix security advisories than for Windows. The SANS (System Administration, Networking, and Security) Institute top ten list of security holes has more entries for *nix than Windows. A quick search of the terms "linux" and "windows" on Rootshell's search engine comes up with 84 downloadable exploits for Linux versus 39 for Windows.
The above post is not intended to be flamebait (I run Win2K but plan to reinstall Linux on my second machine so I am a Linux user) but as a counterpoint to the above post which was rated +5 when I replied to it.
Second Law of Blissful Ignorance -
Windows boxes more dangerous than Unix boxes...
... at least according to Attrition's statistics about operating systems on cracked web servers.
Compare this to Linux's web server market share according to Netcraft.
Together, this tells me that Windows boxes are more likely to get cracked than Unix boxes. Of course, the numbers may be different for home systems, but as these are the only numbers I have I'll believe them until something better shows up.
Cheers
//Johan -
Re:Erm.. the 17-july bug is patched on july 17th
Erm, the bug (in IIS4 and IIS5) was patched on July 17th, and if I interpret the text correctly, that's THE SAME...
Yes. You did interpret the text correctly. Your failing, however, is to assume that MSPatch==ProblemFixed. I am an MCSE and a security consultant. I have been doing this since 1997. Right now I'm managing the security on about 200 NT 4 servers. My experience would lead me to guess that one of two things happened: A) The fix was a "band-aid" that defeated the given exploit code but ignored root cause; B) The patch was merged into the wrong source tree and was subsequently broken by the next patch.
Both of these are very common occurrences. I have had to back many hot fixes out because of regression errors. I have also seen many cases (especially in the last few months) where Microsoft has released a patch only to release a second patch a few days later because the first one was inadequate. I'm not saying that the Nasdaq admins didn't drop the ball; I don't know the specifics of their environment. Making OS updates that often is a pain; even Microsoft has trouble keeping up. I find this whole thing funny simply because Microsoft has spent the last two years holding the Nasdaq up as one of their big success stories. I hope lots of CIOs see that article so that we can start to bring sanity to the server room and shed the Microsoft shackles.
-
Fucking penguin?
-
Re:Gates was right then and he's right now...
Jeezus...You really worship Bill, don't ya?
But anyway. Bill's right. It's ok to rape the consumer, steal other people's ideas, buy or destroy the competitor...Just as long as you don't copy *Bill's* software.
The fuckin' amerikan way, right? Money rules, fuckin' sue em' if they don't like it.
You stupid fucks really don't 'get it', do you? Despite what the Rev. Bill may have preached to you, money isn't everything.
Richard Fuckin' Gere
Hey! Check it out! You're a karma whore and I'm a troll!
---- -
Re:opinions
While I am not personally very fond of MS and its products, I'm really not sure what good the attack by the US government has done. I don't think that it will do what they think it will do.
Anyway, to steer more towards the topic: Look at the cracked pages mirror on attrition. They have stats on the OSes of the cracked servers. Look at these. Currently, IIS, with approx 40% of the server market (yeah, yeah, I know, there are other servers, don't flame me) has 56% of the cracked pages. Apache, OTOH, with 60% of the market, has 28% of cracked pages. Many of these can also be explained by sleeping admins who don't patch known bugs. The problem inherent with the big, lumbering beast that is MS is that nothing, even the most critical of security flaws, gets fixed until another SP comes out. When something goes wrong with your Linux distro, some hacker somewhere codes a fix and shoots it up to a server from which it is distributed around the world. If the admins are paying attention, they will very quickly have a secure system again. There is also the fact that many service packs make the NT system unstable. For example, I installed SP 5(?) on my dad's NT box and I couldn't install MS Media Player. It will _run_ if previously installed, but the installer chokes and dies.
People flock to MS because they think it's the easiest solution. It is, in a way--the setup is a lot less intimidating. But most of these people can't ever hope to fix their windows box. They have to hire somebody like me, at astronomical wages, to press enter or something. If they were using Linux, chances are that it wouldn't break as often, and when it did, they'd hire the same dude. They're just scared, but I doubt that they would notice if you just plunked them down in front of their shiny new box with WordPerfect for Linux running. -
Some Good Points
He does make some good points about the sheer amount of vulnerabilities on the Linux front. However, just because say wuftpd or lynx is vulnerable to some old exploits doesn't mean that Linux is more vulnerable than Microsoft's OS or any other for that matter. I think a better measure is the amount of break-ins in the wild; a good measure of this would be perhaps attrition's stats page.
Also another big factor would be the time from when the known exploit is out to the time the bugfix is released. Microsoft is improving in this department, so let's give credit where credit is due... but I would never ever ever ever trust a SMB NT machine out on the open Internet.
In conclusion.. scared of your linux / windows nt machine? (shameless plug), try OpenBSD!
-
If Linux were more insecure..
Then it wouldn't be harder to hack... than nt.
See attrition.org statistics -
Use a Trusted OS.
Script kiddies don't have enough bandwidth to DoS a major provider, so they use rootkits to crack systems and then use the cracked system as a launchpad for their DDoS attacks, right? Well, maybe a solution is for companies to use a Trusted OS like Argus PitBull, Trusted BSD, (admittedly incomplete) OB1, Trusted Solaris, HP's virtual vault, or find a better match for yourself.
Why people use WinNT as a server platform is beyond me. Something like 65% of web-site defacements listed at Attrition.org are WinNT based. That's insane. Linux is something like 20%. I was very surprised at HOW MANY sites are hacked. The internet's infrastructure needs to be improved, sure. But how about securing your system properly?! Argus has even announced a Linux port for their products; it's the only TOS that I've seen even mention Linux. And, maybe someone should push the Linux Kernel developers to finish implementing the Capabilities and ACL stuff that at least partially exists in the kernel (or in patches); this would allow application coders to write non-suid programs that would still have some of the root capabilities (just the ones they need).
I'm not saying that the sys admins are to blame. These decisions are generally not simple technical ones. However, everyone needs to be educated about the products that are available to protect themselves and others (in the case of DDoS attacks). If you're a sys admin, educate yourself and pass it on to your boss. They may not get it, but you should at least try.
Just my $0.02.
$ flames > /dev/null 2>&1 -
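The capability split the comment above asks for (a non-setuid program that keeps only the root powers it needs) did land in mainline Linux: file capabilities and a usable capset/capget have been there since 2.6.24. The following is an added example, not code from the poster or from any of the products named in the thread. It talks to the kernel through the raw capget/capset syscalls so it needs no libcap, and it shows the least-privilege pattern for a hypothetical daemon that only has to bind port 80: keep CAP_NET_BIND_SERVICE, throw away everything else before touching any untrusted input. Function names are mine.

```c
#define _GNU_SOURCE
#include <linux/capability.h>
#include <sys/syscall.h>
#include <unistd.h>
#include <stdio.h>
#include <string.h>

/* Raw capget/capset wrappers (no libcap dependency). With the v3 ABI the
 * kernel uses two 32-bit words, covering capabilities 0..63. pid 0 means
 * "the calling thread". */
static int cap_read(struct __user_cap_data_struct d[2]) {
    struct __user_cap_header_struct hdr;
    memset(&hdr, 0, sizeof hdr);
    hdr.version = _LINUX_CAPABILITY_VERSION_3;
    hdr.pid = 0;
    return (int)syscall(SYS_capget, &hdr, d);
}

static int cap_write(struct __user_cap_data_struct d[2]) {
    struct __user_cap_header_struct hdr;
    memset(&hdr, 0, sizeof hdr);
    hdr.version = _LINUX_CAPABILITY_VERSION_3;
    hdr.pid = 0;
    return (int)syscall(SYS_capset, &hdr, d);
}

/* 1 if `cap` is in the calling thread's effective set, 0 if not, -1 on
 * error or out-of-range capability number. */
int cap_is_effective(int cap) {
    struct __user_cap_data_struct d[2];
    if (cap < 0 || cap > 63 || cap_read(d) < 0) return -1;
    return (int)((d[cap / 32].effective >> (cap % 32)) & 1u);
}

/* Shrink permitted and effective to at most `keep` and clear inheritable.
 * Dropping is a pure subset operation, so the kernel permits it even from
 * an unprivileged thread: a process that never held `keep` simply ends
 * up with no capabilities at all, which is the safe outcome. */
int keep_only_capability(int keep) {
    struct __user_cap_data_struct d[2];
    if (keep < 0 || keep > 63 || cap_read(d) < 0) return -1;
    for (int i = 0; i < 2; i++) {
        unsigned mask = (keep / 32 == i) ? (1u << (keep % 32)) : 0u;
        d[i].permitted   &= mask;
        d[i].effective   &= mask;
        d[i].inheritable  = 0;
    }
    return cap_write(d);
}

int main(void) {
    /* Hypothetical web daemon: needs a privileged port, nothing else. */
    if (keep_only_capability(CAP_NET_BIND_SERVICE) != 0) {
        perror("capset");
        return 1;
    }
    printf("CAP_NET_BIND_SERVICE effective: %d\n",
           cap_is_effective(CAP_NET_BIND_SERVICE));
    printf("CAP_NET_RAW effective:          %d\n",
           cap_is_effective(CAP_NET_RAW));
    printf("CAP_SYS_ADMIN effective:        %d\n",
           cap_is_effective(CAP_SYS_ADMIN));
    /* ... bind(2) to port 80 here, then serve. */
    return 0;
}
```

Two ways to give such a binary its one capability without making it setuid root: start it as root and let it call keep_only_capability() first thing, or stamp the capability onto the file with `setcap 'cap_net_bind_service=+ep' /path/to/daemon` so it never runs as uid 0 at all. Either way, if the daemon is later exploited, the attacker inherits a process that can bind port 80 and nothing more; compare that with the classic setuid-root httpd, where the same bug hands over the whole box.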
Is this the same Brian Martin who runs Attrition
Is this the same Brian Martin who runs Attrition.org and does a lot of security crap?