Linux Worm Spreading, Many Systems Vulnerable

sverrehu writes "A GNU/Linux worm exploiting a bug in OpenSSL spreads through vulnerable Apache web servers, according to Symantec. The worm, which was first reported in Europe, targets several popular Linux distributions. See also the SecurityFocus vulnerability listing for the OpenSSL bug." sionide also writes: "Netcraft recently published a report which explains that a large portion of Apache systems are still unpatched (halfway down). To protect yourself please upgrade to OpenSSL 0.9.6g."

Finally

[SpanishInquisition]

Linux can compete with Microsoft.

Open Source Vulnerable Too

[P!erCer]

People need to know that Open Source is just as vulnerable to viruses and worms as proprietory software is... The hackers target the most widespread software, which is more often than not Windowware. Apache is one of the most widespread Linux programs, and its infection is a sign of things to come as more people leave Windows.

Re:Open Source Vulnerable Too

[delta407]

Just as vulnerable, perhaps. However, with open source software one has the ability to go in and fix the problem rather than waiting for some vendor to do it for you. That's where the power lies -- often, when a vulnerability is discovered, a report is sent out including exploit code and a patch to correct the issue.

That's what makes open source software overall more secure -- the turnaround time with patches is a lot faster.

Re:Open Source Vulnerable Too

[delta407]

Nothing can defend against admins who won't patch their software. They dig their own grave and sign the epitath of all the systems they run.

Re:Open Source Vulnerable Too

[chris_mahan]

Nobody ever said computer programming was easy. It's a difficult job, full of arcane knowledge and fraught with pitfalls. This is why not everybody can be one, and this is why the good ones ought to be paid well.

Airline pilots are highly trained and constantly upgrade their skills, and are highly paid.

Likewise, programmers who run enterprise-strength systems have heavy responsibilities. This is not something one ought to go into for the money, but rather, for the love and dedication to the craft. (not aircraft)...

As far as QA, I tell you what. If the system is designed correctly, it will need very little QA. I know this because some systems can never get it right, no matter how much QA go into them, because of fundamuntal design flaws.

And yes, designing computer software is hard. Like heart surgery. One slip of the old wrist and it's flatline.

Nice boiler-plate advisory

[Jeffrey+Baker]

The advisory at Symantec advises the reader to update their virus definitions and run a full system scan. Presumably they are talking about Symantec anti-virus products, but if they make such a product for Linux/x86, I could not detect it on their website.

Re:Nice boiler-plate advisory

[sheriff_p]

Mod parent down. Just because Mr Baker is too lazy or ignorant to find this: http://enterprisesecurity.symantec.com/products/pr oducts.cfm?productID=65
hardly seems to mean his post is in the least insightful.

...so?

[delta407]

Okay, so this vulnerability was published and corrected over a month ago. Of course it's still growing; a lot of people still haven't patched their servers. How is that newsworthy? It's been out for quite a while now, anyway, and nothing is different today from yesterday. Nothing horrible has happened, it's just continuing to do what it was designed to do.

Besides which, the impact is a lot less than, say, Code Red which affected a much larger number of machines -- it hit all unpatched IIS servers versus unpatched SSL-enabled Apache servers.

Again, I ask, how is this news? What has changed that made this story worth reporting again?

0.9.6e is good

[photon317]

Contrary to the slashdot post, you only need to be up to 0.9.6e to be safe. If you happen to just now be upgrading past this bug, 0.9.6g is even better, but if you're already running "e" you are safe. The article kinda alarmed me at first when I saw the "g", thinking there was a new exploit in "e" and I needed to upgrade again.

Yeah, So...?

[NetJunkie]

Most MS exploits that hit Slashdot are the SAME WAY. MS releases a fix 6 weeks before, most admins don't patch, and then the big exploit hits.

Welcome to the world of mainstream. :)

Re:Yeah, So...?

[GigsVT]

You are correct, but it's just a matter of time until MS's glacial turn around time, and outright refusal to fix certain bugs, combined with a "windows update" that often doesn't apply all the needed fixes, or installs patches that undo other patches.... I could go on...

Anyway, it's going to bite them, in a big way. Recently some "combination attacks" have formed, i.e. a series of non-critical security flaws that can be combined to gain total system access.

