£10,000 Prize for Linux Virus Challenge Re-Issued

mutantcamel writes "Eddie Bleasdale, the director of NetProject has been offering £10,000 to the first hacker to infect his Linux machine with a virus for the last two years, and so far no one has hit the jackpot. He's re-announced his challenge to virus writers following a Gartner report which told IT depts. not to trust MS server software because of recent worm attacks on their servers, but a Microsoft exec said yesterday that the hugely successful worm attacks were due to 'tardy' sysadmins."

This is Stupid

Keep in mind that default Redhat installation ships with many bugs that all need to be patched. Saying someone can't hack this kids linux box is a reason not to trust MS is just plain stupid. If IT dept. would patch their software and not open idiot attachments you couldnt infect MS BOXES EITHER. Its all about PATCHING, no matter which OS you use.

Think about it, most MS bugs had patches before they went widescale. If you had taken time to install these patches you wouldn't have been infected. In addition, don't open EXE's that ask for your advice and its extremely hard to infect an NT system as well.

You cant compare an upgraded and constantly patched linux box to a default Win2k installation.

Re:This is Stupid

[ryanr]

The patches for holes that Nimda took advantage of had been available for months. The relevent BIDs can be found in here:
http://aris.securityfocus.com/alerts/nimda/010921- Analysis-Nimda-v2.pdf

Does it have to be a virus?

[neema]

Does he just want his linux box destroyed or does it have to be a virus? He can give me his address, I'll gladly fly down to his house and smash up his linux box with a bat for 10,000 pounds (that's around 14,534 dollars and 22 cents).

If businesses want to make their networks secure

[Skapare]

If businesses want to make their networks secure, they need to hire someone who cares and knows how, and pay well to get that person. Then don't hinder them with petty things like bureaucracy. They should report directly to the CTO or CIO, or actually be the CTO or CIO.

Have you ever worked as a real sysadmin?

[dustpuppy]

I agree that some of the responsibility lies with the sysadmin, but then again, the OS should be designed well enough that the patches are minimal.

I work in an enterprise unix environment and getting time for outages to apply patches is incredibly tough when you are running 24x7 systems that are critical to the operation of the customer.

Sure, we try to patch systems when we find out about security holes, but there comes a time when you cannot simply afford to take your systems down every week to apply new patches. Now I don't deal with MS stuff so I can't comment authoritively, but it seems that the number of patches with MS products is never ending. This stops being a sysadmin problem and becomes a vendor (ie Microsoft) issue. Ultimately, it's a sloppy coding issue that lies with Microsoft.

Re:Have you ever worked as a real sysadmin?

[warpeightbot]

I work in an enterprise unix environment and getting time for outages to apply patches is incredibly tough when you are running 24x7 systems that are critical to the operation of the customer.

WHAAAT?!?!

When I worked at a certain Very Large Airplane Company, we had a very simple procedure for emergency upgrades:

• Patch the backup server (you do have a backup server, don't you?)
• Fail over to the backup server (you do have a failover procedure, don't you?)
• Patch the main production server
• Fail back to main

Sometimes several days would elapse between the patch/failover/patch and the fail back.... because we had capacity planned the failover host to be able to run the production floor at full speed, and there was no use slamming things around without necessity. Besides, it was a good test for the failover machine to run for a day or three as production just to see....

Yes, most system incursions are preventable with good patching and good firewalling. Yes, this applies across ALL OSen. Yes, Microsoft code is crappy and the number of security updates is thru the roof, but that's not the point of this argument.

The point is that if you can't get an outage to apply a critical patch whose absence may cost you a full reinstall and a weeks' downtime, you have a management problem and a design problem, not a vendor problem or a sysadm problem..... and you need to be thinking (a) what's the best way to fix this, and if that doesn't give you any good answers (b) where do I want to work next. Because sooner or later somebody's going to 0wN j00, and if your ass isn't grass you'll wish it were.

Windows Update?

[sharkey]

Microsoft exec said yesterday that the hugely successful worm attacks were due to 'tardy' sysadmins.

So the admins responsible for Windows Update are considered 'tards by Microsoft? After all, windowsupdate.microsoft.com was reportedly "hacked by Chinese" this summer.

Hope people have read the Gartner report...

[SmileyBen]

Before people start slamming the Gartner report again, I hope they've read it. People seem to be under the impression that Gartner said that IIS simply wasn't secure and that other things are better - and that the response to this is 'duh, any machine which isn't updated isn't secure'. That isn't a valid response at all, because what Gartner very specifically said was not that IIS couldn't be secured, but that it is simply uneconomical because of the time and effort it takes to update IIS.

I.e. Just what they are saying is 'We all know you need good sysadmins to make sure systems are up to date with security patches, but in the case of IIS you'll have to employ someone to spend all their time doing this, and that simply isn't the least expensive way to go'....