Don't Forget That Worms Happen Everywhere
friday2k writes "Securityfocus has a nice column on Worms and their origin in 1988. It explains what everybody should never forget. We have dealt with *NIX worms (Sadmind, li0n, ...) and they will come back again. Maybe then the MS fanatics will laugh and say: didn't we always tell you Open Source is insecure (too?) ..."
Ummmm...That's why we're using Unix. The Unix world had its worms 10 years ago. Those holes have been patched, and now people know better.
I highly recommend showing people how insecure telnet is -- in a dorm, for example, pop up ethereal on one machine and log in over telnet from a machine in a different room. Follow TCP stream, and point to your real password displayed on the screen. This is more effective than lecturing people about TCP/IP and ethernet, and I've only had one guy start asking dismaying questions about how to sniff other people's passwords.
Change your password after, of course. Now if only there were an equivalent way to get people to use PGP...
A *nix sysadmin is less likely to let a machine go unpatched, in the best of all possible worlds.
An NT/2000 sysadmin is a secretary who reboots when the internet thingy stops hoogjamajigging, in the best of all possible worlds.
Seriously, in tracking down a couple of thousand hosts on campus who had Code Red, I have never run into such righteous indignation over a simple lecture on systems maintenance as patching. Of course, many of these users/sysadmins were dumbasses who installed Win2K server because they could, not because they had to. 3 machines in one room were being used as everyday workstations and not offering services for any particular use by the office. Mind you, the services were still offered. Hit the average Code Red machine with your web browser and you will see the default webpage.
Comparing it to Windows will be a moot point, since El Dorado is going to have a 40% larger code base than XP.
I think that the real reason that MS systems were hit so hard by Code Red and its descendants is that there is a real difference in the culture of the respective developer communities.
There is no reason why all those home systems and corporate desktops should have IIS running in the first place. There is also no reason (generally) for a home linux system to be running, say, BIND or wu-ftpd.
So why does Microsoft encourage the installation of unnecessary software on its systems, and why doesn't it make it easier to not install those services in the first place?
It comes down to culture. Unix-like operating systems are minimalist and modular, because the development communities appreciate elegant code (not necessarily elegant interfaces).
Whereas Microsoft prizes a DWIM (Do What I Mean) approach, which encourages adding functionality 'just-in-case', as Microsoft seems to think that actually asking a user to install a component is a failure on their part.
In the long run, elegant, minimalistic code is easier to understand, and therefore easier to secure (examples are Sendmail vs. qmail, or BIND vs. djbdns).
Unfortunately, the news media prefers to report on the mainstream, the common. Linux stories just don't generate the ratings since it does not affect the mainstream Joe Sixpack.
Ask someone on the street, "What is Linux", and it's likely you'll get a confused, puzzled look.
Which is exactly what happened with Code Red. The patch was available months before. It all comes down to reliable admins who keep up with patches and security alerts. Platform and dick size have nothing to do with it.
If as many people tried to compromise UNIX systems as often as they do Microsoft systems, you can bet that we'd be seeing some pretty serious UNIX viruses.
Your basic premise is correct that there are more people trying to break MS systems than Unix/Linux systems, but U/L will never be as vulnerable for a number of reasons:
1.) There are several flavors of Unix and dozens/hundreds of distributions of Linux, not to mention all the different version numbers of each of those. This would dramatically impede the spread of any worm. Almost every MS-based site has IIS 5.0 and it is this homogeneousness that allows things like Code Red to spread so quickly and effectively.
2.) Unix/Linux systems in general are easier and safer to patch. Almost every MS patch requires a system restart and it is not at all unusual for the patch to break something else. I have never had a security update break anything on my Debian systems, nor have I ever had to restart the whole system. The service updated (such as the recent Horde/IMP updates) is restarted and the user doesn't even know, even if he/she is using the system at that moment (I know this because I did it as a test case here at work. Someone was reading their email on our IMP system while I upgraded the system. Yeah, a bit dangerous, but we're a small company and no one would have gotten in trouble. Regardless, she didn't even know anything had happened).
3.) Security holes are much more frequent on MS systems. We all have heard about the fact that the last known remote root exploit for Apache was over 3 1/2 years ago. There have been a few security patches since then, but nothing nearly so troublesome as Code Red. I read somewhere that there have been over 40 serious holes in IIS this year alone, although I don't remember where I read it and it may be apocryphal.
Bottom line is that while it may be true that if as many people who are attacking MS systems started attacking Unix/Linux systems, we might see more issues on U/L, it is also true that Unix & Linux are better engineered from the start, easier to upgrade and more varied, all of which make them much more secure inherently than MS solutions.
Cheers...........
I'll say it yet again, since this is just another way of dredging up the Code Red issue. The problem isn't the platform, it is the administration of the platform. If Unix can be counted on to be mismanaged then an exploit will surely surface. In short, if the Unix world ever finds itself in the state of the Windows NT world, where boxes aren't administered and patched, we too will be nailed. Is anyone surprised? No. Okay, let's let this tired topic die already.
When speaking about CodeRed? Just because the networks have stopped talking about it, doesn't mean it's gone away.
I don't know about anyone else, but I'm still getting hundreds of CodeRed attacks every week.
I once had an MCSE ask me, in all seriousness, why he couldn't type a fully-qualified hostname to choose a DNS server. It's a paper qualification; it implies no real skill or insight into the system's operation, or any sort of reasoning into consequences of limited design.
/etc/ directory, the file everything.conf, with the permissions -rw-rw-r--. What if you decide that you don't want Joe User to see your firewall configuration? Make everything.conf readable only to sys admins? Then, all of a sudden, all of the daemons have to have admin privileges just to see their configuration. Urk. Kludge. Messy, dangerous kludge.
.ini files to SYSTEM and Administrator... Of course you wouldn't. You obviously spend a lot more time bawling about imagined wrongs in Windows than you do learning about it. MCSEs learn all about that stuff, though. Fancy that.
This is limited to MCSE's only? No other subset of users can make this kind of error?
Therefore, I consider MS fanatics to be, for the most part, a self-limiting reaction
What is a MS Fanatic? Is that anything like a Linux fanatic? I don't see many people saying "Screw RedHat, screw FreeBSD, MICROSOFT RULES!". On the contrary, I see a LOT of OS bigotry from self-proclaimed *nix professionals, who naysay and poo-poo an operating system just because it comes from a particular vendor. A true professional evaluates the problem, and figures out what OS/software best fits the situation. There have been plenty of times that we've thrown out Solaris/SCO/Linux in favor of Windows, because Windows offered the best solution for what we were doing.
I think the more relevant question is with regards to the operating system's track record. With the exception of the recent blight of Red Hat 7.0, Linux has probably had far fewer documented bugs, and because of the UNIX user permissions model, the damage is minimal.
Your analysis is flawed. Willie Sutton robbed banks because that's where the money is. Microsoft OS's get so much focus because they're so widely used. The recent slew of RedHat hacks that have emerged is due to the RedHat distro being the most popular. It follows that a popular OS is going to get attention. NT/2k also has a user permission system. I'm sure any professional who has worked with NT before would be aware of this. When the permissions are applied as documented and recommended by Microsoft the damages are as minimal as on a Unix system.
Compare this to Windows. Bugs all over the place, some more serious than those in Linux, some less serious.
That's a highly astute observation there. Tell me, can a bug in Windows be of equal seriousness as a bug in Linux? I see an awful lot of exploits for Linux. Can you back up your claim of "bugs all over the place" for Windows with any kind of numbers, or are you just speaking from the heart? Linux certainly has a pretty good library of bugs and exploits.
Where most machines are running 9x/Me with *no* user/process security whatsoever, malicious code can run rampant
Actually, ALL Win9x/ME machines have no user process security. But those OS's weren't designed to have that. If you want user process security, use NT/Win2k. 9x/ME were designed as a consumer platform, not for business. Microsoft doesn't recommend using Win9x in the corporate environment.
NT/2000 is an improvement, but it's not designed into every aspect of the operating system's historical architecture.
Actually, it is. You're arguing from a point of ignorance. Try actually USING the operating system for a while, for something other than launching telnet. All processes in NT/Win2k run under the context of the user that spawned them.
Windows has been one patch to DOS 1.0 after another, and the final result is such a kludge and so many processes are running with full administrative privileges that the task of exploiting a bug remains trivial.
This is bullshit again. If you have so many processes launching under Administrator, I would suggest not having your services run under that account, and stop logging in as Administrator on your system. Do you log in as root on your Unix systems regularly? Best practices for both OS's say not to use root/Administrator unless something calls for the special permission that the superuser account has.
Running Windows 2000 on my desktop is farcical - half my software won't work properly if I don't give my user account admin privileges.
Bullshit again. Normal client software doesn't require Administrator access to run. Installing software on a Win2k/NT box requires superuser permissions, but HEY! That's a security feature, and Windows doesn't have that, right? Lazy people who don't want to configure their systems properly run their services under a superuser account, and we all know what THAT means. Even in a Linux world. I certainly don't need Administrator permission to launch Office, Explorer, or any other normal user process. Unless your system is SO badly configured, a user started process CANNOT just run as Administrator simply because it wants to, unless it's a service which has been configured to run as Administrator (in which case it's your fault for doing so), or you're logged in as Administrator.
It amazes me how many allegedly Windows 2000 compatible programs decide that they're going to attempt to store temporary information in the system registry instead of the roving user registries.
Because software installed on a Windows system is system-wide. If you want to prevent someone from launching a particular application, use POLEDIT and edit their profile to stop them, or *GOSH* maybe change the NTFS permissions to prevent someone from accessing the executable? Don't tell me that you don't use chmod in the Unix world?!
The single system registry is dangerous, too. Imagine, in your *NIX
Of course, nobody would expect you to know that you could set permissions on individual Registry keys, and restrict
Contrast this to Linux or any other UNIX variant, the whole model and concept of which was designed with user and process security and isolation from the ground up.
Yeah, fancy that Microsoft wouldn't consider that. I guess the Internet Guest account can launch any damn process it wants, or any user on a Terminal Server can stop any other process, even if it doesn't belong to him. Not. IUSR_ cannot simply just add itself to the Domain Admins group, just because someone is using a directory traversal exploit (which wouldn't be a problem in itself if the admins simply INSTALLED THE DAMN PATCHES) because OH MY GOD! That process cannot be spawned by a non-Administrator account!
As a bonus, the added complexity of administering multiple accounts to the average user is a pain in the butt. They want point-and-drool, everything clean and simple and familiar.
Point-and-drool? Do you really hold your users in such low regard?
Actually, administering a NT/Win2k mixed domain is quite easy, and I use the command line a lot. But you're expecting regular everyday users (who probably just use a PC at home for email and pr0n surfing) to suddenly have the knowledge of a 20-year Unix engineer simply because you're in the building. There's no need for GUIs in Linux, no siree. Things like KDE and Gnome are simply figments of my imagination. Windows domains don't require a person to have multiple accounts. Microsoft has stressed from the beginning the "unified login", where one account is sufficient. Sounds like you really need the services of an MCSE.
The beauty of the complexity of Linux/UNIX versus Windows is that it weeds out the chaff who aren't capable of managing a box.
Complexity can come and bite itself in the ass. Is complexity always a good thing? We've chucked out Linux and Unix solutions in favor of Windows simply because it Didn't Work. Linux isn't the Wonder Platform that a lot of people try to make it out to be.
I'm sure the programmers and architects at M$ see the problems and comparisons I'm drawing. To be designing an operating system, you must love computers and a sense of a job well done, so I'm sure it pains them that they have to deal with such kludges day in and day out. I'm sure they'd dump the whole thing and fix it if they could, but the marketing guys won't let them implement it.
I hope you're sending your resume to Microsoft right after reading this. Actually, I don't, since you haven't the first clue about Windows or its security model. Instead of the usual Windows-bashing, why not take a few minutes out of the day and actually LEARN the OS? It sounds like your workstation needs to be reconfigured anyway.
I've administered many Windows domains, both NT and Win2k, that are directly connected to the Internet, and have a large internal userbase. And I've never ONCE had any major security problems. Maybe I'm a "gifted" MCSE, or The One who will bring balance to the Force, but to me, none of your arguments hold water.
That's close. You don't have to shut down IIS to close this hole. All you really have to do is UNMAP any extensions you don't use. If you make use of htm, html, asp, pl, and you go into application mappings in IIS, and see anything besides htm, html, asp, pl, you should delete them. Now. That should be among the first things a web-admin does.
.ida/.idq/.stm, and all the other crap filters that get installed by default.
This worm comes down to laziness, no more no less. I'm betting that, at the absolute most, between 5% and 10% of sites need things like
This is slightly off topic, but I've been thinking about it for a while. What if someone made a worm that behaved like an unintelligent life form? It would send some random (but predetermined) instructions to the processor, then make some judgement on whether it has more RAM than other instances of the program to survive. If it does, it would spawn more instances that are like itself, but altered slightly in the random instruction portion. Eventually, one may randomly "figure out" how to copy itself to another computer on the network.
I realize it would take millions of generations before this happened, but once it did, it might become a very robust worm, and one that eats a lot of memory. All it would take is a few dedicated computers and some incredible Darwinian selection methods for it to occur.
You all say that Unix admins know more, or that open source programs have patches out faster, but what about all those people who know little about linux and install it. They can just as easily leave their computers unpatched, running 24/7 using some cable provider. More and more people are trying out linux, it doesn't mean all of them are smart. So of course the same thing can happen.
Don't most UNIX admins need to know something about the OS other than the size of the install base, therefore actually patching their security holes in a reasonable amount of time? Let's not forget the issue is NOT Microsoft's security hole. All OSes have that; it's that the userbase is not up to date on installing the security fixes. We just hope everyone who bashes MS will patch their own holes come Unix worm time.
It's the popularity of the OS. Windows is so popular that nearly everyone who, to put it bluntly, can simply not use a computer uses Windows. I'm not saying that there aren't competent Windows system administrators and knowledgeable users; what I am saying is that most people are using computers for a long time before they discover alternate operating systems, and usually need a little knowledge to switch.
:P), and the problem was patched within a couple of days. With the Code Red worm, most users didn't even know they had a web server, and even now I am getting hundreds of XXXX requests in my Apache logs.
This means that there are going to be more people using Windows who don't know what a security hole is, let alone how to patch it.
Another problem with popular operating systems is just that. They are popular and have many more users. If 10% of all users (a simplification here) are vulnerable to an attack, then most of them will be windows users.
Possible solutions? Maybe Microsoft could sell Windows in a pink box and charge $2000, making it instantly less popular and leaving fewer users vulnerable to exploits.
Seriously though, take for example the Morris worm of 1988, which infected a network run by competent system administrators (the fact that it was UNIX is besides the point... or is it?)
And now Linux is gaining popularity... NOOOOOO.. shoo.. shoo.. we don't need more users...
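Two posters above say they still see hundreds of Code Red requests a week (the "XXXX requests" in Apache logs). The following is an added example, not code from any poster: a small scanner for Apache combined-format access logs that flags requests matching the Code Red family's shape (a `.ida`/`.idq` request whose query string is a long run of one repeated letter) and, separately, any request for the default ISAPI extensions the thread recommends unmapping. The log lines are constructed samples with made-up addresses; the 40-character threshold is a chosen heuristic, not a published signature.

```python
import re
from collections import Counter

# Constructed sample log lines (Apache combined format, invented IPs/timestamps).
# Entries 1 and 3 mimic the Code Red request shape (Code Red v1 padded with
# 'N', later variants with 'X'); entry 2 is ordinary traffic; entry 4 is a
# probe for a .idq mapping with a short query.
SAMPLE_LOG = [
    '10.0.0.7 - - [05/Sep/2001:10:14:02 -0400] "GET /default.ida?'
    + 'X' * 48 + '%u9090%u6858 HTTP/1.0" 404 276 "-" "-"',
    '192.168.1.20 - - [05/Sep/2001:10:14:05 -0400] '
    '"GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/4.0"',
    '10.0.0.7 - - [05/Sep/2001:10:14:09 -0400] "GET /default.ida?'
    + 'N' * 60 + '%u9090 HTTP/1.0" 404 276 "-" "-"',
    '172.16.4.9 - - [05/Sep/2001:10:15:00 -0400] '
    '"GET /scripts/query.idq?q=test HTTP/1.0" 404 276 "-" "-"',
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>\S+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)')

# Default IIS script mappings the thread says most sites should remove.
UNNEEDED_ISAPI_EXTS = ('.ida', '.idq', '.stm')
# Heuristic: 40 or more repeats of a single character in the query string.
RUN_RE = re.compile(r'(.)\1{39,}')


def classify(line):
    """Return a finding dict for a suspicious request, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None  # unparseable line; a real deployment would count these
    path, _, query = m['target'].partition('?')
    lower = path.lower()
    if lower.endswith(('.ida', '.idq')) and RUN_RE.search(query):
        reason = 'codered-style'
    elif lower.endswith(UNNEEDED_ISAPI_EXTS):
        reason = 'unneeded-isapi-ext'
    else:
        return None
    return {'ip': m['ip'], 'ts': m['ts'], 'path': path,
            'status': int(m['status']), 'reason': reason}


def scan(lines):
    """Classify every line, keeping only the suspicious ones in log order."""
    return [f for f in map(classify, lines) if f is not None]


def summarize(findings):
    """Count findings per (source IP, reason) so noisy sources stand out."""
    return Counter((f['ip'], f['reason']) for f in findings)


if __name__ == '__main__':
    for (ip, reason), n in summarize(scan(SAMPLE_LOG)).most_common():
        print(f'{ip:16} {reason:20} {n}')
```

A 404 on these requests (as in the samples) means the host is not running IIS and simply logs the probe; the per-source counts are what you would feed into a block list or an abuse report.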
Well, I agree with you, but you should add something to that. Too often MS is accused of propaganda against open source, against the GPL, and against linux. It's so easy to point out the vulnerabilities in MS products and they exist and are quite common, but it also needs to be said that there are patches for them and most of the problems come from users and admins that don't know enough to patch stuff. Why is this? Because MS designs their products to be user-friendly, intuitive, and very easy to use. They're marketing to newbies too, something that Microsoft beats linux on any day. Nobody really can argue that linux is simpler than Windows for an inexperienced user. Sure, the vulnerabilities are more exploited in Microsoft products, but they're not the only products with problems. Seems like the slander Microsoft is accused of, the open source community is running a campaign of slander right back at them. Does the word 'hypocrite' come to mind?
I'm not a very close observer to any of these things, but it seems like the recently noticed telnetd exploit has really screwed over more sites than Code Red has, which seems more of a bandwidth hog. I mean, a years-old simple string buffer overflow giving root access on so many linux boxes is inexcusable for people trying to "sell" Linux on its general security and reliability...