This is combined with their aggressive end-of-life program which EOLs software that is still in widespread use, completely dropping even critical security bugfix support for said software. As Windows 2000 nears EOL in a couple years, that is when we will really see the shit hit the fan. Hell, my girlfriend got a contract job to migrate systems from NT4 to 2000 last week. With no compelling reasons to upgrade, a lot of people are going to be running unpatchable systems in a couple years. Of course this is MS's whole strategy, to force people to upgrade their software just to get critical bugfixes.

RedHat 7.3 fix already in openssl-0.9.6b-24?

[leighklotz]

According to the Symantec report cited in the story, the bug in openssl is this which is reported as RHSA-2002-155, for which the the fix is openssl-0.9.6b-24.i386.rpm for RedHat 7.3 i386 (plus some other RPMs for other versions, or other RPMS for other versions of RedHat). Maybe the 'g' build from openssh.org is necessary, but RedHat seems to think they've already fixed in in their "b-24" release.

Re:RedHat 7.3 fix already in openssl-0.9.6b-24?

[Wdomburg]

> Maybe the 'g' build from openssh.org is
> necessary, but RedHat seems to think they've
> already fixed in in their "b-24" release

Red Hat typically backports security fixes from later releases to the version they shipped with the distribution release to avoid introducing unrelated changes.

Note that RHSA-2002-155 is now superceded by RHSA-2002-160, which additionally addresses CAN-2002-0659.

Matt

Linux is losing an important edge

[JaredOfEuropa]

Of course, it was only a matter of time before hackers showed an interest in this OS. Most parts being open source, perhaps that means that holes in the OS or applications are easier to find, but that goes for both the hackers and for people on the up-and-up. I'm surprised it took so long, and it will certainly happen again. The real question is: how will the admins of the affected or vulnerable servers act, and how many are aware of the issue?

And that is where Linux is starting to lose its edge on Windows: the quality of the sysadmins. With the risk of being accused of making a crass generalisation, I'd say that many, many Windows sysadmins are of the point-and-click Mickey Mouse variety. Worse, not just the admins, but the infrastructure architects as well. After all, all you need to set up a domain is to complete one easy wizard, right? I have seen the result in all its ugly glory. Linux on the other hand required an admin who knows what he is doing, since there were no easy wizards. Much configuration was by editing files, with the how-to printouts in hand.

I say "required" in the past tense, since Linux is becoming easier and easier to set up. Some distros are close to the point where I'd be happy to give the CD to my mom and have her set up her own desktop. That is not a bad thing. Yet, I already have seen a few (very few, thankfully) "sysadmins" setting up Linux boxes for database or web services, without really knowing what they are doing. When we get to the point where managers themselves can set up Linux, they will be tempted to hire less and less qualified staff, as has already happened to a large degree with Windows NT.

My fear is that Linux servers will be run by less qualified people in the future, and that it will cause the proliferation of aggressive and effective Linux virii.

Re:Linux is losing an important edge

[madenosine]

it was only a matter of time before hackers showed an interest in this OS

hackers? interested in linux?! no way!

...it had to be said

Wrong Answer for Red Hat Linux

If you follow the stoopid /. suggestion, and compile/install the new OpenSSL you are going to leave RPM nirvana and enter "random untracked apps linked against random untracked libraries" hell.

The correct solution is to run:

up2date -u

OR, if you don't use the free Red Hat Network., run:

rpm -Fvh ftp://updates.redhat.com/X.Y/en/os/i386/mod*
rpm -Fvh ftp://updates.redhat.com/X.Y/en/os/i386/apache*
r pm -Fvh ftp://updates.redhat.com/X.Y/en/os/i386/openssl*
rpm -Fvh ftp://updates.redhat.com/X.Y/en/os/i686/openssl*

Of course, replace X.Y with your version such as 7.0, 7.1, 7.2, 7.3, etc.

PEOPLE! Package management is GOOD. You should get and apply the updated packages from your vendor/distro. Slashdot editors/submitters should get a clue instead of recommend solutions that ultimately fsck stuff up.

Re:Wrong Answer for Red Hat Linux

[yem]

Retrieving ftp://updates.redhat.com/7.3/en/os/i386/openssl-0. 9.6b-28.i386.rpm

So RedHat doesn't have the latest version on the ftp site?

Don't worry. Redhat has an irritating policy of backporting fixes into previously released versions of each package. Its the revision number that counts. Check the date on that file.

