Domain: us-cert.gov
Stories and comments across the archive that link to us-cert.gov.
Comments · 231
-
Re:"King Billy" - Killing them with kindness!
"Personally I welcome *any* linux testing by windows, just take a look at the mindcraft fiasco! It was an unfair test, got a lot of attention and showed linux devs a problem that would have otherwise taken a lot longer to surface. If Microsoft wants to spend its money helping linux devs then I say go for it." - by Anonymous Coward on Sunday January 08, @01:55PM
Then 'go for it' I shall, & from a governmental agency for it, ok? Here, take a read from an ABSOLUTELY current test, this year, where Windows OS & software were found to have fewer bugs in them than Unix/Linux/MacOS X (all Unix derivatives/knockoffs) vs. all the types of Win32 OS (in fact, iirc, not just NT-based ones but also older no longer supported 9x models (could be wrong here though) but also the software that runs on them):
http://www.us-cert.gov/cas/bulletins/SB2005.html
That said, since you Linux/Unix fiends ALWAYS resort to that OLD test?
That's a NEW test, run & reported on only days ago here @ slashdot in fact!
That test & its results (results from the year 2005) shows how many MORE vulnerabilities were found on Linux, MacOS X, & UNIX (all Unix type OS variants (even BSD knockoffs which MacOS X largely is in its core kernel) vs. Windows 32-bit OS + softwares) this year!
So, argue with those numbers, current 2005 year end ones!
That's since you demanded (the oldest trick in the book 'show me the latest tests' I see network engineers/admins always try to pull, lol) it... easy enough to dispel & disprove, as usual, for anyone who stays current that is.
* :)
"However, have you looked at 99% of the "studies" done by (or for) Microsoft? Most (all?) of them *are* actually marketing ploys and *are* unfair. Then again, I see a lot of Linux fans doing their own tests which are generally as unfair as Microsofts." - - by Anonymous Coward on Sunday January 08, @01:55PM
LOL, read the above, & tell me different, ok? That's US-CERT Cyber Security that showed those results & Microsoft does NOT 'sponsor' those tests...
(NOT EVEN A NICE TRY, crybaby Linux penguin - this evidence shows you're full of it period!)
LOL, your "mindcraft evidence" (even though MS OS' trashed Linux there as well) isn't current @ all...
Ah, yet again - more FUD attempts by the Linux penguins (ON your part as per usual).
LOL, this response from you, vs. those US-CERT findings I posted? I have to see... ought to be good for a laugh & 1/2!
APK
P.S.=> Above all, on this last note of yours I will quote:
"PS: Go learn some punctuation! Please, I hate punctuation/grammar nazis but some of your mistakes are really bad." - by Anonymous Coward on Sunday January 08, @01:55PM
If you can't read & understand someone's writing via the context in which it's used?? You've got the problem dyslexia man... or, is it a customer service rep replying here or some tech-support drone computer expert wanna-be noob rookie in your reply??
Well, I've got 2 points to make on it (in addition to your poor understanding of the English language since you can't understand someone's meaning via the context in which the terms in it are used, lol):
1.) Go learn to get CURRENT information & tests, ok? Especially since you asked that of myself & used 'mindcraft tests' the cry of the defeated Linux penguins as per usual...
&
2.) Care to prove to me that you have a PhD in English??
(Didn't think you had that degree... lol!)
Go back to your customer service or English teacher wanna-be role in life, ok?
AND, get some current facts, before you try to take me out with the "usual" (F.U.D. & b.s. from the penguins crew)... lol! apk -
Re:Skewed? Oh yeah...
If you had looked at the report you would see there are non-MS products lumped in as Windows vuls (with Firefox being one of them).
There are also more than 5 or 6 versions of Windows. There were probably 6 versions of Windows 2000 alone counting the server lineup. They lumped in Linux/UNIX, but the total figure for it was also about 3 times higher (812 vs 2328) than the figure for Windows.
Also, while I am at it, I did a grep -i | wc -l for "Firefox" and "Internet Explorer" and found that there were 150 vuls listed for Firefox and only 50 listed for IE.
-
Re:FALSE.
The summaries in the article, and the one it links, are more messed than not.
One alert that lists six different vulnerabilities for Windows:
http://www.us-cert.gov/cas/techalerts/TA05-229A.html
Another alert that lists two (or three) different vulnerabilities:
http://www.us-cert.gov/cas/techalerts/TA05-180A.html
An alert that only summarizes previous vulnerabilities, but lists no new ones:
http://www.us-cert.gov/cas/techalerts/TA05-102A.html
An alert that covers a product for three operating systems, and includes Linux by name:
http://www.us-cert.gov/cas/techalerts/TA05-224A.html
Counting alerts as a measure of vulnerabilities in operating systems is illegitimate since there is no fixed relationship between the two. -
CERT contact page
have at it
http://www.us-cert.gov/contact.html -
Downright Disingenuous
The act of contrasting the vulnerabilities found in the few Windows operating systems with the vulnerabilities found in hundreds of Linux/Unix is bad enough, but when you consider that the Unix/Linux list contains duplicate items, it becomes positively shameful.
From the Groklaw article: Second, the Unix/Linux list duplicates items, counting a vulnerability more than once in the list. For an example, note that it lists Eric Raymond Fetchmail POP3 Client Buffer Overflow (Updated). However, the same vulnerability is listed, under the same title, four times. That's because it was reported in the week of August 10-15, again in the week of August 17-23, in September 6-13, and the week of November 9-16. Worse, for any comparison purposes, the same vulnerability is also reported as Fetchmail POP3 Client Buffer Overflow, so in reality one vulnerability is listed 5 times, making the total of 2328 meaningless unless you carefully comb through it to weed out duplications.
I honestly expected better from the CERT folks. I don't know why, but I really did. -
Re:Suuuuure
"..but having a list of 500 simple buffer overflows in rarely used games.."
You should look at the list. http://www.us-cert.gov/cas/bulletins/SB2005.html Hardly any are "rarely used games", unless "Multiple Vendors Linux Kernel Asynchronous Input/Output Local Denial Of Service" is the latest FPS...
-
Re:Suuuuure
All the bugs I find and report which result in Advisories are as a result of source code auditing.
It looks like I made the CERT list a couple of times, e.g. uw-imapproxy.
But these bugs are trivial things in applications which are either "extra", or not typically installed.
Fixing bugs in programs is important, but having a list of 500 simple buffer overflows in rarely used games (for example) on Linux says nothing about the relative security of Linux vs. Windows.
The worlds are too different; comparing every application included in Debian, say, against Windows would only make sense if you installed every single shareware/freeware/optional piece of software on the Windows machine, and that clearly isn't a real-world scenario.
-
Meaningless numbers
These aggregate numbers are meaningless. That being said, US-CERT made pretty clear that this was simply a list of reported vulnerabilities, not any sort of analysis, so I blame the news sites for taking the meaningless numbers and trying to create a news story that will get Windows and Linux/UNIX/MacOS X fans all excited to read and post (and generate ad revenue).
Why do I say that the aggregate numbers are meaningless?
1) They count "updates" to vulnerability reports as vulnerabilities, so there are many vulnerabilities that appear to be counted 5-10 times in the "UNIX" list, and 2 times in the "Windows" list. My guess is that these "updates" are individual OS reports, meaning that a single vulnerability in a cross-platform application would be reported as 2 Windows vulnerabilities and 10 UNIX vulnerabilities. CERT should break out each OS into its own counts in order to correct for this. Eliminating duplicate reports isn't good enough, because there are many OS-specific reports, and it doesn't make much sense to count vulnerabilities specific to Solaris AND Mac OS X AND Linux AND HPUX etc., in a single number, since you run only one OS at a time. :-)
2) They count reports of multiple vulnerabilities as a single vulnerability, which means that OSes that release fewer updates, each of which patches multiple vulnerabilities (e.g. Apple, Microsoft), are counted as having far fewer vulnerabilities than OSes that release a specific patch for each vulnerability. Strangely, this punishes OS vendors that rapidly address and release patches for vulnerabilities, and rewards vendors that are less responsive. CERT should count a single announcement that covers multiple vulnerabilities as if each vulnerability were reported individually.
3) They include third-party application vulnerabilities in the counts, and the number of those reports dwarfs the number of actual OS vulnerabilities (90-95% of the vulnerabilities listed aren't in the OSes). CERT should separate bugs in the OSes from optional third-party application bugs. Many of the vulnerabilities are in extremely obscure applications, and while users of those applications might want to know about these issues, it's hardly a reflection on the OS' security if there's a 'Wojtek Kaniewski EKG Insecure Temporary File Creation & SQL Injection' in some project's "contrib" directory, which is hardly comparable to 'Sun Solaris ARP Handling Remote Denial of Service' or 'Microsoft DirectX DirectShow Arbitrary Code Execution'.
4) Their OS coverage is quite spotty. For example, if an application runs on all OS's (e.g. Mozilla, bzip) and has a vulnerability that applies to all OS's, sometimes they're reported only for Windows, sometimes only for UNIX, sometimes for both, sometimes with many repetitions and sometimes only once. While this would require CERT to do some analysis (i.e. actually read the reports), they should consistently recognize cross-OS issues and remove them from the OS-specific lists and report them in the multiple operating system list.
Since each of these issues appears to introduce error rates that are an order of magnitude larger than the useful data, there's no meaningful data left.
Of course, people have pointed these problems out about these CERT reports for many years. Still, since we have these same pointless discussions every year, CERT should make some basic changes to make these reports somewhat meaningful. Their previous year's list (http://www.us-cert.gov/cas/bulletins/SB2004.html) was more useful, because it at least made clear which issues were high risk, and which application or OS each vulnerability was associated with, and it avoided the misleading totals. Let's hope that next year they at least go back to the 2004 report format, even if they don't bother to do any meaningful analysis. -
who decides what problem is low or high profile ?
I mean c'mon, like this one:
Windows:
A Denial of Service vulnerability exists in the parsing of ANI files. A remote user can cause the target user's system to hang or crash. A remote user can create a specially crafted Windows animated cursor file (ANI file) that, when loaded by the target user, will cause the target system to crash. The malicious file can be loaded via HTML, for example.
Risk: LOW
link
Its also easy to notice that most of the unix/linux (say, why not throw a few others in that bunch as well, huh ?) are marked as high risk.
Is there any file format that you can't infect or use to otherwise totally break/hang the system on windows?
TXT files don't count. -
Propaganda
What I would love to see is really a detailed classification. Windows versions, Linux versions, Unix versions, etc. Is it fair to throw in Gentoo and Debian in the same category? Can the same exploit be counted twice then because it's in a library both use?
From what I have seen, the Unix/Linux list contains security pertaining to:
Together with AIX, HP-UX, KDE, Mozilla, and a whole bunch of others.
Tell me, what is the point of this list if it shoves AIX, HP-UX, OS X, Solaris and a number of variants of Linux together? Just this short list contains 4+ operating systems developed by separate companies. Not to mention all the applications as well.
-
"OS Vulnerability" vs "Application Vulnerability"
There is more than one problem here, but something which must not be ignored is that a large number of the listed 'vulnerabilities' are very application-specific.
Want one example? The CM Cyrus IMAP server sure as heck isn't installed on my Mac OS X system, and I doubt I'd ever install it. I don't think I'd install it on my Linux box, either. If I did install it, and there was a bug in it, I sure as hell wouldn't consider that bug an "OS" problem, would you ?
And I'd be willing to make the same distinction for Microsoft, as well, at least so long as the application error isn't in a default-installed DLL or in an always-installed application, like... oh, Internet Explorer, for example. I'm not so sure I should fault Windows because the Eternal Lines web server has some sort of issue. There's the OS, then there are the apps that run on top of the OS.
So really, the counting and analysis are so broken that it's hard to even discuss. Call me back when individual distros and specific OS kernel builds are broken out into separate counts. Call me back when non-default-installed or at least not-commonly-used applications are broken out (i.e. I'll give you web servers and browsers normally used with any platform as part of the OS), but I don't think Linux in general is less secure because Joe's Custom Server has a bug in it. I'd like to see some *useful* summary of this information, please...
-
Pretty Damn Good!
I think 3-1 is pretty damn good when you consider that the "Unix/Linux" category contains more than 5 Operating Systems!
Just breezing through the list I see:
- Linux
- HP-UX
- AIX
- OSX
- SCO OpenServer and UnixWare
- Solaris
And I'd imagine there are probably more. I'd take those odds over Windows any day.
-
the thing about the list....
If you read the actual list, a lot of the vulnerabilities are listed multiple times with an (updated) notation. So the 2,328 number isn't exactly "correct".
-
Re:That's It??
Linux is only a kernel. I would be interested to see a comparison between the number and severity of security flaws found in Linux compared to the number found in the NT kernel.
It is hard to get real information, even the recent CERT report:
http://www.us-cert.gov/cas/bulletins/SB2005.html
Lumps not only OS Vulnerabilities, but every vulnerability from every piece of software that runs on the OS. So if Joe Blow Developer at IceWarp for example writes insecure crap code it gets listed as a 'Windows' Vulnerability.
Even if you parse these lists, there is no distinction between kernel and non-kernel vulnerabilities.
At the very least lists like this should be by platform, then organization for products they produce, and not lump everything into what OS the software runs on.
Also note that they list 'updates' and not vulnerabilities, for example a single 'vulnerability' for OSX is:
Apple Mac OS X Multiple Vulnerabilities
And if you click on the detail, you find that it was not a single vulnerability but a single 'update' that addressed 50 vulnerabilities.
So if you extrapolated out all the OS level listings from the CERT list, you would find that a single Patch on one line for like Windows addressing one vulnerability is considered to be equal to a Patch for OSX that addressed 20 vulnerabilities.
And yet people try to take a report like this and say *nix is more secure or OSX is more secure or Windows is more secure, when in fact this list is nothing but crap data that is poorly assembled.
I think every OS vendor should do an honest year end report that has to be submitted, and detail, OS, OS Kernel, OS Layers, OS bundled applications, etc...
Security reporting drives me about as nuts as security issues themselves. -
Re:Axe Grinding
Anyone else got a favorite way of producing misleading bug scores?
How about claiming the counts massively inflate Linux bugs by duplicating distributions, when in fact the actual list does nothing of the sort. Scroll down to the Linux section, and notice how nearly all have "multiple vendors", when the bug impacts multiple distributions.
As someone pointed out earlier, the updates were counted though, which does inflate the Linux sum quite a bit.
-
Without dupes:
Just try this:
#!/bin/bash
# Count the entries in each section of the US-CERT SB2005 summary and
# collapse identical lines (the same title listed several times) to one
# count each.
lynx --dump http://www.us-cert.gov/cas/bulletins/SB2005.html > stats.tmp

# Reads one section on stdin. lynx renders each bulletin entry as a bullet
# "* [n] Title" (nested lists use "+"); keep only those lines, drop the [n]
# link index, then count distinct titles. The sort matters: uniq only
# merges duplicates that are adjacent, so without it a title repeated in
# different weeks would still be counted separately.
count_titles() {
    sed -r -e 's/^[ \t]+//' \
           -e '/^[*+] \[[0-9]+\]/!d' \
           -e 's/\[[0-9]+\] *//' \
    | sort | uniq -c \
    | awk '{ distinct++ ; entries += $1 ; print }
           END { printf "\n Distinct titles : %d\n Listed entries  : %d\n Distinct/listed : %.2f\n\n",
                        distinct, entries, (entries ? distinct / entries : 0) }'
}

{
echo "Windows"
sed -n '/ \* Windows Operating Systems/,/Unix\/ Linux Operating Systems/p' stats.tmp | count_titles
echo "Linux/Unix"
sed -n '/Unix\/ Linux Operating Systems/,/Multiple Operating Systems/p' stats.tmp | count_titles
echo "Any"
sed -n '/Multiple Operating Systems/,$p' stats.tmp | count_titles
} | more -
Original Article from us-cert
http://www.us-cert.gov/cas/bulletins/SB2005.html
Summary does not even bother to link the original article! -
Axe Grinding
Brian Krebs is clearly either extremely stupid, or has an axe to grind. If you look at the CERT Cyber Security Bulletin 2005 Summary, you can see that many of the lines in it end in "(Updated)". A simple count of lines gives the results that Brian quotes; however, there are far more "(Updated)" entries in the Unix/ Linux Operating Systems section. Removing these lines gives the following results:

              including     excluding
              "(Updated)"   "(Updated)"
Windows            813           671
U/L               2328           891
Multiple          2057          1512

(sorry about the spacing - can't find any way of doing it)
greatly reducing the proportion of Unix/Linux vulnerabilities
-
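The de-duplication that the "Meaningless numbers" and "Axe Grinding" posts above argue about can be made concrete. What follows is an added example, not code from this thread, from US-CERT or from any poster: it re-counts a bulletin dump in the layout the thread's shell script keys on (section headings followed by "* [n] Title" bullets) three ways: raw lines, lines left after dropping those marked "(Updated)" (the Axe Grinding method), and distinct titles after stripping that marker. The bulletin lines are constructed and the product names are placeholders, not real SB2005 entries. It also covers the case where the two de-duplication methods disagree: an entry whose only appearance in the year is an "(Updated)" re-listing of an older report vanishes under the first method but is kept once by the second.

```python
"""Re-count a US-CERT style yearly bulletin summary three ways.

Added example for this thread; not code from US-CERT or from any poster.
SAMPLE is constructed to mimic lynx's dump of SB2005 (section headings
followed by "* [n] Title" bullets); its titles are placeholders.
"""
import re
from collections import Counter

# Section headings exactly as the thread's shell script matches them.
SECTIONS = (
    "Windows Operating Systems",
    "Unix/ Linux Operating Systems",
    "Multiple Operating Systems",
)
SECTION_RE = re.compile(
    r"^\s*(?:[*+]\s+)?(" + "|".join(re.escape(s) for s in SECTIONS) + r")\s*$"
)
# lynx renders each entry as "* [n] Title"; nested lists use "+".
ENTRY_RE = re.compile(r"^\s*[*+]\s+\[\d+\]\s+(\S.*?)\s*$")
UPDATED_RE = re.compile(r"\s*\(Updated\)\s*$", re.IGNORECASE)

# Constructed sample, not real SB2005 entries. "Vendor E" appears only as
# an (Updated) re-listing, the case where the two de-dup methods differ.
SAMPLE = """\
 * Windows Operating Systems
   + [1] Vendor A Browser Remote Code Execution
   + [2] Vendor A Browser Remote Code Execution (Updated)
   + [3] Vendor B Media Player Multiple Vulnerabilities
   + [4] Vendor E Service Privilege Escalation (Updated)
 * Unix/ Linux Operating Systems
   + [5] Multiple Vendors Mail Client Buffer Overflow
   + [6] Multiple Vendors Mail Client Buffer Overflow (Updated)
   + [7] Multiple Vendors Mail Client Buffer Overflow (Updated)
   + [8] Multiple Vendors Mail Client Buffer Overflow (Updated)
   + [9] Vendor C Kernel Local Denial of Service
 * Multiple Operating Systems
   + [10] Vendor D Archiver Directory Traversal
   + [11] Vendor D Archiver Directory Traversal (Updated)
"""


def normalise(title: str) -> str:
    """Canonical key for an entry: drop the "(Updated)" marker, collapse spaces."""
    return " ".join(UPDATED_RE.sub("", title).split())


def parse_sections(text: str) -> dict:
    """Map each section heading to the entry titles listed under it, in order."""
    sections: dict = {}
    current = None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
            continue
        m = ENTRY_RE.match(line)
        if m and current is not None:
            sections[current].append(m.group(1))
    return sections


def count_section(titles: list) -> dict:
    """Three counts for one section.

    raw:               every listed line (the figure the news stories quoted)
    excluding_updated: drop lines marked "(Updated)"; this also drops an
                       entry whose only listing this year is an update
    distinct:          one per normalised title, which keeps that entry once
    """
    return {
        "raw": len(titles),
        "excluding_updated": sum(1 for t in titles if not UPDATED_RE.search(t)),
        "distinct": len(Counter(normalise(t) for t in titles)),
    }


def recount(text: str) -> dict:
    """Per-section counts for a whole bulletin dump."""
    return {name: count_section(titles) for name, titles in parse_sections(text).items()}


if __name__ == "__main__":
    for name, c in recount(SAMPLE).items():
        print(f"{name:30s} raw={c['raw']:3d}  excl.(Updated)={c['excluding_updated']:3d}"
              f"  distinct={c['distinct']:3d}")
```

Neither corrected figure is a vulnerability count: a line such as "Vendor B Media Player Multiple Vulnerabilities" still counts once however many CVEs the underlying advisory covers, which is the second of the four objections in "Meaningless numbers" and cannot be fixed from the summary page alone.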
Re:Not to worry
very interesting -- according to the http://www.us-cert.gov/ (Readiness, not Response) web site, the problem was pointed out to them by the good people at http://www.blackboxvoting.org/ -- has this not been discussed already on /. -- is that possible? -
Re:It's all about "cute" data structures
"Buffer overflows are only a problem when the buffer exists on the stack. In the heap, buffer overflows will result in a crash, or possibly undefined behavior."
There are plenty of buffer overflows in the heap that lead to exploits:
A quick Google search for "heap overflow vulnerability" returns 475,000 hits.
"But on the modern PC, it would be impossible to use a buffer overflow in the heap to reliably execute arbitrary code, unless the coder in question was doing something really, really stupid (like executing code from an arbitrary instruction buffer in their structure, which you conveniently just overwrote)."
Breaking news: there are plenty of really, really stupid coders! You might want to revise your advice. Buffer overflows in the heap are definitely possible and many times exploitable.
-
Re:Not if
"So the dog has spoken, at the end of the day the question remains, who the hell fracking cares?"
Corporations, as mentioned in the article. For the reasons given in the article, which sound valid enough to me. Duh. Example of what the authors were talking about, from US CERT Current Activities (http://www.us-cert.gov/current/) though page content may change by the time anyone wants to visit it:
-----
Multiple Vulnerabilities in Skype
added October 26, 2005
US-CERT is aware of several buffer overflow vulnerabilities in Skype that may allow a remote attacker to execute arbitrary code.
The most critical of these issues can be exploited by sending a specially crafted packet to a vulnerable Skype installation. More information about this vulnerability can be found in the following US-CERT Vulnerability Note:
VU#905177 - Skype vulnerable to heap-based buffer overflow
The other two vulnerabilities can be exploited by accessing a specially crafted VCARD or Skype URI. More information about these vulnerabilities can be found in the following US-CERT Vulnerability Notes:
VU#668193 - Skype VCARD handling routine contains a buffer overflow
VU#930345 - Skype URI handling routine contains a buffer overflow
Skype has released the following Security Bulletins to address these vulnerabilities:
SKYPE-SB/2005-003 to address VU#905177
SKYPE-SB/2005-002 to address VU#668193 and VU#930345
US-CERT encourages Skype users to upgrade to the latest fixed version of Skype as soon as possible.
-----
I take it you have limited experience in a corporate network environment? -
Re:Dept of Homeland Security?
-
Required reading
This is the first time I've been to the US-CERT website, so please forgive my enthusiasm.
This document on viruses should be required reading for anyone who uses a computer.
http://www.us-cert.gov/reading_room/virus.html
Most common malware can be stopped with the same virus-avoidance techniques listed in this brief document.
As for this initiative, it's not explained very well, that's for sure. It seems like a simple naming convention for viruses as well as a central location for all virus information. I'm not big on the government taking away such a role from private industry, but with the threat of viruses affecting everyone, it makes sense that the government provide a baseline starting point for all antivirus companies to start from. It is not in the best interest of the public to have a single private company hoard virus information. -
What Does it Take to Be "High" Risk?
US-CERT, the Federal "Computer Emergency Readiness Team" (cybersecurity) announced right before last November's elections (2004) a backdoor in Diebold's central tabulators:
"Diebold GEMS Central Tabulator Vote Database Vote Modification
A vulnerability exists due to an undocumented backdoor account, which could allow a local or remote authenticated malicious user to modify votes."
Because they said "we are not aware of any exploits for this vulnerability", they rated the risk only "medium". Of course, when the machines were actually used live in November, it finally got a real world test, and no one knows (who's telling, anyway) whether any exploits "became known". There were, however, many opportunities, especially in Ohio, where thousands of people were cheated from voting by various techniques. And who would ever know if the "popular vote" was pumped up in states where the outcome was as expected, but not the expected margin? -
Rubbish
Look at what's actually happening, from http://www.us-cert.gov/cas/bulletins/SB05-194.html#trends ; Top Ten Virus Threats: All Win32 Worms. Pick any security site, and look at the top 10 threats. Then tell me which OS is the most secure. We can argue all day about the reasons, the facts speak for themselves. -
Re:Is anyone else scared?
Department of Homeland Security appointments in the computer security area are disappointing. Amit Yoran, head of the "National Cyber Security Division" at DHS, quit in disgust. He was replaced by a lawyer and TV producer. The "National Cyber Security Division" seems to have been pushed down to a lower level of the DHS bureaucracy.
-
Re:Wow. You'd think they'd get all these
"It's crap like this that makes me wonder at the possibility of Apple eating Microsoft's lunch on the OS front."
That's interesting considering that Mac OSX also has security updates released regularly.
http://www.us-cert.gov/cas/techalerts/TA05-136A.html
US-CERT, 2005-05-16: "Apple Mac OS X is affected by multiple vulnerabilities" describes the ten vulnerabilities addressed in Apple's most recent security update for Panther (Apple Security Update 2005-005, released last month http://docs.info.apple.com/article.html?artnum=301528). The flaws include a healthy number of buffer overflows and integer overflows. -
Before you gloat too much...Slashdot seemed to have missed this doozy from less than a month ago.
-
Re:OS-X?
Bah, it's not just Windows. Mac OS X version 10.3.9 (Panther) and Mac OS X Server version 10.3.9 have holes too:
http://www.us-cert.gov/cas/techalerts/TA05-136A.html
Of course, there are many many more Windows machines that can be infected, and maybe those OSX machines can't be used this way, but... -
Re:Rephrasing
Is it even theoretically possible to embed computer code in a JPEG file and execute it through the viewer? No, this is not even theoretically possible.
I must have dreamed then when this came up.
Thanks for clearing that up Mr. Troll Coward, Sir. -
US-CERT agrees with Symantec
I see many here attacking Symantec, but if you read the article, US-CERT is also cited as a source questioning the "Firefox is more secure" mantra.
"US-CERT (United States Computer Emergency Readiness Team), a partnership between the Department of Homeland Security and the public and private sectors, impartially tracks all manner of security issues in operating systems and major applications, such as browsers. US-CERT issues a bulletin every week, outlining the current crop of problem areas. You can access all past and current bulletins here; I urge you to take a moment, click on over to their site, open several bulletins at random, and scroll down the page. In most cases in the more recent issues, you'll see the list of IE's vulnerabilities is shorter than those for Firefox, Mozilla, and the other alternate browsers. Likewise, with the more recent bulletins, you'll also see the list of Windows' vulnerabilities is actually much shorter than that for the other operating systems, even though Windows is far more widely installed."
So, making yourselves feel better by attacking the messenger Symantec is foolhardy because there are other messengers that agree with them. -
Re:Admin vs User
Interesting, I was talking about another group who is commonly referred to as CERT. Apparently they are US-CERT to be precise; I didn't know about the Carnegie Mellon group, so I simply didn't think to add the US part.
In fact, the Carnegie site directly references the US-CERT site. I wouldn't be surprised if the Carnegie CERT was the brains behind the stuff on the US-CERT site. US-CERT certainly is a government agency and even has the .gov TLD to "prove" it (like that really means much, I'm sure Verisign would sell me a .gov domain if I bribed, er, paid them enough).
I stand, perhaps not fully corrected, but certainly better informed. Thanks, Doc. I'll try to remember to double check my acronyms in the future.
Tommy -
US Government's doing this too
The http://www.us-cert.gov/cas/signup.html#a "National Cyber Alert System Mailing List" looks like it does the same thing. It is run by US-CERT (Computer Emergency Readiness Team).
-
Re:Seriously
What are your credentials? They must lie in something other than computers and the internet, since all of the nerds here can answer questions such as yours by doing a Google search. If you had bothered to do so, you'd have read that Clarke was chairman of Bush's Critical Infrastructure Protection (CIP) Board when he retired in 2003. He was also the first counter-terrorism coordinator. His office also released the US National Strategy to Secure Cyberspace, and he seems to be enough of an authority in the field to be interviewed by IEEE Security & Privacy. There is a lot more to his background, if one really cares to investigate.
So, I'd say that he's pretty well credentialed to comment on threats to US cybersecurity. Perhaps not from the perspective as a bits-and-bytes technologist, but certainly as someone who has expertise in assessing systemic strengths/weaknesses from the perspective of counter-terrorism.
-
Re:Yes, there are programs
The National Cyber Security Division participates in these programs and is working to expand them.
http://www.us-cert.gov/press_room/schlrshp_srvce.html -
Is this story true?
I can well believe Finland did this, as even the US government (CERT) has made a number of similar warnings (including their most recent suggestion to ditch the browser), but is this story true?
I cannot find anything on The Finnish Communications Regulatory Authority's WWW site about it, and (thanks to timothy not even looking at the articles he posts links to) the text in the story, "warned computer users against using Microsoft's Internet Explorer 6", links to an article which doesn't even *mention* the warning.
*If* the story is true, can some of the /. Powers that Be edit the story to link to an article that *is* about the story.