Slashdot Mirror


Don't Forget That Worms Happen Everywhere

friday2k writes "Securityfocus has a nice column on Worms and their origin in 1988. It explains what everybody should never forget. We have dealt with *NIX worms (Sadmind, li0n, ...) and they will come back again. Maybe then the MS fanatics will laugh and say: didn't we always tell you Open Source is insecure (too?) ..."

391 comments

  1. Duh. by wandernotlost · · Score: 1, Insightful

    Ummmm...That's why we're using Unix. The Unix world had its worms 10 years ago. Those holes have been patched, and now people know better.

    1. Re:Duh. by Tony-A · · Score: 1

      Yeah, but for how much longer?

    2. Re:Duh. by Anonymous Coward · · Score: 0

      You're even more stupid and naive than most people here, except, of course, for whoever moderated you insightful. It's people like you -who don't know jackshit about security - that are the problem.

      Don't worry about it you're still a Unix using bad ass hacker.

    3. Re:Duh. by 11223 · · Score: 3, Insightful

      And Windows had its viruses 10 years ago. Those holes have been patched, and now people know better.

    4. Re:Duh. by Anonymous Coward · · Score: 0

      Actually, according to usage statistics, an overwhelming majority of Slashdot readers use Microsoft Windows.

  2. Re:I'm a heretic, baby by rhavyn · · Score: 2

    Except that linux distros don't install telnet by default. It would therefore require a user to explicitly ask for it to be installed. From what I understand, most of the IIS sites infected were cases where MS installed IIS by default.

    And I think that redhat update lets me be a lot more lazy than any NT admin. 2 clicks, downloads and installs all the patches. Doesn't get much easier than that.

  3. Re:It is all about the Admins by Anonymous Coward · · Score: 0

    You are right, they could both be avoided by installing software... But you need time to do that...

    Let's see... I was up till 2:30 AM after starting work at 6:00AM patching servers once code red hit. If I were to get every patch for every M$ security problem that comes out, as soon as it comes out, I would not have time to do anything else, as m$ seems to put out a patch or two a week. Keep in mind that I also support 200+ users, a few Mail servers, the PBX, and a Cisco box or two... I also have about three projects that I am about a week late on...

    As for running IIS, The pointed hair boss people are the ones who got to make that choice...

  4. It's the platform. by Tony-A · · Score: 1

    Nope, it's the platform. With outbreaks of Code Red at Hotmail, FedEx, internally in Microsoft, Lucent, and possibly in Computer Associates, all of which can be presumed to be professionally administered, it's not the administrators, it's the platform. If the administrators can not or will not do the well-publicized patches it's the platform.

  5. Re:Difference by twitter · · Score: 2
    Let's not be so mean to the secretary, shall we? "Patching" MS is a pain that often breaks unrelated services. Caution is not always folly or sloppiness, but forced by inferior software. Upgrading Debian is a two command operation, that produces far fewer headaches:

    apt-get update
    apt-get upgrade

    Another great difference that should be accounted for is the ease of learning how to run Linux. Oh sure, it looks harder, but the information is available and it's SO MUCH EASIER to really know what you are doing than it is to trust a particular vendor. Grief, it's hard to keep a single MS box running. The cloud of BS that MS keeps its users under is awful and we should be nicer to those suffering there.

    --

    Friends don't help friends install M$ junk.

  6. Microsoft's fault by telbij · · Score: 1

    Hey, maybe if Microsoft embraced innovation and tried to outdo others instead of squashing the competition through monopolistic marketing and deployment tactics, people would stop writing so many worms/virii/exploits for Windows, and get back to their irc wars.

    1. Re:Microsoft's fault by AlgUSF · · Score: 1

      But the Furor, Bill Gates said that Microsoft is innovating, and that other companies, and the government are trying to squash Microsoft's accomplishments. Let us list microsoft's innovations...
      Web Browser..... No
      GUI... No
      TCP/IP *Laugh* No
      Multitasking OS No
      Protected Memory No
      SMP No

      --


      I want my rights back. I was actually using them when our government stole them after 9/11.
  7. Re:Microsoft + Worm = MCSE ? by spongman · · Score: 2
    Contrast this to Linux or any other UNIX variant, the whole model and concept of which was designed with user and process security and isolation from the ground up.
    eh? on NT you can assign ACLs to registry keys. For example regular users have read-only access to HKEY_LOCAL_MACHINE\HARDWARE.

    The use of ACLs on NT makes the security much more configurable than the simple user/group permissions on most variants of UNIX. Some Unices have ACLs, but that's hardly designed from the ground up is it?

  8. Re:Microsoft + Worm = MCSE ? by Anonymous Coward · · Score: 0

    Well I ask you, in all seriousness, why do you keep your logs in /etc?

  9. Microsoft products seem to be of very low quality. by Futurepower(tm) · · Score: 2


    The major issue is not whether Linux can have worms. The major issue is that Microsoft products seem to be of very low quality. Extremely poor security is only one aspect of that.

    No Linux email programs or word-processing programs have the authority to take over the entire operating system. Microsoft products sometimes do.

    Many of the security bugs in Microsoft products seem to come from sloppy programming. The open source world would have a difficult time being as sloppy.

    The popular Linux programs give a general impression of quality, and of sincerely wanting to do a good job. Microsoft programs give the general impression (to me) that Microsoft wants to give as little as possible to the customer, so that the customer will feel motivated to upgrade.

    --
    Bush's education improvements were
  10. Re:except by Magius_AR · · Score: 1
    Let's not forget the issue is NOT microsoft's security hole. All oses have that, it's that the userbase is not up to date on installing the security fixes
    That's not completely true either. If I released a bunch of faulty brakes and then _only_ started "fixing" them when people started dying from car accidents, I doubt I'd get away scot free without a fine or any fault, etc.

    Firestone did a shitty job with their tires and they took a huge hit in lawsuits and recalls BECAUSE they released an inferior product. Is Microsoft different for some reason? This isn't a case of a simple random bug showing up. This is a time-earned incredibly buggy and insecure operating system. Firestone got nailed for ONE mistake. Microsoft gets away with practically DAILY exploits (big ones too). Why can't we hold Microsoft accountable?

    Magius_AR

  11. Re:Worms happen, by Anonymous Coward · · Score: 0

    Yeah, of course linux people are smarter than nt people. That's why they will waste days at a time to compile crappy buggy open source software instead of plunking down a few bucks and buying a decent program.

  12. It is all about not reading documentation by gad_zuki! · · Score: 2

    Personally, I think most security problems are a factor of how little documentation you get/read with new PCs. I'm not quick to bash admins (some are ignorant and lazy but that includes every category of people) as this worm is more @home based than .com based.

    Home users get a PC with the promise of easy to use blah blah and a handful of killer apps. It doesn't matter much if it's Redhat or MS, if you don't understand the security aspects of being on-line you shouldn't be running a server.

    This worm is pretty benign, no deleted system files or content, just a big fat backdoor. It's all over the media but I'm really curious if the average @home user got any real message out of this. Maybe they just know to download the patch because it's on Cnet and run IIS with one security patch. Ideally, the message should be to get ALL the patches if you're planning on running IIS and subscribe to MS's security list. From what I've read in the media, it's probably the former.

  13. Re:Microsoft + Worm = MCSE ? by argel · · Score: 1
    Running Windows 2000 on my desktop is farcical - half my software won't work properly if I don't give my user account admin privileges. It amazes me how many allegedly Windows 2000 compatible programs decide that they're going to attempt to store temporary information in the system registry instead of the roving user registries.

    And just what software would that be? The only "application" I have run into that needs admin rights is the Adobe Gamma tool (comes with Photoshop) and it might need those rights. FYI, I'm in the Power Users group.

    --

    -- Argel
  14. Re:RHN WAS a solution for that by mvdwege · · Score: 1
    Really, I don't think MOST people are willing to pay for this sadly necessary exercise in security. By charging for this functionality, Red Hat is reducing the security of a large portion of the installed linux servers.

    Actually, this turns out to be not so much of a concern. From the Red Hat Network FAQ:

    Registering with Red Hat Network is free and creating system profiles is free. Every customer receives a free Software Manager subscription for one system. Additional subscriptions are $19.95/month for each system.

    So the idea that home customers need to pay for security updates is just a teensy bit misleading.

    Mart
    --
    "I know I will be modded down for this": where's the option '-1, Asking for it'?
  15. Re:Quit FUDing Red Hat by Rick+the+Red · · Score: 1
    I wasn't FUDing Red Hat. I wasn't FUDing Gateway, either. Funny how you thought I was FUDing one but not the other, when I said almost the exact same about both. Or did you think I was FUDing Gateway but didn't care?

    Don't be so sensitive, this is /.

    --
    If all this should have a reason, we would be the last to know.
  16. Re:except by gupta · · Score: 1

    Windows "sys admin" usually has lower IQ than *nix admins. That is what Windows is for.

  17. Re:Regardless by Azog · · Score: 3, Interesting

    I know what would get worms back into the media for a long time - a Warhol Worm. You want to read something scary about worms, go read that. Be sure to read the section "A Worst Case Warhol Worm". It gives me the shivers to think about it.

    From the article: "A worst case Warhol Worm is truly frightening, capable of doing many billions of dollars in real damage and disruption. Since it can achieve complete spread in well under an hour, and could begin doing damage immediately on infecting a machine, human mediated responses offer almost no hope of stopping it. "

    Complete spread in under an hour! Total destruction of infected servers!

    Whee!

    Watch for one of these coming out with the next major IIS exploit.

    --
    Torrey Hoffman (Azog)
    "HTML needs a rant tag" - Alan Cox
  18. How do I secure my OS? by mach-5 · · Score: 1

    Does anyone out there have any good sites for the common user to secure their PC's against this sort of thing? For Linux or Windows? Or just some general security tips other than the obvious "use anti-virus software"? Also, information for security if I'm running a webserver/mail/ftp, etc. TIA.

    1. Re:How do I secure my OS? by omega9 · · Score: 1

      You know, at first glance I thought this was one wiseass reply to what seemed like an honest question. But the more I think about it, even as I write this, he's completely correct.

      Computers are not easy. To do things correctly you have to be involved with the system(s). And being involved with the system(s) means knowing as much as possible regarding its functionality proportionately to how you plan to use it. This just means that if you're an average, everyday AIMer then you're responsible for knowing how those programs work. And if you are planning on running public servers, you're just as responsible for knowing how those programs work.

      And that doesn't mean just knowing how to publish a web page. It means knowing how to secure your server, how to be a good netizen, and how to keep up when things change. To put it bluntly, if you aren't capable of these things you have little business running server applications.

      The point is that if you're serious about going "public" on the net, or want to learn more about security there is no single place that can tell you how to do it right. The more resources you have the stronger you are. And I can think of no better way to find those resources than the god of all search engines.

      --
      I'm against picketing, but I don't know how to show it.
    2. Re:How do I secure my OS? by Anonymous Coward · · Score: 0

      Yeah.. http://www.google.com

      Look for things like anti-virus, security, and firewalls. You'll learn eventually.. just like the rest of us had to do!

  19. Re:Difference by notasheep · · Score: 1

    Have any data to back up your claim that *nix admins are less likely to let a machine go unpatched?

    I find it funny that most *nix advocates start with "our software is better" and end up with "er, I mean our admins are better" when it's shown their software isn't anywhere near perfect.

    --
    Your mind looks a little cramped. Why don't you stretch it a little?
  20. Re:Don't forget Morris! by medcalf · · Score: 1

    Ooops - I meant SunOS. Solaris was somewhat later. Sorry about that.

    --
    -- Two men say they're Jesus. One of them must be wrong. - Dire Straits
  21. Re:different cultures... by webmaven · · Score: 2
    Notice that the "server" and "workstation" configurations themselves are Microsoft-isms. :-)
    No they're not.

    Long before Microsoft entered into the scene with NT, Vendors such as Sun were selling UNIX servers and workstations. True, this mostly referred to hardware configurations rather than OS configurations, but that was simply reflective of the fact that they were hardware vendors rather than software vendors.
    --
    The real Webmaven is user ID 27463. I don't rate an imposter, because my ID is such a lame-ass high number.
  22. similar vulnerabilities, different fixes by Anonymous Coward · · Score: 1, Interesting
    My Redhat 5 box was compromised a few years ago by a BIND worm. When Mediaone discovered that it was scanning for potential victims, they SHUT ME DOWN.

    Fair enough.

    When Code Red hit, the fix was not to disable the infected machines. They "fixed" it with their own denial of service. They shut down port 80.

    So which worm is worse?

  23. Re:I'm not paying to spread viruses by Anonymous Coward · · Score: 0

    Yea, those nice poor people at SUN, ATT, IBM, ... wrote *nix for free for us, lets give them a break.

    Face it, *nix sucks. It just sucks a little less than NT/2k

  24. Worm Thoughts. by Captain_Frisk · · Score: 1

    Someone recently suggested the idea of writing a worm that patches security holes, rather than exploiting them. If a worm can get in, it can certainly bring the fix, fix it, then attempt to infect / fix other machines.

    I don't have the technical know-how to do this, and I'll admit it, but if I did, what would the legal ramifications be? I write this worm / autopatcher, and set it loose. Can I be sent to jail?

    More important to the legal ramifications, would the /. community be in favor of such a worm? Then the hardest question of all. If yes, would you still be in favor of it if Microsoft let it loose?

    Captain_Frisk

    1. Re:Worm Thoughts. by 3am · · Score: 1

      the only advice that i have to give you is to not ask for legal advice on slashdot.

      IANAL

      --

      A: None. The Universe spins the bulb, and the Zen master merely stays out of the way.
    2. Re:Worm Thoughts. by Anonymous Coward · · Score: 1, Informative
      Well, with microsoft machines, patches require a reboot, and often break other things. I've heard that applying patches in certain order is necessary to ensure that things work correctly. One person at my institution mentioned that they downloaded the code red patch, then applied a different patch, but were still vulnerable to code red. The second patch somehow reversed the first, and the code red patch had to be reapplied.

      So, it's a nice thought, but I would be pissed if someone rebooted my server when I was working on it, or changed binaries on my system without my permission. Even if they meant well....

  25. Re:Difference btw. Unix and Windows Worms? by Anonymous Coward · · Score: 0

    The only thing you really need for Unix administration is a higher level of egomania. You really are a legend in your own mind aren't you?

    You admin a Unix box, shit you're right up there with Dennis fucking Ritchie and Ken fucking Thompson.

  26. NT4 SP6-not-A by leonbrooks · · Score: 2
    it is extremely "easy" unless the system dies a horrible death by blue screen and has to be rebuilt.

    Ah. I think I know what you're talking about.

    --
    Got time? Spend some of it coding or testing
  27. Re:It can happen by redzebra · · Score: 1

    "You're absolutely right, which is why it's just as important for Linux distributions to come locked down tight as it is for Windows distributions to come locked down tight. Microsoft isn't listening; are RedHat and the others?"

    Yep, you hit the nail... for me it's been the main reason why I preferred an OpenBSD machine as my firewall. Gives me a cosy feeling, knowing that at least some guys checked out all those things I would have missed due to laziness or ignorance. (of course no protection for myself messing it up :-)) Also not enabling every possible daemon is a great way to learn lots about the things you really need. (how to enable / disable / configure / ...) Anybody knows about some equivalent linux distro?

    -- red.

  28. Re:I'm a heretic, baby by Chops · · Score: 3, Insightful

    I highly recommend showing people how insecure telnet is -- in a dorm, for example, pop up ethereal on one machine and log in over telnet from a machine in a different room. Follow TCP stream, and point to your real password displayed on the screen. This is more effective than lecturing people about TCP/IP and ethernet, and I've only had one guy start asking dismaying questions about how to sniff other people's passwords.
    Change your password after, of course. Now if only there were an equivalent way to get people to use PGP...

  29. Re:Microsoft + Worm = MCSE ? by foo+fighter · · Score: 2, Informative

    I once had an MCSE ask me, in all seriousness, why he couldn't type a fully-qualified hostname to choose a DNS server. It's a paper qualification; it implies no real skill or insight into the system's operation, or any sort of reasoning into consequences of limited design.

    The Microsoft Certified Systems Engineer certification does not claim to certify any knowledge of planning, implementing, configuring, or supporting DNS.

    It tests a limited and well defined check list of skills, most having to do with installation and configuration. Only with the Windows 2000 series did the tests begin to measure planning and design skills.

    The Windows 2000 and XP/.NET required tests - and the skills measured by each - are listed here:
    http://www.microsoft.com/trainingandservices/default.asp?PageID=mcp&PageCall=requirements&SubSite=cert/mcse&AnnMenu=mcse

    --
    obviously no deficiencies vs. no obvious deficiencies
  30. Re:Cmdr Taco? by Anonymous Coward · · Score: 0

    They wouldn't be so bad if they weren't all so fucking stupid.

  31. Worm Stats by Bubblesculpter · · Score: 1

    Does anybody have a source on the number of servers that the code red worm affected?

    I'm curious what the numbers are, how many are left, along with ways of tracking them down...

    --
    www.Beyond7.com Insane modern art water sculpture.
    1. Re:Worm Stats by Anonymous Coward · · Score: 0
      Easiest way to track them down? All of them? Rewrite the worm to send email to you whenever it infects a host...

      Ok not quite what you wanted.

      I've configured my firewall to notify me of hits on port 80. As I do not run a web server, and nobody therefore links to my machine I should have 0 hits in a day. I've had a few hundred since late Saturday. Each of those hits is a machine with the worm.

      When that subsides to less than a hit a week (or, under the signal-to-noise ratio for script kiddies at least) then there isn't much left to worry about on the Internet.

      Of course, you could just write a routine to scan all local hosts for the hole. (Similar function as the virus, but look at the web response to the request).

    2. Re:Worm Stats by Keepiru · · Score: 1

      A few Hundred? I'm getting about 2400 hits a day, of course, I'm on @home.

      Incidentally, I would have to say the blame for something like this lies with poor sysadmins and home users running NT and the like. MS has had patches out for quite a while, but too many people aren't patching, or don't even know they need to. There is an argument that MS shouldn't be shipping systems with IIS running by default, but then, most Linux distributions come with apache running by default.

    3. Re:Worm Stats by Anonymous Coward · · Score: 0

      Yes. An internet magazine I sometimes write for dealing with ecommerce and such has an article about it. Here it is. Not as many servers as the mainstream media made it out to be, just a few high profile ones.

    4. Re:Worm Stats by Anonymous Coward · · Score: 1, Informative
      http://incidents.org/

      That should answer your question.

    5. Re:Worm Stats by KaiserSoze69 · · Score: 1

      Easy way to track down the infected machines. Just look at your Apache logs! Mine get a few hundred hits a day. I just love the one from the bank. Makes me feel real secure that my money is safe ;-)

  32. Difference by The+Ape+With+No+Name · · Score: 3, Insightful

    A *nix sysadmin is less likely to let a machine go unpatched, in the best of all possible worlds.
    An NT/2000 sysadmin is a secretary who reboots when the internet thingy stop hoogjamajigging, in the best of all possible worlds.
    Seriously, in tracking down a couple of thousand hosts on campus who had Code Red, I have never run into such righteous indignation over a simple lecture on systems maintenance as patching. Of course, many of these users/sysadmins were dumbasses who installed Win2K server because they could, not because they had to. 3 machines in one room were being used as everyday workstations and not offering services for any particular use by the office. Mind you, the services were still offered. Hit the average Code Red machine with your web browser and you will see the default webpage.

    --
    Comparing it to Windows will be a moot point, since El Dorado is going to have a 40% larger code base than XP.
    1. Re:Difference by blang · · Score: 2
      "our software is better" and end up with "er, I mean our admins are better"

      And what is the controversy here? In the open source software world, the software and the admins and the developers are one and the same. The basic fact is that the users have a vested interest in the software. A Linux user is not a passive consumer. When something is broken, the users will look around patches and bug reports. They might even debug the problem, fix it, and submit their own bug fix. Or if they're good at that particular application, they might write their own version and release it to the community.

      If something breaks in MicroSoftie land, the user or admin is pretty much screwed, and even if they were qualified to troubleshoot the bug, their only meaningful course of action, is to kick their machine, and send some prayers or curses to Redmond, and wait for a fix, that hopefully does not break everything else. The average MS user knows about mouse, excel , and Solitaire, maybe even nethood, shared drives and printers - after friggin 10 years of using the crap.

      A Linux user might know how to set up a pop or imap server, can tell you what an MX record is, knows how to fix routing problems, and how to compile a kernel. Most of that stuff should be possible to pick up in a couple of years. It's not because Linux users are complete geeks, but because they are allowed to have a look under the hood, and can learn it inside out instead of outside in.

      --
      -- Another senseless waste of fine bytes.
    2. Re:Difference by MeNeXT · · Score: 2, Insightful

      The question he raised was that an office with W$ will not hire an admin but appoint one. The typical admin in a small business is one who knows most about computers and not one who has studied computers. This is due to the marketing that is coming out of M$ sales shops. It's easy. Fact is that securing a system is an ongoing thing and not always easy. Time and money needs to be invested constantly. How much depends on the admin.

      --
      DRM? No thanks, I'll just get it somewhere else...
    3. Re:Difference by magnumjohnson · · Score: 1

      Do you not realize that there is a difference between Unix System Administrators and Free Software/Unix Advocates? One big difference is that most Unix sysadmins don't go to slashdot every 2 hours to bicker back and forth with MS drones about which operating system is better. Most likely because they are busy doing their jobs, you know, administrating and patching their servers.

      =]

    4. Re:Difference by Anonymous Coward · · Score: 0

      when it's shown their software isn't anywhere near perfect.

      Nobody said "perfect." Just "better." And it's probably both, good software and good admins.

  33. Re:IRC Wars.. by telbij · · Score: 1

    Doh, guess it has been about 10 years since I set foot on irc. Back then irc wars meant impersonating a regular on a popular channel to get ops, then demoting everyone and spouting inane gibberish until everyone left or the net split.

  34. PHP script to count code red by Corby911 · · Score: 1

    For those interested:

    A log of code red attacks on beezhive.com is available at http://www.beezhive.com/~mike/red.php (please be patient, it takes a second or two to load). Last count: 1273 attacks. Source code is up at http://www.beezhive.com/~mike/red.phps.

    --
    Monday is a horrible way to spend 1/7 of your life.
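
Added example, not part of the Slashdot thread and not Corby911's PHP script: one way to do the counting several commenters describe, tallying requests for default.ida in an Apache access log per source host and per day. The Common Log Format layout, the function name `summarize`, the sample lines, and the N/X padding labels (the widely reported difference between the original Code Red and Code Red II requests) are assumptions of this example.

```python
import re
from collections import Counter

# Constructed sample lines in Apache Common Log Format. Addresses come from the
# documentation ranges and the padding is shortened; none of this is real data.
SAMPLE_LOG = """\
192.0.2.10 - - [05/Aug/2001:03:12:44 -0400] "GET /default.ida?NNNNNNNNNNNNNNNN HTTP/1.0" 404 276
192.0.2.10 - - [05/Aug/2001:09:40:02 -0400] "GET /default.ida?NNNNNNNNNNNNNNNN HTTP/1.0" 404 276
198.51.100.7 - - [05/Aug/2001:11:01:19 -0400] "GET /Default.IDA?XXXXXXXXXXXXXXXX HTTP/1.0" 404 276
203.0.113.55 - - [06/Aug/2001:00:15:30 -0400] "GET /index.html HTTP/1.0" 200 1043
203.0.113.99 - - [06/Aug/2001:01:22:08 -0400] "GET /default.ida?XXXXXXXXXXXXXXXX HTTP/1.0" 404 276
this line is truncated and must be skipped
"""

# host ident user [day:time zone] "METHOD target protocol" status bytes
LOG_LINE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<day>[^:\]]+):[^\]]*\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

# Assumption of this example: label a probe by the first padding character.
PADDING_LABELS = {"N": "N-padded", "X": "X-padded"}


def summarize(lines):
    """Count default.ida probes per source host, per day and per padding type."""
    per_host = Counter()
    per_day = Counter()
    per_padding = Counter()
    malformed = 0

    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        match = LOG_LINE.match(line)
        if match is None:
            # Keep a count instead of failing: real logs contain partial lines.
            malformed += 1
            continue

        path, _, query = match["target"].partition("?")
        # IIS paths are case-insensitive, so scanners may vary the case.
        if path.lower() != "/default.ida":
            continue

        per_host[match["host"]] += 1
        per_day[match["day"]] += 1
        per_padding[PADDING_LABELS.get(query[:1], "other")] += 1

    return {
        "probes": sum(per_host.values()),
        "distinct_hosts": len(per_host),
        "per_host": per_host,
        "per_day": per_day,
        "per_padding": per_padding,
        "malformed": malformed,
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG.splitlines())
    print(f"{report['probes']} probes from {report['distinct_hosts']} hosts "
          f"({report['malformed']} unparseable lines skipped)")
    for host, count in report["per_host"].most_common():
        print(f"  {host:15} {count}")
    for day, count in sorted(report["per_day"].items()):
        print(f"  {day}  {count}")
```

To run it against a real log, pass an open file object to `summarize` in place of the sample lines.
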
  35. Re:It can happen by purplemonkeydan · · Score: 1
    XP Home will also automatically enable a firewall. It's fairly basic, but blocks incoming packets reasonably well (doesn't do anything for outgoing packets, though)

    XP Home also takes care of file sharing security; it doesn't bind the MS Network Client to the Internet facing adapter, and file sharing controls are vastly simplified.

  36. Let's also not forget by JoshuaDFranklin · · Score: 1
    That hundreds of thousands of machines weren't affected just because they thought that having a web site sounded cool and a friend has a copy of Win2k Server. "I already use Windows, how hard can it be?"

    Or that no UNIX vendor runs apache as root by default just so you can use some authentication if necessary (that's basically what IIS does--please, MS, put it in user-space!), leaving machines wide open to stuff like Code Red II(+) that gives anyone full control.

    1. Re:Let's also not forget by nm42 · · Score: 2, Informative
      IIS doesn't run as system(root) by default.
      I forget the user name, but it's equivalent to nobody on *nix. You have to go screw it up yourself before it runs as root.

      If you're gonna spread FUD, at least get it right!

    2. Re:Let's also not forget by aenea · · Score: 1

      No, not really. IIS the service(s) run as system which is as root-y as you can get. Non-authenticated web sessions connect as IUSR_blah which doesn't get you many rights, that's why you see buffer exploits, the point is to run in the context of the service.

  37. Re:It is all about the Admins by Anonymous Coward · · Score: 0

    easy, it's called a firewall.

  38. Nah, you are a spreader of faith by twitter · · Score: 2

    Win2k comes with a telnet server, no? Sniff, sniff, ewwwww, what's that smell? Did someone step in MS again?

    --

    Friends don't help friends install M$ junk.

  39. Re:Cmdr Taco? by MakinWaves · · Score: 1

    Wow, could it be possible you have two accounts and moderator points on one of them today? This is the second boneheaded comment I've seen by you that's been moderated as "Insightful". Either that or somebody's passing out free crack to all the moderators running IE.

    If you M$ zealots hate it so bad here why don't you start your own "news" site? Would you dare post all the Security updates that come out for M$? When would you have time for anything else?

    --

    ---Most Definitely not a Karma Whore---

  40. Re:not exactly an MS fanatic, but... by Sell0ut · · Score: 0

    Apache has (had?) the largest market share, it was open source, and secure.

    Also, it's a lot easier to spot the security flaws in open source. Just because there are less known flaws for a closed source project, does not make it more secure.

  41. Worms by colk99 · · Score: 1

    Well all I know is there's been over 2000 requests to my webserver for default.ida

  42. Default services by jeffy124 · · Score: 2
    I believe the best model to make a system secure through the default install is to close off services by default and not be able to turn services on at install time.

    For example, Apple's Mac OS-X disables ALL remote services (apache, ftp, ssh daemon, AppleTalk sharing, etc) by default during install. And it's not possible to turn those on during install either, you have to go into System Properties (under an admin-enabled user after install is complete) to switch them on.

    Mandrake linux (I'm sure other distros do this, but Mandrake is the only one I've ever installed, likewise to other unix-based OSs) takes a similar approach. While it is possible to choose certain services to open remote services at install time, there is a screen during install which advises you that you're allowing certain daemons to be enabled at install, and an opportunity to turn them off. Not the best way, but it's an improvement over MS.

    The idea with both of these is that you are explicitly telling the OS to open services, as opposed to IIS which you are telling Windows to run implicitly by taking a default install. This allows an admin the ability to know exactly what services are running on a machine, as opposed to someone not knowing IIS even exists on their machine.

    --
    The One Rule Of Chess You'll Ever Need: Don't play someone who carries a kit in their bookbag.
    1. Re:Default services by inquisitor · · Score: 1
      The idea with both of these is that you are explicitly telling the OS to open services, as opposed to IIS which you are telling Windows to run implicitly by taking a default install.
      Not on NT4 Workstation or Win2K Professional - you have to install it through Add/Remove. And you are allowed to uncheck the box marked "Internet Information Server" using Win2K setup - it's even on the main screen.
    2. Re:Default services by ariux · · Score: 1

      I agree.

      If you know enough to run network services safely, you know enough to be able to turn them on yourself.

  43. Re:Cmdr Taco? by SuiteSisterMary · · Score: 2

    The post referenced above is merely an attempt to point out the fact that any operating system is only as secure as the person using it. Period. Obviously too difficult a concept for you to grasp; L1NuX r00lz d00D! is probably more on your level. I'll also point out the fact that your definition of quality is not everybody's definition of quality; if your opinion was the only that mattered, you'd be the only one with mod points. And my original topic is neither offtopic nor flamebait. I notice that you make no attempt to refute my explanation, merely attack me personally. Well, I'm not going to waste any more time with what looks like a troll account, making such insightful statements as 'what if every security professional was paid 1 dollar per patch?' I will point out one more time that the patch caused Code Red, not vice versa. You cannot blame Microsoft for admins not installing patches.

    --
    Vintage computer games and RPG books available. Email me if you're interested.
  44. Re:I'm a heretic, baby by 1010011010 · · Score: 2

    Considering telnet is essentially a security hole that you could drive a Ben-Hur chariot race through (user and root passwords passed in plaintext? yum!), and has been recognized as such since... well, forever, by Unix admins, and even is not installed by default on recent RedHat releases, I'd say that there's deeper problems than "telnetd has an exploit." Installing telnetd on a unix machine is about the same as shipping Windows boxes with back orifice and code red already installed.

    --
    Napster-to-go says "Fill and refill your compatible MP3 player", which is a lie. It's not MP3. It's WMA with DRM.
  45. Re:Evolving worms would be neat AI by The_Messenger · · Score: 0
    That's like putting a monkey in front of a computer and waiting until it programs an editor: highly probable, if you are willing to wait a few thousand years.
    Isn't that how GNU Emacs was developed?
    --
    I like to watch.

  46. different cultures... by webmaven · · Score: 5, Insightful

    I think that the real reason that MS systems were hit so hard by Code Red and its descendants is that there is a real difference in the culture of the respective developer communities.

    There is no reason why all those home systems and corporate desktops should have IIS running in the first place. There is also no reason (generally) for a home linux system to be running, say, BIND or wu-ftpd.

    So why does Microsoft encourage the installation of unnecessary software on its systems, and why doesn't it make it easier to not install those services in the first place?

    It comes down to culture. Unix-like operating systems are minimalist and modular, because the development communities appreciate elegant code (not necessarily elegant interfaces).

    Whereas Microsoft prizes a DWIM (Do What I Mean) approach, which encourages adding functionality 'just-in-case', as Microsoft seems to think that actually asking a user to install a component is a failure on their part.

    In the long run, elegant, minimalistic code is easier to understand, and therefore easier to secure (examples are Sendmail vs. qmail, or BIND vs. djbdns).

    --
    The real Webmaven is user ID 27463. I don't rate an imposter, because my ID is such a lame-ass high number.
    1. Re:different cultures... by pmz · · Score: 1

      So why does Microsoft encourage the installation of unnecessary software on its systems, and why doesn't it make it easier to not install those services in the first place?

      Artificially generated market share and market domination (why install "Brand X" if something similar is already installed?).

      Whereas Microsoft prizes a DWIM (Do What I Mean) approach,...

      I prefer to think that Microsoft has a WKWYWBTYD (We Know What You Want Better Than You Do) approach.

    2. Re:different cultures... by The_Messenger · · Score: 0
      Notice that the "server" and "workstation" configurations themselves are Microsoft-isms. :-)

      The problem with Red Hat is that it emulates all of Windows' poor security -- without emulating the excellent user interface, extensive component support, and server libraries/interfaces. Red Hat is, literally, the worst of GNU/Linux combined with the worst of Windows 98. No thank you!

      --
      I like to watch.

    3. Re:different cultures... by frleong · · Score: 1
      IIS is not installed by default, nor does it come factory installed on desktop computers. Sure, during Setup, the system asks you whether or not you want to install IIS (but only on W2K server), but if he/she says yes, it's the user's problem, especially for home computers hooked on a cable modem. It's a mystery how they got W2K servers installed on personal computers in the first place (piracy?). Most of these cable modem users mindlessly answer yes to everything and they are the very ones who don't know that they need security patches because they are simply unaware that they are hosting a web site!

      For W2K professional, it really takes an extra step in Add/Remove to add IIS and therefore it should have been a deliberate action. However, many people do not have a habit of subscribing to security mailing lists (well, why should they?) and if it were not for the mass media reporting Code Red, most of them would not even have noticed that their machines had been hacked.

    4. Re:different cultures... by sheldon · · Score: 2

      "Unix-like operating systems are minimalist and modular"

      It would have been curious to hear you make that same statement back in 1992, when I first started working with Linux and having 16 Megs of RAM to run X11 was considered a luxury.

      You know Windows 2000 comes with a telnet server? It's installed, but not started by default.

      Can you say the same about most Unix distributions? No.

      Furthermore Redhat for the longest time went off and installed a whole load of services by default. My Solaris install at home has sendmail running by default. Do I need sendmail? No.

      I think you'd like to believe what you are saying. But I really don't find a whole lot of evidence to support it as fact.

    5. Re:different cultures... by Pinball+Wizard · · Score: 1
      Last time I installed Red Hat, Apache, Sendmail, BIND, ftpd and telnet were all installed and enabled by default.

      Is that the culture of Unix imitating Microsoft systems (KDE, Mono, etc.) that Red Hat is following? Because I didn't really notice much minimalism.

      Ah screw it. It's so much easier and more fun to bash MS and pretend Linux could never make the same mistakes.

      --

      No, Thursday's out. How about never - is never good for you?

    6. Re:different cultures... by Anonymous Coward · · Score: 0

      Oh, pleaze. Both Microsoft and Unix come from the exact *same* "I don't give a shit about security" developer culture. (just think nfs, nis, sun-rpc, etc, etc. more terrible than the MS crap.)

      It's just that the Unix world started to wake up about five years ago, where Microsoft only has been coming around for the last year or two.

    7. Re:different cultures... by webmaven · · Score: 2
      Last time I installed Red Hat, Apache, Sendmail, BIND, ftpd and telnet were all installed and enabled by default.
      Was that a server configuration, or a workstation configuration?
      --
      The real Webmaven is user ID 27463. I don't rate an imposter, because my ID is such a lame-ass high number.
    8. Re:different cultures... by smack_attack · · Score: 1

      So why does Microsoft encourage the installation of unnecessary software on its systems, and why doesn't it make it easier to not install those services in the first place?

      IIS gets installed silently with certain packages OR if you are upgrading to Windows 2000 from anything with MS PWS on it.

    9. Re:different cultures... by The_Messenger · · Score: 0

      Oh, come on, I was just kidding. NT Workstation, NT Server, RH Workstation, RH Server... one of the joys of GNU/Linux is the lack of such distinctions. Decide you want to run ten websites off your desktop PC? Linux won't stop you. But Red Hat is clearly released with Windows users in mind, and wants them to have a familiar environment.

      --
      I like to watch.

  47. Re:Linux antivirus software by 11223 · · Score: 2
    Most Linux antivirus software scans emails to eliminate the latest Microsoft email viruses as they go by.

    Generally, the UNIX biodiversity has helped prevent viruses from spreading, until "here! run this perl script!" catches on. Right now there aren't any non-proof-of-concept Linux viruses.

  48. Re:"M$ Fanatics"? by Anonymous Coward · · Score: 0

    They teach spelling in your school?

  49. Worms first spotted in 1988 by InigoMontoya(tm) · · Score: 2, Funny
    Good eye, spotter.

    Who should we send the wormsign spotting bonus to?

    Dammit, where are those carryalls??!?!?!

    InigoMontoya(tm)

    --
    This signature is self-referential.
  50. Just one thing... by arkham6 · · Score: 1

    I would like to point out that it was unix in the 80's that helped illustrate fundamental security issues. We learned from our lessons. Why do these things have to happen again?

  51. Don't forget that they are released under GPL by flatrock · · Score: 2

    Don't forget that they are released under GPL so that the source also has to be available to 2nd generation worms that are built upon the original code.

    1. Re:Don't forget that they are released under GPL by Have+Blue · · Score: 3, Funny

      And don't forget that the GPL is evil, and any program you write with it is like a virus. Hey, wait a minute.. :P

  52. Re:I'm a heretic, baby by 1010011010 · · Score: 2

    most of the IIS sites infected were cases where MS installed IIS by default

    Indeed. NT Server asks to install IIS during its installation, and it's "yes" by default. Then, Index Server is a component of IIS, also installed by default (default choice: yes).

    It was Index Server, not IIS, that was attacked by Code Red.

    --
    Napster-to-go says "Fill and refill your compatible MP3 player", which is a lie. It's not MP3. It's WMA with DRM.
  53. All you Linux users are more annoying than usual by evilviper · · Score: 1

    I hear all this jive about how the security of an OS doesn't matter if the admin doesn't patch every week. Mostly, it's all you who show-boat Linux security, then excuse your fav OS by saying security is subjective. I can end this entire argument with my single favorite word...

    'OPENBSD'

    With no remote root exploits in the default install for over 4 years now, it's one hell of a trick to make a successful OpenBSD worm, even in a pool of billions of OpenBSD users.

    Even RMS doesn't trust Linux. If he did he'd be using Linux on his server rather than FreeBSD. I doubt anyone can make a decent argument for linux over OpenBSD on a server of any kind.

    --
    Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
  54. Re:Regardless by TrollMan+5000 · · Score: 1, Insightful

    Unfortunately, the news media prefers to report on the mainstream, the common. Linux stories just don't generate the ratings since it does not affect the mainstream Joe Sixpack.

    Ask someone on the street, "What is Linux", and it's likely you'll get a confused, puzzled look.

  55. Re:Cmdr Taco? by SuiteSisterMary · · Score: 1

    Why the fuck is it that everybody assumes I have multiple accounts? Guess what! Post as often as I do, and you're going to get modded up. Don't like it? Get mod points and mod me down. Christ. All I'm trying to point out is that Taco's been NOT toeing the party line lately; pointing out to Slashdot that worms aren't unique to IIS, an editorial about rabid linux fans giving them a bad rep, and so on, and I think it's great. And you know what? I'm not a M$ zealot. I'm a truth zealot.

    --
    Vintage computer games and RPG books available. Email me if you're interested.
  56. not exactly an MS fanatic, but... by circletimessquare · · Score: 3, Informative

    Take a look at the SANS Institute's "Ten Most Critical Internet Security Threats" here.

    Notice that the level of representation of MS products is quite low. Consider that the Open Source Community's conventional wisdom is that closed source leads to insecurity. I am risking the almighty flame when I say so, but here it is: Monoclonal OS prevalence is the issue, not open source versus closed source.

    What I am saying is that the OS with the greatest market share attracts the hackers the most because they get the most "bang for the buck."

    But two conclusions can be drawn about this observation, one good, one bad:

    The good: the move towards an "OS ecosystem" of various flavors of OS is the healthiest for the Internet. Because if something like Code Red were to reappear, only a minority portion of the pie chart of OS prevalence would succumb, as opposed to the majority slice. I use the biological allegories "monoclonal" and "ecosystem" because you can say the same thing about crop resistance to insect/bacterial/fungal/viral pests: the more the genetic similarity of crops, the greater the risk of one solitary biological pest taking out all of the Midwest as opposed to one cornfield.

    The bad: Microsoft, having the greatest exposure to exploits now, is getting the most experience with dealing with exploits. Dealing with them at a business, PR, and technical level. The more you fight a war, the better you get at it, and Microsoft will only get better and better at it, the general public will only grow more and more confident with their fight, and less and less exploits will be discovered. Other OSs haven't borne the brunt of the kind of hacker attention yet that fosters this kind of improvement, unfortunately for us all, who live in the ecosystem of the Internet.

    --
    intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
    1. Re:not exactly an MS fanatic, but... by spookyfluke · · Score: 0
      "Microsoft will only get better and better at it, the general public will only grow more and more confident with their fight, and less and less exploits will be discovered."

      IMO, this isn't a bad thing. It's really a "catch 22" you're talking about here, isn't it? MS, over time, churns out an OS that is more secure than the rest and as a result becomes the OS of choice. Not likely.

      I don't believe this would lead to a "Monoclonal OS prevalence" on the internet because people do learn from other people's mistakes. That's what places like this, this and this are for.

      --
      you.bases.each{|base|base.are_belong_to=us}
  57. Re:I'm a heretic, baby by trcooper · · Score: 2

    Install RedHat 6.2 lately? Telnet's there. Know how many folks are still using 6.2 because they have software that is only certified for it? Besides, the advantage of ssh is that traffic is encrypted, and sniffers can't pick up passwords, there have been vulnerabilities found before in sshd.

    This is a futile argument. Linux is not inherently more secure than NT and NT is not inherently more secure than Linux. OOTB they both have to be considered insecure, maybe not today, but there's going to be a wu-ftpd, iis, bind, or heaven forbid, sshd exploit after release.

    Listen up people, this is important and you will be tested on it at some point: A MACHINE IS ONLY AS SECURE AS ITS ADMIN IS VIGILANT! Your machines are not secure today. They can be compromised. Someone may not have discovered the vulnerability yet, but they will.

  58. Re:At least with unix... by Fizzlewhiff · · Score: 2, Insightful

    Which is exactly what happened with Code Red. The patch was available months before. It all comes down to reliable admins who keep up with patches and security alerts. Platform and dick size have nothing to do with it.

    --

    'Same speed C but faster'
  59. CERT of course Was:Don't forget Morris! by HiredMan · · Score: 1
    cnet or cert?


    CERT of course, you're right....
    CNet was created by a virus! Or is that ZDnet? ;)


    VERY COOL byte by byte dissection of the "Morris-Internet" worm in Usenix of that time BTW. Used a couple of backdoors and everyone's favorite - unchecked input to overflow the stack. (Unbounded char255 input never checked whether the incoming String was more than 255 characters.)
    Almost the SAME vulnerability as the current Code Red worm.


    The Morris worms were 'supposed to' kill themselves if another worm was present. A last minute mod added a programming bug that meant there was a 25% chance that an individual worm would become eternal and ignore all others. These eternal worms would eventually overwhelm the machine. That was the real problem.


    =tkk


    PS Still remember the joke from the college newspaper, "Number 1 lie: That a worm could make Unix any slower." Ah shared undergrad account machines.

  60. Microsoft fanatics??? by Paladeen · · Score: 1

    Maybe then the MS fanatics will laugh and say: didn't we always tell you Open Source is insecure (too?) ..."

    Why would people want to become MS fanatics? I don't think I've ever met one. At most, professional people think Windows is OK. Nobody fucking likes it. The only OS fanatics I know stem from Linux and Mac groups, respectively.

    1. Re:Microsoft fanatics??? by WildBeast · · Score: 1

      I like it, we could say I'm an MS fanatic. I like Linux too but don't talk to me about Mac OS, beurk.

    2. Re:Microsoft fanatics??? by TheAwfulTruth · · Score: 1

      Ok, I like it. So you can strike the word "nobody" from that statement.

      --
      Contrary to popular belief, coding is not all free blow-jobs and beer. Those things cost MONEY!
    3. Re:Microsoft fanatics??? by tritiumsys · · Score: 1

      Yes, I know how you feel: With all the misguided bigotry in the Linux camp, how could there be fanaticism left for those other guys? *gasp* Yes, people can and do like Windows for their own reasons, and you should respect them for that. If you can't respect that other people have differing opinions, you prove to be just another hypocrite.

    4. Re:Microsoft fanatics??? by Anonymous Coward · · Score: 0

      Have you Linux-heads ever taken an economics class? Oh yeah, you haven't graduated high school (or junior high for that matter) yet. I love the Microsoft platform.

  61. Not quite by matty · · Score: 4, Insightful

    If as many people tried to compromise UNIX systems as often as they do Microsoft systems, you can bet that we'd be seeing some pretty serious UNIX viruses.

    Your basic premise is correct that there are more people trying to break MS systems than Unix/Linux systems, but U/L will never be as vulnerable for a number of reasons:

    1.) There are several flavors of Unix and dozens/hundreds of distributions of Linux, not to mention all the different version numbers of each of those. This would dramatically impede the spread of any worm. Almost every MS-based site has IIS 5.0 and it is this homogeneousness that allows things like Code Red to spread so quickly and effectively.

    2.) Unix/Linux systems in general are easier and safer to patch. Almost every MS patch requires a system restart and it is not at all unusual for the patch to break something else. I have never had a security update break anything on my Debian systems, nor have I ever had to restart the whole system. The service updated (such as the recent Horde/IMP updates) is restarted and the user doesn't even know, even if he/she is using the system at that moment (I know this because I did it as a test case here at work. Someone was reading their email on our IMP system while I upgraded the system. Yeah, a bit dangerous, but we're a small company and no one would have gotten in trouble. Regardless, she didn't even know anything had happened).

    3.) Security holes are much more frequent on MS systems. We all have heard about the fact that the last known remote root exploit for Apache was over 3 1/2 years ago. There have been a few security patches since then, but nothing nearly so troublesome as Code Red. I read somewhere that there have been over 40 serious holes in IIS this year alone, although I don't remember where I read it and it may be apocryphal.

    Bottom line is that while it may be true that if as many people who are attacking MS systems started attacking Unix/Linux systems, we might see more issues on U/L, it is also true that Unix & Linux are better engineered from the start, easier to upgrade and more varied, all of which make them much more secure inherently than MS solutions.

    Cheers...........

    1. Re:Not quite by DrSkwid · · Score: 1

      there is also one extra big difference

      IIS runs as root by default (or it did last time i looked - nt4)

      --
      There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
  62. What happens when there isn't a patch ready? by BortQ · · Score: 3, Interesting
    If you patched your systems on a quarterly basis, you would not have been vulnerable to a single one of the Linux worms.

    I'm waiting for the time when a worm comes out that exploits a vulnerability that has yet to be 'discovered' yet.

    All that has to happen is for a worm writer to be the first person to find a vulnerability. Then (assuming that this person is malicious) their worm would have a tremendous advantage. They would be guaranteed that every single server running that particular OS would be open to attack. If they took the time to write a really nasty worm (say it's set to replicate itself 10 times and then try and erase everything it can reach on the networks it has access to, except itself) this would quite assuredly bring a large proportion of the internet to a grinding halt.

    And you know it's got to happen some day...

    --

    A Multiplayer Strategy Game for Mac OS X, Windows, and Linux
    1. Re:What happens when there isn't a patch ready? by Sarin · · Score: 1

      yup you are totally right there.
      I think most security experts and bug testers aren't of the malicious kind, but some are however.
      But reconsider your actions if you want to write your godzilla worm: some governments are likely to take advantage of this by making it an excuse to restrict the internet instead of falling for open source solutions.

    2. Re:What happens when there isn't a patch ready? by telbij · · Score: 1

      The only thing is that the ratio of competent programmers looking at the code is probably 1000 hackers/1 cracker.

    3. Re:What happens when there isn't a patch ready? by sheldon · · Score: 2

      Shutting down the index server and renaming default.ida would result in no benefit.

      The problem was with the index ISAPI filter, and you had to either delete that, or just remove its .ida and .idq mappings from your IIS website.

      There are many of us who didn't have problems with Code Red specifically because we had made these changes last year before there was a known problem, patch, exploit, etc.

      Microsoft has also learned from that mistake, and supposedly IIS6 in XP doesn't install this crap by default.

    4. Re:What happens when there isn't a patch ready? by 1010011010 · · Score: 2

      You watch. And if the service with the hole is non-critical, you turn it off.

      For instance:
      Code Red looked specifically for default.ida, which invoked index server. So, shut down index server if you don't need it. If you do, rename or delete default.ida and hope and watch until a patch comes out.

      --
      Napster-to-go says "Fill and refill your compatible MP3 player", which is a lie. It's not MP3. It's WMA with DRM.
    5. Re:What happens when there isn't a patch ready? by colk99 · · Score: 1

      One of the easiest ways to take the internet down is to write a virus that infects the routers at MAE-East or west, because most of the internet traffic is routed through there.

  63. Re:no by Anonymous Coward · · Score: 0

    Umm, the patch for the Code Red vulnerability was also released *BEFORE* Code Red happened, idiot.

  64. Monty Python and the Holy Server by Anonymous Coward · · Score: 0

    "Was that a server configuration, or a workstation configuration?" (BridgeGuardian) "!? I don't know - AAAAAAaaaaaaahhhh.........." (SirRobin looks at Webmaven in amazement) "How did you know THAT?!?"

  65. Re:there should be 911 for security... by Zero__Kelvin · · Score: 1


    Perhaps you haven't heard of Phone Phreaks. Back in the day it was kewl to hijack lots of Ma-Bells numbers, and yes 911 systems have been exploited with great success. The problem is the same. Make a '911' system for viruses and Black Hats will exploit it. Basically there are two dynamics at play here:

    1) We are talking about the impossible. Like it or not, malicious code is a fact of life. It doesn't matter if you draw the parallel from the Biological or Social domain. In either case, they carry over, and there is no panacea. Sorry 8^{

    2) The greater the education of the masses, the less advantage that malicious people have. Again, it all comes down to education.

    Like minded people can disagree, of course 8^}

    Cheers again!

    Zero__Kelvin

    --
    Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
  66. Re:As long as nobody builds the perfect worm... by Have+Blue · · Score: 2
    It would not be able to take over the net. Even a perfect virus is vulnerable to various things it has no control over:

    • Dual-booting. Shell scripts may be cross-Unix but they sure aren't cross-OS. Boot your box back into Windows or Mac OS
    • Nonstandard installs. The vast majority of vulnerabilities rely on the system matching the virus's expectations in some way. Change your system configuration in such a way as to break the virus's infection engine (for Code Red, you could move or rename cmd.exe).
    • Read-only media. Reformat and install from a CD. It can't survive that and it can't stop you from doing it.
    One more thing: All viruses have undisclosed actions. A virus's actions are only discovered when someone at a security firm reverse-engineers it. It's not like virus writers issue press releases...
  67. Re:Microsoft + Worm = MCSE ? by krogoth · · Score: 1

    The interesting thing about the article is that it implies that unix worms are written by very smart people, unlike the script kiddies who target windows. Maybe this means it's a bit harder to write a unix worm?

    --

    They that quote Benjamin Franklin on liberty and safety deserve neither.
  68. My two cents... by pi_rules · · Score: 3, Interesting
    Summary: IIS alone is providing holes for the MS platform at a rate that exceeds -every- popular *nix based product right now

    Do I have any numbers for this? Nope... I'll leave that for somebody else to dig up. I'm a BugTraq reader, and I'm amazed at the sheer number of serious IIS exploits that have recently been coming out. I haven't seen anything new in the past few weeks, which is good, but take a look at the sheer number of buffer overflows alone that have been found in IIS lately. I bet it's more, or really close, to the total number of buffer overflows found in things like sendmail, bind, apache, and even telnetd in the same time span.

    As a programmer I'm appalled here by IIS. Buffer overflows are old, but they keep coming back up. IIS is a new product, most likely written entirely in C++, which should be making the string handling much simpler than the C counterparts. These IIS holes are coming about due to either laziness, incompetence, or indifference on the MS coders' part. These aren't obscure either. You request a long URL and you overflow a buffer? C'mon here. The URL is coming from untrusted users -always-. Access point #1 into the system isn't even being looked at for possible holes... over and over.

    One would think (read: hope) that MS has got a slew of people over-looking all areas of IIS for possible buffer overflows right now. Maybe they'll actually fix some before they're found? Doubtful... given their track record of re-active security.

    Justin Buist
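
Added example, not part of the thread and not code from IIS or the Morris worm: the unchecked copy of a request URL into a fixed buffer that the comment above describes (the same class of bug as the unbounded input mentioned in comment 59), next to a length-checked parser that rejects an oversized URL instead of copying it. The function names, the 255-byte limit and the sample request lines are assumptions made for this illustration.

```c
#include <stdio.h>
#include <string.h>

#define URL_MAX 255   /* assumed limit for this example */

enum parse_status {
    PARSE_OK = 0,
    PARSE_BAD_REQUEST = 400,   /* malformed request line */
    PARSE_URI_TOO_LONG = 414   /* target does not fit the buffer */
};

/* Unchecked pattern, shown for contrast only and never called below:
 * dst has a fixed size, but the length of the untrusted request is
 * never compared against it, so strcpy() writes past the end of dst
 * whenever the URL is longer than the buffer. */
void copy_target_unchecked(char *dst, const char *request_line)
{
    const char *sp = strchr(request_line, ' ');
    strcpy(dst, sp ? sp + 1 : request_line);
}

/* Checked version: the request line is treated as line_len untrusted
 * bytes (not as a C string), the target is measured before any copy,
 * and an oversized or malformed target is refused with dst left empty. */
enum parse_status parse_request_target(const char *line, size_t line_len,
                                       char *dst, size_t dst_size)
{
    const char *sp, *start, *end;
    size_t remaining, target_len;

    if (dst == NULL || dst_size == 0)
        return PARSE_BAD_REQUEST;
    dst[0] = '\0';
    if (line == NULL)
        return PARSE_BAD_REQUEST;

    /* The method ends at the first space; it must not be empty. */
    sp = memchr(line, ' ', line_len);
    if (sp == NULL || sp == line)
        return PARSE_BAD_REQUEST;

    /* The target runs to the next space or to the end of the line. */
    start = sp + 1;
    remaining = line_len - (size_t)(start - line);
    end = start;
    while (remaining > 0 && *end != ' ' && *end != '\r' && *end != '\n') {
        unsigned char c = (unsigned char)*end;
        if (c < 0x20 || c == 0x7f)      /* NUL or control byte in the URL */
            return PARSE_BAD_REQUEST;
        end++;
        remaining--;
    }

    target_len = (size_t)(end - start);
    if (target_len == 0)
        return PARSE_BAD_REQUEST;
    if (target_len >= dst_size)         /* keep room for the terminator */
        return PARSE_URI_TOO_LONG;

    memcpy(dst, start, target_len);
    dst[target_len] = '\0';
    return PARSE_OK;
}

/* Builds a constructed request line whose target is exactly n bytes
 * ("/" followed by filler) and parses it into a URL_MAX + 1 byte buffer. */
enum parse_status parse_target_of_length(size_t n)
{
    static char line[2048];
    char dst[URL_MAX + 1];
    size_t off = 5;

    if (n == 0 || n > 2000)
        return PARSE_BAD_REQUEST;
    memcpy(line, "GET /", 5);
    memset(line + off, 'a', n - 1);
    off += n - 1;
    memcpy(line + off, " HTTP/1.0\r\n", 11);
    off += 11;
    return parse_request_target(line, off, dst, sizeof dst);
}

int main(void)
{
    char out[URL_MAX + 1];
    const char *ok = "GET /index.html HTTP/1.0\r\n";   /* constructed sample */
    enum parse_status st = parse_request_target(ok, strlen(ok), out, sizeof out);

    printf("normal request: status %d, target %s\n", (int)st, out);
    printf("target of %d bytes: status %d\n", URL_MAX,
           (int)parse_target_of_length(URL_MAX));
    printf("target of %d bytes: status %d\n", URL_MAX + 1,
           (int)parse_target_of_length(URL_MAX + 1));
    return 0;
}
```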

  69. Clueless Author by Slothrup · · Score: 2

    The author writes

    Excepting the Morris worm, before which nobody cared much about Internet security, all of these worms have one thing in common: the exploited holes were discovered months before the worm, and official patches for the affected packages were widely available.

    This was true for the Morris worm as well. Both the sendmail and fingerd issues being exploited by the worm were fairly well-known at the time of the exploit. If I recall correctly, part of the reason that Morris wrote the worm was because of his frustration over the continued presence of these security holes, and paradoxically, part of the reason that he released it prematurely was because one of the holes had suddenly gotten extra attention.

    --
    The difference between theory and practice is that, in theory, there is no difference between theory and practice.
  70. Re:Not a good idea by Anonymous Coward · · Score: 0

    I'd call it an antibody, as that is what I think we need.

  71. It's worse than that by leonbrooks · · Score: 2
    Some newer server software like Exchange integrates a lot of functionality in ways it hasn't been done in the past.

    The big issue with Exchange is that it appears to have evolved, conceptually at least, from Microsoft's ancient single-user-OS mailer programs. As with most Microsoft software, when things go wrong, they go totally wrong (the wings fall off rather than the engines simply stopping).

    PostFix (to pick a competing service that I use daily) is the exact opposite: it has been componentised almost to excess, no piece trusts another (to say nothing of the trust not accorded to information from the outside world), no piece runs with more privs than it needs, no piece does anything it doesn't need to, sharing is painfully minimalist, and finally it understands timesharing and user separation from the core outwards. Best of all, you don't need to lose these layers of safety to add something like calendaring to it (just add another delivery method).

    When was the last time you heard of an exploitable root vulnerability - or even a read-everyone's-mail vulnerability - in PostFix?

    --
    Got time? Spend some of it coding or testing
  72. Found on BSD box first, doh! by Anonymous Coward · · Score: 0

    So much for you FUDHEAD

  73. RHN WAS a solution for that by Jeppe+Salvesen · · Score: 2

    Red Hat Network was the Red Hat answer to apt-get in Debian. I am not going to argue that all people should install Debian - it's not a total newbie distribution.

    However, a nightly apt-get against security.debian.org is a VERY good way to patch your system for holes. Debian is really good about releasing quick fixes to their packages.

    Red Hat Network may or may not be good about keeping your system completely up to date. I don't know, because I am not willing to shell out a monthly amount of money for keeping my free system up to date.

    Really, I don't think MOST people are willing to pay for this sadly necessary exercise in security. By charging for this functionality, Red Hat is reducing the security of a large portion of the installed linux servers. It is simply going to create a bad rep for all of the linux community when worms start to work their way around linux servers using old vulnerabilities. Users with systems that automatically patch themselves will sleep fairly soundly (of course, there is a 24 hour time frame between every time you patch yourself. In the meantime, someone MIGHT have found an exploit and created a worm that utilizes that exploit).

    I realize they are in the money-making business. However, they are also representatives for linux. I think they need to be gently prodded to either make red hat network a one-time fee, or totally free. .NET has not yet made people used to paying for software subscriptions.

    Oh - and I DO know that patching alone is not enough. You also need to use secure services, and as few services as possible with explicit firewall rules for controlling who can access those services, plus making a good security policy altogether (most important).

    --

    Stop the brainwash

  74. Re:Actually... by Anonymous Coward · · Score: 0

    all of whom shouldn't be running network servers anyway as they violate the @Home AUP.

    If I can ping you, you have just violated @Homo's AUP! Seriously. You served me with a reply to a request (ala a server).

  75. Re:Microsoft + Worm = MCSE ? by argel · · Score: 1
    But of course if they are written properly (I'm not implying that they aren't), you'd only have to give permission to write directly to the disk and not need total Administration privileges. IIRC there is a way to do just that in Windows 2000, but I don't know how you'd go about doing it.

    It would have to be done for the user, not the application, but it should be possible. Figuring out which obscure right you need to grant is another story....

    Under W2K it is also possible to run applications as a different user, either via a checkbox for a shortcut (double-clicking the shortcut brings up a requestor asking who to run it as) or the runas command line tool. Some stuff works fine that way, others do not (only issue I have seen is with some installers/uninstallers).

    --

    -- Argel
  76. System Fix vs Maintenance by SEWilco · · Score: 0
    I agree. Poor maintenance/administration can be what causes problems for an individual system of any type. It becomes worse the more systems which have the same problem. If a problem can be fixed in the system level by a manufacturer, then the problem is solved for that type of system -- but it's then not fixed in an individual machine until the fix is installed.

    With Unix vs MS-DOS systems, the problem at the system-type level is in the security philosophy. Unix requires that users (including the system) be isolated from each other (with some exceptions permitted). MS-DOS requires that vital hardware be accessible by all programs.

    That's why the virus industry flourished under MS-DOS/Windows. Malicious programs could not be controlled on MS-DOS. The Unix security policy has allowed weaknesses to be closed because a malicious program has to violate the isolation policy.

    Any malicious program on Unix has to work within the isolation security policy, or the hole it uses will be repaired at the system-type level by creators of kernels and distributions. After such a fix has been published, it's a matter of individual system maintenance whether the fix gets installed.

    1. Re:System Fix vs Maintenance by Anonymous Coward · · Score: 0

      Are you new to computers?

  77. at the risk of being redundant by ragnar · · Score: 3, Insightful

    I'll say it yet again, since this is just another way of dredging up the Code Red issue. The problem isn't the platform, it is the administration of the platform. If Unix can be counted on to be mismanaged then an exploit will surely surface. In short, if the Unix world ever finds itself in the state of the Windows NT world, where boxes aren't administered and patched, we too will be nailed. Is anyone surprised? No. Okay, let's let this tired topic die already.

    --
    -- Solaris Central - http://w
    1. Re:at the risk of being redundant by The_Messenger · · Score: 0
      This guy knows what he's talking about. He admins a Sun box, hosting about 120 sites, and in the past year and some odd months that I've been on this box, it has only been down once, and that was for a planned hardware upgrade.

      (Hi Duane!)

      And, of course, he's right. And I happen to think that a lot of the blame lies in NT's "ease of use." I hate to sound elitist, but there are a lot of people running IIS that have no fucking business administrating a webserver, but NT makes it easy... so we get into situations like we're in today where thousands of NT boxes are running, unpatched and poorly configured, because the "admins" are clueless. I'm not saying that all NT people are clueless, but because NT is easier to use, there's a much, much larger percentage of morons running NT servers.

      Case in point: A company called FrontServe offers Windows hosting. I wonder if he has any idea that those are Sun boxes in that photo. This fucktard also has Allaire JRun installed... with all projects in the same namespace, so that anyone can delete anyone's website, and mapping servlets to your site's document root is impossible. FrontServe is a prime example of a moron with an NT box loaded with software that he doesn't understand.

      In the UNIX world, such a situation could never happen, because a basic level of computing and networking knowledge is required to even set up Apache. I worry that dumbed-down clones like GNU/Linux will change this, but for the time being, you can still rest assured that your UNIX admin isn't some sort of FrontServe guy.

      --
      I like to watch.

    2. Re:at the risk of being redundant by DoubleD · · Score: 1

      Simple good advice in theory. In practice updating a windows box is not always as easy as it should be. Let me rephrase that, it is extremely "easy" unless the system dies a horrible death by blue screen and has to be rebuilt. Microsoft patches are a sort of mystical fix (no source) that you apply on their word that it will not trash your system. Most linux and specifically unix style patches target the problem more directly with open code and even in a worst case don't trash the OS if they fail.

      --
      "He is no fool who gives what he cannot keep in order to gain what he cannot lose."
  78. Why use the past tense... by kitmarlowe · · Score: 2, Insightful

    When speaking about CodeRed? Just because the networks have stopped talking about it, doesn't mean it's gone away.

    I don't know about anyone else, but I'm still getting hundreds of CodeRed attacks every week.

    --
    I gotta get a tight tension on...
    1. Re:Why use the past tense... by Anonymous Coward · · Score: 0

      I just got a message this morning from our security guy on campus. I quote "For tuesday, Aug 14th, we saw a sustained 160 Code Red probes per second entering our network"

  79. I'm not paying to spread viruses by SirSlud · · Score: 2, Interesting

    The idea of *nix worms is far more easy to digest, since those who wrote the software with said vulnerability aren't living in huge mansions and driving fast cars. They tried their hardest, and weren't profiting as much for demonstrably insecure software.

    The OS argument always seems to be about quality, but I'm also interested in the esoteric aspects of it - if you're gunna get rich off something, then it had better damn well work; if you do it out of the kindness of your heart and/or scientific curiosity and research, well .. worms will always exist, but I'd rather the software I didn't have to pay for be guilty than the software I did.

    --
    "Old man yells at systemd"
  80. Re:Home-based BIND by coyote-san · · Score: 2

    Go for it, dude.

    Meanwhile, while you're downloading your cracking tools you might want to reread my comment. I know that it's possible to break past a masquerading firewall, but I doubt I can do much to stop someone with that much technical expertise anyway.

    You might also want to look into modern package managers, especially apt-get update. It's not that hard to check for security patches once a week, or whenever I learn of a new release.

    --
    For every complex problem there is an answer that is clear, simple, and wrong. -- H L Mencken
  81. Re:It can happen by Col.+Panic · · Score: 2

    Yes, *nix presents at least as much of a target as Win boxes, if not more since the services running on a default install are likely to include daemons like ftp and telnet. However, it is also really easy to run a perl script like Bastille to tighten security fast and with little technical know-how. Try that on an NT box.

  82. Re:except by Anonymous Coward · · Score: 0

    Okay, you've really got my curiosity up now. Do any of you people have any fucking clue what you're talking about? If you do, how about displaying it sometime, okay? Even if just for shits and giggles?

  83. Re:Speaking of historical trends by Anonymous Coward · · Score: 0

    You are marketing this incorrectly.

  84. Get Real by MakinWaves · · Score: 2, Interesting

    Yes of course we remember the *nix worms. Here's another thing to remember. *nix will never be the veritable screen door of security holes that M$ products are. I find "Whistler" to be aptly named.

    I wonder what would happen if IT professionals were paid $1 per machine for each security update. Guess TCO with M$ products would go through the roof eh? One particular week this year would have netted me $600.

    --

    ---Most Definitely not a Karma Whore---

  85. Re:Microsoft products seem to be of very low quali by MakinWaves · · Score: 2, Troll

    Ya Right, run as root *and* run untrusted code. Sounds like a typical windows user executing an email attachment to me. Informative my ass...more like typical M$ thinking

    This is why we create user accounts. This is why we run suspicious code in that account in the first place. You gonna send the code with that VIM?. How are you gonna hide the exploit? Geez...I'll bet you're one of those accessing Slashdot through IE right?

    --

    ---Most Definitely not a Karma Whore---

  86. Re:Microsoft + Worm = MCSE ? by TheCabal · · Score: 2, Insightful

    I once had an MCSE ask me, in all seriousness, why he couldn't type a fully-qualified hostname to choose a DNS server. It's a paper qualification; it implies no real skill or insight into the system's operation, or any sort of reasoning into consequences of limited design.
    This is limited to MCSE's only? No other subset of users can make this kind of error?

    Therefore, I consider MS fanatics to be, for the most part, a self-limiting reaction

    What is a MS Fanatic? Is that anything like a Linux fanatic? I don't see many people saying "Screw RedHat, screw FreeBSD, MICROSOFT RULES!". On the contrary, I see a LOT of OS bigotry from self-proclaimed *nix professionals, who naysay and poo-poo an operating system just because it comes from a particular vendor. A true professional evaluates the problem, and figures out what OS/software best fits the situation. There have been plenty of times that we've thrown out Solaris/SCO/Linux in favor of Windows, because Windows offered the best solution for what we were doing.

    I think the more relevant question is with regards to the operating system's track record. With the exception of the recent blight of Red Hat 7.0, Linux has probably had far less documented bugs, and because of the UNIX user permissions model, the damages are minimum.

    Your analysis is flawed. Willie Sutton robbed banks because that's where the money is. Microsoft OS's get so much focus because they're so widely used. The recent slew of RedHat hacks that have emerged is due to the RedHat distro being the most popular. It follows that a popular OS is going to get attention. NT/2k also has a user permission system. I'm sure any professional who has worked with NT before would be aware of this. When the permissions are applied as documented and recommended by Microsoft the damages are as minimal as on a Unix system.

    Compare this to Windows. Bugs all over the place, some more serious than those in Linux, some less serious.

    That's a highly astute observation there. Tell me, can a bug in Windows be of equal seriousness as a bug in Linux? I see an awful lot of exploits for Linux. Can you back up your claim of "bugs all over the place" for Windows with any kind of numbers, or are you just speaking from the heart? Linux certainly has a pretty good library of bugs and exploits.

    Where most machines are running 9x/Me with *no* user/process security whatsoever, malicious code can run rampant

    Actually, ALL Win9x/ME machines have no user process security. But those OS's weren't designed to have that. If you want user process security, use NT/Win2k. 9x/ME were designed as a consumer platform, not for business. Microsoft doesn't recommend using Win9x in the corporate environment.

    NT/2000 is an improvement, but it's not designed into every aspect of the operating system's historical architecture.

    Actually, it is. You're arguing from a point of ignorance. Try actually USING the operating system for a while, for something other than launching telnet. All processes in NT/Win2k run under the context of the user that spawned it.

    Windows has been one patch to DOS 1.0 after another, and the final result is such a kludge and so many processes are running with full administrative privileges that the task of exploiting a bug remains trivial.

    This is bullshit again. If you have so many processes launching under Administrator, I would suggest not having your services run under that account, and stop logging in as Administrator on your system. Do you log in as root on your Unix systems regularly? Best practices for both OS's say not to use root/Administrator unless something calls for special permission that superuser account has.

    Running Windows 2000 on my desktop is farcical - half my software won't work properly if I don't give my user account admin privileges.

    Bullshit again. Normal client software doesn't require Administrator access to run. Installing software on a Win2k/NT box requires superuser permissions, but HEY! That's a security feature, and Windows doesn't have that, right? Lazy people who don't want to configure their systems properly run their services under a superuser account, and we all know what THAT means. Even in a Linux world. I certainly don't need Administrator permission to launch Office, Explorer, or any other normal user process. Unless your system is SO badly configured, a user started process CANNOT just run as Administrator simply because it wants to, unless it's a service which has been configured to run as Administrator (in which it's your fault for doing so), or you're logged in as Administrator.

    It amazes me how many allegedly Windows 2000 compatible programs decide that they're going to attempt to store temporary information in the system registry instead of the roving user registries.

    Because software installed on a Windows system is system-wide. If you want to prevent someone from launching a particular application, use POLEDIT and edit their profile to stop them, or *GOSH* maybe change the NTFS permissions to prevent someone from accessing the executable? Don't tell me that you don't use chmod in the Unix world?!

    The single system registry is dangerous, too. Imagine, in your *NIX /etc/ directory, the file everything.conf, with the permissions -rw-rw-r--. What if you decide that you don't want Joe User to see your firewall configuration? Make everything.conf readable only to sys admins? Then, all of a sudden, all of the daemons have to have admin privileges just to see their configuration. Urk. Kludge. Messy, dangerous kludge.

    Of course, nobody would expect you to know that you could set permissions on individual Registry keys, and restrict .ini files to SYSTEM and Administrator... Of course you wouldn't. You obviously spend a lot more time bawling about imagined wrongs in Windows than you do learning about it. MCSEs learn all about that stuff, though. Fancy that.

    Contrast this to Linux or any other UNIX variant, the whole model and concept of which was designed with user and process security and isolation from the ground up.

    Yeah, fancy that Microsoft wouldn't consider that. I guess the Internet Guest account can launch any damn process it wants, or any user on a Terminal Server can stop any other process, even if it doesn't belong to him. Not. IUSR_ cannot simply just add itself to the Domain Admins group, just because someone is using a directory traversal exploit(which wouldn't be a problem in itself if the admins simply INSTALLED THE DAMN PATCHES) because OH MY GOD! That process cannot be spawned by a non-Administrator account!

    As a bonus, the added complexity of administering multiple accounts to the average user is a pain in the butt. They want point-and-drool, everything clean and simple and familiar.

    Point-and-drool? Do you really hold your users in such low regard?

    Actually, administering a NT/Win2k mixed domain is quite easy, and I use the command line a lot. But you're expecting regular everyday users (who probably just use a PC at home for email and pr0n surfing) to suddenly have knowledge of a 20 year Unix engineer simply because you're in the building. There's no need for GUIs in Linux, no siree. Things like KDE and Gnome are simply figments of my imagination. Windows domains don't require a person to have multiple accounts. Microsoft has stressed from the beginning the "unified login", where one account is sufficient. Sounds like you really need the services of an MCSE.

    The beauty of the complexity of Linux/UNIX versus Windows is that it weeds out the chaff who aren't capable of managing a box.

    Complexity can come and bite itself in the ass. Is complexity always a good thing? We've chucked out Linux and Unix solutions in favor of Windows simply because it Didn't Work. Linux isn't the Wonder Platform that a lot of people try to make it out to be.

    I'm sure the programmers and architects at M$ see the problems and comparisons I'm drawing. To be designing an operating system, you must love computers and a sense of a job well done, so I'm sure it pains them that they have to deal with such kludges day in and day out. I'm sure they'd dump the whole thing and fix it if they could, but the marketing guys won't let them implement it.

    I hope you're sending your resume to Microsoft right after reading this. Actually, I don't, since you haven't the first clue about Windows or its security model. Instead of the usual Windows-bashing, why not take a few minutes out of the day and actually LEARN the OS? It sounds like your workstation needs to be reconfigured anyway.

    I've administered many Windows domains, both NT and Win2k, that are directly connected to the Internet, and have a large internal userbase. And I've never ONCE had any major security problems. Maybe I'm a "gifted" MCSE, or The One who will bring balance to the Force, but to me, none of your arguments hold water.

  87. Re:except by japhmi · · Score: 1
    You can't blame apathy on MS.

    Ahhh... but this is slashdot, I can blame anything and everything on Microsoft! They caused the Franco-Prussian War!

    --
    "Giving money and power to government is like giving whiskey and car keys to teenage boys" P. J. O'Rourke
  88. Re:Microsoft + Worm = MCSE ? by BigBlockMopar · · Score: 2

    The interesting thing about the article is that it implies that unix worms are written by very smart people, unlike the script kiddies who target windows. Maybe this means it's a bit harder to write a unix worm?

    I would think that to write one which would propagate despite the myriad configuration options in UNIX which simply aren't available in Windows, as well as having to find a way for the malicious code to break out of the process' user rights and get root access, would substantially raise the bar in any attempt to make one that is substantially destructive.

    --
    Fire and Meat. Yummy.
  89. Re:As long as nobody builds the perfect worm... by KC7GR · · Score: 1

    From: The Brain, C/O Acme Labs

    To: jneves on Slashdot

    Re: Your post of 16-Aug-01

    Dear {$GENDER}

    It has come to my attention that your recent post on the web site 'Slashdot' contains the exact specifications for our soon-to-be complete Internet worm that will enable me to (finally!) Take Over The World!

    Because of the sensitive nature of this project, I must insist that you retract your post immediately. In return for your cooperation, I am prepared to offer you the position of Governor of New Zealand, a fifteen-foot high Tesla coil, and a lifetime supply of food pellets.

    Yours in World Domination,

    The Brain

    (POIT! TROZ!)

    (Quiet, Pinky...!)

    --

    Bruce Lane, KC7GR,

    Blue Feather Technologies

  90. If you're gonna spread FUD by Tony-A · · Score: 1

    Front Page extensions run as a nobody?
    You are thinking about IUSR_machine-name, for Internet Server Anonymous Access. Probably some things in IIS do run as that user. IIS runs as user SYSTEM which is rather rootier than Administrator.
    BTW, Apache runs as root. It has to run as root to attach to port 80. The child processes, the ones that do the work, run as nobody or apache or some such.

  91. The reason why Microsoft OS and mail.... by imagineer_bob · · Score: 0
    The reason why Microsoft OS and mail are attacked the most is simply because they are the most popular.

    Everywhere--USENET newsgroups, internal company mailing lists--I see Mac and Linux zealots gloating that their OS doesn't have virus problems.

    The real reason why fewer people write viruses for the Macintosh is that it wouldn't spread nearly as fast because Over the past few months, rabid Linux users have become indistinguishable from Mac users in their zeal! It is for that reason that I switched my Un*x platform to FreeBSD!

    1. Re:The reason why Microsoft OS and mail.... by Philbert+Desenex · · Score: 1

      The reason why Microsoft OS and mail are attacked the most is simply because they are the most popular.

      Rubbish. That's simply not true. Microsoft did illegally leverage its monopoly to get its products almost everywhere, that much is well known. But Microsoft also puts very few features in either OS or Outlook or IIS that could confer some sort of "immunity" on the host computers.

      Suppose that someone discovers a buffer overflow in a server process that runs on almost all Unix platforms. Hey, wait! "telnetd" runs on almost all Unix platforms, and it's enabled by default almost everywhere. "telnetd" has just such a buffer overflow. Knowledge about the buffer overflow is everywhere, yet we don't see a worm resulting. Why not? Several factors - fractured hardware base. The exploit in question can crash Solaris and NetBSD SPARC telnetd, but can't really be used to start a root shell. HP's HP-PA architecture doesn't support executing code on the stack, so it's pretty much immune. The exploit works on x86 FreeBSD, Linux and NetBSD boxes, but not on OpenBSD boxes. A software "monoculture" doesn't exist, even amongst the same "group" of OSes. That goes double for "chainmails" like ILOVEYOU or SirCam or Melissa - many, many email readers exist, and they all act differently. Most Unix mail readers aren't dumb enough to "launch an application" by mere double-clicking, either.

      What it comes down to, is that MSFT has put in place a "monoculture", and any flaw can be used to infect virtually every member of that monoculture's population. Unix, Linux, *BSD all comprise a "multiculture" both from software and hardware viewpoints. This amounts to vastly greater "resistance" to infection. And epidemiology shows us that infections don't become epidemics unless rate of infection vs rate of disinfection passes a certain level. Even the mild resistance of user IDs and permissions has kept Unix file infector viruses from any kind of prevalence.

    2. Re:The reason why Microsoft OS and mail.... by JimPooley · · Score: 1

      How about we don't see a telnet worm because nobody in their right mind puts telnet where it's visible to the internet!!!

      It's high time that Telnet was retired, with extreme prejudice.

      --

      "Information wants to be paid"
  92. Re:Sendmail? Elegant? Minimalistic? by webmaven · · Score: 2
    That's the first (and hopefully only) time I ever hope to see the words "elegant", "minimalistic", and "Sendmail" together in the same sentence.
    I guess I wasn't clear that Sendmail and BIND weren't minimalistic, and that qmail and djbdns were (at least by comparison), and therefore more secure.
    --
    The real Webmaven is user ID 27463. I don't rate an imposter, because my ID is such a lame-ass high number.
  93. Re:worms depend on MA/OS by mrm677 · · Score: 1

    A little surfing proved my hunch correct. Buffer-overflow attacks destroy the stack return address, and place rogue code on the stack as well

    So the diversity of UNIX certainly has its advantages.

  94. Re:Secure by Default by Anonymous Coward · · Score: 0

    Something you butt-nuts haven't looked into: how come nearly every IP address which I have been hit by looking for default.ida, is not accessible via port 80. This means Code Red, or the IIS, did not hit them. It means that you 7th graders have some stupid kiddy script which you are using to make it look like the virus is still going around. Of course, the liberal media does not report this

  95. Re:It is all about the Spelling by Anonymous Coward · · Score: 0
    Completely off topic (hence the AC post), but there is no excuse for poor spelling.

    Go to www.spellonline.com and check your work.

  96. As long as nobody builds the perfect worm... by jneves · · Score: 1

    Here are the specs:

    - Plugin architecture for exploits.
    - P2P sharing of exploits and vulnerability identification and hiding tricks.
    - Polymorphic and stealth behaviour.
    - 2 year incubation time.
    - Operating system independent (this means shell code for most used operating systems and probably a small scripting engine)
    - Learning engine for exploits (should be simple for buffer overflow exploits)
    - Action: undisclosed.

    The result: not a worm, but a single distributed system with the objective of taking control of the net, and the ability to do it faster than any legislation...

    1. Re:As long as nobody builds the perfect worm... by The+Ape+With+No+Name · · Score: 1

      Brother, you just spec'd out Windows....

      --
      Comparing it to Windows will be a moot point, since El Dorado is going to have a 40% larger code base than XP.
  97. Re:Worms happen, by Anonymous Coward · · Score: 0

    Incompatible types in assignment: Cannot cast from expertise to sysadmin :P

  98. Worm can and will penetrate any OS by mordorian · · Score: 1

    I don't think that Linux or Windows is inherently more secure against worms. They both have motivations to close holes up and release secure OS's. MS has the $ of the consumer. Linux distributions have competition with MS, and principle.

    The simple fact remains that no matter what your motivation or methods there will be unforeseeable exploits in any large piece of software, due to the complexity of the system.

    --


    "Even the Devil can quote scripture to suit his purposes" - William Shakespeare
  99. Re:Home-based BIND by TheAwfulTruth · · Score: 1

    The question is: Did you patch it? Or are you now a sitting duck for several known BIND root hacks? And after patching. Have you continuously kept up with security news to make sure that you don't get hit with a new exploit? It's a LOT of work and responsibility to run virtually any kind of server. It's almost like there should be a license for it (as in driver's), with tickets given out to people that slack off and become infected. :)

    --
    Contrary to popular belief, coding is not all free blow-jobs and beer. Those things cost MONEY!
  100. Re:except by Anonymous Coward · · Score: 0

    Due to the competition in the unix market, security holes do not lend themselves well to pestilent level infections.

    What surprises me is that despite apache's popularity it was not the target of a worm.

    Perhaps there is something to this Open Source is better argument.

  101. Re:Secure by Default by itachi · · Score: 1

    Well, open up terminal.app, you're running a BSD right there. I haven't had much chance to play with OS X, but it's very BSD. Also, most of the Macs that run OS X will also run OpenBSD. If you're interested in trying out OpenBSD (or NetBSD, for that matter) it shouldn't be too difficult to set up a dual boot on your mac.

    itachi, who is planning on getting a new powerbook just for that dual-boot combo

  102. Re:Microsoft + Worm = MCSE ? by BigBlockMopar · · Score: 1

    Some Unices have ACLs, but that's hardly designed from the ground up is it?

    Fine. I learned something new.

    But I still question the suitability of Windows in a networked environment (which, of course, included AOL on a dial-up modem).

    The facts are as follows:

    • Windows configuration, filesystem and overall structure are based on interoperability with a single-user operating system where security wasn't an issue (DOS).
    • Windows grew out of DOS with patch after patch after patch to the basic concepts.
    • When you put a nail through your tire, a patch is probably okay. When there are sufficient patches that they're overlapping, it's probably a good idea to replace the tire.
    • Networking and security are afterthoughts which were patched on long after the design of many core features.
    • Code base never gets mature because the marketing department is always too concerned with adding new features which have to be highly integrated into the operating system.

    By contrast:

    • UNIX was designed from the ground up in a day where computers were so expensive that they had to support several users at once in order to be economically viable.
    • Multi-user operating systems have to be capable of effectively isolating user processes and files from each other and the system.
    • Networking virtually originated on UNIX.
    • A multi-user operating system is especially at home in a networked environment.
    • It's only within the past ten years or so that commodity desktop computers have grown to sufficient power to be able to support the features and overheads of UNIX in a practical way.

    Now, considering all those points, I can't imagine why an informed person would choose to attempt to run mission-critical network services on an operating system without the foundations to handle it.

    Windows architecture is like building the Empire State Building on a sand dune.

    --
    Fire and Meat. Yummy.
  103. Moron by tlhf · · Score: 1

    There was a patch for the default.ida exploit literally months before Code Red.

    So what's your point?

  104. Re:Every system-thing has administrator rights by Fizzlewhiff · · Score: 1

    You simply change the user that the service logs in as on the Log On tab.

    --

    'Same speed C but faster'
  105. Agreed with comments... by crisco · · Score: 2
    The bad: Microsoft, having the greatest exposure to exploits now, is getting the most experience with dealing with exploits. Dealing with them at a business, PR, and technical level.
    I read this and think of the 'ping of death' or WinNuke attacks that plagued Windows in early '97. As I recall, there were two or three relatively similar vulnerabilities in the TCP/IP stack or winsock and maybe related software, one was widely exploited to lock up and BSOD machines. MS suffered a little over that, maybe drove some of us to Linux but in the long run it didn't make much difference one way or the other.
    Dealing with them at a business, PR, and technical level.
    Obviously they haven't quite gotten the hang of them at a technical level. Winnuke wasn't the only one, weren't there a few Front Page vulnerabilities back in '97 or '98 as well? But then the OSS community hasn't either, we continually have our share of buffer overflow pain and other security problems.

    The worm that takes everyone offline will exploit multiple holes in multiple operating systems and network services. It may very well operate in a stealth mode, trying to stay under the radar for as long as possible instead of defacing web sites and leaving obvious back doors. It may make a coordinated search of the IP space as described in a recent article.

    We are cursed to live in interesting times...

    --

    Bleh!

    1. Re:Agreed with comments... by sheldon · · Score: 2

      Actually as I recall one of the really popular 'ping of death' attacks affected Linux as well. Teardrop I think it was called. You sent some sort of fragmented packet at the machine and it just got lost trying to deal with it.

      The sad thing is, these were fixed almost immediately in all the respective OSes, but it took quite a while for people to apply the patches.

  106. Pre-emptive move: Cascaded DDoS prevention by leonbrooks · · Score: 2

    Predicated on the idea that someone installed a few hundred thousand backdoors for a reason, you might also want to put a canary out by adding a PHP script to /scripts/root.exe on your own webserver which contacts the calling machine and shuts it down (if it's IIS). Remember to keep a record of who hit you and only respond every few minutes, finally giving up after (say) 3 to 5 tries so that your own server can't be provoked into DoS-like activity.

    --
    Got time? Spend some of it coding or testing
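
The record-keeping and throttling parts of the canary idea above, applied to logging and alerting only (nothing is sent to the probing host). This is an added example, not part of the original comment; the log lines are constructed, and the five-minute gap and three-alert cap are assumed values in the range the comment suggests.

```python
"""Tally requests for /scripts/root.exe and /default.ida from an access log.

Added illustration: sample data, the alert gap and the alert cap are assumptions.
"""
import re
from datetime import datetime, timedelta

# Common Log Format: host ident user [time] "METHOD path proto" status bytes
CLF = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) \S+')

# The two request paths named on this page.
PROBES = {"/scripts/root.exe": "root.exe", "/default.ida": "default.ida"}

MIN_GAP = timedelta(minutes=5)   # assumed: at most one alert per source per 5 min
MAX_ALERTS = 3                   # assumed: stop alerting on a source after 3

# Constructed log lines using documentation address ranges.
SAMPLE_LOG = """\
192.0.2.10 - - [06/Aug/2001:10:00:00 +0000] "GET /scripts/root.exe HTTP/1.0" 404 283
192.0.2.10 - - [06/Aug/2001:10:00:30 +0000] "GET /scripts/root.exe HTTP/1.0" 404 283
198.51.100.7 - - [06/Aug/2001:10:01:00 +0000] "GET /index.html HTTP/1.0" 200 1043
192.0.2.10 - - [06/Aug/2001:10:06:00 +0000] "GET /default.ida?XXXX HTTP/1.0" 404 283
192.0.2.10 - - [06/Aug/2001:10:12:00 +0000] "GET /scripts/root.exe HTTP/1.0" 404 283
192.0.2.10 - - [06/Aug/2001:10:20:00 +0000] "GET /scripts/root.exe HTTP/1.0" 404 283
198.51.100.9 - - [06/Aug/2001:10:22:00 +0000] "GET /Scripts/Root.exe HTTP/1.0" 404 283
"""


def classify(path):
    """Return the probe name for a request path, or None for ordinary traffic."""
    bare = path.split("?", 1)[0].lower()   # drop the query; IIS paths ignore case
    return PROBES.get(bare)


def scan(lines):
    """Return (per-source record, list of throttled alerts) for the given log lines."""
    record = {}
    alerts = []
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue                        # not a CLF line; skip rather than guess
        ip, stamp, _method, path, _status = m.groups()
        kind = classify(path)
        if kind is None:
            continue
        when = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")
        entry = record.setdefault(ip, {"hits": 0, "first": when, "last": when,
                                       "kinds": set(), "alerts": 0, "last_alert": None})
        entry["hits"] += 1
        entry["last"] = when
        entry["kinds"].add(kind)

        # Throttle: every hit is recorded, but alerts are spaced out and capped
        # so a flood of probes cannot turn into a flood of our own activity.
        spaced = entry["last_alert"] is None or when - entry["last_alert"] >= MIN_GAP
        if spaced and entry["alerts"] < MAX_ALERTS:
            entry["alerts"] += 1
            entry["last_alert"] = when
            alerts.append((when, ip, kind))
    return record, alerts


if __name__ == "__main__":
    rec, out = scan(SAMPLE_LOG.splitlines())
    for ip, e in rec.items():
        print(ip, e["hits"], "hits,", e["alerts"], "alerts,", sorted(e["kinds"]))
```
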
  107. worms depend on MA/OS by mrm677 · · Score: 1

    I could be wrong here, but if a Worm exploits a buffer over-run, then code would have to be written for that exact hardware and operating system. With Windows2000, you know exactly what hardware the server is running on (x86), and you know that exact OS of course. But with UNIX, you really don't have a good idea what hardware is running, do you? Linux could be running on PPC. Unix could be running on SPARC, MIPS, or x86.

    Even if you do know and could find out easily, everything is not uniform. Having uniform hardware would seem to increase the risk for widespread infection.

  108. Re:It can happen by Col.+Panic · · Score: 2
    Windows 2000 has a set of security policies included

    Yeah, I have used them. Impressive auditing too, I must admit. But we are discussing home users, most of whom are not running Win2K Adv. Server.

  109. Re:Linux worms have quick fixes. by Anonymous Coward · · Score: 0

    In the code red case, the fix was out a month before the worm appeared.

  110. sadmind is Solaris by leonbrooks · · Score: 2

    And lots of things scan port 111 (RPC).

    --
    Got time? Spend some of it coding or testing
  111. Home-based BIND by coyote-san · · Score: 2

    Actually, I particularly enjoy having BIND running locally. Since I fired it up:

    1) I haven't had outages because my @home DNS servers have gone to lunch, and

    2) I've gotten rid of a lot of junk after setting up some bogus entries for doubleclick.{net|com} and x11.com.

    I agree that there's no reason for most home users to have a BIND system visible to the net at large, but there are some pretty good reasons for one if it can be located behind your firewall.

    --
    For every complex problem there is an answer that is clear, simple, and wrong. -- H L Mencken
    1. Re:Home-based BIND by Anonymous Coward · · Score: 0

      The question is: Did you patch it? Or are you now a sitting duck for several known BIND root hacks? And after patching. Have you continuously kept up with security news to make sure that you don't get hit with a new exploit? It's a LOT of work and responsibility to run virtually any kind of server. It's almost like there should be a license for it (as in driver's), with tickets given out to people that slack off and become infected. :)

      He probably doesn't bind BIND (pun intended) to the ethernet, I would suppose.

  112. Re:no by Anonymous Coward · · Score: 0

    Sorry kid, but your little Linux thing is some seriously buggy shit. Go look at all the patches needed for just the latest Debian or Redhat releases. Fuck that.

  113. Not a good idea by TrollMan+5000 · · Score: 0

    Check out a previous /. story on "beneficial" viruses to combat malevolent ones. It wasn't really a good idea.

    1. Re:Not a good idea by VladTheBad · · Score: 1

      It wouldn't be a good idea to spread it yourself... but if you limit the beneficial worm to only spreading to systems that try to attack it.... maybe have it NOT patch the system... but instead open a window upon startup saying "Your system has the code red worm, it sent an attack to a system with this anti-code red program. Click "I don't give a damn" to leave the code red virus on your computer, or click "Protect me" to remove the virus and install the patch."

      THEN people would be fixing their own system..... since it would patch their system after removing the virus, they'd not only be safe, but then if they were attacked, the attacker would see the pop-up window... (in windows, like an error message)

      YES... I agree just making a new virus that patches the old one wouldn't be a good thing, but IF the new virus did it in such a manner so that users would have an option... I can picture so many people that bought computers for an office, or even for home with windows 2000 and may not even know they have IIS running, let alone know how to remove the virus...

      also, if the beneficial virus maybe deleted itself after say, 4 days with no code red attacks... so if no attacks come for 4 days, it deletes itself... in this manner the net would slowly disinfect itself and then the beneficial virus would delete itself.

  114. Re:except by linuxpng · · Score: 2

    Microsoft released the patch 2 weeks before the worm got serious.. In either case, it has been available the entire time. Where were the admins and users then? You can't blame apathy on MS.

  115. GPL by the_ph0x` · · Score: 1

    I feel that my code could be beneficial to the community so I GPLed my worm.

    Feel free to use the source code in your own project just make sure you give me credit for the borrowed code. ^_^;;

    .ph0x

    --

    ---
    ps -aux | grep mind
  116. Re:except by goldspider · · Score: 1
    Everyone likes to crap on Microsoft and the repeated demonstrations of their security shortcomings. However you have to keep in mind that these worms are targeted specifically at Microsoft systems, so it should be assumed that they won't affect a UNIX system.

    If as many people tried to compromise UNIX systems as often as they do Microsoft systems, you can bet that we'd be seeing some pretty serious UNIX viruses.

    --
    "Ask not what your country can do for you." --John F. Kennedy
  117. ...and wrong... (-: by leonbrooks · · Score: 2
    The problem isn't the platform, it is the administration of the platform.

    Tony-A's answer was succinct, but I'd like to add that you're ignoring both the frequency and the quality of vulnerabilities on each system. More of the Unix holes are mere DoSes and/or extremely difficult to exploit than is the case for Windows, and when an exploitable hole is more than a DoS it often either requires local access and/or only gives you the privs of the user running the service (e.g. `apache' or `nobody') rather than open slather.

    Those are big differences and largely independent of administration.

    --
    Got time? Spend some of it coding or testing
  118. Re:Microsoft + Worm = MCSE ? by Anonymous Coward · · Score: 0

    I think it is apparent to anyone who has used Windows that you can't type in a host name. What the poster was trying to get across is that, while being an MCSE, someone who is supposed to know what they are doing, doesn't understand how DNS works and that's why he didn't know why putting a hostname in for DNS makes no sense.

    This has nothing to do with Windows vs. Linux, it has all to do with clueless admins.

  119. Re:Microsoft products seem to be of very low quali by Fizzlewhiff · · Score: 1
    Windows was also late coming to the table with the internet. Unix is much more mature in this area. I remember a few years back some nasty holes in sendmail that caused a lot of grief. That is where Microsoft is today and I think they're doing a good job learning.

    For example, Service Pack 2 for Windows 2000 was recently released. Now look at all the fixes found since SP2. Yeah, there's a buttload of problems there, much more than need be but they're all fixed.

    --

    'Same speed C but faster'
  120. Re:It is all about the Admins by randombit · · Score: 1

    If you look at the latest worms, Red Hat's and MS's, they could BOTH be avoided by updating software.

    But of course. However, it's quite rare that an update for a Unix system will break major functionality (NT 4.0 SP6 anyone?). A lot of people can't update their systems, because some major piece of functionality, which their business depends on, will break if they do.

  121. Re:It can happen by stikves · · Score: 1
    You're right. Once our department's server was hacked. It had a line:

    60000 tcp nowait root /bin/sh contained in /etc/inetd.conf (the format may not be correct). The sysadmin was not able to catch that for a long time.

    (NO! I did not hack the machine. I just found out it was hacked).

    Not only an average user, but also an experienced sysadmin may fail to secure their systems.
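
One way to catch an entry like the one described above during a routine review, as an added example that is not part of the original comment. The shell list and the "bare port number" heuristic are assumptions, and the sample file is constructed around the line exactly as the poster quoted it.

```python
"""Audit inetd.conf-style text for entries that attach a shell to a port.

Added illustration: the heuristics and the sample file are constructed.
"""
import os

SHELLS = {"sh", "ash", "bash", "csh", "dash", "ksh", "tcsh", "zsh"}

# Constructed sample. The last entry is the line quoted in the comment above,
# kept exactly as posted (it is missing fields, as the poster suspected).
SAMPLE = """\
# constructed inetd.conf, for illustration only
ftp      stream  tcp  nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
daytime  stream  tcp  nowait  root    internal
finger   stream  tcp  nowait  nobody  /usr/sbin/tcpd  in.fingerd
60000 tcp nowait root /bin/sh
"""


def audit_inetd(text):
    """Return [(line_number, service, [reasons])] for entries worth a look."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        service, rest = fields[0], fields[1:]
        reasons = []

        # Classic layout: service socket-type protocol wait|nowait user program [args]
        well_formed = len(fields) >= 6 and fields[3].split(".")[0] in ("wait", "nowait")
        if not well_formed:
            reasons.append("malformed entry")

        # Look for a shell anywhere after the service name, so that a line
        # with missing or shuffled fields is still caught.
        shell = next((t for t in rest if os.path.basename(t) in SHELLS), None)
        if shell:
            reasons.append("runs shell " + shell)
            user = fields[4].split(".")[0] if well_formed else None
            if user == "root" or (user is None and "root" in rest):
                reasons.append("as root")

        # Legitimate entries normally use a name from /etc/services.
        if service.isdigit():
            reasons.append("bare port number instead of a service name")

        if reasons:
            findings.append((lineno, service, reasons))
    return findings


if __name__ == "__main__":
    for lineno, service, reasons in audit_inetd(SAMPLE):
        print("line %d (%s): %s" % (lineno, service, "; ".join(reasons)))
```
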

  122. Quit FUDing Red Hat by twitter · · Score: 2

    First, I'll wager there are just as many or more Red Hat with Apache run by someone who does not even know it's there. I know, because I ran one that way. The boogey men did not come and get me for the month or two I had it that way. Why? Because Red Hat 6.2 had far fewer holes by rational design than MS trash which is driven by marketroids.

    Second, they have tightened things up. 7.1 comes with a graphically configurable firewall, and bugs you about it on install. That's a big step from the "Everything" install of long ago. It may not be as tight as Debian, and really I must recommend Debian too, but it's not nice to FUD unless you are sure of what you say.

    All of the Linux distros are doing good things for teaching their users security. It's in the design and philosophy of free and open software to teach users. If man pages, online help and Slashdot are not enough, you can always fall back to the stone age dead tree instructions.

    --

    Friends don't help friends install M$ junk.

  123. It is all about the Admins by cansecofan22 · · Score: 4, Redundant

    No matter if it is a DOS attack or a worm or any other kind of attack. No matter what OS you are supporting and using if you as an Admin dont have the proper service packs and updates installed then your OS will be a victim sooner or later. Having competinent people running the shop is where it is all at. If you look at the latest worms, Red Hat's and MS's, they could BOTH be avoided by updating software.

    Sorry about the spelling, I really need to get a spell checker plugin for /. posts!

    --
    "If ignorance is bliss, why aren't there more happy people in the world?"
    1. Re:It is all about the Admins by malelder · · Score: 1

      hehe, but who does that? (: I use apps and services on my machines...that's 99% of the fun (; Your mileage may vary (:

      The key point is as numerous people have mentioned before, as long as the Admin does what he/she is paid to do, a lot of these issues wouldn't occur. As far as home users being the cause of worm propagation, well, that's what ME was for...Windows for Dummies (:

      --


      Yuma, AZ...You will never find a more wretched hive of scum and villainy. We must be cautious.
    2. Re:It is all about the Admins by malelder · · Score: 1

      yeah, clicking Start and clicking Windows Update and checking the boxes and hitting download is soooo hard. Maybe I'm just extraordinarily competent.

      And since my 2k box takes about 1/5 the time to reboot than my RedHat box takes, I don't find that a real issue either :/

      --


      Yuma, AZ...You will never find a more wretched hive of scum and villainy. We must be cautious.
    3. Re:It is all about the Admins by Jason+Earl · · Score: 2

      The problem with Windows is that it requires you to have extraordinarily competent systems administrators to keep it secure. Patching RedHat systems is as easy as paying attention to one mailing list and running:

      rpm -Uvh foo.rpm

      occasionally. Debian systems are even easier to patch, apt does all of the work. Apt happily will decide which packages that you have installed need updating, download them, install them, and restart the corresponding daemons. Windows systems, on the other hand, are much more difficult to secure. Service packs invariably make so many dramatic changes that extensive testing is required, and sorting through individual patches is difficult and time consuming. Worse yet, you almost certainly are going to have to reboot, probably multiple times.

      In other words, while worms are possible with both Linux and Windows, Linux's updating tools are far superior to their Windows equivalents.

    4. Re:It is all about the Admins by Anonymous Coward · · Score: 0

      1/5th the time? *snicker* Running bare loads on similar machines kind of disproves that. Get a grip.

    5. Re:It is all about the Admins by _Sprocket_ · · Score: 2
      A friend of mine once referred to hardening a Windows box as "breaking it gracefully".

      Unix systems tend to allow for various services and libraries to be installed and/or removed as necessary (which doesn't prevent a developer from deciding to require an insecure library or function, but that's another issue). Windows does strange things when you remove what would seem to be unrelated components. A good hardening guide, where someone else has already traversed that minefield, is priceless.

    6. Re:It is all about the Admins by MeNeXT · · Score: 1
      No matter if it is a DOS attack or a worm or any other kind of attack.

      In regards to DOS attacks it's more likely that they consume your bandwidth rather than bringing your systems down. I would like to see a great admin stop that and not be a victim.

      --
      DRM? No thanks, I'll just get it somewhere else...
    7. Re:It is all about the Admins by MeNeXT · · Score: 1
      What?????? Please explain how a firewall will stop a DoS. This I got to hear....

      --
      DRM? No thanks, I'll just get it somewhere else...
    8. Re:It is all about the Admins by Nemesis][ · · Score: 1

      Exactly. Security is an ongoing process not a product.

      A good admin checks at LEAST once a day for possible patches/upgrades and/or exploits to services they're running. (And they SHOULD know what services they are running, some unnamed products actually try to hide *gasp!* that information!)

      Oh we all walk the wibberly wabberly walk...

  124. Re:I'm a heretic, baby by MadHobbit · · Score: 1

    Which is, of course, the source of the problem. People running Linux boxes and using telnet are really not a lot different than people running IIS Index Server and not applying service packs. They're people content with the default setup, with a configuration that lets you do what you want, and they don't worry about anything past that.

    If Linux/BSD/*nix becomes more mainstream, this won't change. They'll install Mandrake, or Red Hat, or Slackware, or Debian, or whatever, and as soon as it works, leave it alone. Telnet is weak and bind has a hole, but you can get SSH and a patch. NT has security holes; MS issues patches, hotfixes, and service packs. If you WANT to keep your system secure on either platform, you can. The problem isn't the inherent security of the platform, it's the willingness of people to deal with it.

    From that perspective, NT could even be considered better, because it makes it easier for lazy people to keep updated. Every once in a while MS releases a service pack or combined patch that fixes a whole bunch of security holes and bugs all at once. It's more likely that a lazy admin grabs the new ultrapatch once in a while, than it is that he checks to see if he's running bind x.xx or another of the many, many components that might have holes in them.

    The Mad Hobbit

  125. They will not be laughing by sjonke · · Score: 1

    They will be too busy trying to figure out the self-checkout line at the local Microsoft grocery store. Not to mention what that strange new itch is.

    --
    --- What?
  126. Re:the holy hand grenade by cecil36 · · Score: 1

    I always enjoy serving up Zookenade while playing Worms. Who needs all that fancy weaponry when a simple grenade will work wonders.

  127. Re:Worms known before 1988 by disappear · · Score: 2

    Yeah, I've had multiple e-mails on the subject of "there were worms before the Morris worm" but what I'd intended to say (unfortunately not what I wrote) is that the Morris worm was the first Internet worm.

    Mea culpa

  128. 44% applicable exploits, 25% of servers, not good by leonbrooks · · Score: 2
    Also, there's a world of difference between 1999 and 2001 in security terms - as CodeRed illustrates. At peak, an IIS box here would have been broken every three minutes per IP (so if it owned a Class C subnet, every 0.7 seconds).

    New Linux boxes hitting the net aren't arriving with known superuser vulnerabilities (except one in Samba, difficult to exploit, not installed by default, configured unusably by default even if installed, and you'd have to be a bean-head to expose SMB to the Internet anyway; I get SMB probes several times per hour per IP during the quiet periods); new Win2k boxes hitting the net are arriving with known superuser vulnerabilities.

    The more you fight a war, the better you get at it, and Microsoft will only get better and better at it, the general public will only grow more and more confident with their fight, and less and less exploits will be discovered.

    You left off a qualifier: ``by Microsoft.'' Crackers will continue to find exploits, and one day, one of them will release the worm-to-end-all-worms for IIS. I favour one which installs Linux, copies across the existing services, and sets up shop as a P2P server for its children to download from. Wouldn't it be fun to see all of the penguins popping up on the screens in a Windows server farm? (-:

    --
    Got time? Spend some of it coding or testing
  129. telnet exploit stats by Anonymous Coward · · Score: 0
    Where are the statistics that tell us how many systems are being exploited by sniffing of plain text passwords ?

    Is this really a problem ?

  130. There is a technical solution by why-is-it · · Score: 2

    This is a social problem, not a technical problem, and it requires a social solution.

    While I agree that there is a social element to this problem, I think that there is definitely a technical solution: firewalls.
    Personally, I would never attach a computer to the internet unless it was a firewall, or was protected by a firewall. It does not have to be a hardware solution (although that is preferable, and those black-box firewall devices are ideal for home use), PCs can run personal firewall code as well.

    Being behind a firewall is no guarantee that you won't get 0wned, and is no substitute for secure-by-default operating systems, but it is an important part of securing your system.

    --
    *** Where are we going? And what's with this handbasket?
    1. Re:There is a technical solution by Grail · · Score: 1

      One of the memorable quotes from alt.sysadmin.recovery:

      For their next act, they'll no doubt be buying a firewall running under NT, which makes about as much sense as building a prison out of meringue.

      -- Tanuki

      How many people are going to listen to the advice "get a firewall" when they're out shopping? They have a budget of, say, $1000 for a computer. Are they going to buy a $300 firewall, and only spend $700 on their desktop computer? No, at best they're going to spend $925 on their computer, and buy a "Personal Firewall" product for $50.

  131. Re:Ahem... by webmaven · · Score: 2
    Home systems (like mine) DO need bind. I can cache lookups here and browse quickly, or wait forever for my @home name server to respond. BIG difference.
    But you don't need BIND for this.

    Check out dnscache which is part of the djbdns package.
    --
    The real Webmaven is user ID 27463. I don't rate an imposter, because my ID is such a lame-ass high number.
  132. Re:This ignores an important issue or two by austad · · Score: 2

    Hello, I am a recruiter for Microsoft. Please post your contact information, I am interested in offering you a job as a software engineer, possibly a management position.

    --
    Need Free Juniper/NetScreen Support? JuniperForum
  133. Re:I'm a heretic, baby by Lxy · · Score: 2

    This is probably irrelevant but I'm going to spout on, basically because the telnetd exploit does nothing to my boxen. Putting aside the exploit, telnet is completely insecure from the ground up. Ever su into a box over telnet? Guess what, you're not the only one with your password now. For those of you who haven't switched to SSH yet, you were asking for it. This just gives you another reason to switch.

    --

    There is no reasonable defense against an idiot with an agenda
    :wq
  134. Re:It can happen by roystgnr · · Score: 2

    A Red Hat Linux 7.1 system doesn't start any network services by default, and installs a firewall by default.

    I was quite happy to see both of these things, by the way; keep up the good work.

    7.2 will be even better.

    Um... doesn't this contradict your previous sentence? Or will 7.2 start -1 network services, and physically unplug your ethernet cable?

  135. Re:Don't forget Morris! by MarkusQ · · Score: 1
    Interestingly enough, at the time enough admins knew each other that most of the information on fixing the problem was spread by phone calls.

    I used to miss the days when we'd all just call each other. Well, not all, even then of course, but if I knew someone who knew someone who knew someone who might have an idea/patch/kludge/obscure document it pretty much felt like it.

    Then I had the opportunity to work with the "technical" staff at a few ISPs, most of whom seemed to have learned their problem solving skills by watching The Matrix about 137 times, and their user interaction skills from listening to rap. The idea that they might want to share information with other admins or (even worse) admit that they didn't know something by asking another admin a question was so abhorrent to them that I realized why those days are gone. And, when I reflect on who "everyone" is these days, I guess I'm glad.

    -- MarkusQ

  136. Re:*nix admins better than NT admins? by Tony-A · · Score: 1

    Right, like the professional admins at HotMail, Microsoft, FedEx, Lucent, Computer Associates?

  137. Worms known before 1988 by bartash · · Score: 1
    Worms were known about before Morris unleashed his. I used to work on a project that had worms as a programming model.

    A program in Equus was a constructive variety of "worm" program that sought out computing resources and adapted to changing environments.

    See

    T. Kindberg, A.V. Sahiner and Y. Paker (1987). Worm Programs, Distributed Operating Systems, Theory and Practice, Y. Paker, J-P. Banatre and M. Bozyigit, eds., NATO ASI Series F, vol. 28, 1987, pp. 335-379.

    or

    Equus: an Environment for Reconfigurable Distributed Computations, Tech. Report no. 591, Queen Mary & Westfield College Dept. of CS, 1992.

    --
    Read Epic the first RPG novel.
  138. Re:no by 4n0nym0u$+C0w4rd · · Score: 1

    Go look at the known bugs of Windows 9x and NT (I suggest you only read the first few THOUSAND pages for EACH OS) then try and find a patch for each and every one of them (not a good way to stay sane....but u might not have anything to worry about). The fact that Linux distros admit they make mistakes and post patches BEFORE something like Code Red happens is what makes it MORE secure and LESS buggy. BTW most of the patches/updates listed on the Redhat site are NOT fixing bugs, look carefully....all the patches that fix bugs say "This fixes...." the rest are just optional updates that add more features....features you get for free instead of paying more for them.....what a novel concept.

    --

    "
  139. Re:Kewl, a URL by RubberDuckie · · Score: 1

    Or try this CNN story about the incident. Complete with pictures, and ugly popup ads.

  140. Re:there should be 911 for security... by Zero__Kelvin · · Score: 1


    Maybe now would be a good time to work out emergency infrastructure to deal with an emergency like that instead of waiting until it happens.

    Or then again, maybe they did that quite a few years ago!

    The real problem is - as always - education. I am not picking on you, but the real problem is that there are so many people thinking the above, who are totally unaware of the Computer Emergency Response Team (CERT)

    Cheers!

    Zero__Kelvin

    --
    Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
  141. Re:Linux worms have quick fixes. by L-Wave · · Score: 0

    You're correct that it doesn't force people to install it, but those of them that install it sooner than later, help prevent faster spread of the worm.

    --
    I SURVIVED THE GREAT SLASHDOT BLACKOUT OF 2002!
  142. Don't forget Morris! by HiredMan · · Score: 5, Funny
    On November 2, 1988 the "Morris Worm" was unleashed on the net. It jumped from college to college (that was most of the net then) and, because of a bug in the code, would reproduce itself within the machine until it ran the machine into the ground as it tried to infect others.


    Imagine Code Red in which almost all servers are NT/IIS and there is no web, no central authority, no "experts"...
    It caused the Inet as it was to cease to function. People had to pull their boxes off-line to keep from getting repeatedly infected.


    The confusion and panic that followed led to the creation of CNet and was the start of most of the big, early Inet security organizations that exist today.


    <old codger>
    You young whippersnappers don't know from worms. We used to create worms on punch cards and you had to mail them around to get infected! Those were the days!
    </old codger>


    I suddenly feel old and have to go lie down....


    =tkk

    1. Re:Don't forget Morris! by ch-chuck · · Score: 2

      We used to create worms on punch cards and you had to mail them around to get infected!

      Actually there WAS a game in the mid 70's that reproduced itself on UNIVAC's with tapes that were sent around; details here.

      --
      try { do() || do_not(); } catch (JediException err) { yoda(err); }
    2. Re:Don't forget Morris! by zmooc · · Score: 1
      ...The Christmas Tree Exec was not self spreading however...

      Isn't the main difference between viruses and worms that worms are self spreading and viruses are not? Following your description of The Christmas Tree Exec, I'd say it's a virus.

      --
      0x or or snor perron?!
    3. Re:Don't forget Morris! by gorilla · · Score: 2

      Of course the Morris worm was not the first worm. The Christmas Tree Exec was December 1987, bringing down both BITNET and the IBM network, almost a year before the Morris worm. The Christmas Tree Exec was not self spreading however, it relied on users executing the email attachment - very similar to the I Love You and successors. I believe George Santayana had some comments on this problem.

    4. Re:Don't forget Morris! by medcalf · · Score: 2, Interesting

      Yeah, that was a Solaris (and VAX?) worm. It hit our engineering network gateway box (the only Solaris system we had) and we were offline for about 3 hours (in the middle of the night) while we cleaned it out. Interestingly enough, at the time enough admins knew each other that most of the information on fixing the problem was spread by phone calls. (Some was also by email and USENET, but those were effectively disrupted for many people.)

      -jeff

      --
      -- Two men say they're Jesus. One of them must be wrong. - Dire Straits
    5. Re:Don't forget Morris! by Lord+Omlette · · Score: 1
      cnet or cert?

      Slashdot requires you to wait 20 seconds between hitting reply on comments.pl and submitting a comment. It's been 9 seconds since you hit 'reply'!

      God forbid people type fast.

      --
      [o]_O
    6. Re:Don't forget Morris! by inburito · · Score: 2

      Nah.. That is called a trojan. Viruses and worms replicate without user intervention. Trojan requires users to explicitly run the software (maybe posing as useful).

  143. Re:Linux antivirus software by mrfrostee · · Score: 2, Funny

    Maybe most people write their own. I did when the local "authorities" insisted that I must install software to scan for Windows viruses in order to hook up a Linux computer:

    #cat wrightAntiVirus
    find $1 $2 $3 \( -iname \*.exe -or -iname \*.doc -or -iname \*.xls \) -ok /bin/rm -f {} \;

  144. Re:But But... -- But No Cigar by xrayspx · · Score: 2, Insightful

    That's close. You don't have to shut down IIS to close this hole. All you really have to do is UNMAP any extensions you don't use. If you make use of htm, html, asp, pl, and you go into application mappings in IIS, and see anything besides htm, html, asp, pl, you should delete them. Now. That should be among the first things a web-admin does.

    This worm comes down to laziness, no more no less. I'm betting that, at the absolute most, between 5% and 10% of sites need things like .ida/.idq/.stm, and all the other crap filters that get installed by default.

  145. Re:Worms dont happen to Mac servers running WebSta by Anonymous Coward · · Score: 0

    That's because no one hardly knows of or cares about servers running WebStar. Would the potential worm writer rather write his worm for Apache/IIS (popular) or WebStar?
    Apache/IIS worm in the news: "New internet worm deletes files and spreads itself to other servers running "
    Webstar worm in the news: "New internet worm affects webservers running WebStar. However, computer experts are not too worried because Webstar is run on a minority of computers"

  146. Microsoft + Worm = MCSE ? by BigBlockMopar · · Score: 0, Flamebait

    Maybe then the MS fanatics will laugh and say: didn't we always tell you Open Source is insecure (too?)

    I once had an MCSE ask me, in all seriousness, why he couldn't type a fully-qualified hostname to choose a DNS server. It's a paper qualification; it implies no real skill or insight into the system's operation, or any sort of reasoning into consequences of limited design. Pass the test, get the certificate. Therefore, I consider MS fanatics to be, for the most part, a self-limiting reaction. They go away on their own. They kinda drop off the 'Net (maybe because of all the "Server Not Found" errors...). But with all the community colleges and business schools, they breed like bunnies.

    As for worms, yeah, of course, any operating system has vulnerabilities. And if they're common and documented well enough, a worm or virus would be trivial for the right person to develop.

    I think the more relevent question is with regards to the operating system's track record. With the exception of the recent blight of Red Hat 7.0, Linux has probably had far less documented bugs, and because of the UNIX user permissions model, the damages are minimum.

    Compare this to Windows. Bugs all over the place, some more serious than those in Linux, some less serious. Where most machines are running 9x/Me with *no* user/process security whatsoever, malicious code can run rampant. NT/2000 is an improvement, but it's not designed into every aspect of the operating system's historical architecture. Windows has been one patch to DOS 1.0 after another, and the final result is such a kludge and so many processes are running with full administrative priviledges that the task of exploiting a bug remains trivial. Running Windows 2000 on my desktop is farcical - half my software won't work properly if I don't give my user account admin priviledges. It amazes me how many allegedly Windows 2000 compatible programs decide that they're going to attempt to store temporary information in the system registry instead of the roving user registries.

    The single system registry is dangerous, too. Imagine, in your *NIX /etc/ directory, the file everything.conf, with the permissions -rw-rw-r--. What if you decide that you don't want Joe User to see your firewall configuration? Make everything.conf readable only to sys admins? Then, all of a sudden, all of the daemons have to have admin privileges just to see their configuration. Urk. Kludge. Messy, dangerous kludge.

    It makes me wonder what Microsoft was planning back when they designed the registry scheme. Sure, a centralized configuration database is a great idea, but not one if you're planning on building an operating system for the security risks of running it on the broader Internet. Yet, forgive me if I'm wrong here, but Windows NT 3.51 was the first M$ operating system to get away from /etc/-style distinct text configuration files (WIN.INI, SYS.INI, etc.), and they did that in 1994 with a badly flawed vision of the registry.

    Contrast this to Linux or any other UNIX variant, the whole model and concept of which was designed with user and process security and isolation from the ground up.

    As a bonus, the added complexity of administering multiple accounts to the average user is a pain in the butt. They want point-and-drool, everything clean and simple and familiar.

    The beauty of the complexity of Linux/UNIX versus Windows is that it weeds out the chaff who aren't capable of managing a box.

    I'm sure the programmers and architects at M$ see the problems and comparisons I'm drawing. To be designing an operating system, you must love computers and a sense of a job well done, so I'm sure it pains them that they have to deal with such kludges day in and day out. I'm sure they'd dump the whole thing and fix it if they could, but the marketing guys won't let them implement it.

    --
    Fire and Meat. Yummy.
    1. Re:Microsoft + Worm = MCSE ? by Anonymous Coward · · Score: 0

      He's a Microsoft zealot. Don't bother him with facts.

    2. Re:Microsoft + Worm = MCSE ? by TrollingKarmaWhore · · Score: 2
      Your facts are shortsighted and wrong.

      The lead architect for Windows NT was Dave Cutler who was the lead architect on VMS, which had all the features you list for UNIX long before UNIX did.

      Virtual memory, shared object libraries, system level ACLs all appeared on VMS many years before UNIX.

      Also part of the Microsoft team was Butler Lampson who invented the security monitor, ACLs and much of the rest of the security infrastructure we take for granted.

      Windows NT does not and never has shared code with DOS. The Windows GUI code and some of the libraries are shared from 95 on, but the code was developed from scratch for the purpose.

      Networking and security are both relatively recent additions to UNIX. Until Sun wrote NFS UNIX did not have anything like the VMS cluster concept. And NFS sucked real bad until about five years ago. Until five years ago at least one major UNIX vendor was shipping a version of Sendmail that had major security holes in it that had been known for three years.

      In short, until Windows NT and Linux showed up to give the complacent UNIX vendors some competition UNIX was a real sucky operating system, and an expensive one at that.

      --
      Bet you wish you thought of this nym first
    3. Re:Microsoft + Worm = MCSE ? by mini+me · · Score: 1

      But of course if they are written properly (I'm not implying that they aren't), you'd only have to give permission to write directly to the disk and not need total Administration privileges. IIRC there is a way to do just that in Windows 2000, but I don't know how you'd go about doing it.

      It is true that there are some programs that won't run as regular or guest users under Windows 2000. These are mostly programs that were designed on Win9x and they didn't take into consideration the NT line. These programs usually try to write into their own directory for instance but obviously the program directory should be read-only (to prevent viruses, etc.) These programs are also troublesome when you try to use them with multiple accounts. Since they don't store their files in the user's home directory, all the data is shared across all users, which is annoying. Just imagine all your Linux programs storing their user settings in /usr/bin instead of ~/!

    4. Re:Microsoft + Worm = MCSE ? by Big+Brass+Balls · · Score: 0
      As for worms, yeah, of course, any operating system has vulnerabilities. And if they're common and documented well enough, a worm or virus would be trivial for the right person to develop.

      More specifically, every operating system is as vulnerable as the dumbass using it. If people didn't at least practice a little common sense (ie. if you don't know where it's been, don't [put it in your mouth/poke your finger in it/open it on your computer]), then they fully deserved the consequences.

      --
      Do I play Hockey?
      What you say!!
    5. Re:Microsoft + Worm = MCSE ? by BigBlockMopar · · Score: 2

      And just what software would that be? The only "application" I have run into that needs admin rights is the Adobe Gamma tool (comes with Photoshop) and it might need those rights. FYI, I'm in the Power Users group.

      Here's a good one, for example. Asus Probe, which does hardware monitoring, just opens a blank window if it's not run as Admin. Nor will it detect and warn with fan stalls. Obviously, it was preferable to run myself as a regular user. When it didn't work, I moved up to Power User, then Admin.

      Another one which has given me problems was Nero 5, can't remember the sub-version, I'd check but I dual-booted into Solaris. It wouldn't burn without Admin, though it's designed for 2000.

      And finally, as if ATI could ever actually make any software work anyway, MultiMedia Center 7 (my All-in-Blunder TV program) won't display the TV window. I know several TV stations in my area which use these cards for on-air monitors for their news producers and executives, and Windows 2000 as their desktops. It's self-defeating for them all to run as Admin.

      While the problems seem to primarily affect those applications which are pretty hardware intensive, there's no intelligent reason why, for example, Asus' hardware monitoring can't pass the data from an administrative service to a user-level display service.

      Whether it's defective design on the part of the software developers or Microsoft user-level security which defaults to *too restrictive* (unlikely, given their many previous security blunders), the net effect is the same: to be useful, I have to run my computer as Admin.

      With my Linux, BSD or Solaris boxes, however, I rarely have to log in as root.

      --
      Fire and Meat. Yummy.
    6. Re:Microsoft + Worm = MCSE ? by Anonymous Coward · · Score: 0

      "why he couldn't type a fully-qualified hostname to choose a DNS server"

      You fucking liar. Under NT, you cannot use anything but numeric characters to fill in the DNS field.

      But since you are just another linux-happ fuckwad without a real clue how the IT world works, I don't suppose you knew that. Hence, your bullshit little jerkoff message.

    7. Re:Microsoft + Worm = MCSE ? by WickedLittleSlaveBoy · · Score: 0
      maybe not MCSE, but MCSE + Internet and MCP + Internet most certainly did...and anyone else who took TCP/IP as an elective....and it was the most popular elective. however, to be fair the test itself was more geared towards NetBIOS over TCP/IP and WINS was more important than DNS in the NT4 name services scheme, at least according to the test.

      it's too bad MS seems to have deleted all of the objectives for the retired tests.

      Cramsession's objectives

      what's going on with /. lately...seems like there are quite a few touchy MCSE's here lately.

    8. Re:Microsoft + Worm = MCSE ? by krogoth · · Score: 1

      My point exactly, which I softened at first to avoid flames :)

      If it's harder to write worms, that makes unix more secure. But then there's the other side - the people who do manage to make a successful worm will be able to make more dangerous worms.

      --

      They that quote Benjamin Franklin on liberty and safety deserve neither.
    9. Re:Microsoft + Worm = MCSE ? by tlhf · · Score: 2, Informative
      Both Asus Probe and Nero need administration privileges because they have access directly to the hard disk for some of their more powerful functions.

      Granted, they could work with limited functionality under lesser accounts, but even then it's their decision to do that. You can hardly blame Microsoft for that.

    10. Re:Microsoft + Worm = MCSE ? by anshil · · Score: 2

      I don't see many people saying "Screw RedHat, screw FreeBSD, MICROSOFT RULES!"

      Oh I see and hear them all the time, most times it is people that grew up on windows, never touched a *nix system and simply fear the unknown/new and would prefer it to go away quickly before they would have to learn something new.

      Look at slashdot right here, in almost every software related thread you'll find comments like this..

      --

      --
      Karma 50, and all I got was this lousy T-Shirt.
  147. Evolving worms would be neat AI by Coq · · Score: 2, Insightful

    This is slightly off topic, but I've been thinking about it for a while. What if someone made a worm that behaved like an unintelligent life form. It would send some random (but predetermined) instructions to the processor, then make some judgement on whether it has more RAM than other instances of the program to survive. If it does, it would spawn more instances that are like itself, but altered slightly in the random instruction portion. Eventually, one may randomly "figure out" how to copy itself to another computer on the network.

    I realize it would take millions of generations before this happened, but once it did, it might become a very robust worm, and one that eats a lot of memory. All it would take is a few dedicated computers and some incredible Darwinian selection methods for it to occur.

    --
    Information wants Coq
    1. Re:Evolving worms would be neat AI by Anonymous Coward · · Score: 0

      There is a whole field of research devoted to this. The most prominent was the Tierra project. I don't have any URLs but hunting on Google should turn up more than a few hits.

    2. Re:Evolving worms would be neat AI by AlXtreme · · Score: 1
      That's like putting a monkey in front of a computer and waiting until it programs an editor: highly probable, if you are willing to wait a few thousand years

      That's the problem with chance. some things are possible, but highly unlikely within a human lifespan

      besides, you'll be paying a fortune on bananas... hmz... getting slightly ot :)

      but on a more serious note: If your worm could learn from its mistakes (and successes) it could work (make a useful program, that is. Using a network, and exploit holes, are a little far-fetched), and maybe even eventually work faster than a normal programmer. But you'll need heaps of CPU-power and diskspace, so that worm wouldn't go unnoticed (but it would be a kewl idea for an AI research project, keeping this in mind...)

      --
      This sig is intentionally left blank
  148. No by CentrX · · Score: 1

    It's very easy to patch security holes. In fact, in some distributions of Linux, it's as easy as apt-get update && apt-get upgrade. It is Microsoft's security hole. There was a security hole in Microsoft IIS, that's Microsoft's security hole. Now, after they released the patch, it was the stupidity of the Windows sysadmins that allowed the propagation of the Code Red worms.

    --

    "The price of freedom is eternal vigilance." - Thomas Jefferson
    1. Re:no by Economist · · Score: 1

      I'd rather install many patches with short intervals than install one big *fix-it-all* patch with long intervals. I like it better if a lot of patches are available, it proves that there are people actually working to remove the bugs and security holes.

    2. Re:no by Anonymous Coward · · Score: 0

      You're living in a fantasyland. Since you have such an idiotic login name it probably won't help if I explain things further, so please just shut up.

    3. Re:No by egarff · · Score: 1

      So how do you explain the fact that Microsoft's own admins didn't update some Hotmail boxes, and some MS web servers? Is that just laziness? The patch had been around before the worm, yet MS still had pie in the face from that one.

  149. Re:I'm a heretic, baby by Mongr · · Score: 1

    uh....there are plenty of notices of exploitable telnetd.....but anybody with half a brain is running OpenSSH anyway. I don't think there are that many exploited boxes. Of course I could be wrong.

    --
    -=Mongr=-
  150. If that happens... by SpanishInquisition · · Score: 5, Funny
    We just have to claim that Linux worms :
    • are faster
    • are more portable
    • use less resources
    • can be more easily modified since you have access to the source
    • Aren't tied to a single vendor


    That should make the point of the superiority of Linux worms over Windows worms and end all the FUD.

    --
    Je t'aime Stéphanie
  151. Re:Cmdr Taco? by MakinWaves · · Score: 2, Informative
    Why the fuck is it that everybody assumes I have multiple accounts?
    Because this particular comment is -1 Offtopic and -1 Flamebait, yet it shoots right up to +5 insightful? Quantity does not equal quality. And you know what? I'm not a M$ zealot. I'm a truth zealot.
    Ya right, that would explain your complete ignorance here
    --

    ---Most Definitely not a Karma Whore---

  152. Re:except by Cryptnotic · · Score: 1
    The problem is that Microsoft has a reactive security policy. They wait until a worm is created, and then they create a patch to fix it.

    Many open source operating systems (e.g. Linux, FreeBSD, OpenBSD, NetBSD) and open source projects (e.g. Apache, mySql, OpenSSH, PGP, Samba) take a proactive approach. When a theoretical flaw is discovered in one of these open source projects, a patch is created and distributed, even before a worm that takes advantage of the flaw is implemented.

    Cryptnotic

    --
    My other first post is car post.
  153. "M$ Fanatics"? by Wakko+Warner · · Score: 1

    You mean, there are people who actually love, not just use or like Microsoft products?

    --
    "Remember when the U.S. had a drug problem, and then we declared a War On Drugs, and now you can't buy drugs anymore?"
    1. Re:"M$ Fanatics"? by Anonymous Coward · · Score: 0

      Absolutely! Find another platform with such functionality out of the box. Oh yeah, graduate school first, then you might get rid of the liberal brainwashing which your professors have put upon you.

  154. A better solution by Anonymous Coward · · Score: 0
    Interesting idea, but I can't see it working.

    If somebody you did not know came up to you on the street and said "You are sick, take this blue pill and you will be okay." you would have to be out of your mind to take that pill.

    The only way an "anti-virus" like this would work is if it went out and automatically fixed the target system without asking for permission, much like the way that silly Australian guy rescues alligators and snakes against their will (in fact, if anybody writes such an anti-virus think about calling it "CrocHunter" ;)).

    A better solution is to write a script (or something) that detects the virus in the email and sends a detailed letter telling them that they are infected and how to fix it. Make sure to include lots of reputable sources in the message and only send one message to a target per day (let's not add to the bandwidth problem).

  155. Re:Regardless by sulli · · Score: 3, Interesting
    When was the last time you heard Linux referred to on the local news

    When IBM sprayed SF sidewalks with Linux graffiti (some is still there)

    --

    sulli
    RTFJ.
  156. freedom to innovate (n/t) by Anonymous Coward · · Score: 0

    no text.

  157. It can happen by huh_ · · Score: 5, Insightful

    You all say that Unix admins know more, or that open source programs have patches out faster, but what about all those people who know little about linux and install it. They can just as easily leave their computers unpatched, running 24/7 using some cable provider. More and more people are trying out linux, it doesn't mean all of them are smart. So of course the same thing can happen.

    1. Re:It can happen by mefus · · Score: 1
      Windows 2000 has a set of security policies included...
      Can someone please tell me why it is always the next version of Windows that is always promised to solve all the problems with Windows?
      --
      mefus
      In Open Society, GPL Software frees YOU!
    2. Re:It can happen by Fred+Ferrigno · · Score: 2

      The various "home" versions of Windows (the 9x series) have all been fairly secure out of the box. They have no remotely accessible or exploitable services. It's only when users do stupid stuff like enable file sharing or run strange executables that problems develop. I don't see how you'd tighten them up more than that without OS-level security policies. And since the home version of XP is going to be similarly single user, so that's out too.

      About the best the OEMs are willing to do is bundle Norton Antivirus and maybe a software firewall.

    3. Re:It can happen by hearingaid · · Score: 2

      there are other things. perhaps it will have a better firewall config. or perhaps it will merely have its configs in general tweaked for security: fewer exploits. that kind of thing.

      then again, I'm not sure I would ever consider RedHat to be a secure distro. but that's me. :)

      --

      my old sig used to be funny, but then slashcode ate it and now it's not funny anymore

    4. Re:It can happen by bero-rh · · Score: 2

      Improved firewall config during installation.

      --
      This message is provided under the terms outlined at http://www.bero.org/terms.html
    5. Re:It can happen by Qube · · Score: 1

      Windows 2000 has a set of security policies included that can quickly set things up to your desired security level. Basically the same thing.

    6. Re:It can happen by bero-rh · · Score: 2

      Microsoft isn't listening; are RedHat and the others

      Yes. A Red Hat Linux 7.1 system doesn't start any network services by default, and installs a firewall by default.
      7.2 will be even better.

      Similarly, up2date finally runs in text mode so you can keep unattended systems up to date using cron jobs.

      --
      This message is provided under the terms outlined at http://www.bero.org/terms.html
    7. Re:It can happen by Rick+the+Red · · Score: 5, Insightful
      You're absolutely right, which is why it's just as important for Linux distributions to come locked down tight as it is for Windows distributions to come locked down tight. Microsoft isn't listening; are RedHat and the others?

      Also, Microsoft is supposed to be open to XP configuration changes by the hardware vendors. Does that extend to default security settings? If so, we can only hope that PC Magazine and the rest will rate new computers on how secure they are out-of-the-box. Are Dell, Compaq, Gateway, and the others listening? Is the computer press listening? If I know Dells come secure but Gateways ship Microsoft-default-wide-open, I'll recommend Dell to my friends and family. If I know Debian comes secure but RedHat installs wide open I'll recommend Debian. But only if I know, and I'll only know if the press does their job and tells me.

      This is a social problem, not a technical problem, and it requires a social solution. That means that everyone in the society must play their part -- the companies, the press, and the consumers. If Microsoft won't be a good citizen, bad on them. But why should they be a good citizen if their enemies are not, and especially if their friends are not?

      --
      If all this should have a reason, we would be the last to know.
    8. Re:It can happen by clare-ents · · Score: 2

      Lots of home users are running Win2K Advanced Server though.

      Many of them have borrowed it from the office, thinking it must be a better version of Win2K.

      That accounted for all of the hacks on our DSL service [a small service admittedly]. Maybe Code Red was merely a pirate Win2K detector?

      --
      Only two things are infinite, the universe and human stupidity, and I'm not sure about the former. (Einstein)
  158. But But... by tre · · Score: 1

    The fact that worms are cross platform doesn't change the fact that ultimately with closed source programs, a user is left waiting for a vendor to supply a patch, which in many cases is too late which leads them to having to either:

    A: Run vulnerable sh*t
    or
    B: Stop running that program. Code Red tries to exploit a file called default.ida and it would require the shutdown of the IIS web server to deny access prior to patch release. Good luck getting the boss to ok that in a production environment...

    There are inherent problems in all software available now. At least with some software you are allowed to see why and how for yourself.

    1. Re:But But... by Fizzlewhiff · · Score: 1
      The fact that worms are cross platform doesn't change the fact that ultimately with closed source programs, a user is left waiting for a vendor to supply a patch, which in many cases is too late which leads them to having to either:

      And with open source you have to wait for someone to write a patch or write one yourself. Not everyone can write a patch and few people can eyeball code and say "oh look, an exploit waiting to happen". And even with closed source, there are watchdog groups that look for potential problems and report them to the vendors just as there are people who look through open source looking for problems. Vendors like Sun, Apple, and Microsoft are just as quick to get patches out from what I can see. True, with open source you can pull down a source tree and rebuild Apache if a bug is found, but how many "admins" can do that? In fact, how many admins can install RedHat and pick Apache and then go download the latest Apache tarball and get it to work? Many would wait for RedHat to release a new RPM.

      --

      'Same speed C but faster'
    2. Re:But But... by einhverfr · · Score: 2
      I get my latest RPMs from Apache....

      Of course I use tarballs too.... But RPMs make the package management a little easier and avoid the --force command later....

      --

      LedgerSMB: Open source Accounting/ERP
  159. Code Red by briggsb · · Score: 5, Funny

    Talked about his experience as a worm. In the interview here. It has some advice for newer worms and viruses.

  160. WindowsWorm:Whitehouse.gov::LinuxWorm:?? by Jucius+Maximus · · Score: 2, Funny
    If the big Windows worm attacks Whitehouse.gov, does that mean that the big Linux worm, whenever it arrives, will attack Whitehouse.com?

    Talk about biting the hand that feeds you!

    1. Re:WindowsWorm:Whitehouse.gov::LinuxWorm:?? by glitch! · · Score: 1

      If the big Windows worm attacks Whitehouse.gov, does that mean that the big Linux worm, whenever it arrives, will attack Whitehouse.com?

      No, it will first register a hotmail email account, then use that hotmail address to send stupid tech support questions to AOL and MSN.

      --
      A dingo ate my sig...
  161. The real issue... by dutky · · Score: 2
    is not whether or not worms can be written for one system or another, but whether or not the system explicitly defines primitives that directly enable the functioning of said worms.

    In the case of the internet mail worm, the function of the worm was based on unanticipated behaviors of both the worm code (the author had intended the worm to limit its speed of propagation) and the internet mail system (the author was exploiting a bug in the mail transfer agent). Clearly, this sort of situation, while a threat to security, is easily remedied once the exploit is known. The remedy can even be implemented with little or no effect on daily operations, since the erroneous behavior of the program will not have been used as part of any applications.

    In the case of the various Outlook worms, however, the situation is reversed. The worms rely on explicit features of the Outlook suite for their functioning. These same features have been incorporated into all sorts of applications built upon the Outlook suite, which means that in order to disable the worm, many production applications must be modified or discarded.

    This is a design issue, at its heart. There are some cultural effects involved (e.g. the MS assumption of a monoclonal computing environment leads to the expectation, and exploitation, of features that would not be reliably present in a heterogeneous environment.) but the central problem is the explicit decision by Outlook program managers to include features that were inherently insecure. (Consider that, while Sun may have a similar monoclonal outlook to Microsoft, Java was designed for both security and provision of a wide and reliable feature set)

    The question is not "can worms be written for systems other than Microsoft's?" -- to which the answer must always be 'yes', even if only because we can't rule out the possibility entirely -- but, rather, "is it easier or harder to write worms for Microsoft systems than for other systems?" The answer is, pretty clearly, that Microsoft's design decisions make worms far easier to implement on MS platforms than on other platforms.

  162. Good book on one of the first VMS worms.... by jerkychew · · Score: 1

    It was posted on Slashdot back in January, so I figured I'd point to it here. Suelette Dreyfus' book "underground" is available in its entirety online. Read the book (or download it to your palm) at this page

  163. Re:Microsoft products seem to be of very low quali by anshil · · Score: 2

    HOWEVER it's not fair to snicker if the 'other' operating system got struck by a worm. There were many unix based worms also, remember the buffer overflow hole 'bind' had?

    So what happens if the BSD TCP Stack is found to have such an overflow error? This would automatically infect ALL systems I can think of, who doesn't use BSD's stack today?

    --

    --
    Karma 50, and all I got was this lousy T-Shirt.
  164. Windows NT (Or any version of Windows for that matter) is a decent program? You must see the irony in defending Windows by claiming other OSs are buggy, be honest with yourself and admit which is the buggier OS, Linux or Windows. If you conclude that Windows is less buggy, explain why Linux users measure their uptimes in weeks while Windows users measure them in hours......yet the average numbers of Linux uptimes are still larger than the average numbers of Windows uptimes (such as 30 weeks compared to 24 hours). It sounds like you think all Open Source software is "crappy and buggy".....I guess you're right, I mean what are the odds that there are some good programmers out there who code for FUN. As for a "few" bucks, let's see.....company with 1500 computers needs an OS, Linux = FREE and more reliable (there are stats to prove this, look them up), NT = EXPENSIVE and less reliable. The only reason NT is widely used is because companies want to increase employee productivity (Like Fred the Janitor/Visual Basic Programmer/NT Admin). If you want to know the intelligence of MOST NT admins, just consider the amount of Code Red infestations and how long the patch has been out, NT admins expect the OS to do everything but wipe their ass (this feature is expected in XP), Linux/Unix admins generally LIKE their jobs and are INTERESTED in the computer world....thus they INSTALL patches (that are produced much quicker than closed source patches I might add). Seriously, try Linux for 1 month (Honestly try it, which means learn the commands) I am absolutely sure that after learning how to use Linux and gaining experience with it you will realize the truth about which OS is crappy and buggy.

    --

    "
  165. Re:Microsoft products seem to be of very low quali by SuiteSisterMary · · Score: 2, Informative
    No Linux email programs or word-processing programs have the authority to take over the entire operating system.
    Really? Great! I'm going to email you a new version of vim. Make sure you run it as root. Don't worry, it won't have the authority to take over the entire operating system.
    --
    Vintage computer games and RPG books available. Email me if you're interested.
  166. This ignores an important issue or two by blakestah · · Score: 2

    There are REALLY important issues that interact with this one.

    1) A box should come with only absolutely absolutely necessary web services running. Anything else should require the admin manually to turn the service on. This would prevent about 90% of all worm cracks.

    2) The providers of a distro have a responsibility to ensure that security updates get to all people affected - not just those who subscribe to mailing lists. They have a responsibility to ensure that fixes are easy to get and easy to apply. Debian probably has the best security model in this regard due to apt-get.

    Microsoft fails on all fronts. They ship NT server and Windows2000 server with IIS enabled by default. They do not push publicity out about worms that impact their systems - they make a low key effort to acknowledge that they have a problem only when they have a fix.

    Redhat has also been particularly poor in this regard in the past - more recent installs seem not to enable internet server software by default, and to include warnings when you enable things.

    Whereas Microsoft software is buggier and less secure than any other software, they also fail to enable their users when security fails. For this the blame goes squarely on the shoulders of a giant that banks $1 billion per month for avoiding bad publicity in order to help their users.

    1. Re:This ignores an important issue or two by Anonymous Coward · · Score: 0

      Whereas Microsoft software is buggier and less secure than any other software

      Wrong! About 4 years ago I built a toy web server that makes IIS look like a work of genius. You could grab someone's password file with a URL like:

      http://www.foo.org/~fred/../../../etc/passwd

      Last time I checked IIS didn't let you get away with that!
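
The traversal described in the comment above, shown next to a resolver that refuses it. This is an added example, not part of the original post or of any real server's code; the sandbox layout, the file contents and all function names are constructed for illustration.

```python
import os
import tempfile
from urllib.parse import unquote, urlsplit


class Forbidden(Exception):
    """Raised when a request path resolves outside the document root."""


def resolve_naive(docroot, url_path):
    # The toy-server flaw: the request path is glued onto the document root
    # and every "../" segment is left for the filesystem to interpret.
    return os.path.normpath(os.path.join(docroot, url_path.lstrip("/")))


def resolve_safe(docroot, url_path):
    # Decode percent-escapes exactly once so "%2e%2e" is checked as "..".
    path = unquote(urlsplit(url_path).path)
    if "\x00" in path:
        raise Forbidden("NUL byte in path")
    # realpath() collapses ".." and follows symlinks, so the containment
    # check below is made on the file that would really be opened.
    root = os.path.realpath(docroot)
    candidate = os.path.realpath(os.path.join(root, path.lstrip("/")))
    if os.path.commonpath([root, candidate]) != root:
        raise Forbidden(url_path)
    return candidate


def build_sandbox():
    # Constructed layout: <base>/srv/www is the document root and
    # <base>/etc/passwd stands in for the system file named in the comment.
    base = tempfile.mkdtemp(prefix="traversal-demo-")
    docroot = os.path.join(base, "srv", "www")
    os.makedirs(os.path.join(docroot, "~fred"))
    os.makedirs(os.path.join(base, "etc"))
    with open(os.path.join(docroot, "~fred", "index.html"), "w") as f:
        f.write("fred's page\n")
    with open(os.path.join(base, "etc", "passwd"), "w") as f:
        f.write("constructed-secret\n")
    # A symlink inside the served tree that points out of it.
    os.symlink(os.path.join(base, "etc"), os.path.join(docroot, "~fred", "link"))
    return base, docroot


def serve(resolver, docroot, url_path):
    # Minimal request handler: returns (status, body).
    try:
        with open(resolver(docroot, url_path)) as f:
            return 200, f.read()
    except Forbidden:
        return 403, ""
    except OSError:
        return 404, ""


if __name__ == "__main__":
    _, root = build_sandbox()
    for url in ("/~fred/index.html",
                "/~fred/../../../etc/passwd",
                "/~fred/%2e%2e/%2e%2e/%2e%2e/etc/passwd",
                "/~fred/link/passwd"):
        print(url, "naive:", serve(resolve_naive, root, url)[0],
              "safe:", serve(resolve_safe, root, url)[0])
```
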

  167. Re:Secure by Default by jeffy124 · · Score: 2, Informative
    yeah, i realize by using OS-X that it has a FreeBSD core. Very nice thing is that I'm able to take programs written for Linux/BSD/Other Unix and compile them on my machine to have it work like any other unix app. All the good gnu and unix stuff is there, and Apple even made gui wrappers for some tools, like traceroute, ping, and top, which is very cool. A co-worker has set up his machine for OS-9, -X, and Linux.

    I use OS-X at work for networks research. I have a PowerBook G4 laptop w/ dual monitors (a regular monitor + the laptop screen), 500 MHz, 256 MB ram, 20 GB HD, 10/100 ethernet, 2 USB ports, 1 firewire port, 56K modem (which is thus far unused).

    if you want to get a powerbook, wait about a month. OS-X.1 is in beta, and is expected in September. I work at a company Apple considers a "Premier Developer," hence we get pre-releases and betas and all the other good stuff, and X.1 delivers on what it promises. X.1 makes a ton of serious improvements over X.0.4, the current patch. They made a lot of improvements to the GUI allowing the OS and programs running on it to be more responsive to user interactions. Plus several other enhancements like DVD support (which I have not yet tried)

    --
    The One Rule Of Chess You'll Ever Need: Don't play someone who carries a kit in their bookbag.
  168. One clear observation kills many a fine theory by leonbrooks · · Score: 2
    all of which can be presumed to be professionally administered

    If even one of them is professionally administered, your point is made. Inconvenient facts are the terror of grand and popular theories. (-:

    --
    Got time? Spend some of it coding or testing
  169. Kewl by steveo777 · · Score: 1

    Have you got a URL?

    --
    This sig isn't original enough, it's time to come up with something witty...
    1. Re:Kewl by sulli · · Score: 1

      No, but you can search SF Gate (the SF Chronicle) for articles on this. Slashdot also talked about it a bit, I think in Quickies.

      --

      sulli
      RTFJ.
  170. Hammer, Nail, and Head by Genoaschild · · Score: 0

    Microsoft makes more money on Upgrades than it does on the actual OS. So, if you work for Microsoft and make the perfect program, never crashes, supports every hardware and FS out there, excellent multitasking, and security, people would buy it ... once. Most people would only get another copy when they got a new computer. There would be no reason to upgrade this OS. What would be Microsoft's incentive?

    Economically, it doesn't make sense for Microsoft. If no one ever upgrades because the previous version is "just as good", Microsoft is out of some money.

    For open source developers, they are more likely to get it right the first time around and make more money with upgrades by adding "features."

    Most people think they should get free upgrades for bug fixes. Most of Microsoft's "Upgrades" are a combination of bug fixes and adding new bugs so that they have to upgrade again and charge money for it. It is a vicious cycle that Microsoft is in. They are rich because of it. :-)

    --
    Just because a bunch of people believe or do something stupid, doesn't make it any less stupid.
  171. Re:except by Anonymous Coward · · Score: 0
    keep in mind that these worms are targeted specifically at Microsoft systems, so it should be assumed that they won't affect a UNIX system

    well, duh

    If as many people tried to compromise UNIX systems as often as they do Microsoft systems, you can bet that we'd be seeing some pretty serious UNIX viruses.

    sheesh. *nix system compromises are *everywhere* but you have to consider the purpose of the compromise. mail-propagated worms target home (mostly windows) users because GUESS WHO USES EMAIL! system backdoors are more interesting on servers, which are often *nix systems ...

  172. Re:except by estes_grover · · Score: 1

    It may be the case the windows sysadmins' bosses have lower IQ than *nix sysadmins' bosses. It's surprising how a PHB can make a sysadmin run in circles over stuff like budgets and special click-click projects, etc., all of which detract from quality admin time.

  173. except by linuxpng · · Score: 5, Insightful

    don't most UNIX admins need to know something about the OS other than the size of the install base therefore actually patching their security holes in a reasonable amount of time. Let's not forget the issue is NOT microsoft's security hole. All oses have that, it's that the userbase is not up to date on installing the security fixes. We just hope everyone who bashes MS will patch their own holes come unix worm time.

    1. Re:except by gupta · · Score: 1

      hackers had attacked Unix many years ago, probably before you were even born.

    2. Re:except by NetJunkie · · Score: 2

      A patch for the exploit that let Code Red run wild was out before the worm.

  174. Re:An early Unix worm by Anonymous Coward · · Score: 0
    Dude, you suck. But at least you're creative.

    ~~~

  175. Re:Documented MCSE Stupidity by sethgecko · · Score: 1
    an MCSE: singular. MCSEs: plural.

    He said forgive him for feeling superior to an MCSE.

    Or perhaps this would make it clearer.

    #include stdio.h
    main(){
    printf("superior to an MCSE");
    }

    Did my butchered C make it any clearer? Or do you need it in VBScript?

    --
    Be ot or bot ne ot, taht is the nestquoi.
  176. Documented MCSE Stupidity by BigBlockMopar · · Score: 1, Flamebait

    It tests a limited and well defined check list of skills, most having to do with installation and configuration. Only with the Windows 2000 series did the tests begin to measure planning and design skills.

    Installation and configuration, huh?

    I had another one - employed at a major international airport, no less - ask me how to solve a BSoD on a FIDS computer. Note that this is one of several hundred displays running Windows 95 (I don't want to get into why).

    I had to lead him through all the steps. The fault was in VMM.VxD, so it looked right off the bat like bad hardware. Of course, his reflex instinct - reinstall Windows - will automagically repair a bad transistor on the address decode logic of a RAM chip.

    Step one, check that the fans are spinning properly. Two, check that the cards, processor and memory are properly seated. Three, run a good memory test. The machine was removed from the suspended ceiling above the flight display monitors it served.

    Step Three caused the problem. I gave him a DOS troubleshooting program, and told him that he had to create a system disk and run it without any extended memory drivers loaded. I specifically told him to open a command prompt, stick in the diskette, type "sys a:", then dump the contents of the ZIP file I gave him onto the disk.

    Of course, he ignored my instructions, and used the Add/Remove Programs - Create Startup Disk feature in Windows, then dumped the ZIP to it.

    Predictably, when the machine started up, HIMEM.SYS was loaded, and trying to start the memory testing program caused only error messages.

    He came back to me, walking all the way from the International Departures area to Domestic Arrivals, telling me that it didn't work. Note that, including code-shares, that airport handles over 2,000 flights a day - big airport, long walk. When I saw why it didn't work, I had to remind him that HIMEM.SYS was being loaded because he didn't follow my instructions.

    "So, uhh, I have to format the disk and start over?"

    Intrigued like a witness to a particularly gruesome lawnmower accident, I led him through a series of questions. How do you control real-mode drivers loaded during startup of DOS and legacy Windows? (CONFIG.SYS, he didn't know)

    How do you ensure that no real-mode drivers are loaded up? (Delete CONFIG.SYS, or REM them all out)

    Will DOS run without CONFIG.SYS? (Yes, he said no.)

    If you edit CONFIG.SYS to remove the line that refers to HIMEM.SYS, will Troubleshooter stop complaining that there's an extended memory driver loaded? (Yes, but he answered no.)

    What's another quick and dirty way to stop HIMEM.SYS from loading? (Delete or rename it. Blank, confused stare.)

    He eventually deleted it and got it working, but he looked pretty scared at a command prompt. Rather than trusting him to interpret the results of the memory test, I told him to save them to a log file on the diskette. Intermittently bad memory, and knowing what SIMMs were in the machine and doing a bit of quick calculation, I blew him away by even telling which bank had the bad RAM. Oddly enough, Windows was right for once - one of the addresses in the BSoD's core dump was the same as Troubleshooter gave.

    Configuration, huh? AUTOEXEC.BAT, CONFIG.SYS and HIMEM.SYS are pretty much the foundations of everything which has happened since. I would pay money to see him sitting in front of the Windows 2000 Recovery Console.

    Now, you will, of course, forgive me for feeling superior to an MCSE.

    --
    Fire and Meat. Yummy.
    1. Re:Documented MCSE Stupidity by Floofnargle · · Score: 1

      And because this one idiot was an MCSE therefore all MCSEs are idiots? Maybe you should review your basic set theory before you start feeling too superior...

  177. Re:Linux worms have quick fixes. by Anonymous Coward · · Score: 0

    Yeah that's good. But what if the worm spreads fast, not like the lumbering Code Red random pot shot approach. This guy's theoretical Warhol worm thinks it could do it faster. Now that's scary. Let's just hope this one doesn't end up like the Morris worm. I really hope these guys who write these worms, for just pure research, take the same care that biohazard researchers use. Because these contaminants would spread at light speed.

  178. Wrong. by Anonymous Coward · · Score: 0

    Good thing the patch for what Code Red exploited was out MONTHS before it hit, huh? No, it's the stupid administrators, not the vendors, please try again.

  179. The Point Is by Catskul · · Score: 3, Informative

    I think there are 2 real points to the fact that *NIX systems are more secure. First of all, UNIX is more mature than MS software, therefore they have already been through the more trivial problems with holes. The second point is that because of Open Source customers get to choose what part of the software gets the most development. Security gets attention when those affected by bad security get to decide.

    --

    Im not here now... Im out KILLING pepperoni
    1. Re:The Point Is by Anonymous Coward · · Score: 0

      Yes, but variants of *NIX are built on totally different code bases - so each of them has *Different* problems.

  180. Code Red won't die.. by Havokmon · · Score: 1
    You seem to think that the only worm out there now is Code Red I/II/III.

    I get daily reports of port scans on 111 (from portsentry), which, if I remember correctly is sadmind, the Linux Worm.

    These things ARE NOT going away folks.

    And it's worse for MS. What if XP DOESN'T get released? People will be installing the same old unpatched IIS on new machines, and maybe not installing the latest fixes.

    At least if you grab the latest ISO, the older holes are closed. Without an all-inclusive MS upgrade, people will just keep getting infected by Code Red.

    --
    "I can't give you a brain, so I'll give you a diploma" - The Great Oz (blatantly stolen sig)
  181. I dunno... by Hassman · · Score: 1
    We just can't win.

    Use windows, you have the virus problem to deal with due to the popularity of the OS.

    Use linux, you have the hacker problem to deal with due to the fact that those people have no lives and think they are so cool cuz they can do things to my box. I just think about what "Lowtax" would say in the situation and I pee myself laughing.

    Oh well...what can you do?

    --
    -Mark
    Dovie'andi se tovya sagain.
    1. Re:I dunno... by Anonymous Coward · · Score: 0

      What can you do..? Hmm... Doesn't Apple make some kind of computer or something..?

  182. Re:Yeah maracuyeah by Nastard · · Score: 0, Offtopic

    Not quite. I've had three of four firsts today (logged in). I hit the karma cap, so I wanted to burn a few points and work my way back up.

    And yes, I am that bored.

  183. MS defense: UNIX would have the same problems if.. by Bogatyr · · Score: 1

    In regards to the recent Code Red/Sircam hoorah, a very pro-Microsoft acquaintance of mine said the Code Red hassle "demonstrated the enormous user base of MS as far as Internet sites go. As with anything that could achieve that level of user-base, security holes are inevitable just as with linux, only they aren't as publicized due to the smaller user-base" (his words).

  184. Sendmail? Elegant? Minimalistic? by alispguru · · Score: 5, Funny
    In the long run, elegant, minimalistic code is easier to understand, and therefore easier to secure (examples are Sendmail vs. qmail, or BIND vs. djbdns).
    That's the first (and hopefully only) time I ever hope to see the words "elegant", "minimalistic", and "Sendmail" together in the same sentence.
    --

    To a Lisp hacker, XML is S-expressions in drag.
  185. Re:Cmdr Taco? by MakinWaves · · Score: 1
    It's so easy to point out the vulnerabilities in MS products and they exist and are quite common, but it also needs to be said that there are patches for them and most of the problems come from users and admins that don't know enough to patch stuff.

    I guess that would explain why M$ itself got hit. Wake up...not even Microsoft can keep up with the staggering amount of patches they put out. Now I see there is an update scanner out. Guess what!?! It's a command line tool...BAHAHAHA. They badly needed to clean up their mess on their own network and didn't have time to wrap a pretty GUI around it. Please don't cut yourselves trying to use it.

    --

    ---Most Definitely not a Karma Whore---

  186. Re:Difference btw. Unix and Windows Worms? by Fizzlewhiff · · Score: 1

    I agree. I think most Solaris, HP/UX, AIX admins out there have far better skills than most NT or Linux admins.

    --

    'Same speed C but faster'
  187. Re:Worms happen, by Anonymous Coward · · Score: 0

    and once it's compiled and paid for, they usually have to wait several months (or years) to purchase another recompiled copy.

  188. Any day now... by why-is-it · · Score: 3, Funny

    Right now there aren't any non-proof-of-concept Linux viruses.

    I can just see it:

    Hi! How are you?
    I send you this perl script that must be run as root in order to have your advice
    See you later. Thanks

    --
    *** Where are we going? And what's with this handbasket?
  189. Re:Ahem... by Anonymous Coward · · Score: 0

    There are other nameservers besides bind. Bind is a monster, and you sound like you need a simpler, pure-caching nameserver like dnrd.

  190. Re:Worms dont happen to Mac servers running WebSta by Anonymous Coward · · Score: 0

    Typical Mac user arrogance. This comment is like saying "internet worms dont affect Commodore 64's running Bobs HTTP daemon".

    I would also like to know why then OSX is running Apache as the webserver instead of the high and mighty WebStar?

  191. I've got a question... by unformed · · Score: 2, Funny

    Securityfocus has a nice column on Worms and their origin in 1988.

    Okay, if worms appeared in 1988, then what the hell ate all the dead bodies in the thousands of years ago?

  192. Linux antivirus software by cyberformer · · Score: 1

    Is there actually any Linux antivirus software available? All the big security software vendors seem to be ignoring it, and I don't see any open-source antivirus projects either.

  193. Worms dont happen to Mac servers running WebStar. by Anonymous Coward · · Score: 0

    Worms dont happen to Mac servers running WebStar.

    EVER.

    Thats why no reports of ANY exploit has ever been published regarding the secure Mac OS.

    consult bugtraq if you doubt this.

    This article is a sham.

  194. Re:Secure by Default by hearingaid · · Score: 2

    OpenBSD's record is for that many years (I can't remember the total number) without a root exploit.

    that is, no root exploits, at all, in the default install. local or remote. it's pretty crazy. does make it a popular firewall os though. (though I use FreeBSD for mine. but I respect the hairiness of the OpenBSD folks.)

    your university requires you to use M$ Office? hey, that's what OS X is for. :)

    --

    my old sig used to be funny, but then slashcode ate it and now it's not funny anymore

  195. Your full of it by Anonymous Coward · · Score: 0

    It *DOES* come with Apache.
    Quote from http://www.apple.com/macosx/server/

    "Mac OS X already includes Apache, the world's most popular Web server, for personal Web sharing."

  196. Re:The only good worm.... by Anonymous Coward · · Score: 0

    ah yes, the almighty moderator has too many points to waste.

    Its a fucking joke. You know, humor? Fuck me, what an idiot.

  197. Re:IRC Wars.. by Quazion · · Score: 1

    Most viruses and exploits and even some worms, are used to put trojans on computers to use in IRC Wars like DDoS attacks on IRC servers ye hear all the time.. People with flood botnetworks with over 1000 computers they are out there i know...

    I say its all the cause of humanity anyways ;P

  198. Re:there should be 911 for security... by Error27 · · Score: 2

    Actually, I didn't mean that there was no planning going on for the case of an emergency. Although I did blather on about a lot of stuff that I probably shouldn't have.

    What I did mean is that we should work out a simple (from the user perspective) solution for any really terrible security emergency. Something where the user can open a terminal window and type one simple easy to remember word and have the problem dealt with.

    That's the beauty of 911. Even a small child can remember it. It's easy. It's fast. Any emergency that you have the person on the other end of the line knows how to deal with.

    Vendors/Distributions should all provide this functionality.

  199. Alas, poor Taco... by talks_to_birds · · Score: 1
    trolling again?

    • "...Maybe then the MS fanatics will laugh and say: didn't we always tell you Open Source is insecure (too?) ..."

    Have ye truly fallen so low, oh, once mighty Taco?

    t_t_b

    --
    I'm on PJ's "enemies" list! Are you?
  200. At least we will use our own patches. by Count · · Score: 0

    Unlike Microsoft who didn't even patch their own Hotmail servers with their own patch that covers their own security flaws.

  201. HEY! by Psmylie · · Score: 3, Funny
    I resemble that remark!

    err...

    --

    psmylie's dictionary: Godzillion (noun) Any number large enough to destroy Tokyo

  202. Re:Difference btw. Unix and Windows Worms? by Anonymous Coward · · Score: 0

    LOL -- nice bait and switch :)

  203. there should be 911 for security... by Error27 · · Score: 2

    With code red there were 2 problems. People didn't install the patches when they were released and also the patches didn't entirely fix the problem.

    With debian it's pretty easy to install patches regularly by typing apt-get update and apt-get upgrade.

    But code red could have been much more serious than it was. It could have used a new exploit instead of a known one. And it could have spread much faster. As it was some people were still infected before they could download the patch. A third way it could have been worse is if it had used a more common application than IIS, for example apache.

    Maybe now would be a good time to work out emergency infrastructure to deal with an emergency like that instead of waiting until it happens.

    Something simple to type that's the same across all distributions that shuts down everything and downloads a patch and installs it automatically. Apt-get is fine for normal patches but some people could become infected before they downloaded the patch. What I have in mind is more along the lines of slashdot posting something like "type emergencyUpdate" and every single linux user, regardless of distribution, who saw that would type it and within 10 seconds they would be safe from infection because their computer would shut down and then the patch would install itself and they could go back to surfing.

    Also don't forget to use/support other web servers besides apache. You can find lots of them on freshmeat.net.

  204. Blame the language by Tom7 · · Score: 3, Interesting

    Yes, worms can happen everywhere. That's because practically all network software is written in C (or its perverse descendent, C++).

    If we were coding our network software in a secure ("safe") language (one without buffer-overflow "capabilities") such as Java, O'Caml, (or even scripting languages like Python, to an extent) we would greatly reduce our security risk. Given that these languages also typically increase productivity, it seems like a clear win to me...

    Microsoft realizes the contribution C and C++ make against stability and security; they've recently hired up a lot of famous programming language folks to work on new language technologies. Microsoft knows that large projects written in languages without sophisticated modularity constructs (ie C, C++) tend to get out of hand quickly. They're working to fix this! They're even working on technologies to improve the stability of device drivers through language technologies (see the Vault project, for instance).

    However, C has always been the UNIX platform's language. Will UNIX stay in the 60s as even Microsoft moves on? If so, I say it will be the "wormy" operating system family of the 21st century...

  205. Ahem... by mwillems · · Score: 2
    Generally agree but a few remarks...

    Home systems (like mine) DO need bind. I can cache lookups here and browse quickly, or wait forever for my @home name server to respond. BIG difference.

    UNIX Small? I have a 512 MB system and starting Gnome it still needs to use swap space. 10 instances of nautilus, 11 MB each, are running right now. Call that small? My Win system is a paragon of minimalist excellence by comparison. Not knocking *nix, but let's be realistic.

    Michael

    PS In the cases you mean, it's "its", not "it's". :)

    --

    ---
    BDOS ERR ON A:>
  206. The problem isnt the OS itself... by qwaszx · · Score: 2, Insightful

    its the popularity of the OS. Windows is so popular that nearly everyone who, to put it bluntly, can simply not use a computer uses windows. I'm not saying that there aren't competent Windows system administrators and knowledgeable users, what I am saying is that most people are using computers for a long time before they discover alternate operating systems, and usually need a little knowledge to switch.
    This means that there are going to be more people using windows who dont know what a security hole is, let alone how to patch it.

    Another problem with popular operating systems is just that. They are popular and have many more users. If 10% of all users (a simplification here) are vulnerable to an attack, then most of them will be windows users.

    Possible solutions? Maybe microsoft could sell windows in a pink box and charge $2000, making it instantly less popular and having less users vulnerable to exploits :)

    Seriously though, take for example the Morris worm of 1988, infected a network run by competent system administrators (the fact that it was UNIX is besides the point.. or is it? :P), and the problem was patched within a couple of days. With the code red worm, most users didn't even know they had a web server, and even now I am getting hundreds of XXXX requests in my apache logs.

    And now linux is gaining popularity... NOOOOOO.. shoo.. shoo.. we dont need more users...

  207. *nix admins better than NT admins? by Curien · · Score: 3, Informative

    I have read a lot of posts in this discussion (and similar discussions in the past) talk about how *nix is better than NT. Then, some of the more level-headed among us pipe up and remind us that no OS is truly secure, and that the difference lies not with the system itself but with the system administrators. Thus, it follows that *nix admins are better than NT admins.

    I most heartily disagree. Sure, there are *some* *nix admins that mop the floor with NT admins... but the opposite is also true.

    I think we are all forgetting exactly what an "admin" is. An admin is *not* any JoeBlow@aol.com that stands up a web server! A system administrator is an IT professional who researches his work and prides himself on keeping his machines running smoothly.

    If you think about it a little, I believe that you'll agree that the major cause of the whole Code Red problem is not the NT admins out there, but rather the JoeBlow@aol.com's who really don't know what they're doing. Ignorance, people... ignorance is our enemy! Not Bill Gates, not MS, not closed source! It's ignorance and apathy.

    --
    It's always a long day... 86400 doesn't fit into a short.
  208. Re:Cmdr Taco? by evil_spork · · Score: 0, Insightful

    Well, I agree with you, but you should add something to that. Too often MS is accused of propaganda against open source, against the GPL, and against linux. It's so easy to point out the vulnerabilities in MS products and they exist and are quite common, but it also needs to be said that there are patches for them and most of the problems come from users and admins that don't know enough to patch stuff. Why is this? Because MS designs their products to be user-friendly, intuitive, and very easy to use. They're marketing to newbies too, something that Microsoft beats linux on any day. Nobody really can argue that linux is simpler than Windows for an inexperienced user. Sure, the vulnerabilities are more exploited in Microsoft products, but they're not the only products with problems. Seems like the slander Microsoft is accused of, the open source community is running a campaign of slander right back at them. Does the word 'hypocrite' come to mind?

    --
    guk is gay
  209. I'm a heretic, baby by kisrael · · Score: 5, Insightful

    I'm not a very close observer to any of these things, but it seems like the recently noticed telnetd exploit has really screwed over more sites than Code Red has, which seems more of a bandwidth hog. I mean, a years-old simple string buffer overflow giving root access on so many linux boxes is inexcusable for people trying to "sell" Linux on its general security and reliability...

    --
    SO YOU'RE GOING TO DIE: The Comic for Dealing with Death
    1. Re:I'm a heretic, baby by trcooper · · Score: 2
      That would be a large percentage of companies. A lot of companies purchase software, and support along with it. They only support a particular OS, and in many cases that's RH 6.2.

      Beyond that 6.2 isn't old. Last year it was the current release, and when 7.0 came out it was shit. Believe it or not, in the real world we don't go out and get the newest revs all the time. We have to test, test and test again before it goes live. RedHat has had terrible luck with new releases, and no one in their right mind will go grab a new copy and put it live the day it's released.

      Know how many companies are still installing NT instead of 2000? Same with 6.2

    2. Re:I'm a heretic, baby by The+Troll+Catcher · · Score: 4, Insightful

      Of course, the very fact that you're running telnetd at all means you don't give two craps about security. Do you have ANY IDEA how easy it is to sniff passwords from telnet? I tell you, it's scary. When someone rooted a box here a while back, I looked thru the sniffer log and found working root passwords for a number of HP-UX machines here...

    3. Re:I'm a heretic, baby by Karn · · Score: 1

      Who in the hell is still installing Redhat 6? That's like asking someone if they have installed Windows 95 lately..

      --


      Why do I keep typing pythong?
  210. Re:Linux worms have quick fixes. by Tony-A · · Score: 1

    Patch? Nah, too much trouble. Control Panel, Services, Shutdown (both Manual Startup and Stop) both Content Index and World Wide Web Publishing Service.

  211. Difference btw. Unix and Windows Worms? by Jailbrekr · · Score: 2, Informative

    It would be easy to say that "Open source provides faster fixes!", but that is not true. A lot of the *NIX worms were designed to exploit closed source *NIX systems (Solaris, VAX, etc).

    The difference is in the technical competency of the systems administrators. A UNIX administrator is far more capable of detecting and fixing a compromise, whereas an NT administrator, for the most part, is far less literate when it comes to dealing with a security compromise.

    Please note that this is a generalization, and holds true due to the fact that administering a UNIX server requires a higher level of competence than an NT server.

    --
    Feed the need: Digitaladdiction.net
    1. Re:Difference btw. Unix and Windows Worms? by OSgod · · Score: 1
      Agreed -- Unix administrators IN THE PAST were trained professionals.

      Today true Unix administrators are rare.

      Tomorrow it's all script kiddies if you believe the Linux crowd.

      At that point Linux is ripe for a virus.

  212. non-proof of concept link by onepoint · · Score: 1

    here is an old link I had stored for some unknown reason.

    http://antivirus.about.com/library/weekly/aa032801a.htm?once=true&

    onepoint

    --
    if you see me, smile and say hello.
  213. Every system-thing has administrator rights by YellowSubRoutine · · Score: 1

    At windows 2000, all services have administrator rights and priorities, I don't know a way to lower those permissions. (and I don't want to, actually)

    Try this if you need to get in a system: boot the disk as non-system (eg, with a bootdisk, or in another machine) and replace the screensaver executable with a copy of cmd.exe. Boot the targetted machine, and you have a nice rootshell coming up (just wait long enough)

  214. Cross-platform Super worm??? by snilloc · · Score: 1
    Couldn't a virus/worm writer make the worm a lot more destructive if it was designed to exploit two different types of security holes on different systems? For instance, let's say Code Red-VII r00ts a Windows server. When Code Red-VII tries to replicate, it goes for similar exploits on Windows systems, but if it bumps into say, a Red Hat server running Apache, it tries to exploit something on THAT system, which in turn exploits other similar, and dissimilar systems...

    Or maybe an Outlook Express virus is altered to also exploit something in Eudora (in the strange event that it actually finds a non Outlook Express user...)

    I understand that somebody is unlikely to find two devastating exploits on dissimilar systems and manage to put out a worm/virus before some other idiot releases a virus for just one of those systems, but is something like this a possibility?

  215. Re:Cmdr Taco? by SuiteSisterMary · · Score: 2

    Wrong. Any operating system with a concept of 'root' has problems. Any operating system with things like passwords has problems. VMS, for example, has its 'root' accounts split across four separate people. But guess what? The one with 'physical disk' access can alter the security database and add himself to whatever he'd like. I said 'useing' when I should have said 'admining.' For the purposes of this conversation, i.e. with people using Linux, *BSD and NT/2K at home, they're one and the same. Trusted Solaris my ass, by the way. Go work on a B1 or higher rated system. :-)

    --
    Vintage computer games and RPG books available. Email me if you're interested.
  216. There is another issue. by flatrock · · Score: 2

    There is another issue that the article takes a nice cheap shot about at the end. Some newer server software like Exchange integrates a lot of functionality in ways it hasn't been done in the past. Exchange allows email, which was once just used to send text messages around, to do a lot more. I don't foresee this trend reversing. There's likely going to be a lot of new types of services made available by servers. Even though there's security issues involved users like having access to those services. I expect this means that there's going to be a lot of work for security consultants in the future. No surprise there huh?

  217. Blah. was Re:Let's also not forget by Anonymous Coward · · Score: 0
    Oh yes?

    http://uptime.netcraft.com/up/graph/?host=www.ibm.com

  218. Re:Worms happen, by Anonymous Coward · · Score: 0

    Why don't you pull your head out of your ass. Open Source doesn't imply nimble feet and just using Linux doesn't make anyone more of an expert. Please try to get that through your pea brain.

  219. Re:Secure by Default by jeffy124 · · Score: 1

    yup, they have an agreement with MS that gets the students a free copy of Office 2000 for Windows or 98 for Macs. They're gonna be giving out copies of 2001 for OS-X and XP for Windows sometime this semester. It's only real use for me is when I have a non-technical course (like Communication classes) where we need good desktop publishing stuff, or a class that requires a decent spreadsheet (like Probability & Statistics) where all the teacher knows is Excel. CS teachers don't care what we use, they'll take an essay that was written using a text editor.

    --
    The One Rule Of Chess You'll Ever Need: Don't play someone who carries a kit in their bookbag.
  220. They ALL Suck by Detritus · · Score: 3, Informative
    Debating whether Windows, Linux, BSD or UNIX is more secure is a waste of time. From a security point of view, they all suck. It's just a matter of degree.

    Windows (NT/2000) has some good security features in the kernel, the problem is that they are not properly used by the operating system as distributed by Microsoft. Locking things down would break too much stuff.

    UNIX/Linux has an archaic security model that hasn't changed in decades.

    Both operating systems suffer from being implemented in C, an unsafe language. It is possible to write secure code in C, but most people have neither the expertise nor time to do it correctly.

    --
    Mea navis aericumbens anguillis abundat
  221. Re:Secure by Default by jeffy124 · · Score: 2
    I'm not much of a BSD person, but that's because of my own ignorance of BSD (iow, i've never tried nor felt the need to use BSD). I do know that OpenBSD prides itself on going 3+ years w/o remote holes (I think they're up to 4 years now?). I currently use OS-X at work, which is where I found out about OS-X's remote services installation/enabling model.

    Mandrake is something I'm trying to install on my home machine as a second OS to Win98. My university almost requires me to use MS Office, particularly with profs of non-CS classes. But for the vast majority of advanced CS classes, they want us to use their dept's sun box. Many people use their own linux machines to do the work, then transfer the source and compile code there. While I am not currently one of those students, I hope to be soon. Plus they teach the OS classes using Linux, so it'll be good for me to teach myself some basics ahead of time :)

    --
    The One Rule Of Chess You'll Ever Need: Don't play someone who carries a kit in their bookbag.
  222. At least with unix... by Skuld-Chan · · Score: 1

    The patch will be out within minutes of the worm's induction to the internet - in fact there's a good chance we'll get the patch (or fix) before the worm is even released.

  223. I don't need no worms around me by Anonymous Coward · · Score: 0

    I don't need no drugs to calm me

  224. Re:Microsoft products seem to be of very low quali by anshil · · Score: 2

    As far as I know, Linux now also uses a BSD-based stack.

    --
    Karma 50, and all I got was this lousy T-Shirt.
  225. NO NO NO NO NO NO NO NO NO NO NO NO NO NO NO! by leonbrooks · · Score: 4, Informative
    No matter what OS you are supporting and using if you as an Admin dont have the proper service packs and updates installed then your OS will be a victim sooner or later.

    "Sooner or later" is effectively a LIE because whether it's sooner or it's later makes a huge difference in securityville. You're also ignoring the ``quality'' of the intrusion (such as carte blanche versus mere DoS).

    Me for later, much later. While I could do even better, I use Mandrake 8.0 for production work. It's a bit bleeding edge in some ways - and I pay for that - but it comes with two massive advantages over many Linux distros: it installs reasonably securely unless you tell it not to (warns you when you install world-visible services and if you choose a "high security" install even disables those), and it can automagically update itself. Debian users in particular have long had these comforts.

    All Linuces have at least five huge additional advantages over Windows:

    1. There are significantly less holes to start with, because (among other reasons) they are generally implementation mistakes rather than systemic design flaws; and
    2. If a hole opens, the damage that can be done is less because you don't automatically get ring-zero (better than administrator/root) privs; and
    3. Patches tend to come out sooner and often involve no more than restarting a single service rather than downing the whole machine; and
    4. Tricks like chrooting the whole service, and/or using the immute bit (chattr +i) plus running with a kernel incapable of removing it (patch or capabilities) and a chattr program/syscall that rings bells and flashes lights instead of ch'ing the attrs, and/or one-way capabilities patches are simple to do; and
    5. Most distros arrive with secure remote administration, so dealing with a widespread attack (successful or not) is much easier; and (-:
    6. for Win 9X/ME in particular :-) distinction is actually made between superuser and mere mortals

    Yes, administration makes a big difference, but all OSes are a loooooong way from interchangeable when it comes to vulnerability.

    --
    Got time? Spend some of it coding or testing
  226. Before RTM... by anonymous+cupboard · · Score: 1
    One of the largest p2p corporate networks in the eighties was Digital's Easynet. All you needed was an address and you could hook up. Most Digital staff had no idea of where nodes were and who ran them as addresses would be reused.

    A guy I knew wrote a network mapper utility in the early eighties (maybe after the Parc worm so not the first). All it did was to go round looking at adjacent nodes, copying and submitting itself to each system as a network task running a shell script.

    Of course, the corporate network was brought to its knees and default "Task" level access was turned off. A few days later, things were back to normal.

    Management were not amused. Digital was already a well connected company and relying on the Easynet for day to day operations. The guy eventually admitted to it many years later and as he was by then a senior network consultant, there wasn't a lot they could do.

    The thing worked because most people there were running a single OS, OpenVMS, which was left largely unprotected.

  227. the real difference by gol64738 · · Score: 1

    *NIX worms do exist, however, once it strikes, the world benefits from the world working on the problem, not a single company.

    the world will not hide a new worm from itself, however, a single company (microsoft) can (and will, as history shows).

  228. Re:Worms dont happen to Mac servers running WebSta by Anonymous Coward · · Score: 0

    Worms don't happen to Macs because Mac programmers rarely have buffer overrun problems because mac apps typically NEVER use null terminated strings and instead use "pascal" style strings that have a bounds of 255 and a marker in the front.

    Additionally mac programmers tend to know that there is no false sense of security because all code is running at supervisor level so programs, like Webstar, are careful not to do foolish things.

    Mac programs and executables NEVER can run merely from a data file named with a suffix such as .exe because macintoshes do not have file suffixes. The mac OS (9.x and older) uses a four byte file type designator that the user never sees and cannot be set carelessly.

    A further reason macs are more secure than unix (hundreds of documented exploits) and Win NT (almost as many exploits documented over the years), is because the mac does not have a command line shell and has no path to hijack. No command line and a modern type of interprogram communication prevent the silly weaknesses in other OSs.

    Yet another reason the Mac is secure is because a mac program (either 68k or PowerPC) needs TWO files to execute and not one file. The second file is called the resource fork and it is generally an invisible file kept tightly associated with a file. classic internet apps do not create or allow creation of these resource forks as side effects of merely storing data files. Macs are very secure from infiltration by dynamic creation of apps by rogue products on a server

    Another reason macs have NEVER been broken into running the WebStar server is because the mighty Mac OS Webstar server, (which typically costs over 400 dollars unfortunately), avoids ever executing cgi code files from directories where they ought not to be. A clever set of directory and folder control prevent the webserver from being hijacked unlike earlier versions of apache.

    The US army switched to Webstar webservers on macs when MS NT webservers kept getting hacked.

    There are thousands of major webstar servers out there. I think many are colocated at reprahduce.com cages.

    And mac NEVER get hacked. EVER. and NEVER have, even with public challenges and reward money.

    Sure, there may be some defects that might get discovered one day, and surely any mac not running mac os such as ppcLinux, or Mac OS X (freeBSD derivative) are hackable.

    But face it. Macs have NEVER been hacked and that is because of modern and sound design principles.

    Myself and other mac programmers I know have NEVER shipped a product containing a single null terminated C string, and do lots of paranoid error checking as well.

    Unix is hackable not because of open source, not because of popularity (both of which help) but because of all the things I mentioned here.

    Wake up and quit being bigoted.

  229. Re:They ALL Suck, yup try Mac OS with Webstar by Anonymous Coward · · Score: 0

    C Language alone is not the sole reason but the types of STRINGs used in C certainly adds risk.

    Worms don't happen to Macs because Mac programmers rarely have buffer overrun problems because mac apps
    typically NEVER use null terminated strings and instead use "pascal" style strings that have a bounds of 255 and a
    marker in the front.

    Additionally mac programmers tend to know that there is no false sense of security because all code is running at
    supervisor level so programs, like Webstar, are careful not to do foolish things.

    Mac programs and executables NEVER can run merely from a data file named with a suffix such as .exe because
    macintoshes do not have file suffixes. The mac OS (9.x and older) uses a four byte file type designator that the user
    never sees and cannot be set carelessly.

    A further reason macs are more secure than unix (hundreds of documented exploits) and Win NT (almost as many
    exploits documented over the years), is because the mac does not have a command line shell and has no path to
    hijack. No command line and a modern type of interprogram communication prevent the silly weaknesses in other
    OSs.

    Yet another reason the Mac is secure is because a mac program (either 68k or PowerPC) needs TWO files to execute
    and not one file. The second file is called the resource fork and it is generally an invisible file kept tightly
    associated with a file. classic internet apps do not create or allow creation of these resource forks as side effects
    of merely storing data files. Macs are very secure from infiltration by dynamic creation of apps by rogue products on
    a server

    Another reason macs have NEVER been broken into running the WebStar server is because the mighty Mac OS Webstar
    server, (which typically costs over 400 dollars unfortunately), avoids ever executing cgi code files from directories
    where they ought not to be. A clever set of directory and folder control prevent the webserver from being hijacked
    unlike earlier versions of apache.

    The US army switched to Webstar webservers on macs when MS NT webservers kept getting hacked.

    There are thousands of major webstar servers out there. I think many are colocated at reprahduce.com cages.

    And mac NEVER get hacked. EVER. and NEVER have, even with public challenges and reward money.

    Sure, there may be some defects that might get discovered one day, and surely any mac not running mac os such as
    ppcLinux, or Mac OS X (freeBSD derivative) are hackable.

    But face it. Macs have NEVER been hacked and that is because of modern and sound design principles.

    Myself and other mac programmers I know have NEVER shipped a product containing a single null terminated C string,
    and do lots of paranoid error checking as well.

    Unix is hackable not because of open source, not because of popularity (both of which help) but because of all the
    things I mentioned here.

    But I agree about the other OS's sucking. parts of the older Mac OS itself is written using pascal strings, in fact the original ROMs were written using only pascal compilers and some assembly, and no C.
    But string overruns alone are not the ONLY reasons mac servers have never been hacked, (command line, dual fork, no extensions, etc etc).

  230. http://X.X.X.X/scripts/root.exe?/c+dir by leonbrooks · · Score: 2
    If lynx -dump -head on that (yes, you do have to replace X.X.X.X with a real address) returns a MIME type of application/octet-stream, you're in business.

    If you find any infected machines, put a text file on the desktop (called something like YOU_HAVE_A_VIRUS.txt) with a warning in it (and the URL of your favourite Linux distro), and shut the machine down. If you want to get fancy, add a command to one of the startup methods to remove root.exe from the scripts directory.

    You will be doing them (and everyone else) a favour by reducing the number of potential DDoS attackers available, and by closing a hole to destructive visitors.

    Passive method (although I'm now down to less than one hit per IP per day):
    gawk '/default\.ida\?XXXXXX/ { print $1 }' </var/log/http/access_log
    --
    Got time? Spend some of it coding or testing
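
The passive log check from the comment above, extended as an added example (not the commenter's code): it counts probe requests per source host per day and also flags inbound requests for the root.exe path named in the comment title. It assumes Common Log Format; the sample lines, addresses and timestamps are constructed.

```python
import re
from collections import defaultdict

# Common Log Format prefix: host ident user [dd/Mon/yyyy:time zone] "request"
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[(\d{2}/\w{3}/\d{4}):[^\]]*\] "([^"]*)"')

# Request patterns quoted in the comment above.
SIGNATURES = {
    "default.ida": re.compile(r"/default\.ida\?X{6}"),
    "root.exe": re.compile(r"/scripts/root\.exe\?", re.IGNORECASE),
}

# Constructed sample log (documentation-range addresses, made-up timestamps).
SAMPLE_LOG = """\
192.0.2.10 - - [19/Sep/2001:04:12:01 +0000] "GET /default.ida?XXXXXXXXXXXXXXXXXXXX%u9090 HTTP/1.0" 404 276
192.0.2.10 - - [19/Sep/2001:09:40:17 +0000] "GET /default.ida?XXXXXXXXXXXXXXXXXXXX%u9090 HTTP/1.0" 404 276
198.51.100.7 - - [19/Sep/2001:10:02:33 +0000] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 281
203.0.113.5 - - [19/Sep/2001:10:05:00 +0000] "GET /index.html HTTP/1.1" 200 5120
198.51.100.7 - - [20/Sep/2001:01:15:09 +0000] "GET /default.ida?XXXXXXXXXXXXXXXXXXXX%u9090 HTTP/1.0" 404 276
this line is not in common log format
""".splitlines()


def classify(request):
    """Return the name of the first signature found in the request line, or None."""
    for name, pattern in SIGNATURES.items():
        if pattern.search(request):
            return name
    return None


def summarize(lines):
    """Count signature hits per (day, source host); also count unparseable lines."""
    hits = defaultdict(lambda: defaultdict(int))
    skipped = 0
    for line in lines:
        m = LINE_RE.match(line)
        if m is None:
            skipped += 1  # not Common Log Format; report it instead of dropping it silently
            continue
        host, day, request = m.groups()
        name = classify(request)
        if name is not None:
            hits[(day, host)][name] += 1
    return {key: dict(counts) for key, counts in hits.items()}, skipped


def daily_rate(hits):
    """Per day: (distinct probing hosts, total probe requests)."""
    hosts, totals = defaultdict(set), defaultdict(int)
    for (day, host), counts in hits.items():
        hosts[day].add(host)
        totals[day] += sum(counts.values())
    return {day: (len(hosts[day]), totals[day]) for day in hosts}


if __name__ == "__main__":
    hits, skipped = summarize(SAMPLE_LOG)
    for (day, host), counts in sorted(hits.items()):
        print(day, host, counts)
    print("per day (hosts, requests):", daily_rate(hits))
    print("unparsed lines:", skipped)
```

To run it against a real log, pass an open file object to `summarize` in place of `SAMPLE_LOG`.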
  231. Re:Cmdr Taco? by Anonymous Coward · · Score: 0

    Linux update stories aren't really worthwhile. You get all the important info when you apt-get dist-upgrade anyway.

    spork t. raper

  232. Re:Worms happen, by Chundra · · Score: 1

    You're right, linux people are smarter. Instead the NT people pay for the "service" of letting someone else spend days compiling crappier, buggier, closed-source software.

  233. Re:Cmdr Taco? by Tony-A · · Score: 1

    ...the fact that any operating system is only as secure as the person using it.
    Wrong. The security of VM/CMS has rather little to do with the security of the person using it. I would imagine that Trusted Solaris is much the same.
    The user is one aspect of security, granted the major aspect on single-user systems.

  234. Re:Linux worms have quick fixes. by jjsjeff · · Score: 0, Troll

    Not only that, but the people running these types of machines generally are more responsible about securing (or asking for help to secure) their systems.

    -Jeff

  235. Re:Linux worms have quick fixes. by BilldaCat · · Score: 2

    So?

    The fix being out there doesn't make anyone go and patch their machine. Your statement is largely (but not totally) irrelevant.

    --
    BilldaCat
  236. The only good worm.... by Jailbrekr · · Score: 0, Offtopic

    was worms Armageddon.

    --
    Feed the need: Digitaladdiction.net
  237. Secure by Default by why-is-it · · Score: 2

    I'm sure other distros do this, but Mandrake is the only one I've ever installed, likewise to other unix-based OSs

    If you are interested in an OS that is secure by default, check out OpenBSD.

    (For those of you who fear /. links, the site can be found at http://www.openbsd.org)

    Compare the number of security advisories that affect OpenBSD versus the number that affect m$ products, and the value of a secure OS is obvious.

    --
    *** Where are we going? And what's with this handbasket?
  238. Regardless by steveo777 · · Score: 2, Interesting
    Just because Unix and Linux have worms written for their destruction/mayhem, doesn't mean that the media is going to go into a foray about it. When was the last time you heard Linux referred to on the local news?

    Media shies away from what the consumer doesn't know about because they fear that Mr. and Mrs. Average are going to lose interest.

    --
    This sig isn't original enough, it's time to come up with something witty...
    1. Re:Regardless by Anonymous Coward · · Score: 0

      Yo, I think you want your sig to say 'greEnpeace'. Just some fyi.

  239. Worms by VladTheBad · · Score: 1

    Now if only someone will make a virus that requires intervention... but then spreads a worm that removes code red 1&2 and then patches the machine... and then sends itself to any machine that tries to attack it.

  240. Origin of Worms 1988? by spagma · · Score: 0, Offtopic

    Hey I remember going fishing with worms long before then, at least by 1982.

    --
    If it won't boot, Fsck it!
  241. Actually... by Dimensio · · Score: 1

    I've been going through the firewall log on my NAT router (which for some strange reason has been hit with thousands of rejected attempts at port 80 after being online for only three days) and when I attempt to access a website at the IP whence the rejected packet came I get a 403 -- this is the case on numerous IPs. I have IIS installed at work and I know what the default page looks like, so I'm wondering what is installed and how it is configured on these people's machines, all of whom shouldn't be running network servers anyway as they violate the @Home AUP.

    On another, perhaps more related, note: I took it upon myself to ask the webmaster where I work if he had taken precautions against Code Red (the company uses all MS-based systems); his response was 'huh, what's that?'.

  242. Cmdr Taco? by SuiteSisterMary · · Score: 2, Flamebait

    Seems to me like Cmdr Taco is getting fed right up with Slashdot filling up with OSS and Linux anklebyters. Good to see. Slashdot's slowly turning into 'propaganda for nerds. Two Minutes Hate that matter.'

    --
    Vintage computer games and RPG books available. Email me if you're interested.
  243. I have an idea for our Microsoft problem... by Nastard · · Score: 1, Funny

    My dog had worms. We put it to sleep.

    Hmm...

  244. Worms happen, by OpenSourcerer · · Score: 1

    But if it does it will be killed before you know 1) Open-source = nimble feet 2) Linux sysadmin.expertise > NT.sysadmin

  245. $$$ are not motivation to fix security holes by leonbrooks · · Score: 2

    $$$ are only a motivation to get more systems out there, vulnerable or not.

    And I have to say this: QED!

    --
    Got time? Spend some of it coding or testing
  246. not the same by mj6798 · · Score: 1
    When worms were common for UNIX platforms, UNIX was a proprietary system, and the number of programmers with access to the UNIX source code was probably no larger than the number of programmers with access to the NT source code is today. Also, for Internet servers, UNIX was pretty much the only game in town.

    Linux, BSD, and UNIX are in a different boat today. There are multiple Internet-capable operating systems, and the sources for Linux, BSD, and many UNIX utilities are widely available. I don't know what this will work out to, but we can't predict from the past: the UNIX community was vastly different then from the way it is now.

    The best protection would be if there were a dozen or so common Internet operating systems and a dozen or so widely used implementations of Internet servers and clients. You know, like an efficient, free market with real competition. Unfortunately, it isn't happening.

  247. It's not by Anonymous Coward · · Score: 0

    You have been misled.

  248. Make that BSD license instead by Anonymous Coward · · Score: 0

    So that microsoft can find some innovation

  249. Re:Sendmail? Elegant? Minimalistic? by alispguru · · Score: 1

    My bad. Your sentence was clear enough - I just misread it. My only defense is that three moderators misread it too.

    Let's see, how can you give back karma points received under false pretenses...

    --

    To a Lisp hacker, XML is S-expressions in drag.