OT: Anyone care to elaborate on why apache 2.0.40 requires at least openssl 0.9.6e? I modified the configure script to accept 0.9.6c and it was happy enough...

Re:Wrong Answer for Red Hat Linux

[devnullkac]

Well, I've been keeping my RedHat 7.3 up2date and I got hit. I didn't know it until I read this post, but last night TicketMaster Brasil (of all places) pinged my server one minute before the characteristic /tmp/.uubugtraq file appeared. The only thing that saved me was that the link phase of the worm compilation failed due to missing libraries (specifically, RC4 and MD5).

I agree that package management is good, but it looks like RedHat is running behind on this one. I'll be closing down the SSL port on my firewall for now :-(

Although I never saw it actually operating, you can probably clear the worm from your system via the following command (though you'll have to take measures to ensure it doesn't come right back):

killall -9 .bugtraq

The worm itself is nicely commented; it even has a disclaimer that the author isn't responsible for any harm:

Peer-to-peer UDP Distributed Denial of Service (PUD)
by contem@efnet

<snip>

I am not responsible for any harm caused by this program!
I made this program to demonstrate peer-to-peer communication and
should not be used in real life. It is an education program that
should never even be ran at all, nor used in any way, shape or
form. It is not the authors fault if it was used for any purposes
other than educational.

Doubt the disclaimer will keep him out of jail for life, though

Re:Wrong Answer for Red Hat Linux

[ajs]

Redhat has an irritating policy of backporting fixes into previously released versions of each package.

Debian and FreeBSD among many others do the same thing.

I hate to say it

[ealar+dlanvuli]

But don't a decent amount of the readers here make statments like "At least us linux admins patch our boxes regularly". And "There is a patch avadiable that night, and most linux admins patch asap; whereas MCSE's never patch".

I hope I never see another post stating that again, ok? Especially not a god damned +5 one.

What about...

[seanadams.com]

...non-Linux systems running Apache/OpenSSL?

I realize the binary may not run on FreeBSD/OSX/etc., but the vulnerability itself is not Linux-specific, right? Could the virus be ported?

Sorry, I'd RTFA but it's slashdotted.

Competence closes this hole too...

[rainmanjag]

It seems to me that some basic precautions close this hole before you are even vulnerable... first, only root should be able to run gcc... and second, the webserver daemon should not be running as root anyways... I've never administered an apache server, only AOLServer, and it won't even *let* you run it as root... so if you can't get the server to run code as root and only root can run gcc, then you've got no problems...

-jag

How Do We Solve The Lazy Admin Problem?

[Carnage4Life]

The primary thing that has concerned me the most about most web based worms is the fact that they usually infect systems using exploits that have long since been patched. This is true for both *nix and Windows worms.

Unfortunately given human nature, we can't rely on sys admins and end users to patch their boxen. Almost every mechanism I can think of to automate this process either calls for automatically updating machines (which sucks if a patch breaks an untested scenario and also may need some legal exemptions) or some similar mechanisms to enable computers to help themselves.

Any Slashdotters have any thoughts about this?

Re:How Do We Solve The Lazy Admin Problem?

[Hanno]

Easy. Hire an admin. Pay him to do it.

And then: Don't forget to get a new admin if your old admin leaves the job.

Those machines that have an admin are usually taken care of. But most security issues I see are with clients who have a server that some guy did the setup for some two or three years ago, then left a year later and since then nobody looked after the machine.

As one ad's catchphrase put it correctly you never talk about the server until it fails.

Being the guy in my little company who's responsible for updating the clients' servers, I often experience how clients have a hard time understanding that software support, updates and log checks are necessairy -- because from their perspective this is work without "results".

They can't check if I really did something when I give them a month's bill with x hours for security updates on their machine.

I often explain to them that this server care is a bit like toothbrushing... (Which, btw, is the actual name of that task we use in my company.)

Re:How Do We Solve The Lazy Admin Problem?

[Hanno]

That's what distributions are for... But currently, distributions rely that users check for updates every once in a while. Maybe distributions need an automated security upgrade status check whenever a system goes online.

I could imagine a ip-up.d script (for dialups) or cron job (for dedicated lines) that connects to a distribution mirror site, then asks for a current status of available security upgrades (using signed communication to avoid man-in-the-middle attacks).

If the system is found to run outdated packages, it could warn the user. If it runs dangerously insecure packages, it could even stop the insecure services, maybe even disconnect the machine.

