Slashdot Mirror


£10,000 Prize for Linux Virus Challenge Re-Issued

mutantcamel writes "Eddie Bleasdale, the director of NetProject, has been offering £10,000 to the first hacker to infect his Linux machine with a virus for the last two years, and so far no one has hit the jackpot. He's re-announced his challenge to virus writers following a Gartner report which told IT depts. not to trust MS server software because of recent worm attacks on their servers, but a Microsoft exec said yesterday that the hugely successful worm attacks were due to 'tardy' sysadmins."

20 of 296 comments

  1. Virus challenge ... by zangdesign · · Score: 3, Interesting

    So ... write a virus and get rewarded for it? What kind of world do we live in where criminals get rewarded?!

    I guess crime does pay ...

    --
    To celebrate the occasion of my 1000th post, I will post no more forever on Slashdot. Goodbye.
    1. Re:Virus challenge ... by DumbSwede · · Score: 3, Insightful
      Yeah and don't forget those criminals Orville and Wilbur Wright who broke the law of Gravity.

      The point here isn't to encourage a plethora of Linux viruses, but to show how relatively safe Linux is compared to Micro-suck. Plus any security hole found, would no doubt be plugged much quicker than a Windows security flaw, which probably has to be reviewed by marketing and the legal department before a fix is forthcoming.

    2. Re:Virus challenge ... by kypper · · Score: 3, Insightful
      So ... write a virus and get rewarded for it? What kind of world do we live in where criminals get rewarded?!


      Wow... I'm sure that will get modded as troll, but he has an interesting point. I question whether some gov agency won't step in and try to arrest anyone who manages to do it.

      Remind you of the DVD-encrypt stuff? I know I am not stupid enough to try and prove to the world that I can wreak havoc. Especially not now. That reward will go on unclaimed.

    3. Re:Virus challenge ... by firewort · · Score: 3, Insightful

      Just let Ashcroft call all virus-authors terrorists, then see what's criminal!

      the 4th Amendment- it was nice while it lasted...

  2. Win the price by tcc · · Score: 3, Insightful

    And will you be called a "gifted programmer" a "security expert" or a "terrorist"?

    In these times and with all of what's happening with all the laws passed, I wouldn't even dare touching that kind of contest, sure it's gonna make a possible winner popular, but could be also seen as a prime suspect for writing trojan code, and since law enforcement at higher levels often tries to find someone to blame, well, you know the rest.... (as in wrongfully accused, lack of proofs and still convicted, etc etc).

    --
    --- Metamoderating abusive downgraders since my 300th post.
  3. This is Stupid by Anonymous Coward · · Score: 4, Interesting

    Keep in mind that default Redhat installation ships with many bugs that all need to be patched. Saying someone can't hack this kid's linux box is a reason not to trust MS is just plain stupid. If IT dept. would patch their software and not open idiot attachments you couldn't infect MS BOXES EITHER. It's all about PATCHING, no matter which OS you use.

    Think about it, most MS bugs had patches before they went widescale. If you had taken time to install these patches you wouldn't have been infected. In addition, don't open EXE's that ask for your advice and it's extremely hard to infect an NT system as well.

    You can't compare an upgraded and constantly patched linux box to a default Win2k installation.

    1. Re:This is Stupid by ryanr · · Score: 4, Informative

      The patches for holes that Nimda took advantage of had been available for months. The relevant BIDs can be found in here:
      http://aris.securityfocus.com/alerts/nimda/010921-Analysis-Nimda-v2.pdf

    2. Re:This is Stupid by BlowCat · · Score: 3, Insightful
      You can't compare an upgraded and constantly patched linux box to a default Win2k installation.
      I don't understand what you are referring to. The Gartner report discourages using IIS on maintained systems. It is not about default installations.

      The guy just holds a contest. You can do the same with a Windows box. It won't mean that you are comparing patched Windows with the default Linux installation. It will only mean that you are testing how stable patched Windows can be.

      Too bad that a lot of slashdot moderators sympathize with M$ so much that they moderate up very weak arguments that just please them.

  4. Does it have to be a virus? by neema · · Score: 5, Funny

    Does he just want his linux box destroyed or does it have to be a virus? He can give me his address, I'll gladly fly down to his house and smash up his linux box with a bat for 10,000 pounds (that's around 14,534 dollars and 22 cents).

  5. Re:'tardy' sysadmins by Skapare · · Score: 3, Interesting

    I do find myself somewhat agreeing with Microsoft on this. Bugs happen. Open source may have fewer of them, but they happen with open source, too. Very few open source systems are secure "out of the box". Any admin that assumes otherwise, for BSD, or Linux, or Microsoft Windows, is a retard. Comparing an improperly administered system of one class to a tightly secured system of another is really pointless. It's comparing a retard to someone who knows what they are doing, and cares.

    --
    now we need to go OSS in diesel cars
  6. If businesses want to make their networks secure by Skapare · · Score: 4, Insightful

    If businesses want to make their networks secure, they need to hire someone who cares and knows how, and pay well to get that person. Then don't hinder them with petty things like bureaucracy. They should report directly to the CTO or CIO, or actually be the CTO or CIO.

    --
    now we need to go OSS in diesel cars
  7. Have you ever worked as a real sysadmin? by dustpuppy · · Score: 5, Insightful

    I agree that some of the responsibility lies with the sysadmin, but then again, the OS should be designed well enough that the patches are minimal.

    I work in an enterprise unix environment and getting time for outages to apply patches is incredibly tough when you are running 24x7 systems that are critical to the operation of the customer.

    Sure, we try to patch systems when we find out about security holes, but there comes a time when you cannot simply afford to take your systems down every week to apply new patches. Now I don't deal with MS stuff so I can't comment authoritatively, but it seems that the number of patches with MS products is never ending. This stops being a sysadmin problem and becomes a vendor (ie Microsoft) issue. Ultimately, it's a sloppy coding issue that lies with Microsoft.

    1. Re:Have you ever worked as a real sysadmin? by InsaneGeek · · Score: 3, Insightful

      Not to start a flame war, but your argument is fairly weak. This same argument would apply to Linux distros, if you went by the sheer number of security issues they have had over the past years. So far this year Redhat alone has had over 54 vulnerabilities (which is more than the 42 that Windows has had so far). And don't get me started on the 2.4 kernel fiasco, it's one thing to release early and release often, but it's another to have multiple kernels get released within mere days of each other because they introduced new bugs due to sloppy code.

      I've seen a whole lot of sloppy code coming out of Unix-centric projects (gives me shivers at night). But I think that the problem that MS has is less with sloppy code (I think their code really isn't any more sloppy than the rest of the world), but their OS design around one user instead of multiple users. MS has a much better file level security model than most unix platforms (throw ACL's and you've got a contender), but everything & everybody pretty much has to have hooks as an admin user. It's really the equivalent of having Grandma sitting in front of a Linux system as a root user; if Microsoft could take the single user admin privilege (for both the user and the apps) away then the issue would really start to go away.

    2. Re:Have you ever worked as a real sysadmin? by warpeightbot · · Score: 5, Informative
      I work in an enterprise unix environment and getting time for outages to apply patches is incredibly tough when you are running 24x7 systems that are critical to the operation of the customer.
      WHAAAT?!?!

      When I worked at a certain Very Large Airplane Company, we had a very simple procedure for emergency upgrades:

      • Patch the backup server (you do have a backup server, don't you?)
      • Fail over to the backup server (you do have a failover procedure, don't you?)
      • Patch the main production server
      • Fail back to main
      Sometimes several days would elapse between the patch/failover/patch and the fail back.... because we had capacity planned the failover host to be able to run the production floor at full speed, and there was no use slamming things around without necessity. Besides, it was a good test for the failover machine to run for a day or three as production just to see....

      Yes, most system incursions are preventable with good patching and good firewalling. Yes, this applies across ALL OSen. Yes, Microsoft code is crappy and the number of security updates is thru the roof, but that's not the point of this argument.

      The point is that if you can't get an outage to apply a critical patch whose absence may cost you a full reinstall and a week's downtime, you have a management problem and a design problem, not a vendor problem or a sysadm problem..... and you need to be thinking (a) what's the best way to fix this, and if that doesn't give you any good answers (b) where do I want to work next. Because sooner or later somebody's going to 0wN j00, and if your ass isn't grass you'll wish it were.

  8. Windows Update? by sharkey · · Score: 5, Insightful

    Microsoft exec said yesterday that the hugely successful worm attacks were due to 'tardy' sysadmins.

    So the admins responsible for Windows Update are considered 'tards by Microsoft? After all, windowsupdate.microsoft.com was reportedly "hacked by Chinese" this summer.

    --
    "Outlook not so good." That magic 8-ball knows everything! I'll ask about Exchange Server next.
  9. Responsible by error0x100 · · Score: 3, Redundant

    What happens if someone is successful and unleashes a particularly nasty linux virus on us?

    Then the particular exploit will be patched, people will learn from the experience, and Linux will be a better, more secure system as a result.

    If we discourage people from trying to break systems, we end up with weak systems.

    Making Linux more secure today may result in some costly damage today - but will result in a more secure Linux, which will (as more and more people install and rely on Linux) almost certainly prevent orders of magnitude more damage several years from now. If we allow systems to become "weak", but continue installing millions more such systems, sooner or later someone will write a truly malicious virus, and the damage will be far greater in that case. Think man.

  10. Hope people have read the Gartner report... by SmileyBen · · Score: 5, Informative

    Before people start slamming the Gartner report again, I hope they've read it. People seem to be under the impression that Gartner said that IIS simply wasn't secure and that other things are better - and that the response to this is 'duh, any machine which isn't updated isn't secure'. That isn't a valid response at all, because what Gartner very specifically said was not that IIS couldn't be secured, but that it is simply uneconomical because of the time and effort it takes to update IIS.

    I.e. Just what they are saying is 'We all know you need good sysadmins to make sure systems are up to date with security patches, but in the case of IIS you'll have to employ someone to spend all their time doing this, and that simply isn't the least expensive way to go'....

  11. RedHat next best thing to Microsoft by Felinoid · · Score: 3, Interesting

    You're right about RedHat. They throw together the worst Linux distro.
    RedHat has lost track of the whole idea of a distro. It's a "value added" Linux.. a better Linux than you'd get if you did it yourself.
    Not RedHat..

    The whole point is you shouldn't need to patch it.
    The defects found in RedHat and Windows are really stupid.
    Yeah don't run attachments.. smart idea.. Let's remember that this is a FEATURE Microsoft ADDED. It's not a defect. Windows was made this way.
    Give Microsoft a break for the first virus. Ok done.. Need the first infection to learn. Well great but the stupid patch is on the human side.

    Let's also remember that Windows is designed to be "user friendly" in other words users don't know better. Linux is made with the os developers in mind.. not the average user. So before you could run an e-mail virus you'd have to know enough about Linux to recognise the virus for what it is.

    Now before we get further on the "RedHat".. RedHat is not Linux... RedHat is one single distro that competes with Microsoft for the title of "the most bugs"... and last I heard RedHat held the title.. Not Microsoft.

    Going into the past there have been many brown bag Unixes that were far worse than anything Microsoft put out. It's not like Microsoft or RedHat has ever achieved the title of "all time most buggy".
    But those companies went away. Pushed under by Sun Microsystems long before Linux saw the light of day.

    Yes you can pick out a Linux distro that is as bad if not worse than Microsoft.. I know RedHat isn't the only brain dead distro.
    So you can't just buy the first Linux distro on the shelves any more than you could buy the first used car you see.

    But you can't shop around for a better Windows.

    Finally as I understand Windows admin are fearful of Microsoft patches. They are worried the fix will be worse than the disease...
    That fear doesn't seem to be shared by Linux counterparts.

    Ideally a Linux distro should be fine out of the box needing no patching. Not all distros have this advantage so you do need to shop around.

    A lot more preferable to patching Windows and hoping the patches don't make things worse.

    Basically for Linux you need to train users there is no way around this.
    If you want Windows to work correctly you have to train the users as well.

    Now what advantage did Windows have over Linux? Not needing to train anybody.
    Oh.. yeah well I guess that's not the case anymore.

    There aren't any viruses for Linux at the moment.
    If you want to argue the future fine be my guest but let's leave it at right now Windows has the lead in viruses. Linux won't catch up even if we wanted it to...

    --
    I don't actually exist.
  12. Makes me wonder... by trilucid · · Score: 3, Insightful


    I have to admit that *some* (okay, maybe a lot/most) of the infections were purely due to poor server administration. The story doesn't stop there though.

    I offer up as proof of what follows my Apache logs on my home machine for the last month. It's amazing how many machines out there seem incredibly interested in files such as "cmd.exe" and "root.exe", which (gasp!) don't exist on my Linux box. What's funnier is the fact that the vast majority of these attacks came from the BellSouth DSL network and various cable networks. I actually got to the point where I was ready to write a Perl script to grep up the nefarious log entries, nmap 'em automatically, and ship the results off to BellSouth's abuse department every 12 hours...

    The point I'm trying to make is simply that the biggest vector for the spread of this crap is home machines. MS can yap all day long about how poor admin'ing causes this, while they fail to admit that they've put horribly insecure web server software in the hands of average Joe and Jane Consumer. Now, I'm not saying it's all MS's fault; Joe and Jane are very much to blame too for not bothering to click "Start -> Windows Update" every once in a while.

    But I won't accept that MS can claim any sort of innocence on this. What about other /.'ers? How have your logs looked recently? Were the attacks on your network(s) mostly from commercial servers, or home-based machines?
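
A log summary along the lines trilucid describes, as an added example that is not part of the original comment: it picks requests whose file name is cmd.exe or root.exe out of Apache access-log lines and ranks the requesting hosts. The log lines are constructed samples using documentation address ranges, and the function names are hypothetical.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import unquote

# Apache common/combined log format: host ident user [time] "request" status size
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) \S+'
)
# The two file names the comment mentions.
PROBE_NAMES = {"cmd.exe", "root.exe"}


def probed_file(request):
    """Return 'cmd.exe' or 'root.exe' if the request's file name is one, else None."""
    parts = request.split()
    if len(parts) < 2:
        return None
    # Drop the query string, undo one level of percent-encoding, take the last segment.
    path = unquote(parts[1].split("?", 1)[0])
    name = re.split(r"[/\\]", path)[-1].lower()
    return name if name in PROBE_NAMES else None


def summarize(lines):
    """Return (hosts ranked by probe count, probe lines answered with a 2xx status)."""
    hits = defaultdict(Counter)
    served = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        name = probed_file(m.group("request"))
        if name is None:
            continue
        hits[m.group("host")][name] += 1
        # On a box without these files every probe should be a 404; a 2xx needs a look.
        if m.group("status").startswith("2"):
            served.append(line)
    ranked = sorted(hits.items(), key=lambda kv: (-sum(kv[1].values()), kv[0]))
    return ranked, served


# Constructed sample lines (documentation address ranges), not from a real log.
SAMPLE_LOG = [
    '192.0.2.10 - - [20/Sep/2001:04:12:01 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 276',
    '192.0.2.10 - - [20/Sep/2001:04:12:02 -0400] "GET /winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 290',
    '198.51.100.7 - - [20/Sep/2001:05:40:13 -0400] "GET /scripts/ROOT.EXE HTTP/1.0" 404 274',
    '203.0.113.5 - - [20/Sep/2001:06:01:44 -0400] "GET /index.html HTTP/1.1" 200 1043',
    '203.0.113.5 - - [20/Sep/2001:06:01:50 -0400] "GET /docs/cmd.exe.html HTTP/1.1" 200 512',
    'truncated line without a request',
]

if __name__ == "__main__":
    ranked, served = summarize(SAMPLE_LOG)
    for host, names in ranked:
        print(host, sum(names.values()), dict(names))
    print("probe requests answered with 2xx:", len(served))
```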

  13. So wrong, where do I start? by ttfkam · · Score: 3, Interesting
    Customers asked for an easy-to-use installer. Who delivered? Debian? Not even close. Debian is great for administration after it's installed, but getting it on the box in the first place has historically always been much harder than it needed to be.

    "The defects found in RedHat and Windows are really stupid."

    You haven't programmed much have you? (At all? No, patching a C file a couple of times and writing some bash scripts does not count as programming much) Most programmers know that there will be (not might be) bugs in the code. As far as stupid defects, yes they've both had their share. However RedHat is nowhere near Windows in terms of sheer volume of severe bugs. I don't know where you got your data. The last one that I saw was clearly biased (they counted general Linux bugs and RedHat-specific bugs together even though there was significant overlap).

    Also note that RedHat uses newer versions of programs than most other Linux distributions. They don't hide this fact. I applaud them for it. Why? Because if they didn't, glibc2 would not have been adopted as quickly as it was. And what about the "broken" compiler that came out with RedHat 7? People railed and hollered because they couldn't compile their kernels. Actually they could, but people conveniently forgot that RedHat posted notices in big letters that they have to use the older version of the compiler to compile (oh no! you have to use kgcc instead of gcc! how will users ever figure that out, especially if RedHat explicitly tells them that they have to). Yes there were bugs in the compiler. It was patched, but the kernel still didn't build. Why not? Because there was code in the kernel that was not compliant with the C99 standard. People's C++ code wouldn't compile anymore. Why? Because a lot of C++ code is plainly incompatible with the ISO98 standard of C++. You know that thing that Slashdotters are always railing about: STANDARDS. Or do you advocate ignoring standards when they don't suit you? Wouldn't that make you like Microsoft? These are standards that were ratified and publicly announced two and three years ago. How can you say that they snuck up on you?

    What does C99 give you?

    void myfunction ( int size ) { char foo[size]; }
    Allocated on the stack so no need for malloc or free (and fewer corresponding bugs) and basically eliminates the hacks out there to accomplish the same, like alloca.

    What does ISO98 C++ give you? The Standard Template Library. 'Nuff said.

    These are examples, but are indicative of a general trend.

    1. New library or suite that is noticeably better comes out
    2. RedHat recognizes that it is better, includes it in their distribution, tests, and releases
    3. People bitch and moan about how it breaks things that don't come with the distribution
    4. Everyone blames RedHat for doing a horrible job
    5. Because it is being used, the library in question gets a shakedown and most bugs are worked out quickly
    6. People reluctantly fix their programs to work with the updated library/suite so that they can run on RedHat
    7. In the course of fixing, people come across the advantages of the new library/suite and herald its arrival
    8. People deride the older version
    9. People forget it was RedHat that drove the newer, better library/suite into general use
    10. Goto 1 because geek memories appear to be very short
    If you want a closer-to-perfect RedHat box, install a copy from two versions ago and install all of the associated patches for it. This will be about the equivalent of a standard Debian install: very secure, but quite out of date. If you run Debian unstable or testing, while having more up-to-date software, you find that many of those "stupid defects" find their way into that distribution as well.

    --

    - I don't need to go outside, my CRT tan'll do me just fine.