Windows Security Holes Go Mostly Unexploited
murky.waters writes "Wired News has an article with a decidedly different take on security holes in Microsoft Windows: Despite the thousands of known exploits and virii, most MS users aren't targets of much harm, and the big guns such as Klez have had almost no effect on home users. An interesting read that, if true, challenges some common arguments."
Yeah just imagine the chaos if all of these flaws were exploited.
of these holes are exploited by adults who are quiet about it instead of big-mouth children?
It's Christmas everyday with BitTorrent.
Thousands of people are in dark alleys every day and rarely are any shot, raped, mugged or sodomized.
Banaaaana!
Unexploited == unpatched?
I know the difference, but I'm wondering what percentage of the unexploited are also currently unpatched?
Perhaps all the black hats are just saving up for, MWHahahaha, World Domination.
outlook. nuf'said.
someone forgot their virus statistics.
because they don't notice these viruses.
Saying that unprotected Windows machines go un-hacked is ridiculous. Just look at your server logs (if you run a web server). How many automated hack attempts do you see? Quite a few.
Tons of people are infected with viruses and spyware (now that shit should be illegal, god damn) but they never notice or care, as long as their computers keep working.
autopr0n is like, down and stuff.
That's because there are SO many exploits to choose from. Nobody has the time (or need) to exploit all of them :-)
As a contractor doing technical support for an ISP, I will attest to the fact that home users are hit very hard by problems such as Klez.
It's an epidemic.
On the other hand, we know of surprisingly few cases where machines were exploited on the network for other types of obvious security holes.
"We know of" being the key phrase.
The article mentioned does not specifically discuss Windows security holes (as the title of this thread suggests), but rather security holes in general, and goes on to mention the Linux Slapper worm in particular.
I find this typical of the slanted, Microsoft-bashing nature of posts here on Slashdot!
Experts who discover and report security holes seem to be far more industrious than the malicious hackers willing or able to exploit those holes.
The problem is that the article fails to mention that if the holes are not fixed, sooner or later the so-called malicious hacker will find them and exploit them *quietly*. This is a dangerous thing.
IMHO, better to expose it and then *quickly* fix it rather than do nothing.
The problem is now that Microsoft knows (or is being told) about the holes but often takes a very long time to fix them and sometimes ditches the bugs as "unimportant". This is even worse, as this *will* give plenty of opportunity for the hackers to implement the exploit.
--
Error 500: Internal sig error
They seem to go mostly unaffected because, first off, they never check their email (or don't know how) and secondly they wouldn't even know if they had it.
You know for being a virus, I'd think the authors would want to give it a cool name, like Infectita or Shadowbyte, I dunno SOMETHING cool. Instead, it's Klez, which sounds like a freeware puzzle game that sucks ass but has a lot of bright colors.
Cloud City Digital: DVD Production at its cheapest/finest
It's so bad that if you install Win98 on a fresh machine, password protect and share the C drive, and connect to the internet, you can get this variant within 5 minutes. Opaserv exploits a shared drive password flaw, and has full access to the machine. Then it will ruin the CMOS and main hard drive partitions.
From my tech support experience, this year has been the worst for exploits.
Quite interesting indeed. Just imagine the impact if every computer user running windows would be affected! ;)
My girlfriend's Windows 2000 machine was hacked about a month ago by script kiddies exploiting one of the recent exploits in a Microsoft product. They then installed 2 apps, a ghosting app that hides any application from the Taskbar and Tasklist, and mIRC with hacked up startup scripts to allow remote control when connected. They used the ghost app to hide itself and mIRC. Whenever she turned on her computer, it would load mIRC, hide it, then connect to EFNet. Then shortly after someone who would see it connect, would use it to mass-ping hosts in an attempt to DoS someone.
Needless to say, for the week this was going on, I noticed serious network problems at home. And pinpointed them to every time she turned on her computer, the network would lag to a stop. Finally after researching it I discovered what was going on.. I found the channel these guys hung out in, and she wasn't the only victim. They had a few hundred hacked users they could control.
So when I see reports like this, I suddenly get a whiff of steaming horse shit.
..There's a-dooin's a-transpirin'
why does this headline sound like an invitation?
In SOVIET RUSSIA... erm...NSA AMERICA, the Internet logs onto YOU!
I'm sysadmin at a public library with public dialup access. They get Klez by the dozens every month, so I wonder where the writer is looking for 'typical users'? I'm sitting in a rural parish (county for the rest of the US) in LA and have a pretty typical bunch of 'end users' in our population, with the one exception that I try as hard as I can to educate them as to the evils of Outlook (which falls on deaf ears) and pass out CD-ROMs and setup manuals documenting Netscape for web & E-Mail (which they ignore, whining about having problems getting Outlook Express configured). The only concession to unsafe computing is that I do give detailed configuration steps on getting IE past our federally mandated filtering system, because I know that a lot of sites and third party software depend on IE.
Democrat delenda est
Aside from pissing off the odd script kiddy in IRC or on some online game, why would anyone feel the need to hack or exploit my PC? There's nothing there of any import. And I doubt there is on 99.9% of all home PCs out there.
What are they gonna do? Edit someone's Sims save file to make them 6 year old girls? I've been DDoS'd and had various exploits tried against me in the past. The worst they could do is annoy me.
I mean, rock-solid security on your OS is all fine and good.. But I don't wear a bulletproof vest either, and it's ok, because I hardly ever get shot at.
I don't need no instructions to know how to rock!!!!
Gotta go write some new hacks for the k1dd14z to get busy with.
From the article:
"In the computer security game, you can't be an Edward Jenner and come up with a vaccine for electronic smallpox that will put you in the history books and eventually result in the complete eradication of the disease," George Smith said. "You can only be the guy that spots the electronic poison ivy and suggests people either steer clear or buy calamine."
That's not true. If you could come up with a vaccine that eradicated Microsoft, the disease would disappear along with it!
"If I could live to be several hundred
I could take a walk and really wander, really wonder."
Most Chevy Geo's are not broken into or stolen, so it would be OK for GM to just use the same key on them all, giving the owners the illusion of security.
I'm an American. I love this country and the freedoms that we used to have.
woah!
I had to completely restore Windows installations for one family member and one friend who both got hit by Klez...
- Steal the HS research paper on crop circles
- Grab secret financial information
- Use as a proxy to hide the hackers identity*
- Part of a DDOS attack*
Now, let's think of all the benefits of hacking a server/website. Also note the last 2 reasons for hacking a home computer are really for working with servers. The truth is, not too many people really care about hacking your computer, unless it's a means to an end.
Karma: SELECT `karma` FROM `users` WHERE `userid`=138474;
As we speak, someone is changing the news options on the RIAA website. However, they don't seem to be stopping them from doing it. I did grab a shot of a particularly amusing one though.
Oh, and just so everyone knows.
Gonzo Granzeau
"Nothing the god of biomechanics wouldn't let you into heaven for.." -Roy Batty
I left for a week for Christmas and I left my Linux box and Win XP box on the whole time. The Linux box was fine. The XP box had like 25 windows popped up, all advertisements, half of them advertising a service to block such ads. Had to click OK through all of them. Was fucked up.
each year, I might as well leave my front door unlocked, right? Or better yet, if I am a builder of homes, there is no reason to install those locks at all.
sure, most desktop holes go unexploited. it's not the personal desktop that crackers go after. let's face it, compromise one desktop, get one CC#. compromise a server, get hundreds, thousands, etc. the cost of windows server holes, glitches, etc., is untold millions. how many extra hours have been spent (and charged!!) to patch and then reconfigure, then repatch and reconfigure, update and reupdate, install, reinstall, because of some gaping hole in IIS, Exchange, etc. plus, how about the downtime, and all the other problems that windows servers have cost businesses. and really, desktop exploits go untapped. gee, really. and how many problems were caused by some worker bee opening up that j-lo.exe file in Outlook? this is FUD.
My problem? I was perfectly gruntled, until some numbnuts came by and dissed me.
I am then subjected to dozens of e-mail scanning auto-responders telling me I have a virus, auto replies from people I've never heard of, and the occasional jerk who thinks they know everything screaming at me in e-mail telling me I am stupid for letting myself get infected.
The fact I am also the postmaster admin to 13,000 users means I get users contacting me in a panic thinking they have a virus because one of the three above things happens to them. This, despite a faq and notices on intranet etc etc that this thing is out there.
Klez is probably the primary reason I am starting to hate Microsoft. It doesn't matter if my computer and all computers I am responsible for are completely patched and that my mail gateway blocks it, I still get to be a victim indirectly, and I doubt we'll ever see the entire planet fully patched.
Microsoft secretly loves Linux because OSS development sucks all the brainpower away from malicious anti-Windows activities and focuses it on innocuous projects that can do them no harm. Why crack Windows when you can get the same peer respect and feeling of civil disobedience by developing for Linux?
I've had DSL for 6 months now, and have been running my computer 24/7 since. In total my logs show less than a dozen attacks in that whole time. When I first got it I got port scanned hourly, but I haven't seen one in the past month that I can recall.
Before I got DSL (and a static IP) I was warned that they usually get a lot of hack attempts. Maybe I'm the exception, or maybe I'm being hacked at such a high-level that my scanners or firewalls haven't caught it.
But overall, running Win2000 the whole time, I haven't had a problem.
...Also, I didn't know Buggalo could fly.
They may say that, but the truth is 99% of the time, exploits are only written when full disclosure of the bug is given (+ example code in most places).
Who's worse? The "security" researchers who publicise the information, or the little shits who code the viri?
Most virus writers are sad idiots who can only write in visual basic... Not the sort who could actually find their OWN exploits in programs!
So the megabytes and megabytes of Klez-type spam in my inbox are "little impact"? The fact that even my mother almost infected her machine because the mail seemingly came from one of her friends, in spite of the fact that I told her not to run any attachments, is little impact? ILOVEYOU, Melissa etc. had little impact? Well, if so, I don't want to know what the deep impact is. They must be referring to extinction level events. And you know why we haven't had one of these yet? Because most virus programmers are just kids who want to try something new and not evil "cyberterrorists". Except for the 911 dialing virus, most viruses and worms have not really explored the realm of possibility. To therefore dismiss the risk of security exploits is frivolous, preposterous, stupid, arrogant, ignorant, foolish -- adjectives fail me. Why did this piece of PR crap get linked? And why hasn't Michelle Delio been fired yet for writing it?
Despite the thousands of known exploits and virii...
Public Memo:
It's "viruses", not "virii". Repeating, "viruses".
Did you also get the memo about the TPS report cover sheets?
Skiers and Riders -- http://www.snowjournal.com
God Bless American AntiVirus companies and their Anti-Terrorist business campaign!
You could be transmitting your IP address right now for hackers to lock-in on! Buy some protection for you and your loved ones before they wipe out your hidden porn collection!
--
Power to the Peaceful
Do we doubt that there are malicious, destructive and/or idiotic people out there? Do we doubt that there are enough relatively easy-to-exploit bugs out there that can have amazingly destructive consequences?
While I would love for there to be a more holistic approach to security, as long as the majority software platform (with all of its variants) is rife with holes and the security repair falls exclusively to the same people who built it bad in the first place, I'll take point-by-point/line-by-line review any day of the week and twice on Tuesday.
That story seemed a little too pro-micro$oft for me. Luckily four articles ahead, there's a micro$oft = satan article. I was getting confused there for a minute, and thought I was in Bizarro World.
riding round the world on an old motorcycle
Use a Mac. Not one remote exploit ever existed!
Consult BugTraq if you do not believe me.
Thousands of entries for all other OSes exist but not one for mac.
I am talking about Mac OS 8.x through the latest 9.2.2, not the BSD UNIX Mac OS X (which has already had many exploits so far).
There are millions of Macs, and Google.com measures accurate click percentages showing the massive Mac user base, but no Mac user in 5 years or more, no web server at least, has ever had an issue.
There was a 3rd party product addon in 1997 that added an exploit but that was it.
That's why the US Army gave up on Linux and Windows and used Macs after being defaced too many times in one year once.
There are many technological reasons macs do not have a single remote exploit. Lack of a command line and lack of a super user "root" are only 2 of the many reasons.
http://www.riaa.org/admin/press_and_news.html You can modify or post ANY news on the site now, the front page has GOATSE on it. http://www.riaa.org/ Do your worst :P
Who wants to own a Windows box anyway ? Is there anyway to upgrade it to Linux after you get in ?
What is needed is a remote, unattended install of Linux so the system security can be fixed while giving the cracker something more useful to use. It might even be considered charitable, the new system admin could maintain the system for free and the users might not even notice if you gave them an autologin with a message telling them their kid installed a cool new desktop theme!
One thing that bugs me a bit about this article is that it defines an exploit as a security hole. While this is true, the tone of the article makes it sound worse than it really is.
I mean, think about what an exploit really is: Somebody has taken a feature of Windows and turned it against the user or the user's machine. The problem I see here is that you can't have a totally secure machine and have all those fancy features you like.
I'll give you an example: I use Outlook's to-do list to keep track of my tasks. There's a feature where you can attach shortcuts to each task. I've found this handy; whenever I need to do my time sheet I just pull up the task and double click the shortcut inside of it. Now, in order to 'crack down' on security on my computer, I turned off a bunch of those handy-dandy features and found myself unable to launch that shortcut anymore!
Now, before you start saying "Oh, MS could easily fix that...", instead think about the real problem here. Either I don't use that feature at all, or MS has to think of every single malicious use of a feature and only allow the non-dangerous ones. Sorry, that's not a good solution. You're holding MS (or anybody else) responsible for other people's creativity.
I'm not saying that MS is unfairly given a bad rap for this whole topic. I think their default choices are ill-thought and have caused serious damage. However, it needs to be considered that there is always an inherent risk with any piece of software you use. It's not a matter of security holes, it's a matter of deciding whether or not it's worth the risk.
I, for one, would never underestimate people's creativity. I read about an insurance scam once where this guy got fire insurance for each of his cigars, over $1,000 a piece. Then he smoked them. He took the insurance company to court, and the judge reluctantly ruled that the insurance company had to pay the guy $12,000. Fortunately for the insurance company, though, they were able to charge him with arson. Heh he got a hefty fine ($10,000 ish? I don't remember..) and served jail time.
Now, if you think about this insurance company, you probably wonder why they didn't have a policy about cigars or items that were meant to work with fire? Well, it's simple: They never imagined that somebody'd do that. The only way they could be fraud proof is if they were to clearly define the rules for every ridiculous outcome they can think of. Know what'd happen then? There would be people unable to redeem fair claims because their unusual case strayed outside the boundaries that are clearly defined. There would also be that one guy who figures out a creative way to buck the system anyway. The insurance company is far better off coming up with ways to deal with the eventual fraud instead of over-relying on their policies and laws to protect them.
So where does that leave us computer people? Well, it's simple: Using a computer is risky. Take a few risks but protect yourself. Worried about people stealing your credit card info on-line? My answer is not: "well don't use one then!" Instead, my answer is: "Get a credit card with a company that'll protect you in that event." Worried about data loss? Make backups once in a while. Worried about hackers breaking in on your always on connection? Use a firewall, but use common sense too. A firewall is the equivalent of shutting a few windows, it's not a structural reinforcement.
Total security is a pipe dream. Instead of blaming Microsoft, take some sensible precautions to minimize the damage done. The benefit here is that you protect yourself from damage that can happen outside of the exploit world. (Lightning strikes, hardware failure, children...)
Nobody who is serious about threatening computer security is after home users. They have more to worry about ad/spy ware than viruses. There are 4 things any home user can do to avoid all viruses/trojans. In order of effectiveness
1. Don't download e-mail attachments. Avoid attachments to e-mails entirely if possible; use IM file transfers instead.
2. Don't use Outlook.
3. Don't visit untrustworthy websites. like warezprontrojanforyou.com
4. Use a firewall if you are on a LAN.
Anti-virus software is almost useless for a home user, unless they are incredibly stupid. All it does is interfere with other programs and waste memory. Seriously if you are a home user who the crap wants to crack into your pc? You probably haven't even configured it properly so it can't even have enough uptime to get anything useful from it.
And do hax0rz really want to steal your family photo album? The best they can hope for is your Quicken files or your credit card number. They can get thousands of CC#s by cracking a business database better than getting home users through Windows holes. Computer security is something only businesses have to worry about.
The GeekNights podcast is going strong. Listen!
1. Home users have nothing worth stealing...
;)
2. 99%+ of corporate theft is from insiders and ex-employees, not outsiders.
So yea, the conclusions of the article are rather obvious. A lot of things, like say a firewall, are also useless in almost all cases since the damage is from INSIDE the organization.
But hey, we all make money selling all that useless stuff in the meantime
- Adam L. Beberg - The Cosm Project - http://www.mithral.com/
they are windows machines, is there anything really valuable on them? oh pls mister hacker man don't pirate my version of microsoft office suite!
Also Microsoft is probably fully aware that their security needs a LOT of work, but for older versions of Windows, I doubt they care if the problems really are the end of the world or not.
Think about it... they can turn poor security into a reason to upgrade. ("Windows 2003 has better security...buy now!")
-- laws are the opinions of politicians --
I think they hit a very high percentage of all Windows machines world wide. More is that most people don't know they are infected; how many script kiddies do you know who have a bunch of SubSeven boxes? Wonder how they get those... dream on..
but maybe i am wrong lets read the wired article now.
For every person who gets megabytes and megabytes of virus spam and has a mother who gets the same, there are many more Windows users who don't have that problem. Both I, my mother, and Michelle Delio live on that planet.
Mod the parent up and go ahead and fsck with the RIAA webpage...
I noticed that someone already deleted the article queue:
http://www.riaa.org/admin/reprint_admin.html
It's true for the script-kiddies who run these attacks too you know.
They'll get around to it.
Is this truly the only Earth I can live on?
A lot of the potential exploits would fall at the first two hurdles above. For instance, by setting Outlook (Express) to use the Restricted Zone, you've already plugged several holes.
This is not to excuse Microsoft for creating the holes in the first place. Particularly odious are those related to allowing scripting to be performed in places where it makes no sense whatsoever, eg. Windows Media files. That is not a case of sloppy coding, that is bad design from the get-go.
Sad to say, even if Microsoft fixed all the outstanding holes tomorrow, you will still need to have a firewall and anti-virus software, because the malware will continue regardless, until such time as we all move to a platform that is secure by design. (And, no, in truth that platform doesn't exist yet)
-MT.
So instead of hyping every 2-bit "hole" in a web browser perhaps stories like these would make it to the front page and keep everyone informed. I may be a bit jaded here, but it seems that a hole, DOS and remote exploit in open source software are not really that. They're just "temporary issues" that are "quickly patched".
Just like "issues" with Microsoft software. Yay open source!
They could care less what you have on your machine. They only care that it IS a machine connected to the Net. They can use it to attack other people, use it as a safe exchange point for warez/porn (especially illegal stuff like kiddie porn). They can run IRC bots on it. They use them as 'currency' to trade for more desirable things like the latest exploit scripts, etc. All script kiddies strive to maintain a stable of zombies to be used as needed.
Democrat delenda est
Likewise, every remote root exploit makes it technically possible for this to happen. Even if relatively few people are being hacked by script kiddies today, that says nothing about the odds of a highly skilled attacker pulling off a single massively devastating attack.
This report is no reason for complacency.
If you cut off the vector, the virus won't survive.
We've got the Exchange server punting any attachments that don't end in .zip, txt, gif or jpg.
We've got parts of the workstations' registries locked out from normal user modification, and Trend OfficeScan is installed on all workstations and automatically updated from the server.
We've got an aggressive firewall policy. (e.g. no tftp from funny locations.)
We haven't had ANY recent virus attacks. Short of having someone bring something minor in on a floppy, virus attacks just haven't happened. I don't think we'll see many more as time goes on, as all of the easy vectors have been plugged.
"Draco dormiens nunquam titillandus."
We had a security exposure, we didn't "patch" it - does that mean it wasn't dangerous that we left the doors open? No, it just meant we hadn't been ripped off yet.
I've been working in a computer repair store for the past six months, and I can tell you that many, many people have been infected with one virus or another. It's been a staple of the business - no matter what a machine comes in for, we scan it for viruses, and almost 65% of the machines are infected with something. (About 75% of the 65% is the Klez/Elkern combination, and 10% recently is the BugBear.) Most of the time, fixing the virus fixes their problems.
The only reason it could be said that people don't think that such viruses and exploits are no big deal is because people don't realise that their machines are supposed to be fast and not crash. Only after the machine is thoroughly infected and it's all but useless do they do something about it. It's kinda sad, actually, that people are so conditioned to machines working poorly that they don't even know how much power their machines truly have.
libertarianswag.com
Check out www.riaa.com to see their news script hacked...
No shit, it's illegal to exploit a hole.
Most unlocked doors and windows don't result in a burglary, either, but for everyone to ignore the issue is a bad idea when there are bad guys running around out there who can just walk in at will.
Of course most vulnerabilities don't get exploited, it's just a matter of volume.
My mother-in-law got a variant in which the Elkorn virus that Klez drops off actively deleted antivirus program files when they were executed.
At the time it seemed curious when she kept asking me that she installed NAV2002, but it never seemed to be able to run.
Finally, I looked into it. Something definitely was amiss (mem /debug revealed DOS memory 640K...).
Luckily, I had just recently gotten rid of a new Klez infection on my work computer, so that was the first thing I checked for on the NAV website.
Other odd behaviours: I could not run taskman.exe. It would start and disappear...
OK, on-line info about Klez indicates that Elkorn can kill off processes named taskman.exe, among others. OK, make a copy of taskmgr.exe, call it tm.exe. Cool, now I can see what's running.
Reinstall NAV2002. Funny thing is, when it finished installing, I got a "program not found".
OK, go to a command window. make a copy of the NAV executable files somewhere. Run one of the exes. Ohmygod, the executable I just tried to run just got deleted...
Followed the steps to kill off active KLEZ/Elkorn virus.
Reboot. Reinstall NAV. OK. Thing has been running OK since.
Something to consider...
yea i had to change my hotmail account cuz it kept filling up with bs klez files. I never would open them of course..but it still kept filling up my free box that i use to avoid my regular email getting junk/spam/virus email.
The only way to bust a doper--is when you yourself become a smoker!
Wired should recognize the Mac security record. Especially when discussing remote exploits.
It is a concrete fact that no MacOS based webserver has ever been hacked into in the history of the internet.
The MacOS running WebStar and other webservers has never been exploited or defaced, and is unbreakable based on historical evidence.
In fact in the entire SecurityFocus (BugTraq) database history there has never been a Mac exploited over the internet remotely.
That is why the US Army gave up on MS IIS and got a Mac for a web server.
I am not talking about FreeBSD derived MacOS X (which already had more than 30 exploits and potential exploits); I am talking about current Mac OS 9.x and earlier.
Why is it hack proof? These reasons:
1> No command shell. No shell means no way to hook or intercept the flow of control with many various shell oriented tricks found in Unix or NT. Apple uses an object model for process to process communication that is heavily typed and "pipe-less"
2> No Root user. All Mac developers know their code is always running at root. Nothing is higher (except undocumented microkernel stuff where you pass Gary Davidian's birthday into certain registers and make a special call). By always being root there is no false sense of security, and programming is done carefully.
3> Pascal strings. ANSI C strings are the number one way people exploit Linux and Wintel boxes. The Mac avoids C strings historically in most of all of its OS. In fact even its ROMs originally used Pascal strings. As you know Pascal strings (length prefixed) are faster than C (because they have the length delimiter in the front and do not have to endlessly hunt for NULL), but the side effect is less buffer exploits. Individual 3rd party products may use C strings and bind to ANSI libraries, but many do not. In case you are not aware of what a "pascal string" is, it usually has no null byte terminator.
4> Macs running Webstar have ability to only run CGI placed in correct directory location and correctly file "typed" (not mere file name extension). File types on Macs are not easily settable by users, especially remotely. Apache as you know has had many problems in earlier years preventing wayward execution.
5> Macs never run code ever merely based on how a file is named. ".exe" suffixes mean nothing! For example the file type is 4 characters of user-invisible attributes, along with many other invisible attributes, but these 4 bytes cannot be set by most tool oriented utilities that work with data files. For example file copy utilities preserve launchable file-types, but JPEG MPEG HTML TXT etc oriented tools are physically incapable by design of creating an executable file. The file type is not set to executable for the hacker's needs. In fact it's even more secure than that. A Mac cannot run a program unless it has TWO files. The second file is an invisible file associated with the data fork file and is called a resource fork. EVERY Mac program has a resource fork file containing launch information. It needs to be present. Typically JPEG, HTML, MPEG, TXT, ZIP, C, etc are merely data files and lack resource fork files, and even if they had them they would lack launch information. But the best part is that Mac web programs and server tools do not create files with resource forks usually. TOTAL security.
6> Stack return address positioned in safer location than some Intel OSes. Buffer exploits take advantage of loser programmers' lack of string length checking and clobber the return address to run their exploit code instead. The Mac compilers usually place the return address in front or out of context of where the buffer would overrun. Much safer.
7> There are less Macs, though there are huge cash prizes for cracking into a MacOS based WebStar server (typically over $10,000 US). Less Macs means less hacker interest, but there are MILLIONS of Macs sold, and some of the most skilled programmers are well versed in systems level Mac engineering and know of the cash prizes, so it's a moot point, but perhaps Macs are never cracked because there appear to be less of them. (Many Macs pretend they are Unix and give false headers to requests to keep up the illusion: ftp, http, finger, etc.) But some huge high performance sites use load-balancing WebStar. Regardless, no Mac has ever been rooted in the history of the internet, except with a strange 3rd party tool in 1995.
8> MacOS source not available traditionally, except within apple, similar to Microsoft source only available to its summer interns and engineers, source is rare to MacOS. This makes it hard to look for programming mistakes, but I feel the restricted source access is not the main reasons the MacOS has never been remotely broken into and exploited.
Sure a fool can install freeware and shareware server tools and unsecure 3rd party addon tools for e-commerce, but a mac (MacOS 9) running WebStar is the most secure web server possible and webstar offers many services as is.
One 3rd party tool created the only known exploit backdoor in mac history and that was back in 1995 and is not, nor was, a widely used tool. I do not even know its name. From 1995 to 2002 not one macintosh web server on the internet has been broken into or defaced EVER. Other than that event or a rouge 3rd party CGI tool ages ago in 1995, no mac web server has ever been rooted,defaced,owned,scanned,exploited, etc. They few mistaken defacements recently attributed to Mac OS are actually Mac OS X (unix) events.
I think its quite amusing that there are over 200 or 300 known remote exploit vulnerabilities in RedHat over the years and not one MacOS 9.x or older remote exploit hack. There are even vulnerabilities a month ago in OpenBSD! Each month vulnerabilities in XP arise.
Not one remote exploit. And that includes Webstar and other web servers on the Mac.
A rare set of documentation tutorials and exercises on rewriting all buffer LINUX exploits from INTEL to PowerPC was published less than a year ago. The priceless hacker tutorials were by a linux fanatic : Christopher A Shepherd, 3036 Foxhill Circle #102, Apopka, FL 32703 and he wrote the tutorials in a context against BSD-Mach Mac OSX. but all of his unix methods will find little to exploit on a traditional MacOS server.
BTW this is NOT an add for webstar.. the recent versions of webstar sold for over the last year are insecure and cannot run on Mac OS 9.x or 8.x, and only run on the repeatedly exploited MacOS X.
--- too bad the linux community is so stubborn that they refuse to understand that the Mac has always been the most secure OS for servers.
BugTraq concurs! As does the WWW consortium.
Most companies were taken off guard by several of the major viruses and worms over the past 4-5 years. ILoveYou, Nimda, CodeRed, etc. But after each major hit things were done not just reactively, but also proactively.
Virus scan engines were updated, email servers had attachment blocking filters installed, patches were installed, etc.
There has been a slew of updates made available to applications like Outlook, Outlook Express, IIS and so forth which disable many of the features that these exploits took advantage of. The Outlook 2k security update, default permissions in OE 6.0, IIS Lockdown wizard, URLScan, etc.
Then you have a whole slew of administrative utilities such as HFNetChk from Microsoft/Shavlik to test systems for patches and various tools(HFNetChk Pro) to do reports on large numbers of machines and push out patches.
I do agree that the security finders tend to overstate the impact, but it's still important to react to the issues. The conclusion that Wired really should be making is that we've learned lessons and learned how to better prepare and respond. That's why there are fewer major problems.
Download and use on your Windows friends!
Users haven't been hard hit by Internet vandalism. Even online identity theft, while a serious problem, only affects a small minority of the population.
A security concern is a hole in your system that allows attacks.
A security problem is an attack that actually affects you in a deleterious way. And frankly, the majority of people haven't had a security problem. And the number of people who simply took minimum precautions (updates, not running strange code) and had a security problem is vanishingly small.
So, no, the hassle of Linux (as compared to the minimum precautions approach) is not worth it for most individuals.
And frankly, Microsoft is now light-years ahead of Linux on security concerns for one simple reason. Microsoft boxes update simply and automatically out of the box.
No Linux distribution matches that ease. And frankly, the majority of computer users are, and always will be, uninformed about their machines. Microsoft is manufacturing systems that are relatively harmless in the hands of an idiot. Linux is not. That is a security hole, and it will remain a hole because the Linux community has never been especially responsive to the needs of the computer-illiterates.
Hmm.
*checking mail logs*
According to my mail server's logs, I have gotten FORTY virus/worm-infected emails since midnight.
No effect on home users? Someone hit this guy with a cluebat.
Just my $.02...
Have almost no effect on home users? Funny, I just got a call from a friend this morning - her system had just been infected by a virus (likely Klez), and it was able to both disable Norton Antivirus AND exploit her Outlook Express address book. If a removal tool doesn't work, she'll likely have to reformat her system.
I'd say Windows security vulnerabilities have a significant impact on home users, how about you?
Mac web servers are immune.
Use a macintosh running Mac OS 8.x through 9.2.2 (last 5 years). Not one exploit in history. Mac OS X is unix (freeBSD) and has already had many exploits.
If you use a mac you can use mass market "shrinkwrapped" software and still be secure.
Hmm. Bondage lesbians....
A keygen? Seriously, what's that?
No exploits exist in Mac OS 7.6 through 9.2.2 so long as you have the auto-update system code feature disabled (a new feature idiots can turn on).
consult bugTraq if you DOUBT ME!
It is a concrete fact that no MacOS based webserver has ever been hacked into in the history of the internet.
The MacOS running WebStar and other webservers has never been exploited or defaced, and is unbreakable based on historical evidence.
In fact in the entire SecurityFocus (BugTraq) database history there has never been a Mac exploited over the internet remotely.
That is why the US Army gave up on MS IIS and got a Mac for a web server.
I am not talking about FreeBSD derived MacOS X (which already had more than 30 exploits and potential exploits). I am talking about current Mac OS 9.x and earlier.
Why is it hack proof? These reasons:
1> No command shell. No shell means no way to hook or intercept the flow of control with many various shell oriented tricks found in Unix or NT. Apple uses an object model for process to process communication that is heavily typed and "pipe-less"
2> No Root user. All Mac developers know their code is always running at root. Nothing is higher (except undocumented microkernel stuff where you pass Gary Davidian's birthday into certain registers and make a special call). By always being root there is no false sense of security, and programming is done carefully.
3> Pascal strings. ANSI C strings are the number one way people exploit Linux and Wintel boxes. The Mac avoids C strings historically in most of its OS. In fact even its ROMs originally used Pascal strings. As you know Pascal strings (length prefixed) are faster than C (because they have the length delimiter in the front and do not have to endlessly hunt for NULL), but the side effect is fewer buffer exploits. Individual 3rd party products may use C strings and bind to ANSI libraries, but many do not. In case you are not aware of what a "pascal string" is, it usually has no null byte terminator.
4> Macs running Webstar have the ability to only run CGI placed in the correct directory location and correctly file "typed" (not mere file name extension). File types on Macs are not easily settable by users, especially remotely. Apache as you know has had many problems in earlier years preventing wayward execution.
5> Macs never run code ever merely based on how a file is named. ".exe" suffixes mean nothing! For example the file type is 4 characters of user-invisible attributes, along with many other invisible attributes, but these 4 bytes cannot be set by most tool oriented utilities that work with data files. For example file copy utilities preserve launchable file-types, but JPEG MPEG HTML TXT etc oriented tools are physically incapable by design of creating an executable file. The file type is not set to executable for the hacker's needs. In fact it's even more secure than that. A mac cannot run a program unless it has TWO files. The second file is an invisible file associated with the data fork file and is called a resource fork. EVERY mac program has a resource fork file containing launch information. It needs to be present. Typically JPEG, HTML, MPEG, TXT, ZIP, C, etc are merely data files and lack resource fork files, and even if they had them they would lack launch information. But the best part is that mac web programs and server tools do not usually create files with resource forks. TOTAL security.
4> Stack return address positioned in a safer location than some Intel OSes. Buffer exploits take advantage of loser programmers' lack of string length checking and clobber the return address to run their exploit code instead. The Mac compilers usually place the return address in front of or out of context of where the buffer would overrun. Much safer.
7> There are fewer macs, though there are huge cash prizes for cracking into a MacOS based WebStar server (typically over $10,000 US). Fewer macs means less hacker interest, but there are MILLIONS of macs sold, and some of the most skilled programmers are well versed in systems level mac engineering and know of the cash prizes, so it's a moot point, but perhaps macs are never kracked because there appear to be fewer of them. (Many macs pretend they are unix and give false headers to requests to keep up the illusion: ftp, http, finger, etc.) But some huge high performance sites use load-balancing webstar. Regardless, no mac has ever been rooted in the history of the internet, except with a strange 3rd party tool in 1995.
8> MacOS source not available traditionally, except within Apple; similar to Microsoft source only being available to its summer interns and engineers, source is rare for MacOS. This makes it hard to look for programming mistakes, but I feel the restricted source access is not the main reason the MacOS has never been remotely broken into and exploited.
Sure a fool can install freeware and shareware server tools and unsecure 3rd party addon tools for e-commerce, but a mac (MacOS 9) running WebStar is the most secure web server possible and webstar offers many services as is.
One 3rd party tool created the only known exploit backdoor in mac history and that was back in 1995 and is not, nor was, a widely used tool. I do not even know its name. From 1995 to 2002 not one macintosh web server on the internet has been broken into or defaced EVER. Other than that event or a rogue 3rd party CGI tool ages ago in 1995, no mac web server has ever been rooted, defaced, owned, scanned, exploited, etc. The few mistaken defacements recently attributed to Mac OS are actually Mac OS X (unix) events.
I think it's quite amusing that there are over 200 or 300 known remote exploit vulnerabilities in RedHat over the years and not one MacOS 9.x or older remote exploit hack. There were even vulnerabilities a month ago in OpenBSD! Each month vulnerabilities in XP arise.
Not one remote exploit. And that includes Webstar and other web servers on the Mac.
A rare set of documentation tutorials and exercises on rewriting all LINUX buffer exploits from INTEL to PowerPC was published less than a year ago. The priceless hacker tutorials were by a linux fanatic, Christopher A Shepherd, and he wrote the tutorials in a context against BSD-Mach Mac OSX. But all of his unix methods will find little to exploit on a traditional MacOS server.
BTW this is NOT an ad for webstar. The recent versions of webstar sold over the last year are insecure and cannot run on Mac OS 9.x or 8.x, and only run on the repeatedly exploited MacOS X.
--- too bad the linux community is so stubborn that they refuse to understand that the Mac has always been the most secure OS for servers.
BugTraq concurs!
So I guess under this logic it would be perfectly fine to install doors and windows in your house with no locks at all because your neighborhood doesn't have home break-ins or invasions?
It's really a disservice to try to make a point using only anecdotal evidence. This is much worse when your anecdote is fictional.
This is the sort of crappy reasoning that states that since most people don't get whacked by the Mob, the Mob doesn't mean much. In NYC for years everyone paid a 1 percent Mob tax. That was the amount prices were inflated to cover corporate losses to the Mob. If you wanted to build a building the cement was controlled by the Mob. Then you had, and have, labor rackets.
If a company is hacked and blackmailed they often don't report it. But the cost is passed along to the consumer.
The enterprising hacker will take the cracked machines and tune them up, fixing other holes as you suggest, and maybe turning disk DMA on or something. Some owners will notice (maybe not consciously) that when left online, their machine runs better than it did before, and so they will leave it online longer.
There will be an economic point where it becomes easier for hackers to tune a system and hopefully "reward/train/evolve" the owner into leaving the system on than it will be for the hacker to find another new system to hack.
That's when the hacker can easily install hidden, tune-up kits (found at tuneupkit.org).
If we act now, and buy that domain, think of all the ads we can sell!
The biggest hole is the end user. Tight network security means nothing if the end user can run a trojanized screensaver sent to him by email or downloaded from Joe Blow's Web Emporium and infect his own machine.
And I have heard claims that as many as 90% of security breaches go undetected. Think about it. How many of even you Linux users actually run tripwire on your personal system? What percentage of people do you think even check the md5sum against their downloads before compiling as root? It is small I guarantee. I once posted the wrong md5sum for a release of an open source project and it was downloaded hundreds of times without anyone saying anything.
Another reason they go undetected is that many trojans are customized. If you were going to plant a keystroke logger on a target's computer would you use one that is found by McAfee antivirus? No. You'd compile your own; changing the signature, different size, different port, different protocol, and only use that particular version in that one instance.
Of the breaches that are detected, many are not reported. What bank or online retailer wants people to know that their personal data was stolen? So just because there hasn't been a Code Red lately doesn't mean all is well.
Waaaaay back in 1997, there was a problem with a version of Lasso (a 3rd-party database-access CGI) that could be exploited. I believe it was discovered during a 'hack this Mac web server and get $10,000' sort of contest-- it was so long ago, I don't really remember the details, but it has been done. This hole was closed very quickly with an update to Lasso.
People just using the web service built into the Mac OS, however, have never had anything to fear. Unlike IIS, Personal Web Sharing and the AppleShare IP Web Service were always airtight.
~Philly
Given the large number of exploits that have rained upon us in recent years a hacker can pretty much choose the one he sees as suitable and efficient for his purpose. The holes are there to use and just because no one has made a virus exploiting them doesn't mean that hackers don't use them.
Come to think about it, how could the hacker community have exploited every hole and still have had time to hack things? Maybe that is the answer? Give the hackers so many holes that they are occupied writing exploits for them. That way they don't have time to use them.
HTTP/1.1 400
You know, finally someone actually understands and sees the real problem. Too many geeks are in corporate IT security. We are still waiting for security to be integrated in the products. Unix certainly does not have it; Windows at least reports a whole lot better than unix and that's half the battle.
I don't hire security experts because of their bug hunting ability, I want tangible results.
I'm starting to think that "I only use WinBlow$ for games" is like "I only read Playboy for the articles".
Why the fuck do you need Visual Basic on a games-only partition? Jesus, kids, when in doubt, dike it out.
The most important info we keep on most home computers is who we are. Get that and we have identity theft. When home systems get hacked what happens is either they get set to be used as DDoS drones, or the attackers are looking to get enough info to steal your identity. Even if only 1 percent of home users get used this way that is still millions of people; since when is this not a problem?
klez doesnt affect most ms users cuz they dont even know how to use outlook or anything else except aol :/
My daughter uses a Windows OS. We are behind a NAT routing switch so I haven't been too concerned about exploits. However, I finally got around to installing virus protection software and sure enough she had two worms on her system!
I never would have known about it except for the anti-virus software.
The race isn't always to the swift... but that's the way to bet!
Huh?
Don't you mean that hijackers have traditionally had little problem with the US airline industry?
A Pirate and a Puritan look the same on a balance sheet.
They pointed out the real problems, like KLEZ. But that wasn't the point. The point was that out of the thousands and thousands of supposed security holes very few are ever exploited. They said nothing of the destructive power of the holes that were exploited.
Boobies never hurt anyone. - Sherry Glaser.
Coming from the front lines of the blackhat community, I can assure you all this is complete bullshit. People simply don't know they've been hacked. For us, the home user isn't a means to glory like goatse.cxing a high volume web page on an enterprise server. The home user is simply a means to an end. Rather than have 1000 DoS slaves ready to go and worrying about the traffic being logged there each time I go back, I can find in 20 minutes 1000's upon 1000's of exploitable dial up boxes, use them once, and forget about them. Do you think Joe Sixpack knows why "his internet thingy is slow"? No, he doesn't question it, it doesn't happen again (for awhile).
My point is that almost every remote exploit is used against the general online public every single day. We're just sneaky about it.
Although it is true that I enjoy hacking *nix boxes more than Windows, it's because of the challenge. For utility purposes though, a winbox is much more efficient to hijack.
Some of the holes in IE allow installing arbitrary code on a machine which visits a malicious website. This has been used very widely here to waylay modem users. The website clandestinely installs a dialer program and sets it as the default internet connection. The new number is of course a very expensive 0190 pay number and depending on how soon the user notices, this can easily cost a few thousand euros. There is currently no viable defense: if your computer dials the number, then you have to pay (a new law is being considered, though). Since all phone bills are collected by a central instance (German Telekom) refusing to pay is not an option, because they will simply cut your telephone line.
People who run antivirus software and keep it up to date are almost completely immune to this nonsense. And it's not like they haven't been warned; anyone who thinks about this knows. Almost everything out there that's prevalent in the wild was patched by MS or put in everyone's virus definitions long ago.
Here's the virus count for my gateway since July 4 of this year:
717 WORM_KLEZ.H
120 WORM_SIRCAM.A
45 WORM_YAHA.E
11 PE_NIMDA.E
6 WORM_BUGBEAR.A
2 WORM_HYBRIS.B
1 JS_NIMDA.A
1 WORM_HYBRIS.C
1 WORM_KLEZ.E
This is the 3rd article (yes I am sure there are many more) I have read this year telling me how few attacks and infections are actually occurring. The media only wants to report the big ones like LoveLetter or Code-Red. If it doesn't affect 10 million systems then it can't really be that bad, can it?
I am a security professional. I teach many security courses including antivirus administration. I have done trainings for companies with 100,000s of desktops that have full time staff dedicated to the eradication of viri. According to this article these people are wasting their time because it isn't a problem. But when I walk in and have a room full of enterprise level employees all there to learn about how to manage (not clean mind you) viri then I know there is a problem. No company is going to spend money when they don't have to. I would suggest that all these authors go read up on some basics of risk management.
We haven't had a fire in my building in over 30 years. Why do we keep wasting money on sprinkler systems?
I am talking about Mac OS 8.x through the latest 9.2.2, not the BSD UNIX Mac OS X (which has already had many exploits so far).
So at one time, in the past, there was a narrow window during which the Mac was superior. So what?
Thanks to the 1990s and the popularity of on line services the Internet has grown by leaps and bounds it would have never seen if only government and academia were using the resource.
We have companies all over the place marketing how easy it is to use computers and connect to the "WEB"
We now have a lot of people on the network that have no idea what they are doing on their own computer(well they do know how to look at porn pictures and download their AOL spam) basically the majority of Internet users are morons.
Couple this with stores like BestBuy, Circuit City, and CompUSA selling things like broadband services and wireless networking pieces to people who have no idea what's going on and we have a problem. These people don't update their Windows for security. Microsoft can release all the service packs in the world but it will have no effect. People still think that personal computers are like their home DVD players: once it's out of the box and working you don't have to do anything else to it.
Do some war driving of your own and see how many home networks are completely open. What happens when someone with any intelligence starts using these open points to threaten the political leaders? What about all the DDoS attacks that can be started from these insecure points?
I think that your situation shows how we all should PGP sign all our emails...
;-)
Being part of a mailing list, I too have had virus messages sent to people with my name (incorrectly) forged in the FROM field. I was very angry indeed. Unfortunately, I haven't had time to research into using PGP, but it'll be on my New Years list
$cat
Is that this doesn't seem to be a hack on the system (that may exist too). The problem is in bad programming. This link (if it's still there) was the main problem, as it was the tool to post news/press releases, and had no authentication. Direct link and you could control what went on there. There might have been other weaknesses but that's the one I heard of. Now the funny part is, just before the site went down, somebody caused it to redirect to the infamous goatse.cx, and as a friend noted, when goatse.cx goes up, the owning is complete.
If everyone leaves their windows open, what's the chance that a burglar picks your house?
i don't like style guides
Windows Security Holes Go Mostly Unexploited
Well let's get to work!
Proud member of the Weirdo-American community.
I really hope you mean this to be funny, because I got a chuckle. It's amazing how many mac users have a false sense of security because they don't see activity. Just because people don't spend as much time looking for exploits in MacOS doesn't mean they aren't there. Also, there have been security problems; they just don't have "MACOS SECURITY FLAW" in the header, they have much more innocuous headers, like "buffer overflow in zlib", or "DoS in BSD TCP/IP network stack".
On the other hand, if this was meant to be funny, I thought points 1, 2, 3, 5, and the second 4 were hilarious.
Oh, and a second note, stuff usually ends up on bugtraq only if a) the vendor doesn't respond or b) the vendor decides to put it there
After running up2date on my Redhat box I surfed on over to Slashdot and found a post about a Wired article on the rarity of exploits for Windows security bugs. Intrigued, I clicked through only to find that the linked article was about the exploitation of software bugs in general and only casually mentioned Windows in one instance. I'm sure that there must be another article dealing exclusively with Windows since "Windows" is in the title, the submitter mentioned it twice, and he even crafted a Google query on Windows exploits. Can anyone point me to the correct article? Thanks in advance!
this may be a redundant comment..but perhaps people are getting better at designing better rootkits. Not that it is so needed on a Win32 Systems, how many times have you really gone through your process list in Windows 2000?
:P
But the point still stands, perhaps hackers are just getting better at hiding themselves, I have seen a LOT of example code for hiding in a Win32 system, whether it's processes, files, directories, ports, etc...it can be done without too much effort.
just a thought
proxy
Who cares if ten security holes go unexploited if my system is regularly infected by a worm exploiting the 11th? That's like saying there are more faulty brake systems in cars than there are faulty brake systems that kill people. There are always more faulty products on the market than there are faulty products that end up killing people; Does this make you want to rush out and buy faulty products?
Microsoft is the soft underbelly of the computing world. You'd have to be out of your mind to suggest their operating systems are safe.
You really think these "flaws" are security holes? More likely that they are backdoors, so the FBI, CIA, and M$ can look into 94% of the computers in the world. For each "hole" that is plugged, a new door is probably opened.
Guns don't kill people, Americans kill people.
Windows exploits YOU!
Are the security problems less threatening because most hackers are actually peaceful and not interested in destroying other people's property?
I find that hard to believe, especially in the USA where people buy more and more guns although the crime statistics has been going down for years.
Are you leaving your door unlocked because it is not likely someone will try to steal something?
I don't see how this challenges anything. Security bugs need to be fixed ASAP, whether they are exploited or not.
Oops. s/little problem/few problems/
What I really want to know is how well would an Amiga web server do in the real world?
This seems like common sense. I don't think that anyone would be surprised that while the human body is vulnerable to many things, most criminals prefer guns and knives. We're all lazy, or efficient depending on your point of view, and usually use the easiest method to accomplish the task at hand; if there is a well known and easily exploited hole, why should the cracker be expected to go find a new and completely different one just to 0wn j00?
Degaussing scares the bad magnetism out of the monitor and fills it with good karma.
Security flaws in windows have done billions of dollars of damage. Somehow this fact is being astroturfed.
Users don't always know what caused their computers to crash. Even system administrators don't know, sometimes.
Yes, it is true that Microsoft has a lot of security flaws and they get the appropriate amount of flame for it, but the irony is how the open source losers completely ignore all the flaws that are publicly addressed regarding their own "kind"; they get dismissed on grounds of "who cares? it's been fixed.", "it's not that significant, it's open source!"
I'm running CowardOS (written by me), using CowardServer as my web server. There has NEVER been an exploit for either of these - check BugTraq!
Sheesh... MacOS... security through obscurity, just a different type of obscure.
Every thing that accesses the keychain at least does.
If Mail has been changed or tampered with, if AIM or ICQ or iChat, etc, etc, it asks me 'should I allow this program access to the keychain'?
Of course I dunno if this is robust or reliable, but it seems to exist.
GPL Deconstructed
antivirus software in the last 20 years of my work. To date, I've probably lost about 3 man months due to antivirus programs interfering with proper and efficient computer operation. I've lost two days to virus attacks. The only viruses that the programs have ever detected on any of my machines were in emails that I would never have opened and even that has only occurred a half dozen or so times. When was the last time you read an article about the threat of viruses that was written by someone without a vested interest in your fear?
http://www.riaa.org/ is back up, but they still have the huge security hole: http://www.riaa.org/admin/index.html.
This post is made for informational purposes only.
Oh, sure. Tell that to all of the people that called me for help in getting rid of Klez.
"People are writing me, telling me that I have a virus. My Outlook keeps popping up weird messages, and things that I'm not sending keep leaving my Outlook. My Internet connection is slow!"
Every Windows user and their mom had Klez, and I had to deal with it. Speak for yourself.
At work we have to disable some users accounts on the wireless data networks who have viruses. They consume too much bandwidth, resource hogs. We run reports, and every day anyone who displays virus/trojan behavior, we shut them off.
We can tell from the user's profile if it's a p2p network program or a virus; viruses don't portscan your entire network, or spam your smtp servers.
Many users have found things such as Back Orifice, or other remote programs. Luckily it's easier to watch for this when you own the entire network; for an ISP, it would be much harder.
YMMV.
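The behavioural triage the poster describes, worked as an added example (not the ISP's own tooling): a source host is flagged if it touches many distinct hosts on a single port (a sweep) or hammers port 25, while a P2P client, which spreads connections across many ports, stays below both bars. The flow records and the two thresholds are constructed assumptions.

```python
"""Separate worm-like hosts from P2P clients using connection-log behaviour.

Added example, not code from the thread. Two heuristics from the post:
  - a worm sweeps the network on one port (many hosts, same port)
  - a mass-mailer floods the SMTP relays (many connections to port 25)
A P2P client also talks to many hosts, but spreads them over many ports,
so neither rule fires for it.
"""
from collections import defaultdict

# Assumed thresholds for a short observation window; tune per network.
SCAN_TARGET_THRESHOLD = 50    # distinct destination hosts on one port
SMTP_CONN_THRESHOLD = 100     # connections to port 25


def build_sample_flows():
    """Constructed flow records (src_ip, dst_ip, dst_port); not real traffic."""
    flows = []
    # Host A: worm sweeping a /24 on 445
    for i in range(1, 255):
        flows.append(("10.1.1.5", f"10.1.2.{i}", 445))
    # Host B: mass-mailer pounding one SMTP relay
    for _ in range(150):
        flows.append(("10.1.1.9", "10.9.0.25", 25))
    # Host C: P2P client, 200 peers spread over 40 different high ports
    for i in range(200):
        flows.append(("10.1.1.20", f"198.51.100.{i % 200 + 1}", 6881 + (i % 40)))
    # Host D: ordinary browsing
    flows += [("10.1.1.30", "203.0.113.10", 80), ("10.1.1.30", "203.0.113.11", 443)]
    return flows


def profile_sources(flows):
    """Per source: set of destination hosts per destination port, and SMTP count."""
    per_src = defaultdict(lambda: {"targets_by_port": defaultdict(set), "smtp_conns": 0})
    for src, dst, dport in flows:
        prof = per_src[src]
        prof["targets_by_port"][dport].add(dst)
        if dport == 25:
            prof["smtp_conns"] += 1
    return per_src


def classify(profile):
    """Return the list of reasons a source looks infected (empty if clean)."""
    reasons = []
    for port, targets in sorted(profile["targets_by_port"].items()):
        if len(targets) >= SCAN_TARGET_THRESHOLD:
            reasons.append(f"port scan: {len(targets)} hosts on port {port}")
    if profile["smtp_conns"] >= SMTP_CONN_THRESHOLD:
        reasons.append(f"smtp flood: {profile['smtp_conns']} connections to port 25")
    return reasons


def hosts_to_disable(flows):
    """Map each flagged source IP to the reasons it was flagged."""
    flagged = {}
    for src, prof in profile_sources(flows).items():
        reasons = classify(prof)
        if reasons:
            flagged[src] = reasons
    return flagged


if __name__ == "__main__":
    for src, reasons in hosts_to_disable(build_sample_flows()).items():
        print(src, "->", "; ".join(reasons))
```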
I notice how the article failed to note that, in 2002, there were more Linux/Unix exploits than in MS operating systems by a margin of 2 to 1.
Dolemite
Save the World! Use a Quote!
My lab used to have an unprotected DSL with out-of-the-box RedHat 6.x and unprotected Win95 boxes on it that we used for testing things. As far as I could tell, nobody ever successfully hacked the Windows box, and when I was running ZoneAlarm, it'd detect a lot of doorknockers but no real attack - No surprise, because we had file-system sharing turned off, a relatively obscure freeware web server, no Napster/Kazaa/Gnutella/Morpheus/etc., and not much else useful on it except clients so not much to crack.
But the main Linux box got broken into all the time - I eventually changed its name to "Kenny" because it was getting brutally killed every week. As far as I could tell, nobody seriously bothered it once I upgraded to RH 7.1 in a medium-secure mode (I didn't install FTP servers, for instance, and Apache didn't have any web pages complex enough to be exploited), but by then I wasn't doing much complex, and I'd replaced the highly reliable Pentium-66 with a faster el-cheapo machine that often died on its own so it wasn't available to crackers.
The most common attacks I was aware of were some rootkit followed by installing Stacheldraht DDOS and some IRC bots. (And after I'd wiped out Stacheldraht a couple of times, the loser got annoyed and wiped out my disk drive once.) I noticed the initial attack because one of Kenny's P66 cousins was used to run a tcpdump sniffer to monitor the LAN and it kept doing ICMP to machines at universities. At least one of the rootkits "fixed" ls and ps to not report on its directories and processes, but forgot about some other utilities like /proc, and forgot about semantics problems like
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
Despite the thousands of known exploits and virii, most MS users aren't target of much harm
3 words... no shit sherlock. Despite the incredible stupidity of claims that klez is ineffective, I'd have to say the reason that thousands of different virii/exploits/etc aren't being used is because the existing ones work very well to nail a large range of people. If 2% of the exploits hit such a large audience of say 100000+ people, why bother trying to hack up new methods.
Once a given method begins to be less effective, then the hackers/etc can move onto something more effective.
It's like having a changeroom with 1000 peepholes. Why do you need 998 of them when the one or two in the corner are showing you all you need to see?
Even processors (like Intel CPUs) have a form of firmware (microcode), but this is usually updated on boot by the bios or OS (think Linux) and not stored on the CPU itself.
As far as I'm aware there is no hardware which implements authentication of the firmware upgrade; the hardware would happily accept garbage. Reflashing a bios / firmware filled with garbage can also be a major task - not all motherboards have a jumper for resetting the bios, and I'm not sure how you would upgrade the bios of a pci card if it didn't show up as a valid card. Besides, just try to find the correct bios / firmware for your "made in mainland china with just a serial number on the circuit board" thingy if the board doesn't even boot.
If you're interested in a discussion of this google for "disk2brick", that should find the long and bitter flamewar on the linux-kernel list on the topic of "how to destroy eide disks using undocumented eide commands".
Oh, and imho - the reason virus makers aren't exploiting this (except for overwriting the bios of some intel motherboards) is that most of them are bored teenagers talking about "virii". If someone with a clue and resources enough to test various hardware put their mind(s) to it I'm sure something could be made that messed up much of the common hardware today - enough that fixing it might cost more than replacing the hardware itself.
Combine that with, say, the bugs in the MS network stacks that MS has admitted to existing, and you have the potential of creating a lot of damage in a surprisingly short time.
But of course, that won't happen with the US government becoming the Internet Police soon.. (Ok, so that last sentence was flamebait, sorry
Something you're missing is that he's not referring to Mac OS X, but to "classic" Mac OS (9.2.2 and lower). All the standard buffer overflow problems are irrelevant on Mac OS classic because the vast majority of apps (and the OS itself) don't use the "standard" libs used everywhere else.
A buffer overflow in zlib means nothing... there was no OS-standard compression library until OS 8.5, and that didn't use anything zlib related (MacBinary+BinHex).
A BSD TCP/IP stack problem is irrelevant as well. Classic Mac OS used a STREAMS-based stack that was then heavily modified. Much better (according to SustWorks.com) and immune to BSD security holes.
Although I appreciate the engineering effort that went into Mac OS X, the classic Mac OS environment still has some significant things going for it, some of which were listed in this parent's parent (which isn't Flamebait =( ).
Hire a Linux system administrator, systems engineer,
DO NOT LEAVE IT IS NOT REAL
I love that line! "Servers will be going down for routine maintenance." Yeah, right. Been there done that. I'm not sure how the word maintenance is defined by the IT world but I think it goes something like this.
Maintenance - The act of repairing something that's totally jacked up.
It's a wired article, do people really expect them to have accurate journalism? If I wanted that, I'd go here.
This sig no verb.
One of the things that annoys me the most is the number of reported holes that are caused by buffer overflows. There's simply no excuse for them this decade! If you don't have a good enough quality control process to test for them all, and MS doesn't, you shouldn't let your people write code in C! Don't get me wrong - I really *like* C, and I've been using it for over 20 years. It's a great language for a lot of things, including compact, efficient, clean, obvious code, and it does let you shoot yourself in the foot. But if you can't keep your people from shooting, and can't tell where the holes are, and can't tell whether all your feet are intact, it's not the language for you. And if you want to use C++ or C-- or C-sharp or C-dull, and you don't enforce the use of safe I/O and copying methods, don't do that either. (By the way, this rant applies to Linux as well.)
Esther Dyson has her signature-line about "Always make new mistakes". Buffer overflows and testing for maliciously formatted input aren't new mistakes, folks! They're CS100 material, the first thing you should be learning after you learn how to do arrays and input functions. (And I learned my programming in PL/I, a language that won't let you overflow buffers.) At least make the bugs interesting, like race conditions or something! Accepting input that abuses ..s in directory paths when they shouldn't be there isn't a new mistake, and it's one of the most common bug reports I see that aren't memory-related.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
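The two bug classes the post above names (unbounded copies and ".." in paths) both come down to checking input before using it. As an added example, not code from the post or from any product it mentions, here is a vulnerable copy next to a bounded one, plus a path check that rejects any ".." segment, absolute path or drive-letter prefix. The function names and the buffer sizes are my own choices.

```c
/* Added example: input checks for the two bug classes named above.
 * Not taken from the post; function names and sizes are illustrative. */
#include <stdio.h>
#include <stddef.h>
#include <string.h>

/* Vulnerable form: strcpy copies until the NUL byte regardless of how
 * big the destination is, so an over-long src overruns dst. */
void copy_name_unsafe(char *dst, const char *src) {
    strcpy(dst, src);
}

/* Hardened form: copy at most dst_size - 1 bytes and always terminate.
 * Returns 0 on success, -1 when src did not fit (the caller learns about
 * truncation instead of silently getting a different name). */
int copy_name_safe(char *dst, size_t dst_size, const char *src) {
    size_t n = strlen(src);
    if (dst_size == 0)
        return -1;
    if (n >= dst_size) {
        memcpy(dst, src, dst_size - 1);
        dst[dst_size - 1] = '\0';
        return -1;
    }
    memcpy(dst, src, n + 1);
    return 0;
}

/* Returns 1 if path is a relative path with no ".." segment (either '/'
 * or '\\' counts as a separator), 0 otherwise. A segment like "..hidden"
 * is allowed; only an exact ".." segment escapes the base directory. */
int path_is_confined(const char *path) {
    const char *p = path;
    if (*p == '\0')
        return 0;
    if (*p == '/' || *p == '\\')
        return 0;                         /* absolute path */
    if (((p[0] >= 'A' && p[0] <= 'Z') || (p[0] >= 'a' && p[0] <= 'z')) &&
        p[1] == ':')
        return 0;                         /* drive-qualified path */
    while (*p != '\0') {
        const char *seg = p;
        while (*p != '\0' && *p != '/' && *p != '\\')
            p++;
        size_t len = (size_t)(p - seg);
        if (len == 2 && seg[0] == '.' && seg[1] == '.')
            return 0;                     /* ".." segment found */
        if (*p != '\0')
            p++;                          /* skip the separator */
    }
    return 1;
}

int main(void) {
    /* Constructed sample inputs, not taken from any real report. */
    const char *samples[] = { "docs/readme.txt", "../etc/passwd",
                              "docs\\..\\secret.txt", "C:\\boot.ini" };
    char buf[8];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-22s confined=%d\n", samples[i], path_is_confined(samples[i]));
    printf("copy fits: %d\n", copy_name_safe(buf, sizeof buf, "short"));
    printf("copy truncated: %d (%s)\n",
           copy_name_safe(buf, sizeof buf, "much-too-long-name"), buf);
    return 0;
}
```

The path check deliberately runs before any filesystem call: by the time the OS has resolved the name, the damage the post describes is already done.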
Security is not, and never will be, perfect, but it does make it harder for an intruder to pull something off. Florida in the late '70s probably had the most stringent security of any airports in the states (lots of cuban hijackers wanting to go home, etc.). Nonetheless, I was able to walk all over their security systems before I made the mistake of telling someone what I'd just done (asking for help, I was).
It's not that most home users aren't affected by viruses, it's that most home users don't notice when they're infected. Most home users don't have the money to pay for someone who can watch their network on an ongoing basis for signs of intrusion. Even fewer are geekheads like me who can look at the blinking lights on my hub, go 'where did that traffic come from' and then load up ethereal and/or go through my firewall logs (firewall? what firewall) to figure out if what happened was really benign.
Even businesses -- One place that I do occasional work (the only Unix-head in a sea of Windows) didn't know that they were infected until I noticed way too much traffic for the time of day and started up ethereal. I told their admin, he plugged the holes, and a little while later I found more signs of exploitation on their net. The last time I told their Windows admin about a problem, he had given up trying to secure their boxes. Spammers are still using their proxy boxes to deliver email but most major services (except Hotmail!) are refusing their connection, now.
If Al Quaida was using the thousands of 'benign' Windows exploits to set up a distributed meltdown of the internet, we wouldn't know it until after the pieces fell down. They spent 4 years setting up September 11. How much damage could they do with 4 years worth of Windows exploits?
OS Software is like love: The best way to make it grow is to give it away.
Isn't this kind of like saying, "Small Countries go Mostly Uninvaded" or "Girls Alone walk Mostly Unharmed"? The reason everyone gets worked up about these things is because of how bad a single incident can be.
Ever notice how all the replies here that get the highest scores are the ones that bash microsoft the hardest?
What a crock of user dung! I work at a WISO/ISP/Computing/Network engineering business; we get ten to fifteen machines a week infected with some variant of the newest nasty bug.
I have my own ideas of how viri get started. They include some far fetched conspiracy theories that I won't bother you good folk with.
My point being, windows holes do get exploited, and viri spread like user superstition and ignorance. It is a great big endless cycle. The great part about it? I get paid. Those users, while I loathe their inability to look for their own answers and have the pride of learning themselves, I do appreciate the fact that they come back and keep me in a job.
People usually don't say what they will do, and rarely do what they say.
I seem to remember BO affecting quite a few people.
"big guns such as Klez have had almost no effect on home users"
Bull!
I work at a PC shop, and at least lately, not a day goes by that I'm not cleaning Klez off a customer's PC. About half the time there's little damage.. But on a 98 box, well--I'm sure you all know how fragile they are.
Almost no effect? I think not!
do try this at home kids, click on one of them examples below, I dare you! ;-)
crashing test I: c:\nul\nul
crashing test II: c:\con\con
crashing test III: c:\aux\aux
crashing test IV: c:\clock$\clock$
crashing test V: c:\config$\config$
crashing test VI: file://nul\nul
crashing test VII: file://con\con
crashing test VIII: file://aux\aux
crashing test IX: file://clock$\clock$
crashing test X: file://config$\config$
Netscape doesn't crash at first, because the string to call a path is changed to file:///D|/c:\nul\nul. Upon entering c:\nul\nul in the URL without file:///D|/ you -do- crash Netscape and the Operating System.
(read Microsnot's response)
the original message in full, copied from some newsgroup:
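The "crash tests" in the post above all rely on one thing: a path component that names a DOS device (nul, con, aux, clock$, config$) rather than a file. A service that accepts filenames from the network can refuse those names before handing them to the OS. The block below is an added example of that check and is not code from the post or from any vendor it mentions; the function names are my own, and the list adds the standard COM/LPT/PRN device names, which I know to be reserved alongside the five the post uses.

```c
/* Added example: flag path components that name DOS device files.
 * Not from the post; function names are illustrative. */
#include <ctype.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* The five names from the crash tests plus the other standard devices. */
static const char *const RESERVED_DEVICES[] = {
    "CON", "PRN", "AUX", "NUL", "CLOCK$", "CONFIG$",
    "COM1", "COM2", "COM3", "COM4", "COM5", "COM6", "COM7", "COM8", "COM9",
    "LPT1", "LPT2", "LPT3", "LPT4", "LPT5", "LPT6", "LPT7", "LPT8", "LPT9",
};

/* Returns 1 if one path component names a device. The match is
 * case-insensitive and ignores everything after the first '.', because
 * DOS resolves "nul.txt" to the NUL device exactly like "nul". */
int is_reserved_device_name(const char *component) {
    char stem[8];                 /* longest reserved name is 7 chars */
    size_t n = 0;
    while (component[n] != '\0' && component[n] != '.') {
        if (n >= sizeof stem - 1)
            return 0;             /* longer than any device name */
        stem[n] = (char)toupper((unsigned char)component[n]);
        n++;
    }
    stem[n] = '\0';
    if (n == 0)
        return 0;
    for (size_t i = 0; i < sizeof RESERVED_DEVICES / sizeof RESERVED_DEVICES[0]; i++)
        if (strcmp(stem, RESERVED_DEVICES[i]) == 0)
            return 1;
    return 0;
}

/* Splits path on '/' or '\\' and returns 1 if any component is a device
 * name, 0 otherwise. Components longer than the buffer are truncated,
 * which is safe: a truncated component can only still match if its stem
 * (the part before the first '.') was a device name anyway. */
int path_names_device(const char *path) {
    char comp[64];
    size_t n = 0;
    for (const char *p = path; ; p++) {
        if (*p == '/' || *p == '\\' || *p == '\0') {
            comp[n] = '\0';
            if (n > 0 && is_reserved_device_name(comp))
                return 1;
            n = 0;
            if (*p == '\0')
                return 0;
        } else if (n < sizeof comp - 1) {
            comp[n++] = *p;
        }
    }
}

int main(void) {
    /* Constructed inputs: the post's own test strings plus harmless names. */
    const char *samples[] = { "c:\\nul\\nul", "file://con\\con",
                              "c:\\clock$\\clock$", "docs/report.txt",
                              "auxiliary/console.log" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-24s device=%d\n", samples[i], path_names_device(samples[i]));
    return 0;
}
```

Note that "console" and "auxiliary" are not flagged: the rule is an exact match on the stem, not a prefix match, which is what keeps the check from rejecting ordinary filenames.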
May I point out the word is virus, the plural is viruses. There is no such thing as viri; and the people who say virii are doubly wrong!
This is perhaps the same group of people who say CD's and CPU's. It's a bloody plural! There is no apostrophe!
Can we please god kill people for basic grammatical mutilations?
The very nature of closed source binary distribution, especially as practiced by M$, makes it impossible to fix bugs. The limited numbers of M$ developers are further hampered by NDA's and closed source than their numbers would indicate, because Software Development Kits (SDKs) needed by programmers of M$ junk cost money to replace. This creates a secondary source of unpatched binaries that continue to infect the world even after M$ has patched the problems in their own code. M$ may or may not fix the SDK or holes in their OS, no one can help them, and those that would help may not even benefit from M$ fixing the problem. This is amplified by confused users whose only way to fix problems of M$ bit rot is to "rebuild" the machine with the ancient unfixed CD that came with it. The only solution to this kind of problem is free software.
Friends don't help friends install M$ junk.
And knowing this problem with the Windows framework as a Sys Admin has driven me borderline NUTS for years now. Fortunately I'm in a position to _completely_ control OS' in use and have the patience to put up with a little pissing match from Microsoft.
:)
I went with DOS and then WFW3.11 at the office.
Of course the servers were Netware. Quietly I went from using Coherent to Linux at home...
Windows NT and 2K were each re-evaluated for use and lost in all my benchmarks and security tests. Thankfully Netware has won many rankings and Linux has also quietly slipped into the mix.
Actually moved Linux to the basement. Still "running the house" -- X10, files, web, email, dns, HV/AC, anything/everything.
OS X was a fresh breath after drooling over the NeXT years back. GUI of choice for myself at least.
Linux has since out numbered Netware for server deployments with thankfully sleep filled nights with -0- Windows server based deployments.
My first and original Netware 3.12 server still lives to this day. I can't bring myself to shut it down.
We skipped Windows 95 and 98 due to HORRIBLE networking issues. 98se made the desktops with 2K being a too quick replacement IMHO. XP has not even been a consideration nor does it appear to be on the horizon. Palladium is also a major turn off for privacy reasons.
In re-evaluating the Windows desktop situation at the office with the board of directors it was decided that for obvious _security_ reasons that the desktop environment should be AT LEAST a 50/50 mix of OS'. At no point shall any one operating system have 100% penetration into any facility.
Those X-Serve servers sure are looking interesting too... Behind Netware in operation today for server use is good 'ol BSD.
Unix at the left. Unix to the right.
I'm starting to think the writing is on the wall for Microsoft. Heck, on OS X I stay 100% away from their applications myself -- Word and Excel unfortunately excluded... I think there are six (6) viruses for OS X in the wild today. You can thank Microsoft and their applications for that...
Buffer overflows and just plain stupid programming and mistakes can (and will) happen. In dealing with the security problems with the various operating systems listed I can personally say that Windows, by far, is the problem child.
On a technology basis it is lucky to run spaghetti code IMHO. Ironic that my original training was for programming and I've done some development across all the platforms with the various tools. Nothing hard core by ANY means -- not since my college days at least. Microsoft's development platform isn't all that encouraging, but I'm not even close to being prepared to go into THAT debate.
I've found it both easier and cheaper to use/rape THEM (Microsoft) when I so see fit. Today I have yet to replace one (1) application that is in use on Windows today -- and that would be AutoCAD. Their days are numbered too -- unless they pull a Unix based release (again).
HHhhhmmmmm.... At least all the other users around me (family & friends) *have* been listening. 3 Linux users actually shocked me and literally everybody else has bought Macs. Of course I won't talk about the 20 or 30 other people running Linux that I've set up that couldn't/wouldn't afford the new Windows with a new PC or a new Mac.
No problem. Re-use the old equipment. A buddy of mine can't understand how his old P2-450 seems more responsive than his whatever-Ghz P4 running 2K.
Games? Playstation of course.
Microsoft has ticked off too many businesses on too many fronts AND hasn't been able to prove they can REALLY produce yet. Prediction within 10 years: they'll still be around as an APPLICATIONS and/or SERVICES type company. May Windows rest in peace...
Assuming for a second that this article is correct, which I doubt, there is still a major problem.
I live in a fairly good area, houses rarely get broken into, but my doors still have locks - and I still use them. Just because a hole is unexploited doesn't mean it is not a concern - and it doesn't mean it should not be fixed.
Here's a clue, guys: When Linux has 20% of the mainstream desktop market, then you can crow about how superior it is compared to Windows. Until then, you're bragging about a niche desktop OS that the vast majority of the mainstreamers haven't even heard of.
I'll give you an example: I use Outlook's to do list to keep track of my tasks. There's a feature where you can attach shortcuts to each task. I've found this handy; whenever I need to do my time sheet I just pull up the task and double click the shortcut inside of it. Now, in order to 'crack down' on security on my computer, I turned off a bunch of those handy-dandy features and found myself unable to launch that shortcut anymore!
Now, before you start saying "Oh, MS could easily fix that...", instead think about the real problem here. Either I don't use that feature at all, or MS has to think of every single malicious use of a feature and only allow the non-dangerous ones. Sorry, that's not a good solution. You're holding MS (or anybody else) responsible for other people's creativity.
Umm, you might fault M$ for not using the reasonable and common security model of unprivileged users to interact with an untrusted network. While I must congratulate you for figuring out how to make M$ and Lookout do things for you, have you ever considered the possibility of running Lookout as something other than "administrator" or super user so that tasks that can be assigned by others by email with links to malicious servers don't blow up your system files? Wow, what a concept. The rest of us will consider automatically executing code from email and tasks as root to be criminal negligence. Not only was M$ aware of the problem before it shipped Lookout, but everyone with a clue warned that the results would be catastrophic.
Now, what was your point? That M$ is insecure because it has so many "features"? Get real.
Friends don't help friends install M$ junk.
Yeah, most home users are so clueless that they fail to realize something is wrong. That, and most don't care anyways.
Like the idiot whose computer has been sending me Klez every 30 minutes while his machine is powered up for the past month (he is a Road Runner customer - yay, rah.) This despite actually looking him up and calling him on the phone to tell him that his computer is infected - weeks ago! He even admitted that he had caught Klez several times in the past few months. What an asshole!
I've tried and tried to get Road Runner's attention about it - by numerous emails and a few phone calls - to no avail.
Other than driving 600 miles to his state and kicking the shit out of him, what can I do? I'm sure everyone else in his address book is getting nailed, too.
--
Out of order? Fuck! Even in the future nothing works! - Dark Helmet (Rick Moranis) "Spaceballs"
Yes, but for the very same reason there is no need to act as if every possible exploit will bring about World War III. Oftentimes Microsoft is placed under a microscope when it comes to security and the smallest molehills are made into mountains that dwarf Everest. I read the security notices and the series of events that must occur for most of these exploits to be effective are so remote as to be near impossible to happen.
On a similar note, the Pinto had a very minor problem of exploding when in a rear end collision. It didn't happen to all of them, so nothing is going to be done about it. Also, select Firestone tires on Ford SUV's have been found to undergo critical failure and have tread separation. That is being ignored as well because it doesn't happen to everyone or that often. Do people check their brains somewhere before posting???
I turned off the intrusion alarm long ago because it popped off so often that I couldn't get anything else done.
Why would anyone want to run an exploit on my box? Ask the people who sent me Klez or have been running portscans or trying to get into port 137.
Tech Public Policy stuff
You mean thousands of slashdot articles have nothing to do with anything?
Well that settles my fears... As long as the security holes are going unexploited, then I don't mind having them.. (Yeah, i'm being a wiseass) Exploited or not, They still shouldn't be there, and when they are there, they should still be fixed ASAP.
-matt
I get Klez sent to me once a day, I never get it because my ISP has a virus scanner and so do I.
Who cares if most security holes are not *remotely* exploitable? It only takes one. Once I have access to your system, I can use all the others to elevate privilege.
Oh wait-- Windows 9x doesn't have a concept of permissions or privilege...
My point is-- weakest link principle: all it takes is one particularly bad hole and all the systems are easily compromised. Windows 9x security was way too brittle. NT is better, but again, locally exploitable holes might enable privilege elevation, thus making the security more brittle.
LedgerSMB: Open source Accounting/ERP
for an ISP and you can't tell me klez isn't affecting the home owners. Klez and bugbear have been killer.
...because the affected zealot is 1) too ashamed to admit he got hosed, and 2) is in denial to admit that even Linux is vulnerable.
Considering the level of denial and zealousness these Linuxati have, for every Linux exploit publicized, there are probably 500 that are kept secret. This post will probably get labeled as a troll/flamebait in an effort to censor this idea. Just watch.
Especially with a fine piece of ass, like Sylvia Saint, or even Anna Amore.
It's a shame that even though we try to discuss this problem, it seems that many don't get the point. This has nothing to do with any specific OS in question.
Both Windows and [place your OS here] will most likely have issues getting rooted if it's "Swinging in the Breeze" with your average user at the controls.
Also keep in mind that if all OS's were stock with a Firewall/IDS solution in place, they would break applications for users and that would cause YET another problem. NAT works well, but carries with it a set of unique issues for some (most commonly) game players.
User education is the best bet, but users don't want to take all the spare time they have to learn all the extra stuff they SHOULD know about owning a computer on a broad band connection.
We can only hope as time goes by, the now youthful who know something about computers because they grew up with them will slowly start to crowd out the script kiddies and bastards who are looking for the "Easy Kill" due to computer operation Common Sense!!!
This is a definite possibility. Think virus that overwrites the firmware of a CDRW drive, waits until a burn is attempted to a recordable disk, writes a bootable image to the disk, reboots the system, when the cd boots it deletes itself from the hard drive then automatically reflashes the bios and IDE HDDs, and Video firmware with junk. Then passes boot to the first sector of the hard drive. Or just shuts down the system. There are plenty of points of failure here (for the attack), but they involve user interaction and most users won't know what's happening and therefore won't react in time.
I find it amusing that after you have several pies in your face, for being lazy, tried a face save by saying that there are already pies in your face. Heh. You deserve more pies in your face. Here's another. Take it like a man.
Cheers,
e.
W32.Yaha.K@mm
e nc /data/w32.yaha.k@mm.html
Discovered on: December 24, 2002
Last Updated on: December 30, 2002 04:09:45 PM
http://securityresponse.symantec.com/avcenter/v
The exploits can be used for monetary gain. In that case the virus creator tries to keep things as quiet as possible.
A virus called jeem.pv is widely spread among those who use P2P clients from kazaa and morpheus. By various estimates up to 100K clients are infected. But the epidemic does not get much attention. Why? Because the virus is not doing anything noticeably bad to the infected computer. All it does is serve as a relay for spam. The spammer who created this virus got tens of thousands of stealth open relays which are largely not known to block lists.
Search google for jeem.pv, see for yourself.
There are so many security problems in Win 9x, let alone Win XP.
Who needs hundreds of bonus issues?
Most burglars do not take advantage of a loose second story window... they find a more common problem like a garage door left open.
The best anti-virus software can not stop a user from downloading that damn Bonzi-buddy. That crap software has caused more problems for my clients than any so-called virus.
-ted
I'm a 2 bit sysadmin for a small company and both klez and bugbear have managed to get through to various users, even though they had updated virus scanners. My boss' love of porno sites and porno mailing lists is a big boon for spyware on our systems.
The article is ludicrous because the real threat with exploits is to commercial systems, and I'm thankful that my bank uses a Sun JVM Java client (despite Java's crappiness, it is still the only language which has security in its design) and hasn't fallen for MS Passport. When and if they do I'm changing banks.
all the hackers are working on this.
DARPA intends to conduct a race of autonomous ground vehicles from the vicinity of Los Angeles to Las Vegas in 2004. A cash prize will be awarded to the winner. The purpose of the race is to encourage the accelerated development of autonomous vehicle technologies that could be applied to military requirements. Many of the details of the race are being developed. New details will be posted to this web site as soon as possible.
About Klez not affecting home users: Bu11$hit.
:(
My parents got it (by hotmail/yahoo I believe)
Fortunately, I was able to clean it off with Symantec's tool.
I also received it (By Outlook)
Since outlook tends to load script shit, even from a preview pane, it tried running it, and my virus scanner was not up-to-date. It was easily fixed, but it caused me to divorce Outlook for good. Actually I am happy, because that ended a crutch for my Windows addiction. Now I do all email in Linux!!!
Besides, saving email in plain text is a hell of a lot better than some damn encrypted .PST file which is unportable (though I think Mozilla can import those to some extent now.)
Patent: from Latin patere, to be open
I don't think your used strap-on dildos will ever be worn by Gnu/Hippies. If you are smart, wait don't answer, here's the information anyway...goto your phone booth, lookup "BDSM" in the index, choose an organization, and donate your used toys. For most value, I recommend you go onto eBay and sell your strap-ons. I watched someone's "barely used vagina" sell for $10 and it was that elegant Wendy Whitebread model! Oh wow, just imagine what your strap-ons would go for :O
In Sudan there are about 2 million landmines remaining, and there are more than 700,000 landmine victims since WWII.
"The average citizens wouldn't know a hack if it walked up and bit them," Sweeney said. "And many of the so-called landmines require a very specific event to occur and the odds are very slim that it will occur. "
Idiot. People care about security problems the way Sudan's citizens care about the landmine problem. The fact that the majority of them are not victims doesn't mean it's safe out there.
Well, while reading along I couldn't help but notice the gigantic Microsoft flash animation at the top of the screen. Not to jump to conclusions but MS is helping pay to keep wired up (either that or wired loves MS so much they'll give space away for free, take your pick).
I bet if people were a bit more paranoid about the insecurity of their OS, they'd start to notice that all their computing problems are MS's fault.
I haven't been hacked because I have a firewall and I use my windows machine for nothing but games and making sure my web page works right on IE for Windows (Does this thing comply with any standards or is it just me?). My friend's two firewall-less computers were hacked, however, and so have many other people's computers.
I have a feeling that one of these days one of Microsoft's competitors is going to launch a marketing blitz targeting these holes and pointing out that this isn't just "no big deal." With a small amount of effort you could install a keyboard logger and get credit-card/social security numbers.. important stuff that no one wants given out. That's what I call big shit, and maybe a couple of class-action lawsuits (over security holes) later, MS's PC OS division will be up "the creek" and crumble.
Bill Gates said himself: "If we make a flop in this market, we'll be dead in five years."
Latewire
http://www.theregister.co.uk/content/55/28515.html
This is news to me. I've personally had at least five clients who didn't keep up with their service packs and hotfixes who found themselves proud owners of Klez. All of them experienced massive data loss that cost their companies thousands of dollars of man hours. Anti-security/Pro-M$ FUD if you ask me.
"faster el-cheapo machine that often died on its own so it wasn't available to crackers."
so THAT'S microsoft's plan with windows! of course! *slaps forehead*
I'm self employed and I make my living by fixing computers. Most of my customers are home users.
In the last 10 months I have been called by 5 people with actual viruses on their PC. I have been called by 7 more people with problems directly related to anti-virus software (eg when installed it messes the system up, it has expired, etc).
The total I have charged for all this work is about GBP 1000, plus the cost of copies of Norton Antivirus.
I now have 4 people/families who use GNU/Linux + Kmail exclusively for email.
My school is continually scrubbing Klez from emails.
I have seen quite a few posts mentioning OpenBSD and just wanted to add that there is another interesting alternative for people that don't want to spend too much time on their firewall, but still want something pretty secure.
I know a few OpenBSD developers and was seriously considering using OpenBSD for my new firewall. Then suddenly the Mandrake Multi Network Firewall came out (slashdot article here) and I decided to try it out.
It's a linux firewall distribution that's very easy to install. Having finished the installation, everything can be managed from an easy-to-use web interface: System configuration, internet access, firewall configuration, VPN (server/client) connections, IPsec, backup and restore of the configuration, DHCP server, web cache server, dns caching server, system logs, url content filtering and more.
The default system feels secure (a normal user doesn't get to access anything) and the system also keeps track of what you're changing. I authorized ssh root access, which was quickly turned off. There's also a built-in intrusion detection.
The firewall itself is very easy to manage. You define different zones (wan, lan, dmz, ...) and set up the rules between them. No need to know that some services (such as ftp) need special configuration. I used a hand-written script on my linux box before, but this is a lot easier and more complete.
...the security holes exploit YOU.
I doubt that most of these things can be flashed in our modern protected mode OS's. That is usually the reason you usually have to boot off of a DOS floppy to flash your system and video card BIOS. Unless the operating system enables the proper interrupt line for the BIOS's flash mechanism, there would be no way for the CPU to pass along the message. This would generate an 'unhandled exception' error in Windows, just like when you try to do a lot of old school low level things that used to work in DOS. Unless the manufacturer includes the proper VXD or SYS file, with support for the flashing mechanism built in, I don't think Windows will allow it to happen.
The clash of honour calls, to stand when others fall.
I'm sure that thousands of people leave their keys in the ignition of their parked cars and never have their car stolen.
That doesn't make their cars any more secure.
Ryosen
One man's "Troll, +1" is another man's "Insightful, +1".
I beg your pardon but the person that came up with the word virii should be shot.
For starters: virus isn't a latin word (it is, but it means as much as mucus or slime)
Second: If you want to pluralise it in Latin it would be viri.
Third: Virusses!
I would not expose a linux box to the Internet any more than I would a Windows box.
Sorry to break the news to you Linux fanboys, but comparing Windows security to Linux security is like watching a Detroit Lions vs. Cincinnati Bengals football game.
I totally disagree with that statement, that it had no effect on home users. I work for a computer shop that sees countless klez infected machines walk through the door. The klez worm often carried another payload with it, and caused harm to the machine. It's pretty much a given that once you get a virus in windows, windows is screwed.
The US's lack of nuclear defense has never been exploited, but that isn't stopping it from building one.
If you run the old Mac web server, it can be DOS'ed by having 2 people hit your site at the same time.
Hartman - Jesus H. Christ! Private Pyle, why is your footlocker unlocked?
Pyle - Sir, I don't know, sir!
Hartman - Private Pyle, if there is one thing in this world that I hate, it is an unlocked footlocker! You know that, don't you?
Pyle - Sir, yes, sir!
Hartman - If it wasn't for dickheads like you, there wouldn't be any thievery in this world, would there?
Pyle - Sir, no, sir!
Obviously this reporter never had their Windows 2K box repeatedly hacked so that Windows slows to a crawl and the kernel hangs -- only to reboot and be taunted by some little *beep* (that hasn't seen sunlight since the introduction of xDSL)!!! Nor have they had the joy of reformatting, and changing their NIC in hope of resolving the problem -- only to be hacked by the same little *beep*!!! Since then I have been using Mandrake 9 as my primary OS -- and ALL ports are closed except for good old port 22!!!
I like my women how I like my sugar.. granulated.
If your argument is true, then why are Norton and McAfee Anti-Virus still for sale?
Of course I can agree that if one stops using windoze, one's 'unwanted cyber guest' problems seem to be greatly diminished...
This is one of those situations where you really HATE to bail out negligent, shortsighted companies. While these airlines are somewhat critical to our economy, it would be nice if the airlines could be saved while royally reaming the previous owners.
This sort of crap has always been foreseeable. That's why El Al puts a solidly locked door between the flight deck and the passengers.
American airline companies were overly cheap and complacent. They ignored security issues for decades while people continually "hacked" them. Finally, these "merely annoying" hacks mutated into something dreadful.
Computing will eventually have its 9-11. It will take serious loss of life for other American companies to take security seriously.
A Pirate and a Puritan look the same on a balance sheet.
A few days ago, I found myself defending my choice of alternative software to a semi-computer literate person. I use Windows, but never MSIE or Outlook Express for example, because I've found software which better covers my needs.
I was asked why I preferred this software, and among things like features, usability etc., I of course had to touch the subject of security. He got quite aggressive (yes, aggressive, like "why the f*** do you people think you are better than others for using alternative software?"), asking why I even bothered to use alternative software when it all came with Windows already and worked "perfectly". Well, I said that it didn't work "perfectly" for me, and most people should look for alternatives because of the many security problems.
His retort was basically that he didn't care. He simply didn't give a damn, because he had not experienced any problems.
He said that he scanned his system once and found 60-70 different viruses, but it didn't bother him at all because he didn't notice them.
I tried to explain that it might do damage behind his back, and it will certainly cause problems for others if he spreads viruses like Klez and other similar ones. Again, he didn't care. Why should he bother with other people's problems when he didn't have any himself?
I am not joking here, this guy just didn't give a damn. And in addition, he started ranting about how users of alternative software/operating systems all did so just to prove that they are better than others. And the problems caused by viruses is overrated and I was full of crap. (Let's see how many sysadmins agree with him on that...) He didn't even believe me when I told him that, no, my choice of software is based on what I prefer to use - what I find to be good software, and it is not an attempt to be "cool".
He is not the only one with that attitude.
So I find myself thinking that it is too bad that viruses and backdoors aren't more destructive to regular users. No, I know it's not very politically correct, but when they know that they cause problems for others and simply don't care because they don't notice it, I feel that they need to be faced with the realities of being connected to a network where your actions might affect others.
They need a wakeup call. The "I don't care because it doesn't affect me" attitude is dangerous.
I was so offended by this person that I simply left - I couldn't even be bothered to try and set him straight because he had already labeled me as an elitist asshole, and anything I said would just prove to him that I was.
The only thing that helps get the point across seems to be massive destruction, showing that not giving a damn is a bad idea...
Clever signature text goes here.
Your post:
"This seems a common sense. I don't think that anyone would be surprised that while the human body is vulerable to many things, most criminals prefer guns and knives. Were all lazy, or efficient depending on your point of view, and usually use the easiest method to acomplish the task at hand, if there is a well known and easily exploited hole, who should the cracker be expected to go find a new and completely different one just to 0wn j00?"
I found many spelling errors, many grammar errors, and many run-on sentences. To correct your speech, I must refer you to the following corrected structures:
This seems to be common sense. I don't think anyone would be surprised that the human body is vulnerable to many things; most criminals prefer guns and knives. We're all lazy, or [non-?]efficient, depending on your point of view. Usually, we choose the easiest method to accomplish a task at hand. If there are well-known easily exploited holes, is the cr4x0r anticipated to search for a new and completely different security flaw just to 0wn j00?
How do you like my corrections of your improper usage and omissions in your message? The first couple of sentences you provided were mysteriously vague, yet you have a good point in the last couple of sentences. Excellent insight, for both of us! If I had mod points, I would only give you a +2 because of your clean statements. I would give myself +2 also because my post appears to be offtopic and intentionally critical of your post; however, it is most helpful to improve the quality of slashdot's intellectual forum experience. Remember, all words spoken are a cosmic event!
We can tell from the user's profile if it's a P2P network program or a virus; viruses don't port-scan your entire network or spam your SMTP servers.
.NET Services to take your computer and your investment to someone else's control (NOT OURS/YOURS).
Internet Service Providers (ISPs) are not supposed to determine the security of their customers' software. Who are we to judge someone's software based upon someone port-scanning or spamming the SMTP server? Spammers are very much like viruses, yet they don't spread to use other resources without permission... oh wait, they do... Be thankful you have control of your software and your operating system... here comes
Also, proof-read your post dude! All words are a cosmic event!
Be careful. You know you are staring at me when the peephole you are using to stare becomes MY PERSONAL PEE-HOLE.
Don't look, unless you want my piss in your eyes. And yes, I piss on others and will not think twice before rubbing shit on your moppy hair.
The AC has a good point. What kind of software developer was hired to perform a task? Is the task involved competent of security? Hello, what programmers on slashdot are aware of memory leaks and which ones continue to use char * in their software? That is the difference between a good programmer and an ignorant programmer. Before anyone criticizes me, I'm not taking ignorance out of context; yes, anyone can be a good programmer when they sit down and think about the security in their software and not just its features. Unix software developers and Microsoft software developers differ in ideology, but they still stink. Unix is just a way of saying "cross-platform-intention" and Microsoft Windows is just another way of saying "only-platform-we-support-intention". Nothing was secure at first, yet Unix as a whole was able to account for the vulnerabilities much more effectively and solve/remove the exploits. However, each flavor of Unix is why the holes exist in the first place. GNU/Linux has its own set of holes, along with *BSD, Sun Solaris, SGI Irix, and IBM AIX. GNU/HURD would be a proprietary split and perhaps could take account of security issues and remote *exploits* much better. What you will never see in the Unix world, at least not yet, is OS-developer feedback between the competing products. Do you think Sun is going to document the SGI exploits? Or IBM document the Sun exploits? You'll never see Microsoft help Linux or *BSD development; they just mimic functionality or features...
Oh yeah, and why am I still getting hundreds of port 137 connections on the firewall every day, not to mention the 139 and 1433 and port 80 scans.
These are not script kiddies playing with port scanners; they are automated bots running on someone's WIN machine.
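The distinction the two comments above draw (worm-infected machines port-scan a whole network or hammer SMTP servers, while a P2P client simply talks to many peers on high ports) can be checked mechanically from a firewall's own log. The following is an added illustration written for this page, not code from any commenter or from the Wired article: the iptables-style log format, the addresses, and the thresholds are all constructed assumptions, and the set of "scan" ports is just the ones the commenter lists (137, 139, 1433, 80).

```python
"""Label sources in firewall log lines as worm-scan, mass-mailer, p2p or benign.

Added example for the thread above; log format, addresses and thresholds are
constructed assumptions, not taken from the page.
"""
import re
from collections import Counter, defaultdict

# Constructed iptables/syslog-like lines (assumed format, documentation addresses).
SAMPLE_LOG = """\
Oct 12 10:00:01 fw kernel: DROP SRC=198.51.100.7 DST=192.0.2.10 PROTO=UDP SPT=137 DPT=137
Oct 12 10:00:01 fw kernel: DROP SRC=198.51.100.7 DST=192.0.2.11 PROTO=UDP SPT=137 DPT=137
Oct 12 10:00:01 fw kernel: DROP SRC=198.51.100.7 DST=192.0.2.12 PROTO=UDP SPT=137 DPT=137
Oct 12 10:00:02 fw kernel: DROP SRC=198.51.100.7 DST=192.0.2.13 PROTO=UDP SPT=137 DPT=137
Oct 12 10:00:02 fw kernel: DROP SRC=198.51.100.7 DST=192.0.2.14 PROTO=UDP SPT=137 DPT=137
Oct 12 10:00:02 fw kernel: DROP SRC=198.51.100.7 DST=192.0.2.15 PROTO=TCP SPT=1030 DPT=1433
Oct 12 10:01:10 fw kernel: ACCEPT SRC=203.0.113.5 DST=192.0.2.20 PROTO=TCP SPT=6881 DPT=51413
Oct 12 10:01:11 fw kernel: ACCEPT SRC=203.0.113.5 DST=192.0.2.21 PROTO=TCP SPT=6881 DPT=40211
Oct 12 10:01:12 fw kernel: ACCEPT SRC=203.0.113.5 DST=192.0.2.22 PROTO=TCP SPT=6881 DPT=6882
Oct 12 10:01:13 fw kernel: ACCEPT SRC=203.0.113.5 DST=192.0.2.23 PROTO=TCP SPT=6881 DPT=22811
Oct 12 10:01:14 fw kernel: ACCEPT SRC=203.0.113.5 DST=192.0.2.24 PROTO=TCP SPT=6881 DPT=35770
Oct 12 10:02:00 fw kernel: ACCEPT SRC=192.0.2.50 DST=198.51.100.25 PROTO=TCP SPT=3344 DPT=25
Oct 12 10:02:01 fw kernel: ACCEPT SRC=192.0.2.50 DST=198.51.100.26 PROTO=TCP SPT=3345 DPT=25
Oct 12 10:02:02 fw kernel: ACCEPT SRC=192.0.2.50 DST=198.51.100.25 PROTO=TCP SPT=3346 DPT=25
Oct 12 10:02:03 fw kernel: ACCEPT SRC=192.0.2.50 DST=198.51.100.26 PROTO=TCP SPT=3347 DPT=25
Oct 12 10:02:04 fw kernel: ACCEPT SRC=192.0.2.50 DST=198.51.100.25 PROTO=TCP SPT=3348 DPT=25
Oct 12 10:02:05 fw kernel: ACCEPT SRC=192.0.2.50 DST=198.51.100.26 PROTO=TCP SPT=3349 DPT=25
Oct 12 10:03:00 fw kernel: ACCEPT SRC=10.0.0.9 DST=192.0.2.30 PROTO=TCP SPT=51200 DPT=443
this line is junk and must be ignored by the parser
"""

LINE_RE = re.compile(r"SRC=(\S+) DST=(\S+) PROTO=(\S+) SPT=(\d+) DPT=(\d+)")

SCAN_PORTS = {80, 137, 139, 1433}  # the service ports the commenter sees scanned
SMTP_PORT = 25
MIN_SCAN_HOSTS = 5   # one service port tried against this many distinct hosts (assumed)
MIN_MAIL_CONNS = 5   # outbound SMTP sessions before we call a host a mailer (assumed)
MIN_P2P_PEERS = 5    # distinct peers, each on its own high port (assumed)


def parse_line(line):
    """Return the SRC/DST/PROTO/SPT/DPT fields of one log line, or None if it has none."""
    m = LINE_RE.search(line)
    if not m:
        return None
    src, dst, proto, spt, dpt = m.groups()
    return {"src": src, "dst": dst, "proto": proto, "spt": int(spt), "dpt": int(dpt)}


def summarize(text):
    """Build src -> dport -> {dst hosts} and a (src, dport) -> connection counter."""
    per_src = defaultdict(lambda: defaultdict(set))
    conns = Counter()
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        per_src[rec["src"]][rec["dpt"]].add(rec["dst"])
        conns[(rec["src"], rec["dpt"])] += 1
    return per_src, conns


def classify_source(src, ports_to_dsts, conns):
    """Apply the thread's heuristics to one source address."""
    # Worm-style scan: a single well-known service port tried against many hosts.
    for port in SCAN_PORTS:
        if len(ports_to_dsts.get(port, ())) >= MIN_SCAN_HOSTS:
            return "worm-scan"
    # Mass mailer: a client host opening many SMTP sessions to several mail servers.
    if (conns[(src, SMTP_PORT)] >= MIN_MAIL_CONNS
            and len(ports_to_dsts.get(SMTP_PORT, ())) >= 2):
        return "mass-mailer"
    # P2P: many peers, each reached on its own high port, no service-port concentration.
    high_ports = {p for p in ports_to_dsts if p >= 1024}
    peers = set().union(*(ports_to_dsts[p] for p in high_ports)) if high_ports else set()
    if len(high_ports) >= MIN_P2P_PEERS and len(peers) >= MIN_P2P_PEERS:
        return "p2p"
    return "benign"


def classify_log(text):
    """Map every source address in the log text to one of the four labels."""
    per_src, conns = summarize(text)
    return {src: classify_source(src, ports, conns) for src, ports in per_src.items()}


if __name__ == "__main__":
    for src, label in sorted(classify_log(SAMPLE_LOG).items()):
        print(f"{src:15s} {label}")
```

The thresholds are deliberately crude; on a real firewall you would tune them per site, add a time window so a slow scanner is not missed, and treat the labels as a triage hint rather than proof, which is exactly the ISP's dilemma the next comment raises.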
You're still an idiot.
It took 300 years to build and by the time it was 10% built,
everyone knew it would be a total disaster. But by then the investment
was so big they felt compelled to go on. Since its completion, it has
cost a fortune to maintain and is still in danger of collapsing.
There are at present no plans to replace it, since it was never
really needed in the first place.
I expect every installation has its own pet software which is
analogous to the above.
-- K.E. Iverson, on the Leaning Tower of Pisa
- this post brought to you by the Automated Last Post Generator...
In dwelling, be close to the land.
In meditation, delve deep into the heart.
In dealing with others, be gentle and kind.
In speech, be true.
In work, be competent.
In action, be careful of your timing.
-- Lao Tsu
- this post brought to you by the Automated Last Post Generator...