In today's case, after dial-up the upgrade status check would stop any https-related services and tell the user how to update. If no update was available, it would allow the user to reactive the service but only after a stern warning that he should better wait for the updated packages.

Just a thought...

Re:How Do We Solve The Lazy Admin Problem?

[Garin]

It isn't lazy admins. It's lazy management. There is one exception -- home servers. In that case, it's a lazy (or ignorant) user-turned-admin.

Security is about risk management. It's about process, procedure, and diligence. Security is not a technology problem, and it is not solved by geeks.

You can have a secure server farm running virtually any kind of software out there (including M$ products). How? By having a tight, auditable system. You carefully install the systems, documenting your procedure and following best practices (even if you develop them -- the important thing is to have a process). You maintain them on a schedule, leaving nothing to chance. You document the configuration thoroughly, and you enforce rigorous change control.

You might not even have OpenSSL upgraded even though it's vulnerable! You have to decide how much risk is acceptable and worthwhile, but the trick is to consciously and deliberately evaluate the risk, and decide how you're going to deal with it.

This applies to everything. You don't leave it up to your sysadmins to decide whether or not they should upgrade -- it's a part of a checklist that must be done, and can be independently verified at any time. It's part of a procedure that will allow new upgrades to be thoroughly tested and carefully rolled out to avoid downtimes due to unexpected incompatibilities between new and old versions. Imagine someone unwittingly upgrading apache from 1.3 to 2.0, without full testing on a major production system or even realizing that there may be configuration differences.... Nightmarish.

The only way to truly run a secure system is to realize that it has to be extremely carefully planned and managed. It's a hell of a lot of work, and it costs a lot of money. So it quickly becomes an exercise in traditional risk management. This is where the suits and the high-priced consultants often come in. You have to find out how much everything is worth, and what kind of risk you're willing to tolerate (or conversely, how much security you can afford given your environment). You will never be 100% mathematically inpenetrable, but you can reduce your risk to a level that you're comfortable with.

Obviously, this kind of thing scales. If you have a simple system, your plans and procedures can be fairly simple as well. As long as you have a solid verifiable plan, and you stick to it, you'll be fine. If you have a complicated system, your security management is going to be complicated as well.

Security Lists

[Q2Serpent]

This is why I subscribe to the Mandrake Security mailing list. I got an e-mail about this a little while back, did a "urpmi --auto-select", saw ssl in there, and bang. No more problem for me.

-Serp

Incidents.org just released an advisory as well...

[McCow]

Seems a bit more detailed.

Here is the alert:

published: 2002-09-13
OpenSSL, the collection of libraries and programs used by many popular
programs, has had a number of security problems recently. It looks like
the problems are not over yet.

It has been discussed on several mailing lists, that aside from the
exploit known for openssl 0.9.6d, there are exploits available for
even the most recent version (0.9.6g).

As a precaution, we recommend to disable programs that use openssl as
much as possible. The exploits available so far focus on apache, which
is probably the most common exposed service that is using openssl.
As a precaution, we recommend disabling SSLv2, if you have to run an
Apache server with mod_ssl enabled. The magic configuration lines
are:

SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!NULL:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:-LO W:+SSLv3:+TLSv1:-SSLv2:+EXP:+eNULL

One of the openssl apache exploits was found to install a DDOS agent
called 'bugtraq.c'. It uses port 2002 to communicate and can be used
to launch a variety of DDOS attacks. This program uses UDP packets on
port 2002 to communicate, not necessarily to attack.

- //cow
cow's go muu~

Re:only Intel systems?

[Mr+Z]

Actually, the stacks are usually pretty similar. (On most Linux boxes, stacks grow towards lower addresses, except on Alpha, IIRC. Heaps depend on the libc implementation, not the CPU.) As a result, the structure of a buffer flow vulnerability doesn't change much from machine to machine.

The big difference that keeps this 'sploit tied to x86 is the instruction set. You can't run x86 instructions on other CPUs by default. (Ignoring FX!86 on Alpha, since it's not likely to step up to bat on your shellcode anyway.)

--Joe

...and opens another one!

[devphil]

first, only root should be able to run gcc...

Thank you, try again.

While are you are correct in saying that a limited subset of users should be permitted to run the compiler, that subset should never be the superuser. Compilers have security holes too, and gcc has been no exception. (was it 2.7 or 2.8? don't recall, too tired)

Never do your compiling as root.

