Don't Forget That Worms Happen Everywhere
friday2k writes "Securityfocus has a nice column on Worms and their origin in 1988. It explains what everybody should never forget. We have dealt with *NIX worms (Sadmind, li0n, ...) and they will come back again. Maybe then the MS fanatics will laugh and say: didn't we always tell you Open Source is insecure (too?) ..."
Except that linux distros don't install telnet by default. It would therefore require a user to explicitly ask for it to be installed. From what I understand, most of the IIS sites infected were cases where MS installed IIS by default.
And I think that redhat update lets me be a lot more lazy than any NT admin. 2 clicks, downloads and installs all the patches. Doesn't get much easier than that.
apt-get update
apt-get upgrade
Another great difference that should be accounted for is the ease of learning how to run Linux. Oh sure, it looks harder, but the information is available and it's SO MUCH EASIER to really know what you are doing than it is to trust a particular vendor. Grief, it's hard to keep a single MS box running. The cloud of BS that MS keeps its users under is awful and we should be nicer to those suffering there.
Friends don't help friends install M$ junk.
The use of ACLs on NT makes the security much more configurable than the simple user/group permissions on most variants of UNIX. Some Unices have ACLs, but that's hardly designed from the ground up is it?
The major issue is not whether Linux can have worms. The major issue is that Microsoft products seem to be of very low quality. Extremely poor security is only one aspect of that.
No Linux email programs or word-processing programs have the authority to take over the entire operating system. Microsoft products sometimes do.
Many of the security bugs in Microsoft products seem to come from sloppy programming. The open source world would have a difficult time being as sloppy.
The popular Linux programs give a general impression of quality, and of sincerely wanting to do a good job. Microsoft programs give the general impression (to me) that Microsoft wants to give as little as possible to the customer, so that the customer will feel motivated to upgrade.
Bush's education improvements were
Personally, I think most security problems are a factor of how little documentation you get/read with new PCs. I'm not quick to bash admins (some are ignorant and lazy but that includes every category of people) as this worm is more @home based than .com based.
Home users get a PC with the promise of easy to use blah blah and a handful of killer apps. It doesn't matter much if it's Redhat or MS, if you don't understand the security aspects of being on-line you shouldn't be running a server.
This worm is pretty benign, no deleted system files or content just a big fat backdoor. It's all over the media but I'm really curious if the average @home user got any real message out of this. Maybe they just know to download the patch because it's on Cnet and run IIS with one security patch. Ideally, the message should be to get ALL the patches if you're planning on running IIS and subscribe to MS's security list. From what I've read in the media, it's probably the former.
I know what would get worms back into the media for a long time - a Warhol Worm. You want to read something scary about worms, go read that. Be sure to read the section "A Worst Case Warhol Worm". It gives me the shivers to think about it.
From the article: "A worst case Warhol Worm is truly frightening, capable of doing many billions of dollars in real damage and disruption. Since it can achieve complete spread in well under an hour, and could begin doing damage immediately on infecting a machine, human mediated responses offer almost no hope of stopping it. "
Complete spread in under an hour! Total destruction of infected servers!
Whee!
Watch for one of these coming out with the next major IIS exploit.
Torrey Hoffman (Azog)
"HTML needs a rant tag" - Alan Cox
Long before Microsoft entered into the scene with NT, Vendors such as Sun were selling UNIX servers and workstations. True, this mostly referred to hardware configurations rather that OS configurations, but that was simply reflective of the fact that they were hardware vendors rather than software vendors.
The real Webmaven is user ID 27463. I don't rate an imposter, because my ID is such a lame-ass high number.
Ah. I think I know what you're talking about.
Got time? Spend some of it coding or testing
I highly recommend showing people how insecure telnet is -- in a dorm, for example, pop up ethereal on one machine and log in over telnet from a machine in a different room. Follow TCP stream, and point to your real password displayed on the screen. This is more effective than lecturing people about TCP/IP and ethernet, and I've only had one guy start asking dismaying questions about how to sniff other people's passwords.
Change your password after, of course. Now if only there were an equivalent way to get people to use PGP...
I once had an MCSE ask me, in all seriousness, why he couldn't type a fully-qualified hostname to choose a DNS server. It's a paper qualification; it implies no real skill or insight into the system's operation, or any sort of reasoning into consequences of limited design.
The Microsoft Certified Systems Engineer certification does not claim to certify any knowledge of planning, implementing, configuring, or supporting DNS.
It tests a limited and well defined check list of skills, most having to do with installation and configuration. Only with the Windows 2000 series did the tests begin to measure planning and design skills.
The Windows 2000 and XP/.NET required tests - and the skills measured by each - are listed here: http://www.microsoft.com/trainingandservices/default.asp?PageID=mcp&PageCall=requirements&SubSite=cert/mcse&AnnMenu=mcse
obviously no deficiencies vs. no obvious deficiencies
A *nix sysadmin is less likely to let a machine go unpatched, in the best of all possible worlds.
An NT/2000 sysadmin is a secretary who reboots when the internet thingy stop hoogjamajigging, in the best of all possible worlds.
Seriously, in tracking down a couple of thousand hosts on campus who had Code Red, I have never run into such righteous indignation over a simple lecture on systems maintenance as patching. Of course, many of these users/sysadmins were dumbasses who installed Win2K server because they could, not because they had to. 3 machines in one room were being used as everyday workstations and not offering services for any particular use by the office. Mind you, the services were still offered. Hit the average Code Red machine with your web browser and you will see the default webpage.
Comparing it to Windows will be a moot point, since El Dorado is going to have a 40% larger code base than XP.
Win2k comes with a telnet server, no? Sniff, sniff, ewwwww, what's that smell? Did someone step in MS again?
Friends don't help friends install M$ junk.
For example, Apple's Mac OS-X disables ALL remote services (apache, ftp, ssh daemon, AppleTalk sharing, etc) by default during install. And it's not possible to turn those on during install either, you have to go into System Properties (under an admin-enabled user after install is complete) to switch them on.
Mandrake linux (I'm sure other distros do this, but Mandrake is the only one I've ever installed, likewise to other unix-based OSs) takes a similar approach. While it is possible to choose certain services to open remote services at install time, there is a screen during install which advises you that you're allowing certain daemons to be enabled at install, and an opportunity to turn them off. Not the best way, but it's an improvement over MS.
The idea with both of these is that you are explicitly telling the OS to open services, as opposed to IIS which you are telling Windows to run implicitly by taking a default install. This allows an admin the ability to know exactly what services are running on a machine, as opposed to someone not knowing IIS even exists on their machine.
The One Rule Of Chess You'll Ever Need: Don't play someone who carries a kit in their bookbag.
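As an added example (my own code, not anything a poster in this thread wrote), here is a small Python audit of an inetd.conf in the Red Hat 6.2 layout the thread keeps coming back to: it lists which services inetd would actually start, flags the plaintext-credential ones such as telnet and ftp, and writes a hardened copy with those lines commented out. The sample inetd.conf is constructed, and the set of services treated as plaintext is my assumption.

```python
"""Audit an inetd.conf for enabled plaintext-credential services (added example)."""
from dataclasses import dataclass
from typing import List

# inetd service names whose credentials travel in the clear. This set is an
# assumption for the example: telnet and ftp as the thread discusses, plus the
# r-services (inetd names "shell", "login", "exec").
PLAINTEXT_SERVICES = {"telnet", "ftp", "shell", "login", "exec"}

# Constructed sample in the Red Hat 6.2 inetd.conf layout; not a real host's file.
SAMPLE_INETD_CONF = """\
# /etc/inetd.conf (constructed sample)
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
#shell  stream  tcp     nowait  root    /usr/sbin/tcpd  in.rshd
finger  stream  tcp     nowait  nobody  /usr/sbin/tcpd  in.fingerd
time    stream  tcp     nowait  root    internal
"""


@dataclass
class InetdService:
    name: str
    socktype: str
    proto: str
    user: str
    server: str

    @property
    def plaintext(self) -> bool:
        return self.name in PLAINTEXT_SERVICES


def parse_inetd(text: str) -> List[InetdService]:
    """Return the services inetd would actually start (commented lines are skipped)."""
    services = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 6:
            continue  # malformed line; inetd itself would log and skip it
        # Fields: service socktype proto wait/nowait user server-program [args]
        services.append(InetdService(fields[0], fields[1], fields[2], fields[4], fields[5]))
    return services


def audit(text: str) -> dict:
    """Summarise exposure: every enabled service, the plaintext ones, and those run as root."""
    services = parse_inetd(text)
    return {
        "enabled": [s.name for s in services],
        "plaintext": [s.name for s in services if s.plaintext],
        "as_root": [s.name for s in services if s.user == "root"],
    }


def harden(text: str) -> str:
    """Comment out every enabled plaintext service; leave all other lines untouched."""
    out = []
    for line in text.splitlines():
        fields = line.split()
        if fields and not line.lstrip().startswith("#") and fields[0] in PLAINTEXT_SERVICES:
            # The whole line becomes a comment, so the trailing note is harmless to inetd.
            out.append("#" + line + "   # disabled: credentials sent in the clear")
        else:
            out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    report = audit(SAMPLE_INETD_CONF)
    print("enabled:  ", ", ".join(report["enabled"]))
    print("plaintext:", ", ".join(report["plaintext"]))
    print("as root:  ", ", ".join(report["as_root"]))
    print(harden(SAMPLE_INETD_CONF))
```

Running the script on the sample reports ftp and telnet as enabled plaintext services; the hardened copy leaves only finger and time active.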
The post referenced above is merely an attempt to point out the fact that any operating system is only as secure as the person using it. Period. Obviously too difficult a concept for you to grasp; L1NuX r00lz d00D! is probably more on your level. I'll also point out the fact that your definition of quality is not everybody's definition of quality; if your opinion was the only that mattered, you'd be the only one with mod points. And my original topic is neither offtopic nor flamebait. I notice that you make no attempt to refute my explanation, merely attack me personally. Well, I'm not going to waste any more time with what looks like a troll account, making such insightful statements as 'what if every security professional was paid 1 dollar per patch?' I will point out one more time that the patch caused Code Red, not vice versa. You cannot blame Microsoft for admins not installing patches.
Vintage computer games and RPG books available. Email me if you're interested.
Considering telnet is essentially a security hole that you could drive a Ben-Hur chariot race through (user and root passwords passed in plaintext? yum!), and has been recognized as such since... well, forever, by Unix admins, and even is not installed by default on recent RedHat releases, I'd say that there's deeper problems than "telnetd has an exploit." Installing telnetd on a unix machine is about the same as shipping Windows boxes with back orifice and code red already installed.
Napster-to-go says "Fill and refill your compatible MP3 player", which is a lie. It's not MP3. It's WMA with DRM.
I think that the real reason that MS systems were hit so hard by Code Red and its descendants is that there is a real difference in the culture of the respective developer communities.
There is no reason why all those home systems and corporate desktops should have IIS running in the first place. There is also no reason (generally) for a home linux system to be running, say, BIND or wu-ftpd.
So why does Microsoft encourage the installation of unnecessary software on its systems, and why doesn't it make it easier to not install those services in the first place?
It comes down to culture. Unix-like operating systems are minimalist and modular, because the development communities appreciate elegant code (not necessarily elegant interfaces).
Whereas Microsoft prizes a DWIM (Do What I Mean) approach, which encourages adding functionality 'just-in-case', as Microsoft seems to think that actually asking a user to install a component is a failure on their part.
In the long run, elegant, minimalistic code is easier to understand, and therefore easier to secure (examples are Sendmail vs. qmail, or BIND vs. djbdns).
The real Webmaven is user ID 27463. I don't rate an imposter, because my ID is such a lame-ass high number.
Generally, the UNIX biodiversity has helped prevent viruses from spreading, until "here! run this perl script!" catches on. Right now there aren't any non-proof-of-concept Linux viruses.
Who should we send the wormsign spotting bonus to?
Dammit, where are those carryalls??!?!?!
InigoMontoya(tm)
This signature is self-referential.
Don't forget that they are released under GPL so that the source also has to be available to 2nd generation worms that are built upon the original code.
most of the IIS sites infected were cases where MS installed IIS by default
Indeed. NT Server asks to install IIS during its installation, and it's "yes" by default. Then, Index Server is a component of IIS, also installed by default (default choice: yes).
It was Index Server, not IIS, that was attacked by Code Red.
Napster-to-go says "Fill and refill your compatible MP3 player", which is a lie. It's not MP3. It's WMA with DRM.
Take a look at the SANS Institute's "Ten Most Critical Internet Security Threats" here.
Notice that the level of representation of MS products is quite low. Consider that the Open Source Community's conventional wisdom is that closed source leads to insecurity. I am risking the almighty flame when I say so, but here it is: Monoclonal OS prevalence is the issue, not open source versus closed source.
What I am saying is that the OS with the greatest market share attracts the hackers the most because they get the most "bang for the buck."
But two conclusions can be drawn about this observation, one good, one bad:
The good: the move towards an "OS ecosystem" of various flavors of OS is the healthiest for the Internet. Because if something like Code Red were to reappear, only a minority portion of the pie chart of OS prevalence would succumb, as opposed to the majority slice. I use the biological allegories "monoclonal" and "ecosystem" because you can say the same thing about crop resistance to insect/ bacterial/ fungal/ viral pests: the more the genetic similarity of crops, the greater the risk of one solitary biological pest taking out all of the Midwest as opposed to one cornfield.
The bad: Microsoft, having the greatest exposure to exploits now, is getting the most experience with dealing with exploits. Dealing with them at a business, PR, and technical level. The more you fight a war, the better you get at it, and Microsoft will only get better and better at it, the general public will only grow more and more confident with their fight, and less and less exploits will be discovered. Other OSs haven't borne the brunt of the kind of hacker attention yet that fosters this kind of improvement, unfortunately for us all, who live in the ecosystem of the Internet.
intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
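To put numbers on the "complete spread in well under an hour" quote from the Warhol Worm article earlier in the thread and on this post's monoculture argument, here is an added Python model (my own, not code from the thread or from the article it cites) of a random-scanning worm: each infected host probes random IPv4 addresses, so the infection rate is proportional to how many vulnerable hosts sit in the address space, and a smaller vulnerable share slows the whole epidemic. The population size, scan rate and OS shares are constructed assumptions.

```python
"""Logistic model of a random-scanning worm: monoculture vs. diverse OS mix (added example)."""
import math

ADDRESS_SPACE = 2 ** 32  # IPv4 addresses a random scanner chooses from


def spread_rate(vulnerable: int, scans_per_sec: float) -> float:
    """New infections per second per infected host while everything is still vulnerable.

    A probe lands on a vulnerable host with probability vulnerable/ADDRESS_SPACE.
    """
    return scans_per_sec * vulnerable / ADDRESS_SPACE


def seconds_to_fraction(vulnerable, fraction=0.9, scans_per_sec=100.0, initial=1):
    """Closed-form time for dI/dt = k*I*(V-I)/V (k = spread_rate) to reach fraction*V."""
    k = spread_rate(vulnerable, scans_per_sec)
    ratio = (vulnerable - initial) / initial
    return math.log(ratio / (1.0 / fraction - 1.0)) / k


def simulate(vulnerable, fraction=0.9, scans_per_sec=100.0, initial=1, dt=1.0, max_seconds=10**6):
    """Step the same model numerically; returns seconds to reach fraction*V, or None on timeout."""
    infected = float(initial)
    target = fraction * vulnerable
    t = 0.0
    while infected < target:
        if t >= max_seconds:
            return None
        # Each infected host finds (V - I)/ADDRESS_SPACE not-yet-infected victims per probe.
        new = scans_per_sec * infected * (vulnerable - infected) / ADDRESS_SPACE
        infected = min(vulnerable, infected + new * dt)
        t += dt
    return t


def monoculture_vs_ecosystem(hosts: int, shares=(1.0, 0.5, 0.1)) -> dict:
    """Hours to 90% spread when the exploited product runs on the given share of `hosts`."""
    return {share: seconds_to_fraction(int(hosts * share)) / 3600 for share in shares}


if __name__ == "__main__":
    # Constructed population: 300,000 web servers (an assumption, not a measured figure).
    for share, hours in monoculture_vs_ecosystem(300_000).items():
        print(f"vulnerable share {share:4.0%}: 90% infected after {hours:5.2f} h")
```

With these assumptions a monoculture of 300,000 hosts is 90% infected in about 0.6 h, while the same product on a 10% share takes roughly eight times longer, which is the ecosystem argument in numbers.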
Install RedHat 6.2 lately? Telnet's there. Know how many folks are still using 6.2 because they have software that is only certified for it? Besides, the advantage of ssh is that traffic is encrypted, and sniffers can't pick up passwords, there have been vulnerabilities found before in sshd.
This is a futile argument. Linux is not inherently more secure than NT and NT is not inherently more secure than Linux. OOTB they both have to be considered insecure, maybe not today, but there's going to be a wu-ftpd, iis, bind, or heaven forbid, sshd exploit after release.
Listen up people, this is important and you will be tested on it at some point: A MACHINE IS ONLY AS SECURE AS ITS ADMIN IS VIGILANT! Your machines are not secure today. They can be compromised. Someone may not have discovered the vulnerability yet, but they will.
Which is exactly what happened with Code Red. The patch was available months before. It all comes down to reliable admins who keep up with patches and security alerts. Platform and dick size have nothing to do with it.
'Same speed C but faster'
If as many people tried to compromise UNIX systems as often as they do Microsoft systems, you can bet that we'd be seeing some pretty serious UNIX viruses.
Your basic premise is correct that there are more people trying to break MS systems than Unix/Linux systems, but U/L will never be as vulnerable for a number of reasons:
1.) There are several flavors of Unix and dozens/hundreds of distributions of Linux, not to mention all the different version numbers of each of those. This would dramatically impede the spread of any worm. Almost every MS-based site has IIS 5.0 and it is this homogeneity that allows things like Code Red to spread so quickly and effectively.
2.) Unix/Linux systems in general are easier and safer to patch. Almost every MS patch requires a system restart and it is not at all unusual for the patch to break something else. I have never had a security update break anything on my Debian systems, nor have I ever had to restart the whole system. The service updated (such as the recent Horde/IMP updates) is restarted and the user doesn't even know, even if he/she is using the system at that moment (I know this because I did it as a test case here at work. Someone was reading their email on our IMP system while I upgraded the system. Yeah, a bit dangerous, but we're a small company and no one would have gotten in trouble. Regardless, she didn't even know anything had happened).
3.) Security holes are much more frequent on MS systems. We all have heard about the fact that the last known remote root exploit for Apache was over 3 1/2 years ago. There have been a few security patches since then, but nothing nearly so troublesome as Code Red. I read somewhere that there have been over 40 serious holes in IIS this year alone, although I don't remember where I read it and it may be apocryphal.
Bottom line is that while it may be true that if as many people who are attacking MS systems started attacking Unix/Linux systems, we might see more issues on U/L, it is also true that Unix & Linux are better engineered from the start, easier to upgrade and more varied, all of which make them much more secure inherently than MS solutions.
Cheers...........
I'm waiting for the time when a worm comes out that exploits a vulnerability that has yet to be 'discovered' yet.
All that has to happen is for a worm writer to be the first person to find a vulnerability. Then (assuming that this person is malicious) their worm would have a tremendous advantage. They would be guaranteed that every single server running that particular OS would be open to attack. If they took the time to write a really nasty worm (say it's set to replicate itself 10 times and then try and erase everything it can reach on the networks it has access to, except itself) this would quite assuredly bring a large proportion of the internet to a grinding halt.
And you know it's got to happen some day...
A Multiplayer Strategy Game for Mac OS X, Windows, and Linux
- Dual-booting. Shell scripts may be cross-Unix but they sure aren't cross-OS. Boot your box back into Windows or Mac OS.
- Nonstandard installs. The vast majority of vulnerabilities rely on the system matching the virus's expectations in some way. Change your system configuration in such a way as to break the virus's infection engine (for Code Red, you could move or rename cmd.exe).
- Read-only media. Reformat and install from a CD. It can't survive that and it can't stop you from doing it.
One more thing: All viruses have undisclosed actions. A virus's actions are only discovered when someone at a security firm reverse-engineers it. It's not like virus writers issue press releases...
Do I have any numbers for this? Nope... I'll leave that for somebody else to dig up. I'm a BugTraq reader, and I'm amazed at the sheer number of serious IIS exploits that have recently been coming out. I haven't seen anything new in the past few weeks, which is good, but take a look at the sheer number of buffer overflows alone that have been found in IIS lately. I bet it's more, or really close, to the total number of buffer overflows found in things like sendmail, bind, apache, and even telnetd in the same time span.
As a programmer I'm appalled here by IIS. Buffer overflows are old, but they keep coming back up. IIS is a new product, most likely written entirely in C++, which should be making the string handling much simpler than the C counterparts. These IIS holes are coming but due to either laziness, incompetence, or indifference on the MS coders' part. These aren't obscure either. You request a long URL and you overflow a buffer? C'mon here. The URL is coming from untrusted users -always-. Access point #1 into the system isn't even being looked at for possible holes... over and over.
One would think (read: hope) that MS has got a slew of people over-looking all areas of IIS for possible buffer overflows right now. Maybe they'll actually fix some before they're found? Doubtful... given their track record of re-active security.
Justin Buist
The author writes
Excepting the Morris worm, before which nobody cared much about Internet security, all of these worms have one thing in common: the exploited holes were discovered months before the worm, and official patches for the affected packages were widely available.
This was true for the Morris worm as well. Both the sendmail and fingerd issues being exploited by the worm were fairly well-known at the time of the exploit. If I recall correctly, part of the reason that Morris wrote the worm was because of his frustration over the continued presence of these security holes, and paradoxically, part of the reason that he released it prematurely was because one of the holes had suddenly gotten extra attention.
The difference between theory and practice is that, in theory, there is no difference between theory and practice.
The big issue with Exchange is that it appears to have evolved, conceptually at least, from Microsoft's ancient single-user-OS mailer programs. As with most Microsoft software, when things go wrong, they go totally wrong (the wings fall off rather than the engines simply stopping).
PostFix (to pick a competing service that I use daily) is the exact opposite: it has been componentised almost to excess, no piece trusts another (to say nothing of the trust not accorded to information from the outside world), no piece runs with more privs than it needs, no piece does anything it doesn't need to, sharing is painfully minimalist, and finally it understands timesharing and user separation from the core outwards. Best of all, you don't need to lose these layers of safety to add something like calendaring to it (just add another delivery method).
When was the last time you heard of an exploitable root vulnerability - or even a read-everyone's-mail vulnerability - in PostFix?
Got time? Spend some of it coding or testing
Red Hat Network was the Red Hat answer to apt-get in Debian. I am not going to argue that all people should install Debian - it's not a total newbie distribution.
.NET has not yet made people used to paying for software subscriptions.
However, a nightly apt-get against security.debian.org is a VERY good way to patch your system for holes. Debian is really good about releasing quick fixes to their packages.
Red Hat Network may or may not be good about keeping your system completely up to date. I don't know, because I am not willing to shell out a monthly amount of money for keeping my free system up to date.
Really, I don't think MOST people are willing to pay for this sadly necessary exercise in security. By charging for this functionality, Red Hat is reducing the security of a large portion of the installed linux servers. It is simply going to create a bad rep for all of the linux community when worms start to work their way around linux servers using old vulnerabilities. Users with systems that automatically patch themselves will sleep fairly soundly (of course, there is a 24 hour time frame between every time you patch yourself. In the meantime, someone MIGHT have found an exploit and created a worm that utilizes that exploit).
I realize they are in the money-making business. However, they are also representatives for linux. I think they need to be gently prodded to either make red hat network a one-time fee, or totally free.
Oh - and I DO know that patching alone is not enough. You also need to use secure services, and as few services as possible with explicit firewall rules for controlling who can access those services, plus making a good security policy altogether (most important).
Stop the brainwash
I'll say it yet again, since this is just another way of drudging up the Code Red issue. The problem isn't the platform, it is the administration of the platform. If Unix can be counted on to be mismanaged then an exploit will surely surface. In short, if the Unix world ever finds itself in the state of the Windows NT world, where boxes aren't administered and patched, we too will be nailed. Is anyone surprised? No. Okay, let's let this tired topic die already.
-- Solaris Central - http://w
When speaking about CodeRed? Just because the networks have stopped talking about it, doesn't mean it's gone away.
I don't know about anyone else, but I'm still getting hundreds of CodeRed attacks every week.
I gotta get a tight tension on...
The idea of *nix worms are far more easy to digest, since those who wrote the software with said vulnerability aren't living in huge mansions and driving fast cars. They tried their hardest, and weren't profiting as much for demonstrably insecure software.
.. worms will always exist, but I'd rather the software I didn't have to pay for be guilty than the software I did.
The OS argument always seems to be about quality, but I'm also interested in the esoteric aspects of it - if you're gunna get rich off something, then it had better damn well work; if you do it out of the kindness of your heart and/or scientific curiosity and research, well
"Old man yells at systemd"
Go for it, dude.
Meanwhile, while you're downloading your cracking tools you might want to reread my comment. I know that it's possible to break past a masquerading firewall, but I doubt I can do much to stop someone with that much technical expertise anyway.
You might also want to look into modern package managers, especially apt-get update. It's not that hard to check for security patches once a week, or whenever I learn of a new release.
For every complex problem there is an answer that is clear, simple, and wrong. -- H L Mencken
Yes, *nix presents at least as much of a target as Win boxes, if not more since the services running on a default install are likely to include daemons like ftp and telnet. However, it is also really easy to run a perl script like Bastille to tighten security fast and with little technical know-how. Try that on an NT box.
Yes of course we remember the *nix worms. Here's another thing to remember. *nix will never be the veritable screen door of security holes that M$ products are. I find "Whistler" to be aptly named.
I wonder what would happen if IT professionals were paid $1 per machine for each security update. Guess TCO with M$ products would go through the roof eh? One particular week this year would have netted me $600.
---Most Definitely not a Karma Whore---
Ya Right, run as root *and* run untrusted code. Sounds like a typical windows user executing an email attachment to me. Informative my ass...more like typical M$ thinking
This is why we create user accounts. This is why we run suspicious code in that account in the first place. You gonna send the code with that VIM?. How are you gonna hide the exploit? Geez...I'll bet you're one of those accessing Slashdot through IE right?
---Most Definitely not a Karma Whore---
I forget the user name, but it's equivalent to nobody on *nix. You have to go screw it up yourself before it runs as root.
If you're gonna spread FUD, at least get it right!
I once had an MCSE ask me, in all seriousness, why he couldn't type a fully-qualified hostname to choose a DNS server. It's a paper qualification; it implies no real skill or insight into the system's operation, or any sort of reasoning into consequences of limited design.
/etc/ directory, the file everything.conf, with the permissions -rw-rw-r--. What if you decide that you don't want Joe User to see your firewall configuration? Make everything.conf readable only to sys admins? Then, all of a sudden, all of the daemons have to have admin privileges just to see their configuration. Urk. Kludge. Messy, dangerous kludge.
.ini files to SYSTEM and Administrator... Of course you wouldn't. You obviously spend a lot more time bawling about imagined wrongs in Windows than you do learning about it. MCSEs learn all about that stuff, though. Fancy that.
This is limited to MCSE's only? No other subset of users can make this kind of error?
Therefore, I consider MS fanatics to be, for the most part, a self-limiting reaction
What is a MS Fanatic? Is that anything like a Linux fanatic? I don't see many people saying "Screw RedHat, screw FreeBSD, MICROSOFT RULES!". On the contrary, I see a LOT of OS bigotry from self-proclaimed *nix professionals, who naysay and poo-poo an operating system just because it comes from a particular vendor. A true professional evaluates the problem, and figures out what OS/software best fits the situation. There has been plenty of times that we've thrown out Solaris/SCO/Linux in favor of Windows, because Windows offered the best solution for what we were doing.
I think the more relevant question is with regards to the operating system's track record. With the exception of the recent blight of Red Hat 7.0, Linux has probably had far fewer documented bugs, and because of the UNIX user permissions model, the damages are minimal.
Your analysis is flawed. Willie Sutton robbed banks because that's where the money is. Microsoft OS's get so much focus because they're so widely used. The recent slew of RedHat hacks that have emerged is due to the RedHat distro being the most popular. It follows that a popular OS is going to get attention. NT/2k also has a user permission system. I'm sure any professional who has worked with NT before would be aware of this. When the permissions are applied as documented and recommended by Microsoft the damages are as minimal as on a Unix system.
Compare this to Windows. Bugs all over the place, some more serious than those in Linux, some less serious.
That's a highly astute observation there. Tell me, can a bug in Windows be of equal seriousness as a bug in Linux? I see an awful lot of exploits for Linux. Can you back up your claim of "bugs all over the place" for Windows with any kind of numbers, or are you just speaking from the heart? Linux certainly has a pretty good library of bugs and exploits.
Where most machines are running 9x/Me with *no* user/process security whatsoever, malicious code can run rampant
Actually, ALL Win9x/ME machines have no user process security. But those OS's weren't designed to have that. If you want user process security, use NT/Win2k. 9x/ME were designed as a consumer platform, not for business. Microsoft doesn't recommend using Win9x in the corporate environment.
NT/2000 is an improvement, but it's not designed into every aspect of the operating system's historical architecture.
Actually, it is. You're arguing from a point of ignorance. Try actually USING the operating system for a while, for something other than launching telnet. All processes in NT/Win2k run under the context of the user that spawned it.
Windows has been one patch to DOS 1.0 after another, and the final result is such a kludge and so many processes are running with full administrative privileges that the task of exploiting a bug remains trivial.
This is bullshit again. If you have so many processes launching under Administrator, I would suggest not having your services run under that account, and stop logging in as Administrator on your system. Do you log in as root on your Unix systems regularly? Best practices for both OS's say not to use root/Administrator unless something calls for special permission that superuser account has.
Running Windows 2000 on my desktop is farcical - half my software won't work properly if I don't give my user account admin privileges.
Bullshit again. Normal client software doesn't require Administrator access to run. Installing software on a Win2k/NT box requires superuser permissions, but HEY! That's a security feature, and Windows doesn't have that, right? Lazy people who don't want to configure their systems properly run their services under a superuser account, and we all know what THAT means. Even in a Linux world. I certainly don't need Administrator permission to launch Office, Explorer, or any other normal user process. Unless your system is SO badly configured, a user started process CANNOT just run as Administrator simply because it wants to, unless it's a service which has been configured to run as Administrator (in which it's your fault for doing so), or you're logged in as Administrator.
It amazes me how many allegedly Windows 2000 compatible programs decide that they're going to attempt to store temporary information in the system registry instead of the roving user registries.
Because software installed on a Windows system is system-wide. If you want to prevent someone from launching a particular application, use POLEDIT and edit their profile to stop them, or *GOSH* maybe change the NTFS permissions to prevent someone from accessing the executable? Don't tell me that you don't use chmod in the Unix world?!
The single system registry is dangerous, too. Imagine, in your *NIX
Of course, nobody would expect you to know that you could set permissions on individual Registry keys, and restrict
Contrast this to Linux or any other UNIX variant, the whole model and concept of which was designed with user and process security and isolation from the ground up.
Yeah, fancy that Microsoft wouldn't consider that. I guess the Internet Guest account can launch any damn process it wants, or any user on a Terminal Server can stop any other process, even if it doesn't belong to him. Not. IUSR_ cannot simply just add itself to the Domain Admins group, just because someone is using a directory traversal exploit (which wouldn't be a problem in itself if the admins simply INSTALLED THE DAMN PATCHES) because OH MY GOD! That process cannot be spawned by a non-Administrator account!
As a bonus, the added complexity of administering multiple accounts to the average user is a pain in the butt. They want point-and-drool, everything clean and simple and familiar.
Point-and-drool? Do you really hold your users in such low regard?
Actually, administering an NT/Win2k mixed domain is quite easy, and I use the command line a lot. But you're expecting regular everyday users (who probably just use a PC at home for email and pr0n surfing) to suddenly have the knowledge of a 20 year Unix engineer simply because you're in the building. There's no need for GUIs in Linux, no siree. Things like KDE and Gnome are simply figments of my imagination. Windows domains don't require a person to have multiple accounts. Microsoft has stressed from the beginning the "unified login", where one account is sufficient. Sounds like you really need the services of an MCSE.
The beauty of the complexity of Linux/UNIX versus Windows is that it weeds out the chaff who aren't capable of managing a box.
Complexity can come and bite itself in the ass. Is complexity always a good thing? We've chucked out Linux and Unix solutions in favor of Windows simply because it Didn't Work. Linux isn't the Wonder Platform that a lot of people try to make it out to be.
I'm sure the programmers and architects at M$ see the problems and comparisons I'm drawing. To be designing an operating system, you must love computers and a sense of a job well done, so I'm sure it pains them that they have to deal with such kludges day in and day out. I'm sure they'd dump the whole thing and fix it if they could, but the marketing guys won't let them implement it.
I hope you're sending your resume to Microsoft right after reading this. Actually, I don't, since you haven't the first clue about Windows or its security model. Instead of the usual Windows-bashing, why not take a few minutes out of the day and actually LEARN the OS? It sounds like your workstation needs to be reconfigured anyway.
I've administered many Windows domains, both NT and Win2k, that are directly connected to the Internet, and have a large internal userbase. And I've never ONCE had any major security problems. Maybe I'm a "gifted" MCSE, or The One who will bring balance to the Force, but to me, none of your arguments hold water.
The interesting thing about the article is that it implies that unix worms are written by very smart people, unlike the script kiddies who target windows. Maybe this means it's a bit harder to write a unix worm?
I would think that to write one which would propagate despite the myriad configuration options in UNIX which simply aren't available in Windows, as well as having to find a way for the malicious code to break out of the process' user rights and get root access, would substantially raise the bar in any attempt to make one that is substantially destructive.
Fire and Meat. Yummy.
The real Webmaven is user ID 27463. I don't rate an imposter, because my ID is such a lame-ass high number.
The worm that takes everyone offline will exploit multiple holes in multiple operating systems and network services. It may very well operate in a stealth mode, trying to stay under the radar for as long as possible instead of defacing web sites and leaving obvious back doors. It may make a coordinated search of the IP space as described in a recent article.
We are cursed to live in interesting times...
Bleh!
Predicated on the idea that someone installed a few hundred thousand backdoors for a reason, you might also want to put a canary out by adding a PHP script to /scripts/root.exe on your own webserver which contacts the calling machine and shuts it down (if it's IIS). Remember to keep a record of who hit you and only respond every few minutes, finally giving up after (say) 3 to 5 tries so that your own server can't be provoked into DoS-like activity.
Got time? Spend some of it coding or testing
Yeah, I have used them. Impressive auditing too, I must admit. But we are discussing home users, most of whom are not running Win2K Adv. Server.
And lots of things scan port 111 (RPC).
Actually, I particularly enjoy having BIND running locally. Since I fired it up:
1) I haven't had outages because my @home DNS servers have gone to lunch, and
2) I've gotten rid of a lot of junk after setting up some bogus entries for doubleclick.{net|com} and x11.com.
I agree that there's no reason for most home users to have a BIND system visible to the net at large, but there are some pretty good reasons for one if it can be located behind your firewall.
For every complex problem there is an answer that is clear, simple, and wrong. -- H L Mencken
Microsoft released the patch 2 weeks before the worm got serious. In either case, it has been available the entire time. Where were the admins and users then? You can't blame apathy on MS.
Tony-A's answer was succinct, but I'd like to add that you're ignoring both the frequency and the quality of vulnerabilities on each system. More of the Unix holes are mere DoSes and/or extremely difficult to exploit than is the case for Windows, and when an exploitable hole is more than a DoS it often either requires local access and/or only gives you the privs of the user running the service (e.g. `apache' or `nobody') rather than open slather.
Those are big differences and largely independent of administration.
First, I'll wager there are just as many or more Red Hat boxes with Apache run by someone who does not even know it's there. I know, because I ran one that way. The boogey men did not come and get me for the month or two I had it that way. Why? Because Red Hat 6.2 had far fewer holes by rational design than MS trash which is driven by marketroids.
Second, they have tightened things up. 7.1 comes with a graphically configurable firewall, and bugs you about it on install. That's a big step from the "Everything" install of long ago. It may not be as tight as Debian, and really I must recommend Debian too, but it's not nice to FUD unless you are sure of what you say.
All of the Linux distros are doing good things for teaching their users security. It's in the design and philosophy of free and open software to teach users. If man pages, online help and Slashdot are not enough, you can always fall back to the stone age dead tree instructions.
No matter if it is a DoS attack or a worm or any other kind of attack. No matter what OS you are supporting and using, if you as an Admin don't have the proper service packs and updates installed then your OS will be a victim sooner or later. Having competent people running the shop is where it is all at. If you look at the latest worms, Red Hat's and MS's, they could BOTH be avoided by updating software.
Sorry about the spelling, I really need to get a spell checker plugin for /. posts!
"If ignorance is bliss, why aren't there more happy people in the world?"
Yeah, I've had multiple e-mails on the subject of "there were worms before the Morris worm" but what I'd intended to say (unfortunately not what I wrote) is that the Morris worm was the first Internet worm.
Mea culpa
New Linux boxes hitting the net aren't arriving with known superuser vulnerabilities (except one in Samba, difficult to exploit, not installed by default, configured unusably by default even if installed, and you'd have to be a bean-head to expose SMB to the Internet anyway; I get SMB probes several times per hour per IP during the quiet periods); new Win2k boxes hitting the net are arriving with known superuser vulnerabilities.
You left off a qualifier: ``by Microsoft.'' Crackers will continue to find exploits, and one day, one of them will release the worm-to-end-all-worms for IIS. I favour one which installs Linux, copies across the existing services, and sets up shop as a P2P server for its children to download from. Wouldn't it be fun to see all of the penguins popping up on the screens in a Windows server farm? (-:
This is a social problem, not a technical problem, and it requires a social solution.
While I agree that there is a social element to this problem, I think that there is definitely a technical solution: firewalls.
Personally, I would never attach a computer to the internet unless it was a firewall, or was protected by a firewall. It does not have to be a hardware solution (although that is preferable, and those black-box firewall devices are ideal for home use), PCs can run personal firewall code as well.
Being behind a firewall is no guarantee that you won't get 0wned, and is no substitute for secure-by-default operating systems, but it is an important part of securing your system.
*** Where are we going? And what's with this handbasket?
Check out dnscache which is part of the djbdns package.
Hello, I am a recruiter for Microsoft. Please post your contact information, I am interested in offering you a job as a software engineer, possibly a management position.
Need Free Juniper/NetScreen Support? JuniperForum
This is probably irrelevant but I'm going to spout on, basically because the telnetd exploit does nothing to my boxen. Putting aside the exploit, telnet is completely insecure from the ground up. Ever su into a box over telnet? Guess what, you're not the only one with your password now. For those of you who haven't switched to SSH yet, you were asking for it. This just gives you another reason to switch.
There is no reasonable defense against an idiot with an agenda
:wq
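The post above states that anyone sniffing the wire sees the password you type to `su` over telnet. The following is an added example, not code from that poster or anyone else in the thread: it reassembles the client-to-server side of a telnet session the way a sniffer would, strips the telnet option negotiation (IAC sequences from RFC 854), and pulls out the line typed after `su`. The packet payloads in SAMPLE_SEGMENTS and the password "s3cret-pw" are constructed for the demo.

```python
"""Show what a sniffer sees when someone runs `su` over telnet.

Added example for this thread, not code posted by anyone in it. The
segments in SAMPLE_SEGMENTS are constructed to resemble the client->server
payloads of a telnet session: option negotiation (IAC sequences) followed
by keystrokes, which an interactive telnet client sends one byte at a time.
The password "s3cret-pw" is made up.
"""
IAC, DONT, DO, WONT, WILL, SB, SE = 255, 254, 253, 252, 251, 250, 240


def strip_telnet_commands(data):
    """Drop IAC command and subnegotiation sequences (RFC 854), keeping only
    application data. IAC IAC is an escaped literal 0xFF byte."""
    out = bytearray()
    i, n = 0, len(data)
    while i < n:
        if data[i] != IAC:
            out.append(data[i])
            i += 1
            continue
        if i + 1 >= n:                      # dangling IAC at end of capture
            break
        cmd = data[i + 1]
        if cmd == IAC:                      # escaped 0xFF
            out.append(IAC)
            i += 2
        elif cmd == SB:                     # subnegotiation: skip to IAC SE
            j = i + 2
            while j + 1 < n and not (data[j] == IAC and data[j + 1] == SE):
                j += 1
            i = j + 2
        elif cmd in (DO, DONT, WILL, WONT): # three-byte option command
            i += 3
        else:                               # two-byte command (NOP, AYT, ...)
            i += 2
    return bytes(out)


def reassemble(segments):
    """Join client->server payloads in capture order, strip negotiation and
    split into typed lines (telnet ends a line with CR LF or CR NUL)."""
    stream = strip_telnet_commands(b"".join(segments))
    text = stream.replace(b"\r\x00", b"\n").replace(b"\r\n", b"\n")
    return text.decode("ascii", "replace").split("\n")


def find_su_password(lines):
    """Return what was typed on the line after an `su` command: the answer to
    the password prompt, sent in the clear even though the server does not echo it."""
    for idx in range(len(lines) - 1):
        words = lines[idx].split()
        if words and words[0] == "su":
            return lines[idx + 1]
    return None


def keystrokes(text):
    """One segment per character, the way an interactive client sends them."""
    return [bytes([c]) for c in text.encode("ascii")]


# Constructed capture: negotiation, then four lines typed by the user.
SAMPLE_SEGMENTS = (
    [bytes([IAC, WILL, 24]),                         # WILL TERMINAL-TYPE
     bytes([IAC, DO, 1]),                            # DO ECHO
     bytes([IAC, SB, 24, 0]) + b"VT100" + bytes([IAC, SE])]
    + keystrokes("ls\r\n")
    + keystrokes("su -\r\n")
    + keystrokes("s3cret-pw\r\n")
    + keystrokes("id\r\n")
)

if __name__ == "__main__":
    lines = reassemble(SAMPLE_SEGMENTS)
    print("typed:", [l for l in lines if l])
    print("root password on the wire:", find_su_password(lines))
```

The server never echoes the password back, which is why people assume it is hidden; the client still sends every byte of it in plain ASCII, and the negotiation stripping above is all that stands between a packet capture and the root password. SSH encrypts the whole session, so the same reassembly yields nothing.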
A Red Hat Linux 7.1 system doesn't start any network services by default, and installs a firewall by default.
I was quite happy to see both of these things, by the way; keep up the good work.
7.2 will be even better.
Um... doesn't this contradict your previous sentence? Or will 7.2 start -1 network services, and physically unplug your ethernet cable?
Imagine Code Red in which almost all servers are NT/IIS and there is no web, no central authority, no "experts"...
It caused the Inet as it was to cease to function. People had to pull their boxes off-line to keep from getting repeatedly infected.
The confusion and panic that followed led to the creation of CNet and was the start of most of the big, early Inet security organizations that exist today.
<old codger>
You young whippersnappers don't know from worms. We used to create worms on punch cards and you had to mail them around to get infected! Those were the days!
</old codger>
I suddenly feel old and have to go lie down....
=tkk
Bill Gates - Creationist?!?
Maybe most people write their own. I did when the local "authorities" insisted that I must install software to scan for Windows viruses in order to hook up a Linux computer:
#cat wrightAntiVirus
# the parentheses make -ok apply to all three name tests, not just the last one
find $1 $2 $3 \( -iname \*.exe -o -iname \*.doc -o -iname \*.xls \) -ok /bin/rm -f {} \;
That's close. You don't have to shut down IIS to close this hole. All you really have to do is UNMAP any extensions you don't use. If you make use of htm, html, asp, pl, and you go into application mappings in IIS, and see anything besides htm, html, asp, pl, you should delete them. Now. That should be among the first things a web-admin does.
This worm comes down to laziness, no more no less. I'm betting that, at the absolute most, between 5% and 10% of sites need things like .ida/.idq/.stm, and all the other crap filters that get installed by default.
I like music
This is slightly off topic, But I've been thinking about it for a while. What if someone made a worm that behaved like an unintelligent life form. It would send some random (but predetermined) instructions to the processor, then make some judgement on whether it has more RAM than other instances of the program to survive. If it does, It would spawn more instances that are like itself, but altered slightly in the random instruction portion. Eventually, one may randomly "figure out" how to copy itself to another computer on the network.
I realize it would take millions of generations before this happened, but once it did, it might become a very robust worm, and one that eats a lot of memory. All it would take is a few dedicated computers and some incredible Darwinian selection methods for it to occur.
Information wants Coq
That should make the point of the superiority of Linux worms over Windows worms and end all the FUD.
Je t'aime Stéphanie
---Most Definitely not a Karma Whore---
When IBM sprayed SF sidewalks with Linux graffiti (some is still there)
sulli
RTFJ.
You all say that Unix admins know more, or that open source programs have patches out faster, but what about all those people who know little about linux and install it. They can just as easily leave their computers unpatched, running 24/7 using some cable provider. More and more people are trying out linux, it doesn't mean all of them are smart. So of course the same thing can happen.
Talked about his experience as a worm. In the interview here. It has some advice for newer worms and viruses.
Talk about biting the hand that feeds you!
In the case of the internet mail worm, the function of the worm was based on unanticipated behaviors of both the worm code (the author had intended the worm to limit its speed of propagation) and the internet mail system (the author was exploiting a bug in the mail transfer agent). Clearly, this sort of situation, while a threat to security, is easily remedied once the exploit is known. The remedy can even be implemented with little or no effect on daily operations, since the erroneous behavior of the program will not have been used as part of any applications.
In the case of the various Outlook worms, however, the situation is reversed. The worms rely on explicit features of the Outlook suite for their functioning. These same features have been incorporated into all sorts of applications built upon the Outlook suite, which means that in order to disable the worm, many production applications must be modified or discarded.
This is a design issue, at its heart. There are some cultural effects involved (e.g. the MS assumption of a monoclonal computing environment leads to the expectation, and exploitation, of features that would not be reliably present in a heterogeneous environment.) but the central problem is the explicit decision by Outlook program managers to include features that were inherently insecure. (Consider that, while Sun may have a similar monoclonal outlook to Microsoft, Java was designed for both security and provision of a wide and reliable feature set)
The question is not "can worms be written for systems other than Microsoft's?" -- to which the answer must always be 'yes', even if only because we can't rule out the possibility entirely -- but, rather, "is it easier or harder to write worms for Microsoft systems than for other systems?" The answer is, pretty clearly, that Microsoft's design decisions make worms far easier to implement on MS platforms than on other platforms.
HOWEVER it's not fair to snicker if the 'other' operating system got struck by a worm. There were many unix based worms also, remember the buffer overflow hole 'bind' had?
So what happens if the BSD TCP Stack is found to have such an overflow error? This would automatically infect ALL systems I can think of, who doesn't use BSD's stack today?
--
Karma 50, and all I got was this lousy T-Shirt.
Vintage computer games and RPG books available. Email me if you're interested.
There are REALLY important issues that interact with this one.
1) A box should come with only absolutely necessary web services running. Anything else should require the admin manually to turn the service on. This would prevent about 90% of all worm cracks.
2) The providers of a distro have a responsibility to ensure that security updates get to all people affected - not just those who subscribe to mailing lists. They have a responsibility to ensure that fixes are easy to get and easy to apply. Debian probably has the best security model in this regard due to apt-get.
Microsoft fails on all fronts. They ship NT server and Windows2000 server with IIS enabled by default. They do not push publicity out about worms that impact their systems - they make a low key effort to acknowledge that they have a problem only when they have a fix.
Redhat has also been particularly poor in this regard in the past - more recent installs seem not to enable internet server software by default, and to include warnings when you enable things.
Whereas Microsoft software is buggier and less secure than any other software, they also fail to enable their users when security fails. For this the blame goes squarely on the shoulders of a giant that banks $1 billion per month for avoiding bad publicity in order to help their users.
I use OS-X at work for networks research. I have a PowerBook G4 laptop w/ dual monitors (a regular monitor + the laptop screen), 500 MHz, 256 MB ram, 20 GB HD, 10/100 ethernet, 2 USB ports, 1 firewire port, 56K modem (which is thus far unused).
if you want to get a powerbook, wait about a month. OS-X.1 is in beta, and is expected in September. I work at a company Apple considers a "Premier Developer," hence we get pre-releases and betas and all the other good stuff, and X.1 delivers on what it promises. X.1 makes a ton of serious improvements over X.0.4, the current patch. They made a lot of improvements to the GUI allowing the OS and programs running on it to be more responsive to user interactions. Plus several other enhancements like DVD support (which I have not yet tried)
The One Rule Of Chess You'll Ever Need: Don't play someone who carries a kit in their bookbag.
If even one of them is professionally administered, your point is made. Inconvenient facts are the terror of grand and popular theories. (-:
Of course I use tarballs too.... But RPMs make the package management a little easier and avoid the --force command later....
LedgerSMB: Open source Accounting/ERP
Don't most UNIX admins need to know something about the OS other than the size of the install base, and therefore actually patch their security holes in a reasonable amount of time? Let's not forget the issue is NOT Microsoft's security hole. All OSes have those; it's that the user base is not up to date on installing the security fixes. We just hope everyone who bashes MS will patch their own holes come unix worm time.
The lead architect for Windows NT was Dave Cutler who was the lead architect on VMS, which had all the features you list for UNIX long before UNIX did.
Virtual memory, shared object libraries, system level ACLs all appeared on VMS many years before UNIX.
Also part of the Microsoft team was Butler Lampson who invented the security monitor, ACLs and much of the rest of the security infrastructure we take for granted.
Windows NT does not and never has shared code with DOS. The Windows GUI code and some of the libraries are shared from 95 on, but the code was developed from scratch for the purpose.
Networking and security are both relatively recent additions to UNIX. Until Sun wrote NFS UNIX did not have anything like the VMS cluster concept. And NFS sucked real bad until about five years ago. Until five years ago at least one major UNIX vendor was shipping a version of Sendmail that had major security holes in it that had been known for three years.
In short, until Windows NT and Linux showed up to give the complacent UNIX vendors some competition UNIX was a real sucky operating system, and an expensive one at that.
Bet you wish you thought of this nym first
I think there are 2 real points to the fact that *NIX systems are more secure. First of all, UNIX is more mature than MS software, therefore they have already been through the more trivial problems with holes. The second point is that because of Open Source customers get to choose what part of the software gets the most development. Security gets attention when those affected by bad security get to decide.
I'm not here now... I'm out KILLING pepperoni
To a Lisp hacker, XML is S-expressions in drag.
Right now there aren't any non-proof-of-concept Linux viruses.
I can just see it:
Hi! How are you?
I send you this perl script that must be run as root in order to have your advice
See you later. Thanks
And Windows had its viruses 10 years ago. Those holes have been patched, and now people know better.
Securityfocus has a nice column on Worms and their origin in 1988.
Okay, if worms appeared in 1988, then what the hell ate all the dead bodies thousands of years ago?
OpenBSD's record is for that many years (I can't remember the total number) without a root exploit.
that is, no root exploits, at all, in the default install. local or remote. it's pretty crazy. does make it a popular firewall os though. (though I use FreeBSD for mine. but I respect the hairiness of the OpenBSD folks.)
your university requires you to use M$ Office? hey, that's what OS X is for. :)
my old sig used to be funny, but then slashcode ate it and now it's not funny anymore
And just what software would that be? The only "application" I have run into that needs admin rights is the Adobe Gamma tool (comes with Photoshop) and it might need those rights. FYI, I'm in the Power Users group.
Here's a good one, for example. Asus Probe, which does hardware monitoring, just opens a blank window if it's not run as Admin. Nor will it detect and warn with fan stalls. Obviously, it was preferable to run myself as a regular user. When it didn't work, I moved up to Power User, then Admin.
Another one which has given me problems was Nero 5, can't remember the sub-version, I'd check but I dual-booted into Solaris. It wouldn't burn without Admin, though it's designed for 2000.
And finally, as if ATI could ever actually make any software work anyway, MultiMedia Center 7 (my All-in-Blunder TV program) won't display the TV window. I know several TV stations in my area which use these cards for on-air monitors for their news producers and executives, and Windows 2000 as their desktops. It's self-defeating for them all to run as Admin.
While the problems seem to primarily affect those applications which are pretty hardware intensive, there's no intelligent reason why, for example, Asus' hardware monitoring can't pass the data from an administrative service to a user-level display service.
Whether it's defective design on the part of the software developers or Microsoft user-level security which defaults to *too restrictive* (unlikely, given their many previous security blunders), the net effect is the same: to be useful, I have to run my computer as Admin.
With my Linux, BSD or Solaris boxes, however, I rarely have to log in as root.
Actually, I didn't mean that there was no planning going on for the case of an emergency. Although I did blather on about a lot of stuff that I probably shouldn't have.
What I did mean is that we should work out a simple (from the user perspective) solution for any really terrible security emergency. Something where the user can open a terminal window and type one simple easy to remember word and have the problem dealt with.
That's the beauty of 911. Even a small child can remember it. It's easy. It's fast. Any emergency that you have the person on the other end of the line knows how to deal with.
Vendors/Distributions should all provide this functionality.
err...
psmylie's dictionary: Godzillion (noun) Any number large enough to destroy Tokyo
With code red there were 2 problems. People didn't install the patches when they were released and also the patches didn't entirely fix the problem.
With debian it's pretty easy to install patches regularly by typing apt-get update and apt-get upgrade.
But code red could have been much more serious than it was. It could have used a new exploit instead of a known one. And it could have spread much faster. As it was some people were still infected before they could download the patch. A third way it could have been worse is if it had used a more common application than IIS, for example apache.
Maybe now would be a good time to work out emergency infrastructure to deal with an emergency like that instead of waiting until it happens.
Something simple to type that's the same across all distributions that shuts down everything and downloads a patch and installs it automatically. Apt-get is fine for normal patches but some people could become infected before they downloaded the patch. What I have in mind is more along the lines of slashdot posting something like "type emergencyUpdate" and every single linux user, regardless of distribution, who saw that would type it and within 10 seconds they would be safe from infection because their computer would shut down and then the patch would install itself and they could go back to surfing.
Also don't forget to use/support other web servers besides apache. You can find lots of them on freshmeat.net.
Yes, worms can happen everywhere. That's because practically all network software is written in C (or its perverse descendent, C++).
If we were coding our network software in a secure ("safe") language (one without buffer-overflow "capabilities") such as Java, O'Caml, (or even scripting languages like Python, to an extent) we would greatly reduce our security risk. Given that these languages also typically increase productivity, it seems like a clear win to me...
Microsoft realizes the contribution C and C++ make against stability and security; they've recently hired up a lot of famous programming language folks to work on new language technologies. Microsoft knows that large projects written in languages without sophisticated modularity constructs (ie C, C++) tend to get out of hand quickly. They're working to fix this! They're even working on technologies to improve the stability of device drivers through language technologies (see the Vault project, for instance).
However, C has always been the UNIX platform's language. Will UNIX stay in the 60s as even Microsoft moves on? If so, I say it will be the "wormy" operating system family of the 21st century...
Home systems (like mine) DO need bind. I can cache lookups here and browse quickly, or wait forever for my @home name server to respond. BIG difference.
UNIX Small? I have a 512 MB system and starting Gnome it still needs to use swap space. 10 instances of nautilus, 11 MB each, are running right now. Call that small? My Win system is a paragon of minimalist excellence by comparison. Not knocking *nix, but let's be realistic.
Michael PS In the cases you mean, it's "its", not "it's". :)
---
BDOS ERR ON A:>
It's the popularity of the OS. Windows is so popular that nearly everyone who, to put it bluntly, can simply not use a computer uses windows. I'm not saying that there aren't competent Windows system administrators and knowledgeable users, what I am saying is that most people are using computers for a long time before they discover alternate operating systems, and usually need a little knowledge to switch.
:)
:P), and the problem was patched within a couple of days. With the code red worm, most users didn't even know they had a web server, and even now I am getting hundreds of XXXX requests in my apache logs.
This means that there are going to be more people using windows who dont know what a security hole is, let alone how to patch it.
Another problem with popular operating systems is just that. They are popular and have many more users. If 10% of all users (a simplification here) are vulnerable to an attack, then most of them will be windows users.
Possible solutions? Maybe microsoft could sell windows in a pink box and charge $2000, making it instantly less popular and having less users vulnerable to exploits
Seriously though, take for example the Morris worm of 1988, infected a network run by competent system administrators (the fact that it was UNIX is besides the point.. or is it?)
And now linux is gaining popularity... NOOOOOO.. shoo.. shoo.. we don't need more users...
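Two posts in this thread look at the same traffic from the receiving end: the one proposing a canary at /scripts/root.exe to record the machines probing for that backdoor, and the one above still seeing hundreds of XXXX requests in its Apache logs. Below is an added example, not code from either poster, that does the passive half of that: it parses Apache access-log lines, flags the request shapes the thread mentions (the /default.ida?NNNN... and XXXX... requests, probes for /scripts/root.exe, and cmd.exe directory-traversal attempts), and counts probes per source. The log lines in SAMPLE_LOG are constructed for the demo, with RFC 5737 documentation addresses and the Code Red request body shortened.

```python
"""Flag IIS-worm probes in Apache access logs.

Added example for this thread, not code posted by anyone in it. The log
lines in SAMPLE_LOG are constructed for the demo (the Code Red request is
shortened); the request shapes are the ones the thread mentions: the
/default.ida?NNNN.../XXXX... requests, probes for the /scripts/root.exe
backdoor, and cmd.exe directory-traversal attempts.
"""
import re
from collections import Counter

# Apache common/combined format up to the size field; anything after is ignored.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: (?P<proto>[^"]*))?" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# (label, regex tested against the request path), checked in order.
SIGNATURES = [
    ("code-red-ida", re.compile(r'^/default\.ida\?(?:N{4,}|X{4,})', re.I)),
    ("root-exe-backdoor", re.compile(r'/scripts/root\.exe', re.I)),
    ("cmd-exe-traversal", re.compile(r'cmd\.exe|\.\.%(?:25)?5c|\.\.%(?:25)?2f', re.I)),
]


def parse_line(line):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(path):
    """Return the label of the first matching signature, or None for clean requests."""
    for label, rx in SIGNATURES:
        if rx.search(path):
            return label
    return None


def scan(lines):
    """Return (hits, per_source): hits is a list of (ip, label, path, status),
    per_source counts probes per client address. On Apache these requests
    come back 404: this box is not vulnerable, but the source is infected."""
    hits = []
    per_source = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:          # unparseable line: skip it, do not abort the scan
            continue
        label = classify(rec["path"])
        if label is not None:
            hits.append((rec["ip"], label, rec["path"], rec["status"]))
            per_source[rec["ip"]] += 1
    return hits, per_source


def infected_sources(lines, threshold=2):
    """Addresses that sent at least `threshold` worm-style probes; these are
    the machines a root.exe canary would be recording."""
    _, per_source = scan(lines)
    return sorted(ip for ip, n in per_source.items() if n >= threshold)


# Constructed sample log (documentation addresses, Code Red request shortened).
SAMPLE_LOG = [
    '192.0.2.10 - - [04/Aug/2001:11:02:13 -0500] "GET /index.html HTTP/1.0" 200 1523',
    '198.51.100.7 - - [04/Aug/2001:11:02:19 -0500] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858=a HTTP/1.0" 404 290',
    '198.51.100.7 - - [04/Aug/2001:11:02:20 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 289',
    '203.0.113.5 - - [04/Aug/2001:11:03:41 -0500] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 301',
    '192.0.2.10 - - [04/Aug/2001:11:04:02 -0500] "POST /cgi-bin/guestbook.pl HTTP/1.0" 200 512',
    'this line is not in access-log format',
    '203.0.113.5 - - [04/Aug/2001:11:05:17 -0500] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858=a HTTP/1.0" 404 290',
]

if __name__ == "__main__":
    hits, per_source = scan(SAMPLE_LOG)
    for ip, label, path, status in hits:
        print(f"{ip:15} {label:20} {status} {path[:48]}")
    print("sources with 2+ probes:", infected_sources(SAMPLE_LOG))
```

Feed it the real access_log with `scan(open("/var/log/httpd/access_log"))` and the per-source counts give you the list of infected machines whose owners you might want to notify; the 404 status on every hit is the reassurance that your own server only logged the probe. Nothing here responds to the probing host, which is the part of the canary idea most likely to get you in trouble.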
I have read a lot of posts in this discussion (and similar discussions in the past) talk about how *nix is better than NT. Then, some of the more level-headed among us pipe up and remind us that no OS is truly secure, and that the difference lies not with the system itself but with the system administrators. Thus, it follows that *nix admins are better than NT admins.
I most heartily disagree. Sure, there are *some* *nix admins that mop the floor with NT admins... but the opposite is also true.
I think we are all forgetting exactly what an "admin" is. An admin is *not* any JoeBlow@aol.com that stands up a web server! A system administrator is an IT professional who researches his work and prides himself on keeping his machines running smoothly.
If you think about it a little, I believe that you'll agree that the major cause of the whole Code Red problem is not the NT admins out there, but rather the JoeBlow@aol.com's who really don't know what they're doing. Ignorance, people... ignorance is our enemy! Not Bill Gates, not MS, not closed source! It's ignorance and apathy.
It's always a long day... 86400 doesn't fit into a short.
I'm not a very close observer to any of these things, but it seems like the recently noticed telnetd exploit has really screwed over more sites than Code Red has, which seems more of a bandwidth hog. I mean, a years-old simple string buffer overflow giving root access on so many linux boxes is inexcusable for people trying to "sell" Linux on its general security and reliability...
SO YOU'RE GOING TO DIE: The Comic for Dealing with Death
It would be easy to say that "Open source provides faster fixes!", but that is not true. A lot of the *NIX worms were designed to exploit closed source *NIX systems (Solaris, VAX, etc).
The difference is in the technical competency of the systems administrators. A UNIX administrator is far more capable of detecting and fixing a compromise, whereas an NT administrator, for the most part, is far less literate when it comes to dealing with a security compromise.
Please note that this is a generalization, and holds true due to the fact that administering a UNIX server requires a higher level of competence than an NT server.
Feed the need: Digitaladdiction.net
Wrong. Any operating system with a concept of 'root' has problems. Any operating system with things like passwords has problems. VMS, for example, has its 'root' accounts split across four separate people. But guess what? The one with 'physical disk' access can alter the security database and add himself to whatever he'd like. I said 'useing' when I should have said 'admining.' For the purposes of this conversation, I.e. with people using Linux, *BSD and NT/2K at home, they're one and the same. Trusted Solaris my ass, by the way. Go work on a B1 or higher rated system. :-)
Vintage computer games and RPG books available. Email me if you're interested.
There is another issue that the article takes a nice cheap shot about at the end. Some newer server software like Exchange integrates a lot of functionality in ways it hasn't been done in the past. Exchange allows email, which was once just used to send text messages around, to do a lot more. I don't foresee this trend reversing. There's likely going to be a lot of new types of services made available by servers. Even though there are security issues involved, users like having access to those services. I expect this means that there's going to be a lot of work for security consultants in the future. No surprise there, huh?
Windows (NT/2000) has some good security features in the kernel, the problem is that they are not properly used by the operating system as distributed by Microsoft. Locking things down would break too much stuff.
UNIX/Linux has an archaic security model that hasn't changed in decades.
Both operating systems suffer from being implemented in C, an unsafe language. It is possible to write secure code in C, but most people have neither the expertise nor time to do it correctly.
Mea navis aericumbens anguillis abundat
Mandrake is something I'm trying to install on my home machine as a second OS to Win98. My university almost requires me to use MS Office, particularly with profs of non-CS classes. But for the vast majority of advanced CS classes, they want us to use their dept's sun box. Many people use their own linux machines to do the work, then transfer the source and compile code there. While I am not currently one of those students, I hope to be soon. Plus they teach the OS classes using Linux, so it'll be good for me to teach myself some basics ahead of time :)
The One Rule Of Chess You'll Ever Need: Don't play someone who carries a kit in their bookbag.
As far as I know, Linux now also uses a BSD-based stack.
--
Karma 50, and all I got was this lousy T-Shirt.
"Sooner or later" is effectively a LIE because whether it's sooner or it's later makes a huge difference in securityville. You're also ignoring the "quality" of the intrusion (such as carte blanche versus mere DoS).
Me for later, much later. While I could do even better, I use Mandrake 8.0 for production work. It's a bit bleeding edge in some ways - and I pay for that - but it comes with two massive advantages over many Linux distros: it installs reasonably securely unless you tell it not to (warns you when you install world-visible services and if you choose a "high security" install even disables those), and it can automagically update itself. Debian users in particular have long had these comforts.
All Linuces have at least five huge additional advantages over Windows:
Yes, administration makes a big difference, but all OSes are a loooooong way from interchangeable when it comes to vulnerability.
Got time? Spend some of it coding or testing
If you find any infected machines, put a text file on the desktop (called something like YOU_HAVE_A_VIRUS.txt) with a warning in it (and the URL of your favourite Linux distro), and shut the machine down. If you want to get fancy, add a command to one of the startup methods to remove root.exe from the scripts directory.
You will be doing them (and everyone else) a favour by reducing the number of potential DDoS attackers available, and by closing a hole to destructive visitors.
Passive method (although I'm now down to less than one hit per IP per day):
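One passive way to implement the check the post above describes (spotting Code Red probes in the web server's own logs) is shown here as an added example; it is not code from the post or from Slashdot. The log lines are constructed, the /scripts/root.exe path is the backdoor the post mentions, and the /default.ida request is the probe Code Red's scanner sends when it tries a host.

```python
import re
from collections import Counter

# Constructed sample Common Log Format lines (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [04/Aug/2001:12:00:01 +0000] "GET /default.ida?XXXXXXXX%u9090 HTTP/1.0" 404 271
10.0.0.5 - - [04/Aug/2001:12:00:03 +0000] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 295
192.0.2.7 - - [04/Aug/2001:12:01:10 +0000] "GET /index.html HTTP/1.0" 200 1043
192.0.2.9 - - [04/Aug/2001:12:02:15 +0000] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 295
"""

# Minimal CLF parser: client IP, timestamp, method, request path, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Request paths that indicate a Code Red scan or a Code Red II backdoor probe.
PROBE_PATTERNS = (
    re.compile(r"/default\.ida\?", re.IGNORECASE),   # Code Red exploit request
    re.compile(r"/scripts/root\.exe", re.IGNORECASE),  # root.exe backdoor left by Code Red II
)


def find_probes(log_text):
    """Return (client_ip, request_path) for every line that matches a probe pattern."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not well-formed CLF
        path = m.group("path")
        if any(p.search(path) for p in PROBE_PATTERNS):
            hits.append((m.group("ip"), path))
    return hits


def probing_hosts(log_text):
    """Count probe requests per client IP; these are the hosts worth warning."""
    return Counter(ip for ip, _ in find_probes(log_text))


if __name__ == "__main__":
    for ip, count in probing_hosts(SAMPLE_LOG).most_common():
        print(f"{ip}: {count} Code Red probe(s)")
```

A host on your own network that shows up in this list is a candidate for the cleanup the post describes; one that is not yours is only a sign that the worm is still scanning, since the 404 means the request did nothing on a non-IIS server.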
So?
The fix being out there doesn't make anyone go and patch their machine. Your statement is largely (but not totally) irrelevant.
BilldaCat
I'm sure other distros do this, but Mandrake is the only one I've ever installed, likewise to other unix-based OSs
If you are interested in an OS that is secure by default, check out OpenBSD.
(For those of you who fear /. links, the site can be found at http://www.openbsd.org)
Compare the number of security advisories that affect OpenBSD versus the number that affect m$ products, and the value of a secure OS is obvious.
*** Where are we going? And what's with this handbasket?
Media shies away from what the consumer doesn't know about because they fear that Mr. and Mrs. Average are going to lose interest.
This sig isn't original enough, it's time to come up with something witty...
Seems to me like Cmdr Taco is getting fed right up with Slashdot filling up with OSS and Linux anklebyters. Good to see. Slashdot's slowly turning into 'propaganda for nerds. Two Minutes Hate that matter.'
$$$ are only a motivation to get more systems out there, vulnerable or not.
And I have to say this: QED!
Granted, they could work with limited functionality under lesser accounts, but even then it's their decision to do that. You can hardly blame Microsoft for that.
I don't see many people saying "Screw RedHat, screw FreeBSD, MICROSOFT RULES!"
Oh, I see and hear them all the time; most times it is people who grew up with Windows, never touched a *nix system, simply fear the unknown/new, and would prefer it to go away quickly before they would have to learn something new.
Look at slashdot right here, in almost every software related thread you'll find comments like this..