The Twenty Most Critical Internet Security Holes
Ant writes: "A little over a year ago, the SANS Institute and the
National Infrastructure Protection Center (NIPC)
released a document summarizing the Ten Most
Critical Internet Security Vulnerabilities. Thousands of
organizations used that list to prioritize their efforts so
they could close the most dangerous holes first. This
new list, released on October 1, 2001, updates and
expands the Top Ten list. With this new release, we
have increased the list to the Top Twenty
vulnerabilities, and we have segmented it into three
categories: General Vulnerabilities, Windows
Vulnerabilities, and Unix Vulnerabilities."
Running IIS!
------
Random, useless fact: I type in startx entirely with my left hand.
Being Slashdotted
Default RedHat or Debian installation.
isn't every security hole important? seems like a pretty bad attitude..
No an oxymoron would be
"windows security"
or
"military intelligence"
or(ahem)..
"female logic"
The secret of success is honesty and fair dealing. If you can fake those, you've got it made. (Marx)
Here's Google's cache of the page. It's kind of tough to slashdot google : )
http://www.google.com/search?q=cache:dbJlh35mihk:www.sans.org/top20.htm+&hl=en
Remember, check those links, you don't want to be goatse'd....
Matthew P. Barnson
I learn what I think when I read what I write
Argh! Slashdotted, there's a security hole for you! :)
Google archive here.
That the top ten list of last year makes an appearance in the top 20 of this year?
Haven't we learned anything?
O.K. So some of them (no/weak passwords) are user related, but so many of them are admin related (bind vulnerabilities, IIS RDS vulnerabilities)
Don't any admins care about these?
Of course, inside a company network some of these problems can be ignored if that is the decision. R commands are useful, but I wouldn't want people using them across the internet to my machines... But at the very least firewall... Please.
Z.
-- Under/Overrated is meta-moderation, and therefore is Redundant.
I'd add
21. Hiring admins with no clue about security
As far as the *nix vulnerabilities, I think that a large majority of Slashdot readers could name off NFS, Bind, Sendmail, rlogin/rsh as critical (and many have already disabled / blocked those services).
Just my $0.02
Ed
I certainly hope that "The Slashdot Effect" is high on the list. It definitely qualifies as a DOS attack for most webservers.
Including theirs.
-- Josh Turiel
"2. Do not eat iPod Shuffle."
But rather the slacking sysadmins who do not keep up with the latest security patches. Like any other form of security (i.e. virus scanning) they should be monitored and maintained on a constant basis.
I like fire ants. They are very spicy!
Oh so having the root password root is a BAD idea... oops, Cowboy Neal, your root password has been leaked
I'm surprised to see that this hole didn't make the list.
I only post comments when someone on the internet is wrong.
Intuitive Linux
-Malakai
A Dragon Lives in my Garage
Got Rhinos?
Looks like the feds are considering setting government standards, abcnews article is here. I'm not sure how helpful government standards could be, but I think I could welcome them. I'm sure that if my toaster lit on fire as often as my windows box crashes the government would do something about it, so why not hold software companies more accountable.
Help find a cure for cancer!
"G" stands for "general holes"
"W" stands for "Windows holes"
"U" stands for "Unix holes"
G1 - Default installs of operating systems and applications
G2 - Accounts with No Passwords or Weak Passwords
G3 - Non-existent or Incomplete Backups
G4 - Large number of open ports
G5 - Not filtering packets for correct incoming and outgoing addresses
G6 - Non-existent or incomplete logging
G7 - Vulnerable CGI Programs
W1 - Unicode Vulnerability (Web Server Folder Traversal)
W2 - ISAPI Extension Buffer Overflows
W3 - IIS RDS exploit (Microsoft Remote Data Services)
W4 - NETBIOS - unprotected Windows networking shares
W5 - Information leakage via null session connections
W6 - Weak hashing in SAM (LM hash)
U1 - Buffer Overflows in RPC Services
U2 - Sendmail Vulnerabilities
U3 - Bind Weaknesses
U4 - R Commands (rlogin, rsh, rcp)
U5 - LPD (remote print protocol daemon)
U6 - sadmind and mountd
U7 - Default SNMP Strings
MadCow
I used to have a sig, but I set it free and it never came back.
Readable Perl
It would be a crime to forget the classic 'microsoft works'
Google Link: http://www.google.com/search/?q=cache:dbJlh35mihk:www.sans.org/top20.htm+
I have worked for SANS in the past but I have to disagree with the way they compiled this list. The fact that there are a larger number of "vulnerabilities" for *NIX than Windows is misleading. I just bet the M$ people latch onto this "See, Windows is less vulnerable!" Even though most of the *NIX stuff is so old you rarely find it occurring in the real world.
What is more useful IMO is to have a ranking of these "vulnerabilities". Right now an unpatched IIS box can be hit even though you have it firewalled so only port 80 is open. With the *NIX stuff, the only way to hit a system via port 80 is bad CGI or a new exploit to the webserver software. And when was the last time an Apache exploit was released?
Look at the CVE numbers. That tells a tale of what is going on _now_. The number has the year and there are many of the *NIX exploits that are 2 years old or more. Many of the Win exploits are within the last year.
Do really dense people warp space more than others?
you scare me.
I'm a big retard who forgot to log out of Slashdot on Mike's computer! LOOK AT ME.
Linux boxes are much more secure than any of the competitors. Solaris is getting better; UnixWare is pretty hopeless (see BUGTRAQ). NT is ... well, draw your own conclusions about NT. I feel much safer with a Linux server than with any other OS and the security just keeps getting better.
-sting3r
Until managers understand and treat computer security SERIOUSLY, the same basic weaknesses will remain.
One thing that helps is for companies to hire computer security specialists, and make this their primary job. Instead, many businesses that I work with expect their already-overburdened sysadmin or network administrator to "protect" the network, something he/she has never been trained to do. The average NT Administrator does NOT know much about network security. The new Win2K Security certification is a step in the right direction, but it is only a baby step.
-------------
"Against stupidity the gods themselves contend in vain." - Schiller
% man wait(2)
Badly placed ()'s.
That's not flamebait, that's right.
;)
"Windows vulnerabilities" might be redundant, though.
And I suppose "running windows" is still an oxymoron.
-Puk
Man, there is nothing better than a good Microsoft joke. What a HUGE belly laugh!
Dude, you crack me up. This is easily the most clever, witty line I have ever seen in my entire life.
I nominate this post to get the first ever Score:6 moderation! Hell, make it Score:10!
In fact, I think it's clear that this is the joke of the year. Nay! The best damn joke ever told in the history of the whole goddamn world. Let's engrave it on a block of bronze 10 fucking feet high so that our progeny can continue to enjoy the brilliance of the joke.
All hail NewbieSpaz! All hail! All hail!
Not trolling here but, you have to notice that there are 7 general, 6 windows, and 7 unix vulnerabilities.
IIS is bad, but Unix admins that don't patch BIND and SendMail are worse. The IIS versions change every year or so and the patches come fast and furious, but SendMail and BIND have had stable versions and patches for a while.
Almost everyone reading this will admit that it takes a bit more expertise to get SendMail and BIND up and running than IIS (which is installed by default in Win2kSrv). Therefore the admins with more expertise should be held MORE accountable since they have greater responsibility by running BIND and SendMail.
Ummm, Jon, aren't you supposed to be dead...? - Otter(3800)
Right. Thus "Windows vulnerability" is redundant, not an oxymoron.
I just read over the list and there is nothing new here. We know Sendmail needs regular patching. We know BIND needs regular patching. We know never to run the R commands or IIS. We know we need firewalls. I can write down a list of common sense things to do, too. There is nothing new here.
I can't believe that the slashdot effect is number one. WOW! Congratz all around!
there are 2 kinds of people. those who divide people into 2 kinds, and those who don't.
We would however, be pleased to give you this gnu wave web address (including a year's free hosting), due to your interest in promoting the brave gnu world of open/honest communications/commerce, & your ability to follow simple directions.
djia hear the one about father williams' new ?software? mafia ?product? being InFactDead, PRIOR to ITs release? know?
I like this sentence from the sans.org article: "Sendmail has a large number of vulnerabilities and must be regularly updated and patched." One might go further and suggest that switching to another mail transport is the best solution. On my small site, I use exim; other people like postfix or qmail.
In one credible place with annotations and links are the most common problems. Sure most of them aren't news to /.'ers but they're likely news to lots of other folks and exactly the thing to light a fire under the PHB's of the world. It's almost a checklist of "Are these implemented and if not *why* not?"-items for the semi-technical and as such is invaluable.
My thanks to the SANS Institute and the NIPC for releasing such a well-written & useful document.
I don't read ACs: If a post isn't worth so much as a nom de plume to its author then I wont bother either.
Thus "Windows vulnerability" is redundant, not an oxymoron.
The proper obscure word for it is tautology.
is windows, for a system that crashed usually can't be hacked....
".Sig Stealer" was here
Maybe not on UNIX machines, where SNMP is generally turned off by default - but on Cisco devices where it is enabled by default with the common SNMP names . . .
SNMP on cisco devices is weak because of the default community string names (public, private and secret). To add to the situation, the secret string will allow you to bring interfaces up and down at will, all without a trace of intrusion in the logs. While the big guys like ATT and Wcom may fix these using default config files, many universities and smaller carriers don't even know it exists.
OpenBSD claims to be "secure by default" but it has failed to keep up with most of the common-sense security precautions taken by the Linux vendors. They spend all of their time auditing their code base from 1992 (the leftovers of 386BSD) instead of incorporating new features like jail(2), acls, and separation of privilege. Thus you are left with an architecture that is slightly less secure than Linux and a lot less functional.
I bet in certain cases Google's cache could be a big security hole too. One that springs to mind is how after 9.11 nuclear power plants removed a bunch of info off of their sites. I just checked, and these pages (now 404's) are still in Google's cache.
daed si luap
The most secure system is a Unix box run by a 40+ year old bloke who has seen the virtual deaths of more script kiddies than I've had hot dinners.
Actually Mainframe admins run pretty tight ships as well. It's a sad reflection on the new generation of admins that most of these are things the old school had never even thought of doing wrong. The current raft of virii are an example. The people hit had new school systems, the old school companies survived untouched.
Old blokes in a distant room of the organisation, possibly called "Gary" or "Dave" never seem to be doing much, but their network never fails.
An Eye for an Eye will make the whole world blind - Gandhi
Microsoft has announced a security program which will include automatic updating via Windows Update, providing free bimonthly patch packages, etc.
Strategic Technology Protection Program (STPP)
http://support.microsoft.com/support/kb/articles/Q303/2/15.ASP
1.) Having your website posted on Slashdot. The most effective DoS known to mankind.
... in programs (setting aside administration issues such as passwords)
1. string.h
2. sprintf
3. system
4. char buff[255];
5. snprintf(buf,len,user_input);
Let's face it, C's string handling is the biggest cause of security problems on the Internet. Static strings are evil. Too bad there is no standard way to handle them in C.
Nearly a 1TB /home partition, damn that's a lot of pr0n!!
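An added example (my own code, not part of the post above) putting the list's last two items side by side with bounded replacements: a fixed-size buffer that cannot be overrun because the copy is length-limited with snprintf and the user string is passed as data behind a "%s" format, plus a small counter that shows how many conversion directives a string like "%x%x%n" would trigger if it were ever passed as the format itself, as in the post's `snprintf(buf,len,user_input)`. The input strings are constructed.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* The pattern from the post, kept only as a comment because it overruns the
 * buffer for long input:
 *     char buff[255];
 *     sprintf(buff, "%s", user_input);      // no length limit
 *     snprintf(buff, sizeof buff, user_input); // user_input IS the format
 */

/* Bounded copy of user_input into dst. Returns 1 if the input was truncated,
 * 0 if it fit, -1 on bad arguments. dst is always NUL-terminated on return
 * because snprintf guarantees it when dstlen > 0. */
int bounded_copy(char *dst, size_t dstlen, const char *user_input)
{
    if (dst == NULL || dstlen == 0 || user_input == NULL)
        return -1;
    /* "%s" is the format; user_input is data and can never be interpreted. */
    int n = snprintf(dst, dstlen, "%s", user_input);
    if (n < 0)
        return -1;
    return (size_t)n >= dstlen ? 1 : 0;
}

/* Counts printf conversion directives in s, i.e. what snprintf(buf, len, s)
 * would act on if s were used as the format. Any non-zero result for an
 * attacker-controlled string means stack reads (%x) or writes (%n) are
 * possible. "%%" is a literal percent sign and is not counted. */
int format_directives(const char *s)
{
    int count = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {   /* escaped percent, skip both characters */
            s++;
            continue;
        }
        count++;
    }
    return count;
}

int main(void)
{
    char buf[255];
    char big[400];                      /* constructed over-long input */
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';

    printf("truncated=%d stored=%zu bytes\n",
           bounded_copy(buf, sizeof buf, big), strlen(buf));
    printf("directives in \"%%x%%x%%n\": %d\n", format_directives("%x%x%n"));
    printf("directives in \"100%% done\": %d\n", format_directives("100%% done"));
    return 0;
}
```

The copy reports truncation instead of silently cutting the string, so the caller can reject over-long input rather than process a mangled value.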
...is that, for the Unix vulnerabilities, most of them have long since been replaced by better, more secure alternatives. Where I work, nobody has used the word "telnet" or "rexec" for years. Nobody here runs sendmail, or sadmind, or SNMP stuff. It's basically a list of "don't ever use this ancient crap" tools.
But for the Windows vulnerabilities, they're all related to current, recent, flagship, "this is what you should be using" products. No alternatives within the Windows world.
You cannot apply a technological solution to a sociological problem. (Edwards' Law)
No, this won't work, either. The security officers will spend all their time in petty turf wars with sysadmins and power users.
Not to say there isn't a role for that - intrusion detection, firewall, virus scanning, etc. - but the sysadmins have to be held responsible for security, and *rewarded in practice for good security*, or things will never get anywhere.
I mean if someone is running his own computer with nothing important or valuable on it, why bother to lock down of every hatch and door?
I'm still running default RedHat 7.1 installation with ADSL and have never been hacked. If I am, I'll just reformat everything and start with a clean installation. It's much easier than trying to keep all the security holes patched up.
"Why is that dangerous?" I hear you ask? As we drive more and more traffic to a small number of ports (read: everything on port 80) because of draconian firewall and proxy servers, and even driving all traffic to one protocol (read: http) a large number of services will still be running, but will now be undetectable without traffic analysis, which is mostly voodoo technology right now. The bugs and security holes are still there, but now they are hidden from us because we've conditioned everyone that non-80 is firewalled (see SOAP and Microsoft's dotNET -- in order to avoid firewalling, they are basically going to do RPC over port 80 using HTTP!)
I agree that unused services need to be shut down, but at the source of the problem and not at the firewall. We need to encourage new protocols to make use of new ports so that we can manage this stuff -- the more we drive traffic away, the harder our job will be. Please, if you are in charge of a firewall, take time to think about what you are doing to everyone else when you institute strict policies that only make you safer in the very short term. Not only are you hurting yourself, but you're giving your users and network a false sense of security.
Besides, the attacks du jour of late have all propagated over SMTP and HTTP, haven't they?
The wheel is turning, but the hamster is dead.
Imagine how long it will take to fsck that ext2 partition... or are they running an experimental file system (ReiserFS)?
Does anyone has any idea what the slashdot effect looks like ??? I have no idea how many we are clicking on those links but it must hurt.
-Linux is SO fast it does an infinite loop in 5 seconds.
Internet Information Server
~ now you know
MS is clearly the villain here. They're so negligent in the design of their security-less products that now there are many people who have been financially harmed who don't even use MS software. Not only is the time right for the govt to impose security standards on careless software vendors, but perhaps it is also time for those who have been harmed to start organizing class-action product liability lawsuits against the offenders.
On a similar note, it is also time to demand exhaustive sourcecode audits on existing software products that were written largely by foreign programmers (who were employed at lower pay, and as "temporary" employees so that their employer could weasel out of paying proper benefits). Do you trust such software for your mission-critical systems? Who knows what time-bombed or surreptitious code has gotten placed into those products and slipped past the slip-shod lame excuse of quality control?
Equally negligent are broadband vendors that give away connection hardware, but can't be bothered to include a firewall or software that will check for open ports. These vendors won't make the simplest effort to ensure the product they are selling is secure, yet will not take the responsibility when their service dies due to DOS attacks. These DOS attacks are largely possible because of the massive number of wide-open computers created by their broadband connections.
This is not a rant; this is a statement of reality. Vendors can not, and should not, expect the consumer to be skilled enough to provide adequate levels of security. This is why houses and cars come with locks. Sometimes consumers lock themselves out, but that is a minor inconvenience. As an extreme example, many shoes now have Velcro, and most cars, at least in the U.S., have automatic transmissions.
No stream of security patches, warnings, and news items will solve the problem. The consumer is not skilled enough to keep up. Until the default configuration is secure, until vendors are forced to take monetary consequences for their defective products, and until the consumer is trained to suffer the imposed inconveniences, we will continue to see the same sort of problems.
-- MarkusQ
- DDOS attacks, etc. that use your machine to do the dirty work,
- Net worms which may be propagated from an insecure machine
- back doors: perhaps you will do something useful, valuable, or important on your computer in the future, only to get clobbered or ripped off by whoever's bug installed the backdoor, not to mention the loss of your time to recover your valuable work (if you even can) or to reinstall and reformat.
- remote keyboard monitors... first time you use your credit card to make an online purchase, and bam, script kiddie has your cc # and can attempt to use it or sell it to even less scrupulous folks,
- and my personal favorite reason: to make it less worth the script kiddies time to try to take down yours, mine, and everybody else's machines for kicks and giggles. Think about the bragging rights between "hey my new ultra-virus took down four machines, or "hey, my new ultra-virus took down 200,000 machines..."
But let me offer a different perspective. What if the security holes in your machine allowed big gov't, or someone else, to snoop on what you were doing online all the time? Would you think about closing the security holes in your machine then? Course, if those four machines were the front end machines for M$, that might be worth a brag or two ;-)
...Open Source isn't the only answer -- but it's almost always a better value than the alternatives...
watashi is the feminine version, "watakushi" is a more formal but gender neutral version, and "boku" is the more masculine but less polite version of the English word "I".
Looks like he/she fixed the "no" to "wa" though.
BTW, I've seen Japanese chars (presumably via unicode) in some /. sigs now that I have Japanese language support enabled. Anyone know where I can get more info on how to enter unicode chars into HTML, etc. from a regular PC?
At least I learned that not even the services that have 'secure' in their name are to be trusted completely :-)
A year and a half old advisory, and sites still refuse to fix it. http://www.cert.org/advisories/CA-2000-02.html
Some of you will remember the problems with Hotmail relating to cross site scripting. Newsflash, it affects your site too!
-- these are only opinions and they might not be mine.
pronoblem
"Windows vulnerability" is technically a tautology.
[look that up in your Funk & Wagonals.]
try { do() || do_not(); } catch (JediException err) { yoda(err); }
(place some signature here)
Linux boxes are much more secure than any of the competitors. Solaris is getting better; UnixWare is pretty hopeless (see BUGTRAQ). NT is
Bullshit. You're lying to yourself. One OS is not automatically more secure than another. Notice the first problem they noted: Default installations of operating systems and applications. They meant all operating systems, they didn't say 'RedHat and Debian are pretty good, you'll probably be okay with them, or at least more okay than someone using Windows.' Not only is this the most important point of the article, all other vulnerabilities stem from it. They all exist because of complacency with the current state of security of a system.
Security is not determined by OS. Period.
A system's security depends on the administrator's vigilance in keeping up to date on patches. Sure, Windows has had a lot of exploits lately, but how many of these exploits were not patchable? Hmm. Conversely, Linux and other Unix systems have not been as widely, or at least as publicly, attacked lately. Is this because they have fewer holes? Redhat 7.1, about 6 months old, has 23 security alerts listed. 7.0 and 6.2 both have over 60. So, there are likely more out there in 7.1. Many of these are critical and involve remote root exploits. Feel safe? I hope not.
(Li||U)nix can be attacked with the same efficiency as what we've seen happen to Windows systems in the past few months. Administrators aren't simply better because they admin Unix boxes; that's proven in the article, which says 50% of the copies of BIND that were running in mid 1999 were vulnerable. It would make sense that a similar percentage of other security risks exist as well.
I'm not bashing Unix, and I'm certainly not saying that Windows is a more secure OS. It's a moot point. What I'm saying is that people who blame the OS for their mistakes are wrong. They're using Windows as a scapegoat, and ignoring the real problem behind this.
Unix will be hit by one of these sometime or another, and it will be just as publicized because it will likely use the same distribution methods as before, email.
Go back, read the article again, paying close attention to the generic problems they mention. These are the basic things that any admin has to look at, every day. A machine is never secure. You can be sure of that.
Fundamental architectural things like user accounts that cannot trash the system, files don't become executable solely based upon their names, and Unix documents typically don't carry virii.
Would we have even heard of email virii if a unixlike system was the world's desktop- I doubt it.
"Intuitive" is not a scientifically definable absolute independent of the observer; it's a subjective cultural bias in fact. For example, the other day one workstation was bluescreening with disk errors, unable to write to c: After Ghost copying everything to a new disk it did the same, exact thing. The user had put this thing called "Go Back" (from Adaptec) on it so that if any changes to Windows wipe out everything, you can 'go back' to the config you had before it got trashed. Due to many years experience working with Msft prods, my INTUITION says, "This is a software problem". And then I had to use Linux fdisk to delete the GoBack partition because the Win98 fdisk couldn't! (to wipe the disk and reinstall everything) It takes over your disk somehow.
True story from the McSE file.
try { do() || do_not(); } catch (JediException err) { yoda(err); }
They're not even security holes! Like "G3 - Non-existent or Incomplete Backups". This is not a "hole". If you do not do backups, it does not leave you at higher risk of being "hacked", it only means that if you are hacked, the consequences are more severe. This should be in a separate section entitled "risk prevention". "G6 - Non-existent or incomplete logging" is the same.
G1 and G2 are too vague. They are simply good security guidelines, not specific holes.
"G4 - Large number of open ports" is also idiotic. I could have written a daemon which listens on a thousand different ports, but that doesn't make it a security hole.
Other than that, the list is pretty informative, in usual SANS fashion. But if you're actually trying to talk about security vulnerabilities, you shouldn't just pad the list out with good practice guidelines to reach 20. While those issues should be highly publicized, I don't think this is the way to go about it.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
You forgot the most obvious one of all:
Microsoft Works.
XML is like violence. If it doesn't solve the problem, use more.
They forgot an important one that I know has nipped all of us at one time or another. An ex-girlfriend (boyfriend for you female admins out there) knowing your root password. Now that's a pain in the ass! You dump her for one reason or another and take your copies of Starcraft and Diablo with you when you go and you nuke her e-mail account on your co-lo. She gets pissed and tells her HaX0R brother or new boyfriend your root password and he puts a kiddie pron site up on your server or bastardizes your computer. Royal pain in the ass. Moral of the story: Men, get computer-illiterate women.
#!/bin/sh
# Anti-spoofing rules for the G5 item (filtering on source/destination address).
# The rules go on the input chain: it sees every packet as it arrives, and there
# -i names the interface the packet came in on. (On the forward chain ipchains
# treats -i as the OUTGOING interface, which would invert the meaning of rules 1-4.)
MY_NET=1.2.3.4/5      # placeholder: replace with your own public prefix
INT_DEV=eth0          # interface facing the internal network
EXT_DEV=eth1          # interface facing the Internet
# 1. Any packet coming into your network must not have a source address of your internal network
ipchains -A input -i $EXT_DEV -j DENY -s $MY_NET
# 2. Any packet coming into your network must have a destination address of your internal network
ipchains -A input -i $EXT_DEV -j DENY -d ! $MY_NET
# 3. Any packet leaving your network must have a source address of your internal network
ipchains -A input -i $INT_DEV -j DENY -s ! $MY_NET
# 4. Any packet leaving your network must not have a destination address of your internal network.
#    (no negation here: a packet from inside addressed back inside has no business crossing the firewall)
ipchains -A input -i $INT_DEV -j DENY -d $MY_NET
# 5. Any packet coming into your network or leaving your network must not have a source or destination address of a private address or an address listed in RFC1918 reserved space. These include 10.x.x.x/8, 172.16.x.x/12 or 192.168.x.x/16 and the loopback network 127.0.0.0/8.
ipchains -A input -i $EXT_DEV -j DENY -s 10.0.0.0/8
ipchains -A input -i $EXT_DEV -j DENY -s 172.16.0.0/12
ipchains -A input -i $EXT_DEV -j DENY -s 192.168.0.0/16
ipchains -A input -i $EXT_DEV -j DENY -s 127.0.0.0/8
ipchains -A input -j DENY -d 10.0.0.0/8
ipchains -A input -j DENY -d 172.16.0.0/12
ipchains -A input -j DENY -d 192.168.0.0/16
ipchains -A input -j DENY -d 127.0.0.0/8
### REMOVE the next 3 rules for masquerading systems (the inside hosts then legitimately use RFC1918 sources)
ipchains -A input -i $INT_DEV -j DENY -s 10.0.0.0/8
ipchains -A input -i $INT_DEV -j DENY -s 172.16.0.0/12
ipchains -A input -i $INT_DEV -j DENY -s 192.168.0.0/16
# 6. Block any source routed packets or any packets with the IP options field set.
# This is done at the kernel level under Linux, and is usually set by default.
I can't believe Microsoft's Unicode bug. Everybody implementing Unicode has been warned about the possible security problems with allowing illegal sequences. This issue was addressed in the specifications, for God's sake! And when this issue came to light, there would've been a big stink. Why was it ignored? Clearly Microsoft does not care about producing usable software.
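An added example, not from the comment above or from any vendor's code: a cut-down UTF-8 decoder in two modes. The lenient mode accepts the overlong two-byte form C0 AF as '/', which is how a request path like ..%c0%af..%c0%af reaches the filesystem as ../../; the strict mode rejects overlong sequences, as the specification requires. It also shows why a ".." check on the raw bytes misses the traversal while the same check after decoding catches it. The sample path bytes are constructed, and only 1- and 2-byte forms are handled (an assumption to keep the example short; 3- and 4-byte forms are treated as invalid).

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Decode one UTF-8 sequence starting at p (not reading past end). Stores the
 * code point in *cp and returns the number of bytes consumed, or 0 for an
 * invalid sequence. strict=0 accepts overlong 2-byte encodings (C0 xx / C1 xx),
 * strict=1 rejects them. Only 1- and 2-byte forms are handled here. */
size_t utf8_decode_one(const unsigned char *p, const unsigned char *end,
                       unsigned *cp, int strict)
{
    if (p >= end)
        return 0;
    if (p[0] < 0x80) {                       /* plain ASCII */
        *cp = p[0];
        return 1;
    }
    if ((p[0] & 0xE0) == 0xC0) {             /* 110xxxxx 10xxxxxx */
        if (end - p < 2 || (p[1] & 0xC0) != 0x80)
            return 0;
        unsigned v = ((p[0] & 0x1Fu) << 6) | (p[1] & 0x3Fu);
        if (strict && v < 0x80)              /* overlong: must be 1 byte */
            return 0;
        *cp = v;
        return 2;
    }
    return 0;                                /* 3-/4-byte forms not handled */
}

/* Decode in[0..inlen) into out as ASCII ('?' for non-ASCII code points).
 * Returns 0 on success, -1 on an invalid sequence or if out is too small. */
int utf8_to_ascii(const unsigned char *in, size_t inlen, char *out,
                  size_t outlen, int strict)
{
    const unsigned char *p = in, *end = in + inlen;
    size_t o = 0;
    while (p < end) {
        unsigned cp;
        size_t n = utf8_decode_one(p, end, &cp, strict);
        if (n == 0 || o + 1 >= outlen)
            return -1;
        out[o++] = cp < 0x80 ? (char)cp : '?';
        p += n;
    }
    out[o] = '\0';
    return 0;
}

/* Returns 1 if any '/'-separated component of path is exactly "..". This must
 * run on the DECODED path; on the raw bytes it sees no separators at all. */
int has_dotdot(const char *path)
{
    const char *s = path;
    for (;;) {
        const char *sep = strchr(s, '/');
        size_t len = sep ? (size_t)(sep - s) : strlen(s);
        if (len == 2 && s[0] == '.' && s[1] == '.')
            return 1;
        if (!sep)
            return 0;
        s = sep + 1;
    }
}

int main(void)
{
    /* Constructed: the bytes of "..%c0%af..%c0%afwinnt" after percent-decoding. */
    static const unsigned char raw[] = "..\xc0\xaf..\xc0\xafwinnt";
    char out[64];

    printf("check on raw bytes:  dotdot=%d\n", has_dotdot((const char *)raw));
    if (utf8_to_ascii(raw, sizeof raw - 1, out, sizeof out, 0) == 0)
        printf("lenient decode:      %s  dotdot=%d\n", out, has_dotdot(out));
    printf("strict decode:       %s\n",
           utf8_to_ascii(raw, sizeof raw - 1, out, sizeof out, 1) == 0
               ? out : "rejected");
    return 0;
}
```

The order of operations is the whole lesson: validate the encoding, decode, and only then apply path checks; a check that runs before decoding is checking a different string than the one the filesystem will see.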
They did not mention one exploit that was cross site scripting, even though there have been many many advisories from CERT.
Protecting input from being executed on the server side does not help here. It is also not at all limited to cgi applications. In some cases, it's been the web server itself, in others, it's been the app server. It's also not limited to "user input", which many programmers seem to consider to be the form fields. It's really any input value that can be passed to the program from the external world: paths, id's, options, etc. Also, a common place where these holes show up is in error messages spit back to users. Hardly a place where people look for patching.
-- these are only opinions and they might not be mine.
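As an added example (not the poster's code): an HTML-escaping routine applied to the case the comment singles out, an error page that echoes the requested path back to the user. The request path is constructed; the page template is a stand-in for whatever the server actually renders.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Escape s for safe insertion into HTML body text or a double-quoted
 * attribute value. Returns the number of characters written (excluding the
 * NUL), or (size_t)-1 if out is too small. out is NUL-terminated on success. */
size_t html_escape(const char *s, char *out, size_t outlen)
{
    size_t o = 0;
    for (; *s; s++) {
        const char *rep;
        switch (*s) {
        case '&':  rep = "&amp;";  break;
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        default:   rep = NULL;     break;
        }
        size_t need = rep ? strlen(rep) : 1;
        if (o + need >= outlen)            /* keep room for the NUL */
            return (size_t)-1;
        if (rep)
            memcpy(out + o, rep, need);
        else
            out[o] = *s;
        o += need;
    }
    out[o] = '\0';
    return o;
}

/* The comment's point: the "not found" page echoes the requested path, so the
 * path must be escaped before it goes into the markup. Returns 0 on success,
 * -1 if either buffer is too small. */
int not_found_page(const char *requested_path, char *page, size_t pagelen)
{
    char esc[512];
    if (html_escape(requested_path, esc, sizeof esc) == (size_t)-1)
        return -1;
    int n = snprintf(page, pagelen,
                     "<html><body><h1>404 Not Found</h1>"
                     "<p>No such file: %s</p></body></html>", esc);
    return (n < 0 || (size_t)n >= pagelen) ? -1 : 0;
}

int main(void)
{
    char page[1024];
    /* Constructed request path of the kind a cross-site scripting probe sends. */
    if (not_found_page("/<script>alert(1)</script>", page, sizeof page) == 0)
        puts(page);
    return 0;
}
```

Escaping is applied at the point of output, not at input, because the same value may be stored, logged and rendered in several places, and only the renderer knows which context it is writing into.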
Awesome to see something useful posted to slashdot for a change. ;-)
I've been wanting to clean up my firewall a little but I just seem to have a hard time wrapping my head around the structure for IPChains. That's a nice mini-tutorial script there.
but good advice nonetheless. If you want to delete hidden directories in /tmp, *DON'T* do
cd /tmp
rm -rf .*/
Believe me, I tried.
AC
Using software of doubtful quality is irresponsible
Then don't use software. There's no such thing as software that is bug free, and certainly no such thing as an OS that is secure.
You're ignoring the entire point. If you don't maintain a system it is just as hackable as any other non-maintained system. Since you seem to like unrelated analogies let me give you this one: Say you have a boat, it has a hole in it the size of a quarter. The other guy has a hole the size of a softball. Sure he's going down quicker, but if you don't plug your hole you're going to the same place.
It's fscking stupid to choose an OS because you think it's more secure than another. Choose it because it's easier to maintain, because it has more features, is easier to use, is cheaper, whatever, but don't lie to yourself and say it's more secure.
Give me three servers installed two years ago, RedHat 6.2, Windows NT, and Solaris and left to sit. Which is more secure? Doesn't matter. They've all got huge holes just waiting to be exploited. Now set up these machines today, maybe the Solaris one wins out today, but without maintenance, they're all screwed.
You can't back up the assertion that (LI||U)nix is less prone to problems than Windows. If you go back 6 months that might appear to be the case, but go back years, and you see a huge number of exploits on Unixes.
I've been adminning boxes of all varieties for years now. I had a RH 6.2 box compromised because of a WU-FTPd exploit about a year ago. When this happened I acknowledged in the report that it was because I had not patched WU-FTPd. Not because WU-FTPd had a hole. There was no excuse for the hole not to be patched, because the patch was out and RedHat had issued an advisory; I had simply screwed up.
Finally, your entire argument makes no sense.
No, this is a fact, you provide no evidence whatsoever to the contrary, just a silly analogy that makes little sense. What isn't smart is thinking your OS is somehow immune to attack.
Here's a real Security Hole for you!
As I said:
IF I GET HACKED, I'll reformat and install a clean installation.
Man, the MS trolls have really taken over when this crap is "Insightful"
As Bruce Schniidreifeirerer (could never get that last name right) says (in some manner):
there will still be some idiot with their password written on a post it on their computer, so no matter how much you fix and patch, there is always a dumber user.
There are some odd things afoot now, in the Villa Straylight.
Yes, it will work! Computer security is a SPECIALTY that must be learned. It is not a general skill that all computer professionals possess, like how to reboot an NT workstation. Until business managers recognize this fact, and hire well-trained computer security professionals to care for their networks, the problem will continue.
It is possible for a SysAdmin with good management skills in a large network to take ultimate responsibility, if he agrees to oversee the job performed by the actual security specialist. This is similar to "computer managers" in some companies who themselves are not highly skilled programmers, or aren't the best at troubleshooting hardware glitches, but just oversee those who do. To hold a SysAdmin responsible is just giving managers a scapegoat for when problems arise.
But to dump the responsibility on the sysadmin will not work. This has been failing miserably for almost 30 years.
----------
"Against stupidity the gods themselves contend in vain." - Schiller
Many rootkits replace standard utils (ps, top, etc.) or modify utmp/syslog facilities, or just basically do WHATEVER it takes so that YOU DON'T know that you've been hacked..... whatta moron.
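As an added example (not code from the thread) of the kind of cross-check that comment argues for: once ps and top may be lying, the cheapest sanity checks are to read the process list straight from the kernel's /proc and compare it with what ps reports, and to compare the hashes of the watched binaries against a baseline taken on a clean install and stored off the box. The script below assumes a Linux-style /proc and a ps(1) that accepts `ps -eo pid=`; the list of watched binaries and all sample data are constructed for illustration.

```python
# Added example, not from the thread: two cheap cross-checks against the
# trojaned-utility problem (a rootkit that patches ps/top or edits
# utmp/syslog so the compromise stays invisible).
# Assumes a Linux-style /proc and a ps(1) accepting "ps -eo pid=".
import hashlib
import os
import subprocess

# Constructed list; pick the binaries a rootkit on your platform would trojan.
WATCHED = ["/bin/ps", "/usr/bin/top", "/bin/login", "/bin/ls", "/bin/netstat"]


def pids_from_proc(proc_root="/proc"):
    """PIDs straight from /proc. A userland rootkit (trojaned ps, LD_PRELOAD
    filter) cannot hide from this; a kernel-module rootkit can, which is
    the caveat on the whole approach."""
    return {int(name) for name in os.listdir(proc_root) if name.isdigit()}


def pids_from_ps(ps_output):
    """Parse the output of 'ps -eo pid=' (one PID per line, no header)."""
    return {int(tok) for tok in ps_output.split() if tok.isdigit()}


def hidden_pids(kernel_pids, ps_pids, recheck=lambda pid: True):
    """PIDs present in /proc but absent from ps. A process that exited
    between the two snapshots would look hidden too, so each candidate is
    re-checked before it is reported (recheck=still_alive for live use)."""
    return sorted(pid for pid in kernel_pids - ps_pids if recheck(pid))


def still_alive(pid, proc_root="/proc"):
    """Does /proc still have an entry for this PID?"""
    return os.path.isdir(os.path.join(proc_root, str(pid)))


def sha256_bytes(data):
    return hashlib.sha256(data).hexdigest()


def verify_baseline(baseline, read_bytes):
    """Compare watched binaries with {path: sha256} taken at install time and
    kept off the machine. read_bytes(path) returns the contents, or None if
    the file is missing. Returns the paths that changed or vanished."""
    bad = []
    for path, expected in sorted(baseline.items()):
        data = read_bytes(path)
        if data is None or sha256_bytes(data) != expected:
            bad.append(path)
    return bad


def read_file(path):
    try:
        with open(path, "rb") as fh:
            return fh.read()
    except OSError:
        return None


if __name__ == "__main__":
    ps_out = subprocess.run(["ps", "-eo", "pid="], capture_output=True,
                            text=True, check=True).stdout
    hidden = hidden_pids(pids_from_proc(), pids_from_ps(ps_out), still_alive)
    print("PIDs visible in /proc but not in ps:", hidden or "none")

    # On a freshly installed and patched box you would take this snapshot,
    # copy it somewhere the box cannot write to, and re-run verify_baseline
    # against it later. Here it is taken and checked in one go, so it
    # reports nothing unless a file changes underneath us.
    baseline = {p: sha256_bytes(read_file(p)) for p in WATCHED
                if read_file(p) is not None}
    print("baseline entries:", len(baseline))
    print("binaries differing from baseline:",
          verify_baseline(baseline, read_file) or "none")
```

The hash check is only as good as the baseline's storage: a baseline kept on the compromised disk gets rewritten along with ps. The /proc comparison only catches userland tricks; if the kernel itself has been modified, both views agree and lie together, and the trustworthy check is the package manager's verification (rpm -V, debsums) run against the disk from clean boot media.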
The solution that I prefer is to code in, say, SmallEiffel, and have the compiler generate the C code. The Eiffel code is calls to library routines that have been checked. (Well, almost well enough... and if it were in common use it would improve rapidly.) This can generate C code which has all the normal virtues of a portable assembler. And there are other advantages, like builtin garbage collection, and builtin documentation, and design by contract features. Which you can turn off when the development is done, and you want to speed things up.
Plus, if you really need to, you can drop into C for a small routine that's too cumbersome in Eiffel. (This part is easier in Python, though... pity there's no way for Python to get the speed-up of compiled code.)
Of course a less drastic solution is for C to implement a standard library that fixes the problem (but you still have all those pointer casts... UGH!).
I think we've pushed this "anyone can grow up to be president" thing too far.
Yeah right. Security is a four-letter word in these kinds of places. At best you'll get a jr. sysadmin who looks at the logs and makes sure that snort and amavis are working correctly.
It seems like all of these things stem from the OS. Shouldn't we be creating distros that are meant to do one thing, and do it well and securely?
It seems like someone could make some money by putting out the "Tomcat" distro. Nothing but what is needed, that's it. You could have your firewall wide open and it wouldn't matter; all that would be open is ports 80/443.
You could even create a web application to manage the whole thing. Sure there could be an exploit with it, but it will get found in testing if it's open, and everyone is scared to death of them.
Locking a network out is easy (any moron can do that; hey look, you just did), but you obviously have never worked in the industry. Companies NEED to have some services available; the trick for any security pro is to STILL keep the network that he/she is paid to protect secure AFTER the suits have determined what they NEED to have running, or in some cases (where they don't listen to their IT guys) just plain THINK that they need to have running.
You like to talk a hell of a lot.
You can decry my analogy all you want, but it _IS_ relevant. Sure you must keep your system up to date no matter which system it is, but that is no excuse for the shoddy craftsmanship of Microsoft's offerings. For anyone with a major need to keep their systems secure, Microsoft is the fool's option.
To say that the choice of Operating System does not matter in system security is a joke and flies in the face of established practices. Why do you think the NSA absolutely refuses to use Microsoft's software? By your reasoning the NSA should have no qualms with Microsoft because the only important thing is keeping up with security patches. Give me a break.
Another case in point: why do you think the insurance industry has higher premiums for covering Microsoft software? They have no interest other than monetary, and their experience is that Microsoft software breaks more often than other options. Either it is the software or the administrators or both. No more excuses please.
Your little hole-in-the-boat analogy does not change the fact that the person with the larger hole is going to go down faster, by your own admission. I would add that if any experienced sailor were to go to sea for any length of time, it would be a wise decision to take the most seaworthy boat, i.e. the boat least likely to develop holes!
You see I actually picked apart your little analogy without just dismissing it as not appropriate or silly. You are not fooling anyone.
I understand that you are trying to stress the need for good system administration, and I am telling you that _choice of software_ is absolutely one of the primary factors.
It's too bad misguided people somehow think that C is a good language to write security-critical network apps in. In fact, it's very nearly the worst language to write such apps in.
The fact of being automatically buffer-overflow free alone should make people drool over the prospect of using a high-level, safe language. Not to mention better productivity, code reuse, and even sometimes performance.
What mindset drives this crazy practice?
was pretty much "get the latest version," IIRC.
It's not like sendmail, BIND and IIS became highly secure packages in the interim. Did you really think that there would be no holes found in these three (just to pick on a few easy targets) over the year following the publication of the original list?
You might start with the versions of these programs that the OpenBSD team has gone through. What bugs or weaknesses exist in them? (Let's stick to weaknesses that are not inherent to email or DNS, i.e. weaknesses that qmail and djbdns have fixed for you.)
I wouldn't not recommend anything by DJB, but let's not get carried away with invective.
Unlimited growth == Cancer.
I did a default install of OpenBSD 2.7, and the RPC daemon was listening.
BTW, RPC daemon is for NFS mounts.
Isn't that approach sort of like getting treated for the flu after you have given it to all of your friends, instead of getting a flu shot first and never passing the flu bug on?
...Open Source isn't the only answer -- but it's almost always a better value than the alternatives...
> Nearly a 1TB /home partition, damn that's a lot of pr0n!!
;-)
Not really.