Maybe the stats aren't as bad as they think...

[orius_khan]

"Almost half of the 22 million Apache HTTP sites found by the survey are running Apache/1.3.26, whilst only around a quarter of the Apache SSL sites are running this version, which fixes the chunked encoding vulnerability."

Does this statistic take into account that some Linux distros (for example, RedHat) backport the bugfixes to earlier versions of Apache/OpenSSL/etc.??

All of our servers are running Apache 1.3.23, but it's 1.3.23 release 14 which DOES include the fixes for the bugs mentioned on that page. If they are simply going by the Apache version number reported, then they may be over-estimating the number of vulnerable web servers by several million...

But you all know what they say about statistics anyway...

Re:Maybe the stats aren't as bad as they think...

[schon]

That's a good philosophy if you know you'll never need to compile anything on them and the machines are purely dedicated to being webservers.

Ahem, did you READ what you're replying to?

Many Linux boxes though run more than just Apache and many people need gcc

Again, try READING the post, then attempt to understand what he's saying.

Here, I'll summarize for you:

PROPERLY CONFIGURED PRODUCTION MACHINES SHOULD NEVER HAVE COMPILERS ON THEM

YOU COMPILE STUFF ON NON-PRODUCTION MACHINES, AND INSTALL WITH A PACKAGE MANAGER

many people need gcc

Not on production boxes they don't.

if they've gained access to your box, what stops them from pulling down a GCC package for your architecture

This is a good question; simply put, because it would be lots and lots of work, that can be undone very easily.

It's not a big deal for a hacker to root a box and do something like that, but it's a HUGE deal for a worm to do it - according to the bugtraq discussion, this current version of the worm frequently gets the attack wrong, because it misidentifies the Apache version and platform, and gets the injection vector wrong. Now imagine if it had to identify not just the Apache version, and the archetecture, but the whole machine environment so that it can come up with a working build environment?

Imagine coming up with a way to identify every possible platform out there, and then obtaining or compiling a version of GCC for each one, and then storing it, so that the worm can automatically retrieve it. (GCC - with all of the includes, libraries, etc. is quite large.)

Then you have to make the worm available to download the correct version of GCC - which means that you either have to identify yourself (you put it on your own server), or you have to put it on a compromised server, and hope that the admin doesn't notice the gigabytes of tarballs now being served by his machine.

And regardless of which way you choose, you've just made it ridiculously simple to negate all the hard work you've just done: once the white hats find out where the data is coming from, they just notify that server's upstream connection, and your work is for naught.

What to look for in your logs

[GT_Alias]

I noticed some strange stuff a week or two ago in my Apache logs, watch out for this stuff in your ssl_engine_log file:

[27/Aug/2002 20:02:19 23525] [error] OpenSSL: error:1406B458:SSL routines:GET_CLIENT_ MASTER_KEY:key arg too long
[27/Aug/2002 20:02:22 24087] [error] OpenSSL: error:1406B458:SSL routines:GET_CLIENT_ MASTER_KEY:key arg too long

Thing is though, that "key arg too long" error is part of the July patch to OpenSSL, so you won't see it if you aren't patched. Hopefully this log signature doesn't become as familiar as nimda scans.

Not overrated.

[Cardinal]

How many webserver administrators have the skills to look at the Apache sourcecode (or in this case, the OpenSSL sourcecode), find the bug, and fix it?

All the skill it should take is to apt-get upgrade or up2date, or whatever the distro in question uses for updates. Debian woody had the patch posted immediately. So the skills needed to update your Apache system are no different from those needed to patch code red (Which, a year after its creation, is still roaming around)

The often tauted ability to "go in and fix things" or even to simply "contribute" is highly overrated. Who found and fixed this bug? Was it some random user, or one of the original developers?

Well, judging by the advisory from the OpenSSL team (Dated July 30, btw, this is hardly a new issue) and a cursory glance over the developer list, the advisory issue was not found by anyone on the development team. So, I'm going to have to go ahead and disagree with you. I consider the ability of users to find and patch security vulnerabilities to be a benefit of free software that simply cannot be overstated.

Having said that, I'll concede the obvious. Most end users are not skilled in the ways of finding or fixing bugs. However, there are zero end users of proprietary tools who even have the option of patching security holes in the software upon which they depend.

