Slashdot Mirror


Don't Forget That Worms Happen Everywhere

friday2k writes "Securityfocus has a nice column on Worms and their origin in 1988. It explains what everybody should never forget. We have dealt with *NIX worms (Sadmind, li0n, ...) and they will come back again. Maybe then the MS fanatics will laugh and say: didn't we always tell you Open Source is insecure (too?) ..."

10 of 391 comments

  1. Re:Regardless by Azog · · Score: 3, Interesting

    I know what would get worms back into the media for a long time - a Warhol Worm. You want to read something scary about worms, go read that. Be sure to read the section "A Worst Case Warhol Worm". It gives me the shivers to think about it.

    From the article: "A worst case Warhol Worm is truly frightening, capable of doing many billions of dollars in real damage and disruption. Since it can achieve complete spread in well under an hour, and could begin doing damage immediately on infecting a machine, human mediated responses offer almost no hope of stopping it."

    Complete spread in under an hour! Total destruction of infected servers!

    Whee!

    Watch for one of these coming out with the next major IIS exploit.

    --
    Torrey Hoffman (Azog)
    "HTML needs a rant tag" - Alan Cox
  2. similar vulnerabilities, different fixes by Anonymous Coward · · Score: 1, Interesting
    My Redhat 5 box was compromised a few years ago by a BIND worm. When Mediaone discovered that it was scanning for potential victims, they SHUT ME DOWN.

    Fair enough.

    When Code Red hit, the fix was not to disable the infected machines. They "fixed" it with their own denial of service. They shut down port 80.

    So which worm is worse?

  3. What happens when there isn't a patch ready? by BortQ · · Score: 3, Interesting
    If you patched your systems on a quarterly basis, you would not have been vulnerable to a single one of the Linux worms.

    I'm waiting for the time when a worm comes out that exploits a vulnerability that has yet to be 'discovered' yet.

    All that has to happen is for a worm writer to be the first person to find a vulnerability. Then (assuming that this person is malicious) their worm would have a tremendous advantage. They would be guaranteed that every single server running that particular OS would be open to attack. If they took the time to write a really nasty worm (say it's set to replicate itself 10 times and then try and erase everything it can reach on the networks it has access to, except itself) this would quite assuredly bring a large proportion of the internet to a grinding halt.

    And you know it's got to happen some day...

    --

    A Multiplayer Strategy Game for Mac OS X, Windows, and Linux
  4. My two cents... by pi_rules · · Score: 3, Interesting
    Summary: IIS alone is providing holes for the MS platform at a rate that exceeds -every- popular *nix based product right now

    Do I have any numbers for this? Nope... I'll leave that for somebody else to dig up. I'm a BugTraq reader, and I'm amazed at the sheer number of serious IIS exploits that have recently been coming out. I haven't seen anything new in the past few weeks, which is good, but take a look at the sheer number of buffer overflows alone that have been found in IIS lately. I bet it's more, or really close, to the total number of buffer overflows found in things like sendmail, bind, apache, and even telnetd in the same time span.

    As a programmer I'm appalled here by IIS. Buffer overflows are old, but they keep coming back up. IIS is a new product, most likely written entirely in C++, which should be making the string handling much simpler than the C counterparts. These IIS holes are coming about due to either laziness, incompetence, or indifference on the MS coders' part. These aren't obscure either. You request a long URL and you overflow a buffer? C'mon here. The URL is coming from untrusted users -always-. Access point #1 into the system isn't even being looked at for possible holes... over and over.

    One would think (read: hope) that MS has got a slew of people over-looking all areas of IIS for possible buffer overflows right now. Maybe they'll actually fix some before they're found? Doubtful... given their track record of reactive security.

    Justin Buist
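
The over-long URL case raised in the comment above, as an added example (not part of the original comment and not IIS code): a C routine that copies the request target out of an untrusted request line only after checking that it fits the destination buffer. The function name, the 256-byte limit and the sample request line are assumptions constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

#define MAX_TARGET 256  /* assumed limit for this example, terminator included */
enum { REQ_OK = 200, REQ_BAD = 400, REQ_TOO_LONG = 414 };

/* Extract the request target ("/index.html") from an untrusted request line
 * such as "GET /index.html HTTP/1.0". `line` need not be NUL-terminated;
 * `len` is the number of bytes actually received. Nothing is copied into
 * `out` unless the whole target fits, so an over-long URL is rejected
 * instead of overrunning the buffer. */
int parse_request_target(const char *line, size_t len, char *out, size_t cap)
{
    if (line == NULL || out == NULL || cap == 0)
        return REQ_BAD;
    out[0] = '\0';

    /* The method ends at the first space. */
    const char *sp1 = memchr(line, ' ', len);
    if (sp1 == NULL || sp1 == line)
        return REQ_BAD;

    /* The target runs from after that space to the next space. */
    const char *start = sp1 + 1;
    size_t rest = len - (size_t)(start - line);
    const char *sp2 = memchr(start, ' ', rest);
    if (sp2 == NULL || sp2 == start)
        return REQ_BAD;
    size_t tlen = (size_t)(sp2 - start);
    /* The unchecked form of this step, strcpy(out, start) or a copy loop
     * that stops only at the space, is what a long URL overflows. */
    if (tlen >= cap)
        return REQ_TOO_LONG;
    if (start[0] != '/' || memchr(start, '\0', tlen) != NULL)
        return REQ_BAD;          /* not origin-form, or embedded NUL */

    memcpy(out, start, tlen);
    out[tlen] = '\0';
    return REQ_OK;
}

int main(void)
{
    char target[MAX_TARGET];
    const char *req = "GET /index.html HTTP/1.0";  /* constructed sample */
    int rc = parse_request_target(req, strlen(req), target, sizeof target);
    printf("%d %s\n", rc, target);
    return 0;
}
```

The length check runs before any byte is copied, so the 414-style rejection costs nothing on the normal path and the destination buffer is never partially written.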

  5. I'm not paying to spread viruses by SirSlud · · Score: 2, Interesting

    The idea of *nix worms is far more easy to digest, since those who wrote the software with said vulnerability aren't living in huge mansions and driving fast cars. They tried their hardest, and weren't profiting as much for demonstrably insecure software.

    The OS argument always seems to be about quality, but I'm also interested in the esoteric aspects of it - if you're gunna get rich off something, then it had better damn well work; if you do it out of the kindness of your heart and/or scientific curiosity and research, well .. worms will always exist, but I'd rather the software I didn't have to pay for be guilty than the software I did.

    --
    "Old man yells at systemd"
  6. Get Real by MakinWaves · · Score: 2, Interesting

    Yes of course we remember the *nix worms. Here's another thing to remember. *nix will never be the veritable screen door of security holes that M$ products are. I find "Whistler" to be aptly named.

    I wonder what would happen if IT professionals were paid $1 per machine for each security update. Guess TCO with M$ products would go through the roof eh? One particular week this year would have netted me $600.

    --

    ---Most Definitely not a Karma Whore---

  7. Re:Regardless by sulli · · Score: 3, Interesting
    When was the last time you heard Linux referred to on the local news

    When IBM sprayed SF sidewalks with Linux graffiti (some is still there)

    --

    sulli
    RTFJ.
  8. Re:Don't forget Morris! by medcalf · · Score: 2, Interesting

    Yeah, that was a Solaris (and VAX?) worm. It hit our engineering network gateway box (the only Solaris system we had) and we were offline for about 3 hours (in the middle of the night) while we cleaned it out. Interestingly enough, at the time enough admins knew each other that most of the information on fixing the problem was spread by phone calls. (Some was also by email and USENET, but those were effectively disrupted for many people.)

    -jeff

    --
    -- Two men say they're Jesus. One of them must be wrong. - Dire Straits
  9. Blame the language by Tom7 · · Score: 3, Interesting

    Yes, worms can happen everywhere. That's because practically all network software is written in C (or its perverse descendant, C++).

    If we were coding our network software in a secure ("safe") language (one without buffer-overflow "capabilities") such as Java, O'Caml, (or even scripting languages like Python, to an extent) we would greatly reduce our security risk. Given that these languages also typically increase productivity, it seems like a clear win to me...

    Microsoft realizes the contribution C and C++ make against stability and security; they've recently hired up a lot of famous programming language folks to work on new language technologies. Microsoft knows that large projects written in languages without sophisticated modularity constructs (i.e. C, C++) tend to get out of hand quickly. They're working to fix this! They're even working on technologies to improve the stability of device drivers through language technologies (see the Vault project, for instance).

    However, C has always been the UNIX platform's language. Will UNIX stay in the 60s as even Microsoft moves on? If so, I say it will be the "wormy" operating system family of the 21st century...

  10. Regardless by steveo777 · · Score: 2, Interesting
    Just because Unix and Linux have worms written for their destruction/mayhem, doesn't mean that the media is going to go into a foray about it. When was the last time you heard Linux referred to on the local news?

    Media shies away from what the consumer doesn't know about because they fear that Mr. and Mrs. Average are going to lose interest.

    --
    This sig isn't original enough, it's time to come up with something witty...