Domain: securityfocus.com
Stories and comments across the archive that link to securityfocus.com.
Comments · 2,651
-
Hacked Servers Outsourced to Interland
According to the Security Focus article the affected parking servers had been outsourced to Interland. Not really surprising, since Interland has left their servers vulnerable to various vulnerabilities for months at times.
-
Re:This may be great and all...
>Or compromise the servers where you get your .debs.
>...
>Obviously nobody would have installed (and be updating) a package called "rootkit," but the scripts could be piggybacked on any security update.
First, it doesn't have to be installed through the updates to the server. It's probably actually easier to find some misconfig'd server or vulnerable daemon out there, establish remote access, and install the rootkit from there. But you do have a point, and that's why I just subscribe to bugtraq, etc. and never trust things like the .deb/.rpm updates.
Second, why worry about a rootkit when the underlying problem is how they get IN before the rootkit? I would definitely recommend looking at securing-debian-howto for those of you who are unsure of your Debian security.
If the only problem were a rootkit changing binaries and installing a backdoor, then all an admin has to do is put a firewall in front of the server and control all the ports, so that any unsolicited traffic is stopped from getting to the "unknown" daemon listening on port xyz, plus stop ALL unsolicited tcp/udp/icmp traffic from leaving the server unless a handshake was completed. Most stateful packet filters can do this. If you're really paranoid, put an IDS (i.e. snort, www.snort.org) between the server and the outside to look for irregular activity. Worried about one of your services? Find a proxy to inspect the connections. Worried about corrupt binaries? Install an integrity checker (i.e. tripwire, www.tripwire.org).
Obviously, securing a server will require much more than this. Check out Sans.org. But AT A MINIMUM, the above should have been in place already. Hope that helps at least somebody out there.
-
Been all over SecurityFocus Already.
Here's the link to their write up, commenting on Bruce Schneier's take: No Big Deal.
Anyway, we all know they've been reading our sekrit kees by telepathy for years now, right? -
Re:Oracle
-
Re:more info?
There was a defect in releases earlier than 5.0.9. When E-mail was received from an address having a certain form, the system would go into a hung state, consuming 100% of the server's CPU cycles. Here is the reference to the details.
The defect was fixed in version 5.0.9 and Lotus has moved on, with version 5.0.10 being released soon. Many people as of yet have not upgraded their servers, leaving ORBZ open to similar actions if they stumble across other Domino servers that are running older software and whose owners might be more litigious.
So ORBZ isn't out of the woods yet.
-
IBM/Lotus has known about this for a while?
The thread in which Ian reported this at Bugtraq has a comment to it saying that the bug had been reported to Lotus in 2000.
"It was reported in vuln-dev list on May, 20 2000 by SMILER in same time with SMTP buffer overflow in Lotus. I wonder why it's not patched yet."
There is a note to that effect on www.security.nnov.ru.
It's two years since the report, so one might expect a fix in Lotus any time now.
-
Re:In Jail for Web Graffiti?
Doing a little bit of searching, I found a much simpler explanation for his actions. Jerome previously volunteered himself for prison because of his court-imposed inability to support himself or live with his parents in Wisconsin.
My guess is he played the judge like a puppet, tweaking him just enough to get a paid stay at the government's expense.
I'd suggest all the amateur psychoanalysis can stop now. -
Why is everyone taking this as a joke?
Usually when a computer enthusiast is ridiculed in the media, most people on Slashdot rush to defend them. Why is it different this time?
Has anyone taken a moment to read anything about this aside from the two links CmdrTaco posted above?
The reason he fired his attorney is that she told him he would lose the case if he pleaded not guilty. Now I don't know about you, but if I was innocent and my lawyer told me to plead guilty or go to jail, I'd start looking for new representation too.
Also the article linked on HackerDigest is inaccurate on at least one count. qmail is not owned by Qualcomm. qmail was not the program that Jerome discovered the exploit in. qpopper is.
For information that may be more accurate or at least present the other side of the argument, try here http://www.freesk8.org/. -
Re:Cool, but...
You got cracked whilst running ssh? How?
I'm guessing that you didn't notice that ssh was found vulnerable to an off-by-one compromise recently, and that a new version is out. Check out the advisory on it, and get the latest version while you're there.
The solution to security flaws like this is not running in runlevel 0 - it is diligence and administration. Subscribe to bugtraq (here), and keep an eye on what's coming out. Do an occasional nmap scan against yourself. *Know* what ports are open, don't wait to be surprised. ssh is by no means "stupid". Neither are you. Not keeping up to date on what's out there, however, is. -
Another Article
SecurityFocus has an article on passwords; while it has an NT focus (Lanmanager myths and such) it touches on lots of the same thoughts. Of interest is the use of high ASCII and/or Unicode in passwords.
-
Re:notification issue
I don't see it as the zlib author's responsibility to notify everyone that uses their library.
I do feel that they should (but are not obligated to) send out a few public notices that will be spread around so that people whose programs use the library can update it, and that's exactly what they did.
Also the big problem with this security issue isn't programs that dynamically link to libz.so. Those are easy to fix because all you have to do is upgrade your zlib and they're automagically fixed.
It's the programs that statically link the zlib library (meaning it gets copied right into the actual binary at compile time) that you have to worry about because an ldd won't show you that.
Also many people use their own modified version of zlib (XFree86, rpm, rsync, the linux kernel etc.) and so those are very hard to catch as well.
Florian Weimer wrote a perl script which will check for binaries on your system that are statically linked. You can read his post to Bugtraq here.
--
Garett -
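A worked version of the check the comment above describes, added here as an example (this is not Florian Weimer's Bugtraq script, nor code from the zlib project): a statically linked zlib leaves no trace in ldd, but the library compiles its version banner ("inflate 1.1.3 Copyright 1995-1998 Mark Adler", "deflate 1.1.3 Copyright 1995-1998 Jean-loup Gailly") into libz, and that banner survives in any binary that embeds the library. Scanning for it finds both static links and most bundled copies. FIXED_VERSION is set to 1.1.4, the zlib release that fixed the 2002 double-free; treat it as a parameter for whatever advisory you are chasing. Two caveats: a vendor who modified their bundled zlib may have changed or dropped the banner, so "no banner" is not proof of absence, and a compressed kernel image is not an ELF file, so it is skipped here.

```python
"""Find ELF binaries that embed zlib and report whether the embedded version is fixed.

Added example, not code from the post or from zlib.  The only assumptions are
FIXED_VERSION and the banner regex; the banner text itself is what zlib ships.
"""
import os
import re
import sys

# zlib compiles "inflate <ver> Copyright ..." and "deflate <ver> Copyright ..." into libz.
ZLIB_BANNER = re.compile(rb"\b(?:inflate|deflate) (\d+(?:\.\d+){1,3}) Copyright")
FIXED_VERSION = (1, 1, 4)   # assumption: first release without the 2002 double-free


def parse_version(text):
    """'1.1.3' -> (1, 1, 3) so versions compare as tuples, not strings."""
    return tuple(int(p) for p in text.split("."))


def zlib_version_in(data: bytes):
    """Return the embedded zlib version tuple, or None if no banner is present."""
    m = ZLIB_BANNER.search(data)
    return parse_version(m.group(1).decode("ascii")) if m else None


def is_elf(data: bytes) -> bool:
    return data[:4] == b"\x7fELF"


def assess(data: bytes, fixed=FIXED_VERSION):
    """Classify one binary: ('no-zlib', None), ('fixed', ver) or ('vulnerable', ver)."""
    ver = zlib_version_in(data)
    if ver is None:
        return ("no-zlib", None)
    return ("vulnerable" if ver < fixed else "fixed", ver)


def scan_tree(root, fixed=FIXED_VERSION, max_size=64 * 1024 * 1024):
    """Walk root and return {path: (status, version)} for every ELF file embedding zlib."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                if os.path.islink(path) or os.path.getsize(path) > max_size:
                    continue
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue            # unreadable or vanished: skip, don't abort the scan
            if not is_elf(data):
                continue
            status, ver = assess(data, fixed)
            if ver is not None:
                hits[path] = (status, ver)
    return hits


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "/usr/bin"
    for path, (status, ver) in sorted(scan_tree(root).items()):
        print(f"{status:10s} zlib {'.'.join(map(str, ver))}  {path}")
```

Run it as `python3 findzlib.py /usr /opt` and page through the "vulnerable" lines; anything that ldd would have shown as dynamically linked will not appear here, since the banner lives in libz.so rather than in the binary.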
Nobody has mentioned CERT or Bugtraq?
CMU's CERT organization can help with certain flavours of Unix (maybe Windows) with an emphasis on data center computers (e.g. ftp or web servers) as opposed to command and control computing (like ships at sea). www.cert.org.
Also of use to Windows admins and similar folk is bugtraq at apparently a new URL. Ahoy and good luck.
-
Re:It all depends
hmmm
Interesting thought: I have had fairly good luck running somewhat robust servers with Windows (File/Print only) systems; the problem seems to be when you have other software (sometimes MS software: I have had bad luck with Exchange, more often though third party software). The problem seems to be that very few people have the skills, knowledge, time or specs/APIs for writing robust Windows apps.
Another problem: many writers take shortcuts like "I need to do x, y, z and to do z you need system user status, so I will run EVERYTHING as system" which makes everything a lot less stable I think.
What about kernel space third party DLLs? If memory serves, it was a kernel space DLL that caused IIS's BlackICE to crap out on a reasonably high volume of pings... turned out to be exploitable. Mind you, the same is true of the most recent telnetd exploits for *nix systems. The common theme seems to be how robust the app implementation is and how well documented/well used the OS APIs are.
seems that we shouldn't be searching for the best OS, but the easiest OS to develop secure stable platforms for... and there are a lot of factors that go into that... and please don't mod me down for being redundant with that last statement, I know others have said that same thing, I am just reiterating.
-
-
Security is a process
It's a well known fact that security is a process; it should be considered right from the word go, and not just prior to a software release.
I've been writing a network server, recently, for streaming MP3s, so I've been thinking a lot about the various issues.
I came up with a list of things that I should be doing, partly after reading Bugtraq, and partly due to things I've picked up over the years.
I think it's good to see books like this come out - if only to educate the newer/younger programmers who've never thought about the issues before. After all, many programmers just work on applications which aren't installed setuid, etc., so when they have to work on such a beast for the first time, they're likely to work the way that they always have.
I believe that all the programmer courses available should have a section on security - largely because too many people learn from code printed in books, or online, which has all the error checking omitted so the reader can focus on the example. It's obvious from reading many people's code that they never expect a malloc to fail!
-
Re:Spamming for dumbasses
Post his address as anonymous. Then we can all head over to Security Focus and find a nice 'sploit to show him how much we love his crap.
I can't believe you're worried about him suing you for posting his IP. I mean, just like he said, if he has a God given right to send SPAM, you certainly have the right to tell everyone about it. I believe I've got a God given right to launch DDOS and hack attacks against these jerks.
Death to SPAMMERS! -
Re:Who's responsible for network security?
btw when posting the parent, I was thinking about Lamo's adventures inside The New York Times.
Al.
-
Re:No native version?
Did either the Linux versions or does this crossover patch allow for the spoofed mp3 vulnerability?
-
Re:It's not a log, it's a cache
You are wrong, Media Player is sending a globally unique ID to a MS server, along with a fingerprint of the DVD you are watching. This GUID is associated with an email address if you signed up for their newsletter, and also the newsletter encourages you to register for a Passport account.
Here was the original BugTraq post that started this all. Read carefully.
Serious privacy problems in Windows Media Player for Windows XP by Richard M. Smith
http://www.ComputerBytesMan.com
February 20, 2002
Introduction
============
I found a number of serious privacy problems with Microsoft's Windows Media Player (WMP) for Windows XP. A number of design choices were made in WMP which allow Microsoft to individually track what DVD movies consumers are watching on their Windows PC. These problems were introduced in version 8 of WMP, which ships preinstalled on all Windows XP systems.
In particular, the privacy problems with WMP version 8 are:
- Each time a new DVD movie is played on a computer, the WMP software contacts a Microsoft Web server to get title and chapter information for the DVD. When this contact is made, the Microsoft Web server is given an electronic fingerprint which identifies the DVD movie being watched and a cookie which uniquely identifies a particular WMP player. With these two pieces of information Microsoft can track what DVD movies are being watched on a particular computer.
- The WMP software also builds a small database on the computer hard drive of all DVD movies that have been watched on the computer.
- As of Feb. 14, 2002, the Microsoft privacy policy for WMP version 8 does not disclose the fact that WMP "phones home" to get DVD title information, what kind of tracking Microsoft does of which movies consumers are watching, and how cookies are used by the WMP software and the Microsoft servers.
- There does not appear to be any option in WMP to stop it from phoning home when a DVD movie is viewed. In addition, there does not appear to be any easy method of clearing out the DVD movie database on the local hard drive.
Technical Details
=================
When a DVD movie is played by WMP, one of the first things that WMP does is to query via the Internet a Microsoft server for information about the DVD. The query is made using the standard HTTP protocol that is also used by Web browsers like Internet Explorer or Netscape Navigator. Using a packet sniffer I was able to observe WMP making these queries to a Microsoft server each time a new DVD movie was played. The packet sniffer also showed the movie information which was returned to WMP by the Microsoft servers.
The first HTTP GET request sent by WMP identified the movie being played.
For example, an HTTP GET request is made for this URL for the "Dr. Strangelove" DVD: http://windowsmedia.com/redir/QueryTOC.asp?WMPFriendly=true&locale=409&version=8.0.0.4477&cd=1E+96+1B1E+30D9+42D8+5D61+783E+9083+C49C+F0C8+1151E+13CF9+15812+16C5D+1A04F+1BF2D+1ECB7+212E1+22E48+25724+27E9D+2A91A+2D0E6+2F451+38367+3CF64+4A4D6+4C001+4D517+4E51B+4FDBC+51F74
The hex numbers at the end of the URL are an electronic fingerprint for the DVD table of contents which uniquely identifies the "Dr. Strangelove" DVD. This URL is sent to WindowsMedia.com, Microsoft's Web site dedicated to the WMP software. The HTTP GET request also included an ID number in a cookie which uniquely identifies my WMP player.
Here's what this cookie looks like: MC1=V=2&GUID=CA695830BB504D399B9958473C0FF086
By default, this cookie is anonymous. That is, no personal information is associated with the cookie value. However, if a person signs up for the Windows Media newsletter, their email address will be associated with their WindowsMedia.com cookie.
For example, when I signed up for the Windows Media newsletter, the following URL was sent to Microsoft servers: http://windowsmedia.com/mg/Newsletter.asp?eNws=rms@computerbytesman.com&format=HTM
The same windowsmedia.com cookie value will be sent back to Microsoft servers when signing up for the newsletter and when a DVD movie is played. In addition, using various well-known "cookie synch" tricks, an email address can be associated with a cookie value at any time. Also, when subscribing to the Windows Media newsletter, I was encouraged by an email message from the Microsoft newsletter department to create a Passport account based on my email address. In theory, yet more personal information from Passport could be matched with what DVD movies I have watched. There is no evidence however that Microsoft is making this connection.
The WindowsMedia.com cookie was assigned to my computer the first time I ran WMP. The lifetime of the cookie was set to about 18 months. This cookie gives Microsoft the ability to track the DVD movies that I watch on my computer.
After a series of redirects from the WindowsMedia.Com server, information about the "Dr. Strangelove" movie was returned in this XML file: http://services.windowsmedia.com/amgvideo_a/template/QueryDVDTOC_v3.xml?TOC=90a1b0d1571524ea
WMP extracted movie information from this file and then added this information to a database file, named wmplibrary_v_0_12.db, which is located on my hard disk in the directory "C:\Documents and Settings\All Users\Application Data\Microsoft\Media Index". I didn't see any method of removing movie information from this file, so it appears to me that the file keeps a complete record of all movies that have ever been watched on my computer.
Because as of Feb. 14, 2002 the Windows Media privacy policy is silent about what is done with DVD information sent to Microsoft servers by the WMP software, we can only speculate what Microsoft is doing with the information. Here are some possibilities:
- Microsoft could be using DVD title information for direct marketing purposes. For example, the WMP start-up screen or email offers can be customized to offer new movies to a WMP user based on previous movies they have watched.
- Microsoft could be keeping aggregate statistics about what DVD movies are the most popular. This information can be published as weekly or monthly "top ten" lists.
- Microsoft might be doing nothing with the DVD information. (In my discussions with Microsoft, I was told this option is their current practice.)
Note: The Video Privacy Protection Act of the United States prevents video rental stores from using movie titles for direct marketing purposes. The letter of this law does not apply to Microsoft because they are not a video rental store. However, clearly the spirit of the law is that companies should not be using movie title information for marketing purposes.
Recommendations
===============
I believe that Microsoft should remove the DVD movie information feature from WMP version 8 altogether. The value of the feature seems very small given that almost all DVD movies include a built-in chapter guide. In addition, the Microsoft movie information feature is not available when DVD movies are shown in full-screen, which is how DVDs are typically watched. If Microsoft feels that this feature is important to leave in WMP, then I think it should be turned off by default. The feature can be made privacy-friendly very easily, by having WMP never send cookie information with movie title requests. This change will prevent Microsoft from tracking individual movie viewing choices.
Vendor Response
===============
Response from the Windows Digital Media Division of Microsoft Corporation is available here: http://www.computerbytesman.com/privacy/wmp8response.htm
Acknowledgements
================
Thanks to Ian Hopper of the Associated Press for bringing this issue to the attention of the author.
Links
=====
Digital Media in Windows XP
http://www.microsoft.com/windows/windowsmedia/windowsxp.asp
Media Player for Windows XP Privacy Statement
http://www.microsoft.com/windows/windowsmedia/software/v8/privacy.asp
The RealJukeBox monitoring system
http://www.computerbytesman.com/privacy/realjb.htm
TiVo's Data Collection and Privacy Practices
http://www.privacyfoundation.org/privacywatch/report.asp?id=62&action=0
Internet Explorer SuperCookies bypass P3P and cookie controls
http://www.computerbytesman.com/privacy/supercookie.htm
Video Privacy Protection Act
http://www.accessreports.com/statutes/VIDEO1.htm
Bill Gates' memo on Trustworthy computing:
http://www.computerbytesman.com/security/billsmemo.htm -
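The request Smith sniffed carries two identifiers: the DVD table-of-contents fingerprint in the `cd=` parameter and the per-player GUID in the `MC1` cookie. Below is an added example, written for this page and not taken from Smith's post or from Microsoft, of what a filtering proxy or packet-capture triage script would do with it: parse the raw HTTP request, recognise a WindowsMedia.com QueryTOC.asp lookup, pull out both identifiers, and emit the same request with the Cookie header removed, which is the "never send cookie information with movie title requests" fix Smith recommends. The sample request is constructed from the URL and cookie values quoted above; the host and query parameters are his, the request framing and the User-Agent line are assumed.

```python
"""Detect and defang the WMP 8 DVD lookup that phones home with a player GUID.

Added example for this page (not Smith's code, not Microsoft's).  Sample
request below is constructed from values quoted in the Bugtraq post.
"""
import re
from urllib.parse import parse_qs, urlsplit

TOC_HOSTS = {"windowsmedia.com", "www.windowsmedia.com"}
TOC_PATH = "/redir/querytoc.asp"
GUID_RE = re.compile(r"GUID=([0-9A-Fa-f]{32})")   # value inside the MC1 cookie


def parse_request(raw: bytes):
    """Split a raw HTTP/1.x request head into (method, request-target, headers)."""
    head, _sep, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return method, target, headers


def dvd_lookup(raw: bytes):
    """Describe a WMP DVD lookup, or return None if this request is something else."""
    _method, target, headers = parse_request(raw)
    host = headers.get("host", "").lower()
    url = urlsplit(target)
    if host not in TOC_HOSTS or url.path.lower() != TOC_PATH:
        return None
    query = parse_qs(url.query)
    # parse_qs decodes '+' as a space, so the TOC arrives as space-separated hex offsets.
    offsets = [int(h, 16) for h in query.get("cd", [""])[0].split()]
    guid = GUID_RE.search(headers.get("cookie", ""))
    return {
        "player_version": query.get("version", [""])[0],
        "toc_offsets": offsets,                       # the DVD fingerprint
        "player_guid": guid.group(1).upper() if guid else None,
        "tracked": guid is not None,                  # fingerprint AND player identity together
    }


def strip_cookie(raw: bytes) -> bytes:
    """Return the same request without its Cookie header (the privacy-friendly variant)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    kept = [ln for ln in head.split(b"\r\n") if not ln.lower().startswith(b"cookie:")]
    return b"\r\n".join(kept) + sep + body


# Constructed sample.  URL and cookie values are the ones quoted in the post;
# the User-Agent line is an assumption added to make the request realistic.
SAMPLE_REQUEST = (
    b"GET /redir/QueryTOC.asp?WMPFriendly=true&locale=409&version=8.0.0.4477&"
    b"cd=1E+96+1B1E+30D9+42D8+5D61+783E+9083+C49C+F0C8+1151E+13CF9+15812+16C5D"
    b"+1A04F+1BF2D+1ECB7+212E1+22E48+25724+27E9D+2A91A+2D0E6+2F451+38367+3CF64"
    b"+4A4D6+4C001+4D517+4E51B+4FDBC+51F74 HTTP/1.1\r\n"
    b"Host: windowsmedia.com\r\n"
    b"User-Agent: Windows-Media-Player/8.0.0.4477\r\n"
    b"Cookie: MC1=V=2&GUID=CA695830BB504D399B9958473C0FF086\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    info = dvd_lookup(SAMPLE_REQUEST)
    print("tracked:", info["tracked"], "guid:", info["player_guid"],
          "toc entries:", len(info["toc_offsets"]))
    print("after strip_cookie, tracked:", dvd_lookup(strip_cookie(SAMPLE_REQUEST))["tracked"])
```

The TOC offsets come back as 32 strictly increasing integers, which is what makes them a stable fingerprint for a given pressing of the disc; the GUID is what turns that fingerprint into a per-machine viewing history. Dropping the Cookie header keeps the lookup working while removing the second half of that pair.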
Re:This is just a local CDDB mirror
Curse this Moz build... damn testing only binaries...
:)
The links:
Here's his page on the topic;
Bugtraq post
Microsoft's response. -
Technical Details
For a bunch of technical details about this, read this posting on Bugtraq.
"WMP extracted movie information from this file and then added this information to a database file, named wmplibrary_v_0_12.db, which is located on my hard disk in the directory "C:\Documents and Settings\All Users\Application Data\Microsoft\Media Index". I didn't see any method of removing movie information from this file, so it appears to me that the file keeps a complete record of all movies that have ever been watched on my computer." -
Re:Microsoft hasn't changed
Probably get modded down for this but..
This is getting out of control. Microsoft never claimed that the compiler feature would do what Cigital is blabbing about in that article. Check out the Microsoft Response or better yet go read the documentation. -
Re:interesting article on the reg
The patch does not work!!!! See here!
thanks bill.... :-( -
Re:Explanation of code
As Tom pointed out, it is amusing that this is posted now as a "worm article" instead of as an "example exploit" when we originally posted our bulletin on February 8th.
What is even more amusing is how the media, including Slashdot, seem to have misunderstood the bulletin entirely. This is not a flaw in MSN Messenger, this is a flaw in Internet Explorer - called crossdomain scripting.
Using MSN Messenger for our example was - just that, an example. We could as easily have used a .NET application and thus miscredited that Microsoft product instead.
Another amusing aspect is how people tie this together with the "privacy disclosure" vulnerability found last week in MSN Messenger. These are 2 completely different things. The "privacy disclosure" gives a malicious programmer the names (and possibly email addresses) of the user and his friends.
This vulnerability allows you to hijack the user's MSN Messenger - the application itself! This is why you can send messages through it, as you can do anything with the application that a normal end user would be able to - including, but not limited to, sending messages, emails and files and co-starting applications on the user's machine (yes, this allows you to remote control a user's entire Windows machine!).
Now, that should have cleared up a few things.
With regards to the latest "superpatch", Microsoft claims that it "eliminates all known security vulnerabilities affecting Internet Explorer 5.01, 5.5 and 6.0.".
As you can see on our vulnerability highlight page, this is not true.
It is still very much possible for a malicious programmer to read a user's local files and execute arbitrary commands - even when you are fully patched!
-
Re:Thanks slashdot
This isn't a "Thanks Slashdot" thing; you make it sound like without Slashdot this would never have seen the light of day. The thread had been going since last Thursday on vuln-dev. AP had already sniffed the story as of Friday. I know this because I was involved in the email thread, and because I was contacted by an AP reporter Friday PM. The story was coming out; just because Slashdot linked to a copy of a vuln-dev post (and not the actual archive with the thread intact) doesn't mean Slashdot broke the story.
-BlueLines -
Updated story on cnet's news.com and some links
http://news.com.com/2100-1001-835602.html
To mitigate this vulnerability OULU (the guys that found this a year ago) has some good links at http://www.ee.oulu.fi/research/ouspg/protos/testing/c06/snmpv1/
Securing SNMP on Solaris
http://ist.uwaterloo.ca/security/howto/2000-10-04/
Securing SNMP in Windows
http://www.sans.org/infosecFAQ/incident/SNMP.htm
Securing your Cisco Router when using SNMP
http://www.sans.org/infosecFAQ/netdevices/router.htm
SNMP - simple management tool for hackers?
http://www.nwfusion.com/newsletters/sec/1004sec1.html
Windows 2000, SNMP and Security
http://www.securityfocus.com/focus/microsoft/2k/snmp.html
-
Most Secure OS
You seem to be ignoring the security you get with Connectiva
[http://securityfocus.com/vulns/stats.shtml]
-
Re:What's to change
Not MSFT. You are a fool if you believe this
.NUT technology will change things for the better.
Hell, MSFT cannot fix .NET security exploits in 6 months on their own servers!
This is just another security nightmare waiting to happen. -
Simply put, this is smoke
(To nit pick, the WinInformant links to a written sound bite, not an article.)
MS really only cares about the bottom line and obviously security issues are about to bite them financially. Right now, Bill can't do much except blow smoke. The distraction is really needed right now. Especially when you consider:
That the effort to squelch bug reporting is a tacit admission that none of the products in the current development cycle are likely to be secure
Prestigious and influential groups like the National Academy of Sciences are calling for punishment of software firms that skimp on security.
MS products will be magically secure and stable after February.
They've been found guilty of illegally maintaining a monopoly and the punishment is under discussion.
Several U.S. states and some European governments and commissions are pursuing / considering their own legal action.
The MS legal counsel is stepping down
MS-Passport, their new cash cow, can't even be made secure (thus their hop to Kerberos)
Revenue from upgrades is nil, and given that Intel is not expecting to do well either, the next few quarters will be the same for MS also.
Simply put, Bill is on so many people's shit list with no easy way off. A few decades ago, IBM used to have most computing centers by the short-n-curlies, but pushed it too far and more or less disappeared. MS is in a prime position to do the same.
-
Re:Here are some figures for 2002 - open your eyes
If Microsoft weren't actively advocating non-disclosure of vulnerabilities, then sure -- I'd say it the other way around as well. The point is, RedHat seems eager to fix and disclose their own vulnerabilities (to the point of accidentally jumping the gun), and Microsoft seems eager to squelch discussion on theirs.
Given their stances, who would you trust to release advisories in a timely manner?
--Joe -
TruSecure not SecurityFocus
NTBugtraq is actually part of TruSecure, not SecurityFocus. What SecurityFocus has is a separate list called BugTraq. Very confusing...
-
Re:Perhaps you could put that on the stats page?
Regardless of anything else, using these number to declare that one thing is more secure than another is a mistake.
That sounds like another piece of advice that should be on the stats page, not buried in a slashdot comment. Its unfortunate that someone misinterprets your statistics and publishes a misleading article every 6 months, but I can't help but wonder why you don't take proactive steps to help people understand the meaning of your web page.
He does put it on the stats page. From the page:
The numbers presented below should not be considered a metric by which an accurate comparison of the vulnerability of one operating system versus another can be made.
(Emphasis is in the original.)
In all fairness, it might have been added in response to your comment. After a hasty glance through the page source, I didn't see any sort of timestamp. But I seem to remember that disclaimer always being on the page (though it had been a while since I last visited--back before the site migration).
-
Yes True
I can't connect to WinInformant, but if you look at the numbers available at SecurityFocus, you'll see that they did not simply add up the numbers. Linux is listed with 96 aggregated vulnerabilities for 2001, while e.g. Red Hat has 54, Debian got 28, and Mandrake got 36. There are more Linux distributions listed, but these numbers alone show that your claim is wrong (unless WinInformant has different numbers).
I thought that too after looking at the SecurityFocus numbers, but then I figured it out. Scroll down the page a bit to the "Top Vulnerable Packages 2001 Packages", and there you'll see the numbers that the article references -- "MandrakeSoft Linux Mandrake 7.2: 33", "RedHat Linux 7.0: 28", etc. -
Re:This, of course, will be ignored and ridiculed
Open source hasn't proven more secure than closed, as the theory about "given enough eyes all bugs are shallow" says.
you should always include a link so it shows you're not making shit up. -
Re:Unfair comparison, uninformed journalist.
What I read was the original article before it went down by /.
So worry for the thing on Win9x/3.x + WinNT/2000.
So they are talking of Server OSes. So Win9x/3.x do not account as such.
What you say is that, of course, they do not include duplicates of the same vulnerability. But then there's no such program as rsync-2.07-3.i386.rpm on Debian 2.2. Can you see it?
Also, why is the number of bugs for Red Hat Linux 6.2 on Alpha and Sparc so strangely coincidental? See:
For 2001, we see:
RedHat Linux 6.2 sparc - 18
RedHat Linux 6.2 alpha - 18
Debian Linux 2.2 sparc - 18
Debian Linux 2.2 arm - 18
Debian Linux 2.2 alpha - 18
Debian Linux 2.2 68k - 18
Coincidental? See it yourselves at SecurityFocus WebSite
Maybe it is a cross-architecture bug? Will this mean that, in fact, it is the same bug?
Then the numbers for Mandrake, Red Hat and Debian are waaay too similar (2001) to be just a coincidence (Mandrake 7.1, Red Hat 7.0 and Debian 2.2 can be thought as "equal distributions" by means of timeline, packets versions and such):
RedHat Linux 7.0 - 28
MandrakeSoft Linux Mandrake 7.1 - 27
Debian Linux 2.2 - 26
Then, on 2001, we can assume that Red Hat 6.2, Mandrake 6.0 and 6.1 have the same package versions :
RedHat Linux 6.2 i386 - 20
MandrakeSoft Linux Mandrake 6.1 - 20
MandrakeSoft Linux Mandrake 6.0 - 20
And those numbers are also very very close to the ones for Red Hat Linux 6.2 on different architectures.
Maybe, just maybe... they are the same bugs?
Then, on previous years, the trend is the same.
With all due respect, I am not FUDing here. I post my comments on some piece of news that was flawed.
And I tried to explain why it was flawed. And I was very careful not to blame conspiracy theories.
Then, again, I'm human. And I make mistakes. Like the Win0x/3.x and Win2000/NT of my previous post.
But this does not invalidate at all my message. -
Data shows Windows pretty bad
Take another look at the data referenced by the article! It actually shows that Windows 2000 was one of the worst as far as security goes. The Linux aggregate score does not resemble any of the individual Linux distros mentioned. What I would like to know is, how did the author ever draw the conclusion that Windows 2k was more secure? And what was the point of comparing the score of an OS with an aggregate score? That makes no sense either!
-
Hmmm....
Maybe since they are reporting that Windows is more secure.
SecurityFocusdotcom is now switching over from Linux to XP. -
Linux as a whole, or just MY Linux?
The SecurityFocus charts seem to say that in the last several years, WinNT/2K has had 2/3 to 3/4 the vulnerabilities of Linux -- all Linuxes combined, that is.
When you break it down, however, Windows has been about equal to Red Hat and well above all the other Linuxes and Unixes in the chart.
As a willing participant in the capitalist scheme, I don't care how secure everyone else's servers are -- just the one securing my stuff. The only thing this chart tells me is that if I want a secure server OS out of the box, I should start with Mandrake or Debian instead of Red Hat or Windows.
-
Re:ARTICLE IS FALSE
Quite right.
In fact, this stuff has been known about for quite some time now. A quick search of Bugtraq came up with this message. It basically says that Fasttrack based clients have a built-in http server. Big deal.
This sounds more like a misconfiguration issue in the sense that people may be sharing entire harddrives. But until this is discussed and verified in some sort of forum like Bugtraq I wouldn't believe it.
-
Re:Not just coding...PR in February, too.
The story says that there are more BugTraq entries for Linux than Windows 2000. QED.
Yeah, and likewise, according to the full stats, there were three times as many NT/2000 bugs as Win98/95/3.1 bugs. Thus, Windows 3.1 is three times more secure than Windows 2000!
The reality, of course, is that we don't know what they mean by "Linux (aggr)". They have separate lists for SUSE, RedHat, Debian, etc. Only RedHat had more vulnerabilities than Windows 2000. Even then, "RedHat" means the entire distro. That means that they're counting far more software (i.e. three different ftp servers) than for Windows 2000.
So in summary, if you don't tell the whole truth, you can support just about any claim... :)
-
Additional articles
-
Be Afraid. Be Very Afraid.
I mean, Microsoft already has fewer vulnerabilities than Linux distributions (securityfocus, wininformant). If they actually go and clean up their code and get this new initiative working as well as their "take over the Office software market" or "take over the browser market" initiatives, in a year or two Linux people are going to have to be on the defensive about their own less stable and secure operating system...
-
Re:Funny, but let's try to fix this
What's the best way for genuine, qualified, informed candidates to distinguish themselves from this rabble?
Hack Slashdot, then brag about it.
-
Schneier & Shostack are right
In their article, they say that trustworthiness is something earned. That's right. Microsoft's past security breaches and spyware have caused me to totally lose faith in the company. As a result, I am now a Mac OS X fan. (Well, that and the fact that OS X is for now the best desktop Unix around.)
Microsoft will have to drop its spyware and its insane licensing policies before I will try Windows again. Microsoft will have to drop the Globally Unique Identifier before I will use Windows Media Player.
In short, this is a good move for MS, but for me it is too little, too late. I have switched to Mac OS X and will never go back to Windows.
-
SecurityFocus / ARIS
Check out SecurityFocus, particularly the ARIS. You can set up a cron job to submit snort reports. This is exactly the thing you're talking about, and it's been around for a while. Why don't people use it? Because it costs money (to subscribe -- submitting reports is free), because they don't know how, because they don't care...
-
McOwen Was Warned
McOwen was warned several times by his superiors about running the client:
Financial Motive Alleged
Willard says that McOwen was singled out for prosecution partly because he had ignored his supervisor's warnings. "In this case, Mr. McOwen was expressively prohibited by his superiors from downloading these programs and was informed on many occasions by his supervisors to stop downloading programs," said Willard. "They were aware that he was doing it and he had gone in and cleaned it up on numerous occasions." Joyner insists McOwen received no such warning.
Prosecutors also claim that McOwen had a financial motive for volunteering the school's machines. McOwen was a top producer on distributed.net for "Team AnandTech," a group sponsored by a hardware forum site which is still the second ranking contributor to the RC5 research project. A $1,000 prize goes to the individual contributor who recovers the RC5 encryption key. "McOwen placed a program on computers, that in his estimation would benefit him personally, including computers that has sensitive student financial and identity information without authorization," says Willard. "There is concern about the program itself compromising or providing the basis to compromise sensitive personal or financial information, there is the matter of Mr. McOwen's unauthorized activities on this computer, and finally there is the point that there was misappropriation of state property."
He was warned several times, and the software had repeatedly been uninstalled. This isn't the only article I've read that discussed this fact. I may not agree with the charge or the penalty, but he should have been fired for ignoring his supervisors' continued requests.
-
Aren't you worried about security updates?
I wonder about people who are posting all these long uptimes and outdated kernels. There were serious security bugs in all Linux kernels before 2.2.19. You can read a little about it here.
It's been discussed on slashdot before, too. Don't you guys worry about these kinds of things? It's one thing to avoid upgrading, but it's another to brag about it in a public forum.
-Mike
-
Re:Improvements
Crap? What about these bugs in kernel 2.2.x, x<=19 and 2.4.y, y<=9 that allow local Denial-of-Service and to gain root privileges locally.
Sorry to say this, but you're running a kernel that has known security problems. And I was talking about the 2.0.x, that had DoS problems till the 2.0.35.
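The two comments above both come down to one check: is the kernel you are bragging about older than the patch level where the known local DoS and root bugs were fixed? The script below is an added example, not code from the page or from SecurityFocus. It encodes only the ranges the later comment states explicitly (2.2.x with x<=19 and 2.4.y with y<=9, so 2.2.20 and 2.4.10 are treated as the first fixed releases); the 2.0.x remark is left out because "till the 2.0.35" does not say whether 2.0.35 itself is affected. The release strings in the demo are constructed, and a distro suffix such as "-22" or "-ac10" is ignored for the comparison. It also handles the usual mistake of comparing versions as strings, which would put 2.2.9 after 2.2.19.

```python
"""Compare a Linux `uname -r` string against the kernel ranges the comments
above call vulnerable to local DoS / local root bugs.

Added example for this page; thresholds come from the comment text, the
sample release strings are constructed, not taken from real hosts.
"""
import platform
import re
from typing import Optional, Tuple

# (major, minor) -> first patch level the comment treats as fixed.
# Derived directly from "2.2.x, x<=19" and "2.4.y, y<=9" in the comment.
FIRST_FIXED = {
    (2, 2): 20,
    (2, 4): 10,
}

# Three dotted integers at the start; anything after (e.g. "-22", "-ac10",
# "smp") is distro or patchset decoration and does not affect the check.
_RELEASE_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_release(release: str) -> Optional[Tuple[int, int, int]]:
    """Turn '2.2.16-22' or '2.4.9-ac10' into (major, minor, patch).
    Returns None when the string does not begin with three dotted integers."""
    m = _RELEASE_RE.match(release.strip())
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def kernel_is_vulnerable(release: str) -> Optional[bool]:
    """True if the release falls in a range the comments call vulnerable,
    False if it is at or past the first fixed patch level or in a series the
    table does not cover, None if the string could not be parsed.
    The comparison is numeric, so 2.2.9 is correctly older than 2.2.19."""
    parsed = parse_release(release)
    if parsed is None:
        return None
    major, minor, patch = parsed
    fixed = FIRST_FIXED.get((major, minor))
    if fixed is None:
        return False
    return patch < fixed


def check_running_kernel() -> str:
    """Report on the kernel this script is running on. On a non-Linux host
    platform.release() will not look like a Linux 2.x release and the
    result is reported as skipped rather than guessed."""
    release = platform.release()
    verdict = kernel_is_vulnerable(release)
    if verdict is None:
        return f"{release}: not a dotted Linux release string, skipped"
    if verdict:
        return f"{release}: in a range with known local DoS/root bugs, upgrade"
    return f"{release}: not in a flagged range"


if __name__ == "__main__":
    # Constructed sample release strings covering both sides of each threshold.
    for sample in ["2.2.16-22", "2.2.19", "2.2.20", "2.4.9-ac10",
                   "2.4.10", "2.0.36", "5.15.0-generic", "unknown"]:
        print(f"{sample:16} -> {kernel_is_vulnerable(sample)}")
    print(check_running_kernel())
```

Run it as an unprivileged user on the box in question; it only reads the release string, so it is safe to drop into a cron job or a login script that nags when the result is "upgrade". The table is deliberately limited to what the comments assert, so extend FIRST_FIXED from the relevant advisory rather than from memory.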