So, while some may say "But any user can find/fix security holes when it's free software!" I'll simply say "But any user has the freedom to find/fix security holes when it's free software!" Whether or not the user has the skills is irrelevant, what's important is that the option is there.

Nobody is Answering

[Arandir]

Okay, no one is answering the obvious question: Is this an OpenSSL bug, a Linux bug, or a GNU bug?

The submission states "A GNU/Linux worm" and "a bug in OpenSSL". But OpenSSL runs on a heck of a lot of systems that aren't Linux. Does this exploit only affect Linux systems running OpenSSL, or does it affect any system running OpenSSL?

some earlier are ok too -- vendors have backported

[Xylantiel]

In Debian, at least, the fixes were backported to 0.9.6c. Updated packages fixing this problem were released almost a month an a half ago for all major distributions. (July 30 for Debian., packages numbered 0.9.6c-2.woody.0)

Also as mentioned by another poster, the netcraft report about the number of unpatched apache servers is complete nonsense. This is an openSSL bug, which has nothing to do with the apache version number, which what they measure and use to conclude people haven't updated.

(presumably older apache versions don't work with the newer openSSL libraries. Guess what... that's why the fixes were backported!)

Re:Glad to see Redhat helping out...themselves

[zulux]

Microsoft doesn't charge for updates, patches, and service packs.

Funny that, I thought I paid Microsoft $135 for Windows 98. Perhaps I'm just imaging it. Oh well, I look forward to receiving the free versions of Windows that you seem to think are out there.

Oh wait. Then I realise that your just full of BS. Hell, even Office 2000 SP2 disables installations of Office 2000 that are useing known "pirated" instalation keys. So much for "free."

Jesus, I just drank half a bottle of wine, fucked my girfriend, fired up the Thinkpad and noticed your BS, and I still make more sense than you.

That's a bit arrogant, dontcha think?

[the_skywise]

It's not a "lazy" admin problem.

There've been too many admins who've been burned by a "security patch" that broke the system in some other way. When your computers need to be up 24-7, and you can have, at most, about 4 hours of down time, you're going to be VERY selective about what patches get added to the system. Or from another viewpoint, I just got burned by an XP "security patch" that for some reason broke my autodial functionality so that my routing table went straight into my local network. I had to reinstall Windows XP to get the functionality back... I'm not about to start putting those security patches back on. I don't like it, but my system works. (I run firewall and antivirus software as well, so its not like my butt is completely uncovered, either)

Admin's are not only responsible for the computers and OS's themselves, but the network communications layer, hard drive resources, ALL of the apps on those boxes (and their associated patches), plus help desk support, new computer setups, and old computer shut downs, and let us not forget software licensing management issues.

IT Admins also painfully understand the one part of Software Engineering that Software Engineers don't. Any change to the program WILL have functional differences.

Automating updates can work because it takes the load off of the admin. But as you point out, there are legal issues, plus there's the above issue where you don't necessarily want to install all of these patches because your system works "as is". On the flip side, Norton's LiveUpdate for their anti-virus software runs pretty well. But NAV is a very distinct application and purpose, and doesn't have ripple effects throughout the rest of the computer system.

Also there's an apple and oranges comparison to Microsoft and Linux problems here. Microsoft got its bad press not from legitimate security issues, but because Outlook allowed the very ACT of receiving an email a vector for running a virus/trojan horse through the preview pane. Because Word allowed any document to take control of the users hard drive and begin deleting files, grab the email address book and replicate itself. That's a whole different ballgame than exploiting IIS through stack overflow issues, or exploiting this loophole in OpenSSL. There's a difference between "defeating/exploiting security" and "leaving the doors wide open.". But now, thanks to Microsoft PR to spin their problems and Linux PR to make Microsoft look bad, ALL exploits are equal so that the least exploit is just as important as a truly criticial one and THAT adds to the Admin's workload, and leads back down the road of not getting these patches installed.

In the end, the power and the responsibility lie with the Sys Admin. Which is where it should be.

Re:Linux is No Match For Microsoft !

[allolex]

point one

I know this is Slashdot, but some evidence for Symantec's anti-Linux bias might be useful and relevant.

point two

And in reference to some other posts about GNU/Linux not being Apache and Microsoft Windows not being IIS, remember that IIS and Windows are ostensibly developed by the same company, whereas GNU/Linux and Apache are separate open source projects. Blame can be distributed much more broadly in the GNU/Linux world.