SecurityFocus On MS Security "Hole"
friday2k writes "There is an interesting writeup at SecurityFocus that puts the latest security 'hole' in XP into perspective. It is a worthy read and should remind us all of the real issues out there." And it collects into one place much of the flak I caught after posting about the claimed security hole opened by the XP Recovery Console.
So what you're saying, what, that goat guy is actually Bill Gates?
If as many people tried as hard to find security holes in OSX or Linux, there'd be reports for those daily as well.
I mean, if I wanted to hork data off of a system I had full physical access to, I'd just grab the drive, stick it in my pocket, and walk out whistling "Jimmy Crack Corn and I Don't Care."
Now I can't get that song out of my head!
Decimal caused this. Anybody else hate decimal?
Anybody else stunned that Slashdot posted an article about MS that didn't involve an explanation as to how they're incompetant?
Just another bug in the list.
It's flamebait, and you know it.
.. but he is right about the physical security. Not long ago I walked a client several hundred km away through an OpenBSD boot via floppy so he could change his forgotten root password. I don't hear the masses screaming for Theo's head because this is possible.
Trolling is a art,
This appears to be a problem using the win2k recovery console on a winxp install, not the XP console.
And all it allows you to do is copy files around. Whoopty do. Pop in a linux boot floppy with ntfs support and do the same thing, only easier (because the win2k recovery console doesn't support wildcarding; lame.)
Once the general populace knows about a problem, the media has to say something, because how would it look if they didn't report on a new trend? Suddenly everybody "knows" about the problem, even though it does not exist.
I can't say that I don't give a fuck. I've just run out of fuck to give.
I mean, first, tons of dupes, now it's this. Don't they understand what Slashdot wants?!
... who still thinks the Registry is a bad thing?
(comment to be taken lightly. Should irritation persist, chill.)
"Derp de derp."
[I posted this on SecurityFocus.]
Actually, it is CRITICAL in one aspect.
If Avaya's security consultant Ken Pfeil is correct when he said:
"If the system is a member of a workgroup and not a domain, you can just change the user's password that the file was encrypted under," Pfeil said. "Then you can log on as that user having access to the encrypted file."
Then EFS is useless in the standard configuration for protecting hard drives. Specifically, hard drives on LAPTOPS, which frequently get stolen.
Most likely this is an IMPLEMENTATION issue, though, and NOT a "hole" in XP. It sounds like the certificate/key used for EFS is stored on the drive, and the password for it is tied to the Workgroup/Domain password. The certificate/key really needs to be stored on a USB key or other removable media, so it can be kept separate from the system.
Encrypting files/folders/partitions on hard drives is supposed to guard against exposure EVEN WHEN CONTROL OF THE SYSTEM IS COMPROMISED!
Case in point -- laptops. What is the point encrypting data on the drives if when stolen, the machine can be consoled and the password changed, opening all the files?
I do not know if you can move the certificate/key off to removable media. If you can, like I suspect, then it is an implementation issue and not a "hole". If not...
You are right in that it was overplayed as a major catastrophe, though. For almost all other cases, if you've lost control of the hardware, you're screwed.
-Charles Hill
Learning HOW to think is more important than learning WHAT to think.
Journalistic integrity? Man, which world do you live in?
No doubt.
--sex
Decimal is base 10 as opposed to base 0x10.
I'm with the author on this one. I dislike MS as much as the next guy, but I'd WANT a recovery disc to dump me at a prompt if the data files were corrupt. If the files on the drive are THAT important, they should have been encrypted anyway...and if I was the admin of the box, they would already be encrypted.
I have nothing to worry about.
Tim Mullen is probably the most notorious apologist for Microsoft in the security community. He is known far and wide for his articles (accompanying every notable security problem with a Microsoft product) which attempt to downplay exposure and combat anti-Microsoft hype.
In this particular case (as per his MO), Mr. Mullen attempts to downplay the threat involved in this situation by first declaring that it is desired behavior (it's a feature, not a bug), and then addressing the most poorly researched articles from a press that we all recognize can't get its facts straight.
Sure. The press is often whack on this stuff. Sure, the Recovery Console is doing what it's intended to do. However, is what it's intended to do unacceptable? Is it still unacceptable, even though the press doesn't understand it?
Mullen's logic seems to be, "Hey, it's not a 10 on the panic scale, like some say it is, so it must not be on the panic scale at all."
Seventh graders in debate club recognize this logic as faulty.
Paper Pusher
"And it collects into one place much of the flak I caught after posting about the claimed security hole opened by the XP Recovery Console."
Now if we can just collect all of Timothy's mistakes into one place.
News flash: this is expected, and desirable, behavior. The Win2k RC can't read the XP registry, so it thinks it is a corrupted Win2k installation. When it can't verify the SAM, it bails out to the console. Administrators want this behavior. If you have an installation on which some third-party driver has hosed the registry, the Recovery Console will allow you to attempt to fix it. That's what "Recovery Console" means.
No, recovery console does not mean to bypass the password set by the administrator. It means to recover data that has been lost due to reason "foo".
While I don't see it as being that big of a deal (you could do it with any OS's boot disk, I suppose, or even a LILO prompt on a Linux machine), I think it is an odd bit of information that should be known.
Media organizations know they get eyeballs when their audience is afraid.
Ignorant and afraid of terrorists? Watch Fox News.
Ignorant and afraid of hackers? Read Wired, or WinInformant.
Maybe we should be afraid of ignorance, instead.
Laugh at my Lisp and I keeell you.
This isn't a security flaw.
This is desired administration behavior. The Win2k disc can't deal with the WinXP registry properly, so it goes straight to recovery mode. Recovery mode is pretty much useless to begin with, and you can't really do anything to a system in recovery mode.
Besides, if you can physically walk up to the computer in question and boot it from a CD in your pocket, your security problem doesn't come from Windows - it either comes from a BIOS that doesn't support changing the boot order, or it comes from between your ears.
When banner ad revenue for a media outlet becomes more important than accuracy, it's time to find a new profession.
Try reading the article next time.
Well, it has never been successfully tested.
does XP Recovery Console run on Linux?
"Instead of wasting space on functions that are not even vulnerabilities, they should be covering issues like Oracle's "unbreakable" applications having yet another series of remote buffer overflows that took six months to fix. They should be covering the fact that in order to get the patches for Oracle, you have to pay for them under a service contract. If Microsoft tried something like that, angry mobs of protesters would pull Bill Gates from his own home like a group of crazed Colombian soccer fans and bind him to a whipping post. "
Although the last part about whipping arouses me in a peculiar way, I'd much rather see Larry Ellison's claims being dissected and put into context. Sure they are a marginal player in most markets, but in the enterprise application business they really advertise aggressively and not so truthfully.
Seeing the tech press just relaying a story like this only confirms the notion that there are no journalists that understand tech, and no techies that understand journalism.
Oh, I can't help quoting you because everything that you said rings true
To quote an MS employee, "A case of beer to whoever manages to get this article on the slashdot front page."
That's patently untrue. It's a well-known fact that Microsoft's security problems are not due to exposure alone.
Microsoft's development model is fundamentally flawed from a security perspective, because it squarely places featureset additions above security. The corporate culture at Microsoft is and always has been more about gaining marketshare than about anything else.
It seems that there are differences in security, above and beyond the monopoly domination Microsoft enjoys. How many ISPs use FreeBSD to run their servers? Hmm.. I wonder if there's more to it than just speed and the fact that FreeBSD is Open Source.
I'm not alone in my assessment. There's this security guru named Bruce Schneier. Perhaps his name has crossed your desktop at some point. He's contemplating getting a Mac, because he is tired of hassling with security problems on his Windows machines.
Read the EFF's Fair Use FAQ
In contrast, I know SQL Slammer was reported day-of. In this case, a free patch was available six months prior to the worm. And let's face it: if the patch is available but not applied, it's not Microsoft's, Oracle's, Linus's, or any other vendor's fault--only the SysAdmin in question.
One major difference was that SQL Slammer took out several networks, where Oracle did not have such impact.
To /.'s credit (and I'm going mostly off memory), the big critique was on the DB admins, not on Microsoft.
I totally agree on this - I've been doing Win2k installs for a few years now, and I'd have had to totally scrap god knows how many systems if it weren't for the recovery console.
And the fact that you can use the Win2k boot CD to log in without a password isn't a bug, or even a security hole, it's simply the fact that MS didn't require a password to use the Console in Win2k.
What do the critics want MS to do? Recall and patch every single Win2k boot CD?
sig:- (wit >= sarcasm)
Step 1: Install Debian (because Dead Rat sucks balls; Debian r000lz!!!!11!1!) Or so the guys in the aol chatroom "coldice" tell you.
Finally, math books without any of that base 6 crap in them.
I could install a rogue program (keylogger/backdoor etc.) on an XP machine through the 2k recovery?
if so, it is an issue. espionage is a serious threat.
The Kruger Dunning explains most post on
How is this informative? He states very clearly in the article that he is discussing booting the win2k recovery console on a winxp machine! And on top of that it isn't a backdoor to winxp any more than booting trinux would be! Will someone please mod this down...
Fnord.sig
People forget passwords.
Especially if they're 'smart users', and never run in root. Sure, they should have it written down, but that piece of paper can get lost, and might not be able to be kept reasonably secure.
Thus, would you rather have a box marginally more secure, or would you like to be able to log in if that little piece of paper gets lost?
Physical security is a no-brainer. If you find that you have to sit down and think about it now, you've been doing something seriously wrong for however long it is you've been running a computer.
So what's the deal? You see an article with "Windows" or "Microsoft" and "hole" or "exploit" or "fundies" and you automatically hit reply and type in some snively childish remark to whore some karma? Or are you just plain bored?
Overrated Moderation: This post sucks... because.
Step 3: boot from any Linux boot disk, because this entire thing presupposes you have physical access to the machine, and the floppy is bootable.
Step four: Mount the physical disks.
Step five: do whatever you want to the data.
Vintage computer games and RPG books available. Email me if you're interested.
If they reported _every_ M$ bug on Slashdot all the good articles would get pushed off the front page.
As opposed to now, when all the good stories are getting pushed off the front page by reposts, you mean?
sig:- (wit >= sarcasm)
Whether or not, in this particular case, the reported exploit is not the vulnerability described, there have been so many valid, exploitable, preventable, denied by Microsoft, bugs/cracks/flaws/exploits/holes that Microsoft is presumed guilty from the get go. And considering their programming and their behavior following, this is to be expected. They've created an atmosphere where the logical, understandable response is to mistrust them. That's their doing, and they're the ones to fix it (if at all possible).
Yes, but one would still:
Step 3: Set BIOS password
Step 4: Disable floppy and CD boot
etc.
etc.
and restrict physical access.
Same difference.
it either comes from a BIOS that doesn't support changing the boot order
This is only useful assuming that your BIOS is password protected AND/OR the person doesn't have physical entry into the case thereby allowing them to zap the BIOS parameters.
Well it would be if it actually worked. But it doesn't.
PHYSICAL SECURITY. This is the first tenet of network security. Prevent the box from being accessed by those who should have no access. This tenet, however well implemented, is absolutely useless if the baddies that mean your network harm are INSIDE the network, which in 75% of cases is true. It's a sad-assed day indeed when your own employees are the evil that is supposedly lurking outside the firewall.
Step 4: Ummm, they didn't teach me how to do that in MCSE boot camp.
The parent is not off-topic, unless you didn't read the article.
If this is a hole then so is the fact I can mount your ext2fs /home partition from a boot floppy and ftp all the filez there to wherever I want them to reside. Actually the linux "hole" is worse, as it has infinitely more powerful command-line tools available to a bootflopper.
People fear the Internet and what a hax0r could do to their PC, but (as this article proves) give me physical access to your machine and I could do more damage to you than 99.999% of crackers ever possibly could - and that's only because I'm not enough of a bastard to [root@localhost /]% rm /*/* on my way out. Know your enemy, he's probably a family member.
-Mark
BIOS is almost as easy to get into as a loaf of bread, no real protection there.
this is the kind of hole that people who perform espionage love.
Stealing a machine might make you a few hundred dollars; getting useful information on a regular basis is what will get you hundreds of thousands of dollars.
The Kruger Dunning explains most post on
Step 5 - Set GRUB password
Step 6 - Fire all MCSEs
So then, you're saying that if a hacker couldn't get a super-secret XP recovery disk, he could use a much more readily accessible W2K disk? Wow. Now I'm nervous.
Seriously. Yea, a stupid error was made and several sites reported on it. I am supposed to feel bad for Bill, or do what Tim Mullen says and "Give Bill a Break"?
No, I won't be giving Bill G. a break. I'll continue to point out that billions of dollars in virus damage are done every year and MS is responsible in the vast majority of the cases. If MS occasionally has mud kicked in their face, well, too bad for them. If there is such a thing as karma then MS has a lot more of this coming. I for one don't pity them based on the dirty illegal tactics they've been using for a decade now.
MS doesn't get nearly enough flak for the amount of damage their poorly coded software causes. Maybe if more articles are written which say how bad MS software is, MS might actually have to be accountable one day. For me that day can't come soon enough.
If you wanna get rich, you know that payback is a bitch
So where are all those slashdot "security experts" who bashed MS over this one?
Listen up! I come to Slashdot for one thing only: Microsoft bashing. If I want to read pro-MS stuff I'll go to -- um, some site that people talk about how great Microsoft is.
This is too much. Let's hope it's not the start of a trend. Thank God I didn't subscribe.
Ceci n'est pas une pipe.
So what do you recommend for encrypting laptop HDDs? PGPdisk?
Actually, EFS *might* be fine. And, PGPDisk *might* have the same problem, if implemented the same way.
What I recommend is the same thing the PGP/GPG people recommend -- keep your secret key on a removable device. For a laptop, something like a removable USB key. They are starting to get cheap, and you don't need a ton of memory. You can get a 32 Mb "pen drive" at BestBuy for $30.
Learning HOW to think is more important than learning WHAT to think.
No, he's right! All these people are doing is installing [Linux|OSX] on servers just hoping nobody's going to spend the time h4x0ring them.
And for some reason, they just get left alone! Yes, that's why Linux is so lean! They just don't put in any code for checking things like passwords, buffers etc. because nobody even tries to hack into any OS if it isn't windows...
God forbid any h4x0rs read the Linux source, lest they find all the /* FIXME - we probably should compare the password entered with the hash in /etc/shadow, but nobody reads this stuff anyway */
Yes, Linux affords security only through obscurity. Anybody reading the source code could find 10 security holes in as many minutes eh?
The fact of the matter remains that you can use this method to access files in the file system. The author's downplaying of this by mentioning that it takes 5 minutes for the console to load and that it's difficult to copy files to a floppy is weak argumentation.
The author does not seem to understand the principle of the thing. I've never tested this, but if you can copy files, then can't you rename them? How about deleting files?
He's just playing the odds. They're about: buffer overflow:1
the media blitz on this subject is certainly indicative of their lack of sophistication on the subject. but, given that many other, seemingly more techno-able sources came through with this story, it's not particularly blameworthy. It's believable because it fits into a pattern.
Microsoft has a history of having gaping security holes in their software. in this instance, a reported bug wasn't what it was made out to be. but I'm sure I'm not the only person who thinks that Microsoft and Security Flaw are nearly synonymous.
sweatyb
It breaks my pluginses, my precious!
A moron on slashdot??? Who would have thought it....
I'm not, or at least I don't understand his passion and personal defensiveness. So a few blow hole Windoze rags got all excited? Could it be that those rags got upset because they actually think Microsoft "Security" is improving just like Bill Gates says it is? Why is Tim Mullen acting so offended? He wrote much of the article in the first person, using "I" no less than sixteen times. "Give me a break", he cries, "When banner ad revenue for a media outlet becomes more important than accuracy, it's time to find a new profession." Is someone putting undue pressure on poor Tim? Like a major sponsor looking for damage control?
Others are pointing out that Tim might have gotten the bit about "administrator" access wrong, and that's important. The administrator may have control of tools that conceal his presence in a way that makes it easier to alter the system. Undetected system alteration is more damaging than simply digging up data. It gives the perpetrator access to data present and in the future, undetected. That's far worse than stealing a hard disk and a good reason to take the five minutes (typical M$ efficiency!) to boot that way. It also justifies the use of the W2K boot disk over a Linux disk, though it's nice of Tim to portray Linux as the ultimate cracker tool. The only thing worse than no security is security that impedes and lulls the user but aids the cracker.
"What, me worry?"
DMCA, Hollings, Palladium. What might have sounded like paranoia is now common sense.
And it collects into one place much of the flak I caught after posting about the claimed security hole opened by the XP Recovery Console.
Anyone else find it funny that when Slashdot apologises for an error, it still links to another article?
I don't agree.
Those who say it is not a security issue feel that it is OK for the administrator to forget the password and to have some sort of backdoor that can help in that case. I say, if you really want a secure system, ask for that password anyways. You are compromising security to allow cover for root password forgetfulness.
C'mon, it CAN be exploited. Think not? Think again.
Seems to me this whole issue is a direct result of MS's tarnished brand. Why bother doing research to find out if this weeks security hole is bogus or not? Microsoft's brand is so coupled with "security compromise" you don't need to prove the case anymore to attain public credibility.
I have a second sig, I call it sig#2.
I have subscribed to Security Focus mailing lists and read their site for about 2 years, and by default I ignore anything Tim Mullen writes. To me it appears his role as a writer at Security Focus is the resident Loyal Microsoft Lackey. Check for yourself, I bet every single article he has written talks about how good MS is, or how they have been wronged, or how he is tired of people bashing Microsoft, or how the latest MS security flaw 'isn't that bad.'
MAN I wish I caught this story earlier, so I could have posted earlier =\
An IT manager who runs a computer center with lots of servers and personnel wants to be sure that the servers are secure even from some of his employees. One thing that they don't want is some disgruntled employee elevating his security level and then doing massive damage just before he quits.
What this means is that for servers, being able to elevate one's security level, even for people with access to the box, is not a good thing.
The race isn't always to the swift... but that's the way to bet!
Sorry, but your skills in spelling the word "competent" won't get you very far in this market. There just isn't as much of a demand for a professional "competent" speller as there used to be.
"Question with boldness even the existence of a god." - Thomas Jefferson
This is also the way to solve the problem of "getting any work done."
Hey freaks: now you're ju
Posting a page that says
This article has now been archived. It is available for GBP 50+VAT. If you are already a member of the Inner Sanctum you will be entitled to a 50% discount. To retrieve the original article please fill out the order form.
is hardly good evidence.
Even if a default password doesn't get them through the BIOS, you can open the case. Then either muck around with the BIOS jumpers, or for the impatient, slip the HDD into your cargo pants, and head home.
Yes, the GRUB password prevents someone from booting another image / device. Even though I have a BIOS password set, I don't expect it to get in anybody's way should they want access to my machine, and I'm not in between them and it.
Step 3: boot from any Linux boot disk, because this entire thing presupposes you have physical access to the machine, and the floppy is bootable.
Step four: Mount the physical disks.
Step five: do whatever you want to the data.
Step six: Profit!
Only in former Soviet Russia.
Sigs are bad for your health.
Physical access aside, the only security hole worth mentioning/fixing is one that requires shutting down desired port access or filtering packets on said port. Everything else is operator/admin error.
"If the system is a member of a workgroup and not a domain, you can just change the user's password that the file was encrypted under," Pfeil said. "Then you can log on as that user having access to the encrypted file."
I'm asking this honestly, not trying to be a smartass. Yes, this sounds like it would theoretically work, except that I believe that the EFS keys are actually encrypted with the user's password. Therefore changing it, while it would change the password for the account, would then make the EFS data inaccessible since the password is no longer the correct one to open the files.
I don't have a test system available to try it on right now, but based on what I've read about EFS and other experience I've had with it, I believe that this is the case. Windows XP specifically warns you NOT to use the user manager as an admin to force a password change since it will screw encrypted data.
So try it, install XP on a system, encrypt some data, then use some boot-time password changer program to change the password. See if you can get at the data (by get at it I mean open it up and use it, not just get a list). I suspect you won't be able to.
Since the registry is updated basically anytime anything happens, it is reasonable to make a backup of it periodically (certainly before you install a new program or piece of hardware, if not weekly).
BTW, binary files are usually much smaller than equivalent ascii files. E.g. integer numbers less than 2^8 (256) take up 1 byte in binary, but up to 3 in ascii. 2^16 (25536) takes up 2 bytes in binary, and up to 5 in ascii. Character information takes up exactly the same amount of space. Therefore, the registry should be in binary to save space.
Gallium Arsenide is the material of the future, and always will be.
Indeed, if a particular system were more vulnerable than Windows then crackers would scan for that system and attack it. Opportunists go for the easy prey, not necessarily the most common thing. You can find non-MS nodes on the internet if you look - that's not a problem.
In a domain, the Administrator account for the forest root domain is the recovery agent. Additional recovery agents can be assigned through the domain group policy object. The certificates are self-signed if no CA (Certificate Authority) is configured. Any recovery agent should export the private key to removable media and lock it up in a secure place and keep another secured copy off site. Delete the copy from the forest root's first domain controller.
On a stand alone server or workstation (not a member of a domain), a self signed certificate is generated for use and the local Administrator account is the recovery agent. The private keys for the administrator and your own user account can be exported to a floppy or other removable media and deleted off the computer. Another copy should be kept in another secured location in case the first gets burned down, stolen, corrupt, etc. Make sure the floppy isn't in the laptop carrying case, otherwise the thief will have your private key when he takes the whole bag.
Another important thing to note is that the document is decrypted in memory and a clear text copy isn't put on the drive. A hacker going through your drive, looking for deleted temp files will be wasting time. If you want to be extra paranoid, configure windows to clear the page file at shutdown.
If you really want to learn this stuff, read this book. I found it to be extremely educational and was the only book to explain certificate server to me effectively.
-Lucas
Windows NT and 2000 MCSE
Indeed. And not only featureset but usability and user-friendliness factor are also placed above security issues. :)
As a result we have a dominant OS that's insecure and a secure OS that's mostly unusable by anyone who is not a third generation sysadmin. In all that rush no one had the time to write an OS that is BOTH secure and user-friendly. Flame away.
Part of the article is also pointing out that Oracle has just pulled some MS style delays, and maybe worse because of the need to pay for a service agreement, yet the only report was that Oracle fixed the holes. No mention of how long they were there, etc.
Put into perspective, if MS Windows may be the largest base of PC OSes out there and deserves to be dissed like crazy, then Oracle is the largest base of DB "OSes" out there and also deserves to be dissed like crazy.
The reality is that security holes must be reported fairly, evenly, with all the facts. OSS fans don't need to be afraid of that; the turnaround times on the patches and the definite lack of finger pointing will make them look good every time. But throwing near, but not quite, terrorist-level rhetoric at any security problem only causes panic, draconian, overkill rules .... (Insert Ghostbusters quote here)
I don't see things in black and white; I see the gray. Heck, I actually see in color, which makes things more difficult
Step 6: Profit :)
MS has worked hard at creating an atmosphere of extreme distrust towards them. And since they've repeatedly denied/misled the press on real, dangerous exploits, it would be disingenuous of them to request fair reporting on security problems.
We have nothing to ignore, but ignorance itself!
I just thought of this:
For years, like its whole life as a company, Oracle has been known to sell non-existent features and walk away with your money and no or little support. In the late 80's or early 90's this was a major PR and sales problem for Oracle. For the life of me I can't see a whole lot of change in their sales approach, so I just figured out they've managed to hit the saturation wall. There was so much flak about Oracle sales people, reviled worse than used car sales people (who at least could feel good that there is someone lower than they are, according to one old, old joke), that it just isn't news anymore.
So, maybe MS's long term plan is to mess up sooo much on security that it's no longer news at all. Then after 5 or so years, everyone will have forgotten that they have a bad security record, because "everyone knows MS has bad security!"
I don't see things in black and white; I see the gray. Heck, I actually see in color, which makes things more difficult
I believe the guy(s) who did "Scramdisk" have a commercial product (forget what it's called at the moment) that allows you to encrypt entire Windows partitions (must specify decryption password to boot). Can probably find it with a little googling (is that a lawyer I hear?).
Another bug bites the dust.. *sings*
kinda trolly and offtopic, but I couldn't help it to get that song in mind... aaaand another bug bits the dust... la lallala
I'm trying out Advanced Registry Optimizer (http://www.systweak.com/aro/adv-registry.htm) and it seems to help some, but I'm not 100% certain yet. It will clean out and optimize the registry in a matter of minutes.
It appears to help, but YMMV.
Government's idea of a balanced budget: take money from the right pocket to balance...oh who am I kidding?
It doesn't matter how many users it has because the users won't be looking for security holes in the first place. So if you put 10 Windows users in a room, none of them would know much about these things. Put 10 Linux users in a room, and you increase the chance that you'll find a real hacker. I'm a Windows user myself, so I'm not trying to sound like an elitist bastard. I haven't even uncovered any security holes in my life.
But it is difficult to determine this case, as there are a lot of questions and too few answers.
Let us instead look at a piece of software where the numbers are reversed - where Microsoft's product has only a small part of the market.
I am talking about the open-source Apache HTTP server, vs. Microsoft's IIS.
Apache has 60-70 per cent of the web server market. IIS has less than 30 at the moment. Yet, despite these figures, Apache has had far fewer known security issues than IIS. How does this fit with your question? Obviously, there are a lot more eyes on Apache due to its large market share?
So how does IIS come out so crappy when it comes to security?
I think we can come to the conclusion that your "it's not as frequently used so very few are looking for security holes"-like statement simply does not make sense. It is a myth. FUD?
Clever signature text goes here.
you forgot,
Afraid of the gov't, read slashdot.
Afraid of big companies, read slashdot.
If either of the above apply, post to slashdot !
*and yes this was a joke, if you are offended by it maybe you fit into one of the above categories, and should rethink your position.*
"Two things are infinite: the universe and human stupidity; and I'm not sure about the universe." --Albert Einstein
Yea, this does nothing for the outside attacker, he takes the HD, leaves, and accesses the data at his leisure.
But BIOS passwords and boot order changes make it harder for the disgruntled employee to mess with the system; he wants to trash the system, not steal data (usually), and he will likely get caught with the case open if he is trying to reset the CMOS.
The outside attacker is likely to be working after hours, or to find some way to get physical access without being seen anyway. Opening the case for the HD won't expose him any more to being caught than just being there would, whereas the employee won't get caught just for being there (usually).
It took me hours to fix a system I broke this way. The sad part is, the XP online help actually recommended I do this in its best practices section on using encryption.
Just as Bill is pitching the strengths of Windows security to the Japanese government.
Would submit it as a story myself, but /. has too much on MS already IMHO.
Another comment with very much the same content was posted in the same minute and got modded up to 4. The slashdot article mentions the WinXP recovery console, which is simply wrong: The WinXP recovery console will not let you do this, because it can read the target system's registry. The recovery console is a backdoor to the system. It's not the front door, obviously, but it does grant access to files on the system. Yes, Trinux or DOS with NTFS drivers can be seen as backdoors too if used in that manner. The existence of backdoors of this kind is trivial, but they still are what they are.
What does that article say? It says "Based on the number of vulnerabilities announced in 2002 that affect operating systems..."
Now, either I'm an idiot or that article is basing its results on REPORTED VULNERABILITIES. Might the number of reported vulnerabilities have something to do with how hard people ARE LOOKING FOR VULNERABILITIES?
The ONLY way to test the relative vulnerability of an OS is to do a thorough code review of each, or send experts on each into a room and ask them to find exploits (and both approaches won't even be that accurate).
I've used the boot floppies for installing debian to rescue my system a couple of times. Once the install screen is present, change to another console and mount the hard drive. In fact, with the correct filesystem drivers on that handy linux disk (floppy, cd, whatever), I could read and write to any computer hard disk I walked up to.
If you really want to protect the system, the filesystem on the hard drive needs to be encrypted and protected with a key and those keys need to be entered outside of the system either by hand or by inserting some media with the key on it into a drive.
Are there any encrypted filesystems out there?
I'll google for it later.
I'm hoping this has actually been fixed by now (I'm still on RH 7.3), but I have a number of periodic problems with Gnome configuration. It took me a while to figure out that the biggest problem is that if the system crashes (typically from kicking the plug out or some such, I rarely have a system hang), you have to be sure to remove the lock files in both .gconfd and .gconf so that gconfd starts up correctly. It also has blown away my configuration a number of times, although I'm not completely sure that this isn't related to having the same user logged in from multiple machines (to an NFS home dir).
Of course, at least this is just my user's desktop settings and not the entire machine config, but it is annoying enough when it bites you. By the time this is as mature as the Windows registry, I fully expect this to be pretty much flawless and better documented (well, if it is fixed, I probably don't need the docs anyway).
You left out the "???" step, which is the whole point of the steps joke.
:-p
Of course, in this case, ??? means: train your users for a couple months, spend lots of $ converting file formats, and boot into Windows most of the time to use your useful programs that don't run in Linux.
Find me ten good examples of security holes in the Linux 2.4.18 kernel, and write them up with a description of why they are a problem. For bonus points, suggest at least one way to reduce the risk attached to that vulnerability.
I think that is called OS X
Everybody dies frustrated and sad and that is beautiful
In contrast, I know SQL Slammer was reported day-of. In this case, a free patch was available six months prior to the worm.
That's because Steve Ballmer is an open-source mole inside Microsoft and he knows how things are supposed to be done.
My God, it's Full of Source!
OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
It's great that we have security. Most people won't mind security. Even Joe Sixpack seems to understand that security is generally good. Now, people are starting to get that Open Source is secure, stable, blah blah blah..
The thing with Linux (and probably the BSDs, though I don't have much experience there) is that most people who know what a server is can set up a Linux server. Even most of those people can keep their server relatively secure with security.debian.org and shutting down redundant stuff and such. But even many of those people are not willing to switch to Open Source on the desktop.
As I see it, Linux IS a decent desktop OS too. If you pre-install Gnome or KDE or pretty much anything else for someone, they will be able to use it. My girlfriend has no trouble at all with my wmx-based desktop, after about 2 minutes of briefing. But the thing is, once things get nasty on a Linux desktop they often need even MORE experience with the OS than when running a server.
Once you have to touch the command line, it can be a pain before you get used to it, but finding the relationships between the nice GUI and all the scripting and configs and stuff is even more so.
No flames though, this is getting better all the time, I think, but the fundamental nature of UNIX as opposed to Windows seems to make UNIX easier for someone who knows what he's doing (like a sysadmin or developer) while Windows is still easier for my mother, who unfortunately might have to mess with the network settings to read her mail, even if somebody assisted her by phone.
I'm currently doing a toy desktop OS with the idea of trying to combine the ease of use, even when going to system levels, with easy to develop with API, and strong security.. then again, don't hold your breath =)
Software should be free as in speech, but if we also get some free beer, all the better.
Quick, make sure both Ashcroft and the Department Of Homeland Posturing know that anybody whistling Jimmy Crack Corn needs to be tackled at the knees!
- First they ignore you, then they laugh at you, then ???, then profit.
OS X is pretty secure and its usability is second to none.
Help I'm a rock.
This is all about the media and its tendency to sensationalize, not do research, no perspective, etc, etc. Just this morning, I looked at CNN's website and saw the headline "Snow, ice leave at least 14 dead in central U.S.".. I thought to myself, I wonder how many people died in car wrecks today. Why do they never have the "x people die in car wrecks every day" headlines? I'm just using car wrecks as an example, there are many others. According to NHTSA, about 41,730 people died in motor vehicle crashes in 2001 (in the US). That's 115 per day. During the Vietnam war, the year the US had the most casualties was 1968, with 14,594 soldiers killed in action. Almost THREE times as many people died in car wrecks in 2001 as US soldiers killed during wartime in 1968! The media has its head up its collective ass. The truly horrifying part is that the masses believe them. When enough people believe something, is it true? If so, the media can make anything true.
Also you can use Windows XP - WindowsXP will LOSE the encryption key if you force a password reset. If you ever try forcing a password change as an admin on another user it will warn you that his encrypted files will no longer be accessible.
They changed how it works from WinXP to Win2k
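A simplified model of why a forced reset loses the key, added here as an illustration; it is not code from the page or from Windows. Windows protects the EFS private key through DPAPI: a master key is wrapped under a key derived from the user's logon password, so a user-initiated change (old password known) re-wraps it under the new password, while an administrative reset replaces only the logon verifier. The names below (`UserProfile`, `derive_kek`, the XOR-plus-HMAC wrapping, the iteration count) are this example's own choices and do not match the real DPAPI formats:

```python
"""DPAPI-style password-derived key wrapping, simplified (added example).

Model: logon verifier and wrapped master key are separate objects. Only a
party who knows the OLD password can re-wrap the master key for a new one.
"""
import hashlib
import hmac
import os

ITERATIONS = 10_000  # example value only; not the Windows parameter


def derive_kek(password: str, salt: bytes) -> bytes:
    """Logon password -> 32-byte key-encryption key (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def _keystream(kek: bytes) -> bytes:
    return hmac.new(kek, b"master-key-wrap", hashlib.sha256).digest()


def wrap(kek: bytes, master_key: bytes) -> bytes:
    """Wrap a 32-byte master key under the KEK: XOR with an HMAC-derived
    keystream plus an HMAC tag. Illustrative only; real code would use an
    authenticated key-wrap such as AES-KW."""
    if len(master_key) != 32:
        raise ValueError("master key must be 32 bytes")
    body = bytes(a ^ b for a, b in zip(master_key, _keystream(kek)))
    tag = hmac.new(kek, body, hashlib.sha256).digest()
    return body + tag


def unwrap(kek: bytes, blob: bytes) -> bytes:
    """Recover the master key, or fail if the KEK (i.e. the password) is wrong."""
    body, tag = blob[:32], blob[32:]
    expected = hmac.new(kek, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("wrong password: master key is unrecoverable")
    return bytes(a ^ b for a, b in zip(body, _keystream(kek)))


class UserProfile:
    """One user's logon verifier plus the DPAPI-style wrapped master key."""

    def __init__(self, password: str):
        self.salt = os.urandom(16)
        master_key = os.urandom(32)  # in reality this protects the EFS private key
        self._demo_master_key = master_key  # kept only so the demo can check recovery
        self.verifier = hashlib.sha256(password.encode("utf-8")).digest()  # logon check only
        self.blob = wrap(derive_kek(password, self.salt), master_key)

    def change_password(self, old: str, new: str) -> None:
        """User-initiated change: the old password is known, so the master key
        can be unwrapped and rewrapped under the new password's KEK."""
        mk = unwrap(derive_kek(old, self.salt), self.blob)  # raises if old is wrong
        self.blob = wrap(derive_kek(new, self.salt), mk)
        self.verifier = hashlib.sha256(new.encode("utf-8")).digest()

    def admin_reset(self, new: str) -> None:
        """Administrative reset: nobody supplies the old password, so only the
        logon verifier can be replaced. The wrapped master key still needs the
        old KEK, which is no longer derivable by anyone who lacks the old password."""
        self.verifier = hashlib.sha256(new.encode("utf-8")).digest()

    def can_log_on(self, password: str) -> bool:
        candidate = hashlib.sha256(password.encode("utf-8")).digest()
        return hmac.compare_digest(self.verifier, candidate)

    def can_open_efs_files(self, password: str) -> bool:
        """True only if this password still unwraps the master key."""
        try:
            return unwrap(derive_kek(password, self.salt), self.blob) == self._demo_master_key
        except ValueError:
            return False
```

After `admin_reset`, logging on with the new password works but the EFS key does not come back; the supported ways around this are a password reset disk (a second wrapping of the master key under a key kept on removable media) or a designated EFS recovery agent (each file's key additionally encrypted to the agent's public key).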
In other news, Linux was found to have the same flaw as Windows XP this week, after Jimmy Costain, a four year old boy, hacked into his father's Linux machine with a RedHat recovery disk.
"It was quite easy. I just booted the floppy, mounted the root filesystem, and zeroed the root password from the /etc/passwd file."
Linus Torvalds was available for comment.
"Well, of course, you idiot, if you have physical access, anything is open."
Linus went on further to say that booting a floppy to wipe a password from the /etc/passwd file is an old Unix recovery technique, used since the dawn of time, and that he's happy to see Windows XP finally catching up on the feature list.
"I wish people would stop trying to find lame security flaws which are not security flaws at all and actually concentrate on the serious ones" mused Linus.
well, I'll let you pick which end
Law #3: If a bad guy has unrestricted physical access to your computer, it's not your computer anymore.
I wonder if we could /. that server.......
Don't ordinary filesystems ever get trashed? What about the next-gen database filesystems? The only concern with the registry is the reliability of the code that updates it - there is no logic in believing that the registry is inherently any less robust than an ordinary SQL database, or any more "all eggs in one basket" than putting everything on the one HDD no matter what the storage mechanism.
Not that it couldn't be made better.. like being able to regenerate the registry from both static information from CD and automatic detection. We're getting into tin-foil hat territory here though.. the backup registry files and 'rollback' features should be enough for most people without resorting to tape (if you have to go back to tape, your HDD probably died and you'd be just as fucked if it wasn't backed up as you would with your config files all over the HDD).
Why? Because SUCH a small percentage of people honestly work with the source. I'm sure that less than 1% of Linux users know how to do anything more than run the code through the compiler, and the majority can't even do that.
As I constantly point out, every Slashdot user is not helping write the kernel of Linux.
The reason MS is getting probed is twofold. 1) Hackers have a bug up their ass about MS (no pun intended), and 2) Security firms are hunting for obscure exploits due to the notoriety they get in being credited with finding the bug/exploit. If you are a security firm and can tell your clients you found five exploits in the last year, that equates to money.
And don't believe that Linux users are any more computer savvy than Mac users. That's like saying brown-eyed people are smarter than blue-eyed people. A lot of people learned Unix while they were in college. Those skills can easily transfer over to Linux. Thus, it's merely a comfort thing rather than a tech savvy thing.
Also, the Apache vs. IIS thing. I would account for the market share and the security issues just by maturity of the product. How long was the Apache web server out before IIS came out? Quite a while. Unless MS sat down and copied Apache, it would be hard to make a product w/o making a few mistakes. NOTHING is perfect the first time. How secure was the first version of Linux?
Also, I'm sorry, but Apache still gets hacked. I remember before IIS was out pages were getting hacked all over the place. Free Kevin, anyone?
I'm not slamming what you are saying, really, because I don't get the feeling you are one way or the other on this. I am just expressing a point of view. But there is definitely a lot of anti-MS FUD expressed here, and strangely enough, MS got quite a bit of /. lovin today.
Hopefully this will be the start of a trend. Not pro-MS, but pro-rational article.
Manipulate the moderator system! Mod someone as "overrated" today.
The amazing part of this is that MS has supposedly thrown all sorts of money at total security. Yet, they account for If they are so inept that they can not secure something like IIS or SQL Server, then how do you expect them to secure their kernel or Office, when it is literally magnitudes more complex?
I prefer the "u" in honour as it seems to be missing these days.
> So how does IIS come out so crappy when it comes to security?
Simple. It's because IIS is a much larger product. It does so many more things than Apache it's not even funny. When you have more lines of code, you have more bugs. When you have more bugs, you have more security holes. IIS has tons more lines of code -> IIS has tons more security holes. If you'll look at all of the IIS exploits, you will find that most of them (and I mean > 90%) are in very seldom used extensions/code sections (known as ISAPIs in IIS-speak). Apache does not have these components. If the support for a particular feature is not present in Apache, there cannot be security holes in it. Since there are thousands of lines present in these IIS components, there are bound to be security bugs. Saying that IIS is more secure than Apache is not a fair comparison. It's really that simple.
OK, I did an experiment and put 2 machines out on the net with no FIREWALL!!!!! One ran W2k Server and one Linux from Red Hat! Guess which one got hacked 3 TIMES and had to get reinstalled! Hint: IT was not Windows! Never got hit and never had to be reinstalled! Both installs were simply vanilla. Just get em on the net and see who gets creamed. Turns out MANY of the daemons that run in Linux have huge buffer overrun holes that caused the hacks! Funny thing is they are well documented but not fixed! In Windows I get an auto update as soon as something goes haywire! In a way I appreciate all you have-nothing-better-to-do hackers because you ARE HELPING Windows by your high profile attacks! You are forcing Microsoft to produce the BEST most secure operating system and right now via my real world test it appears you have succeeded! I thank you.
Thank you, that explains the problems I had with a customer's system a couple months ago; we ended up formatting and doing data recovery from backup, as I couldn't find squat about this online.
Sigh.
SB
It's old. The more humans I meet, the more I like my cats. At least they are honest.
That every desktop user in the world should move over to FreeBSD, and learn a whole new environment? We'll ignore the fact that Linux (in any of its variations) is infinitely more difficult for the end-user.
Why is it people like you always miss the point - it's not about brand names or vendors. It's about a bloody tool. A PC is just another tool, and if it can't be used by the people who need it, it's not good enough. Sure, security is important, but what good is a secure computer that only 10% of the population can figure out how to log into?
I'll happily move over to a better OS if it comes along, provided it's actually going to help me do my job in a better way! Until then, forget Linux - it's 5 years behind MS, and probably 10 behind MacOS (and yes, I'm aware OS X is based on BSD, blah blah blah).
Ok, being a sysadmin for both apache systems and IIS systems, I would love to know what you think IIS can do that apache cannot. ISAPIs in IIS can be loaded as modules in apache. So I am really interested to know if you have anything in mind or if you are just blowing smoke.
I had mod points and was going to use them in this forum... but I just couldn't resist replying to your post because there just simply isn't any foundation to your claims.
The only thing that Apache lacks (and it doesn't anymore) is a good GUI configuration tool. Personally though, I always liked the direct editing of the config file anyway. I still do that even though the GUI is a very nice addon. I am not saying that IIS sucks and I am not saying that Apache is the coolest thing since sliced bread... all I am asking is for you to back up claims like that with real facts.
On another note. You might want to consider adding <br> tags to your posts when you want a new line. Makes it easier to read.
I thought OS X ran everything as root.
Is there user-level security in OS X similar to Unix? Does the user have to log out of his regular account and into a different account, or enter a root password, to do admin tasks like adding new software? I admit I haven't run OS X but I think from what I've heard, the answer to these questions is no. (correct me if I'm wrong, I am always willing to learn something new) It's as secure as any other Unix machine where every user runs as Root. That's not secure.
Did anyone see the latest "vulnerability headline" at Security Focus? The "eject" utility lets a local user exploit the system to obtain information about documents. What the hell is Tim Mullen talking about when his own "rant host" is posting similar local user exploits?!?!
MS apologist indeed! And apparently he doesn't read the site he writes for either !
MS could *at least* make sure that one OS CD (Win2K in this example) does not allow a recovery console to boot up when that OS isn't installed on the system. Dontcha think?
So, basically this little trick allows you to copy the system files and other users' files even though, as a security feature, XP tries to prevent you from doing so.
Shame on all those media outlets who assumed that the failure of a security feature constitutes a security flaw! MS didn't implement a feature with holes, they promised an undesirable 'security' feature that can't be implemented. Now it's being grossly mis-characterized as bad security.
My heart breaks.
-- . . ramblin' . . .
I realise that the sysadmin comment was facetious, but you *did* say flame away ;)
Yes, realistically, Linux *IS* harder to learn than Windows (learn, not necessarily use). However, if you will settle for *only* using a Windows-like interface, Mandrake and Lycoris are pretty damn accessible. Windows (in the easy-peasy sense of the word) is a *user's* operating system. Sysadmining isn't just point-and-sneeze in Windows either.
Free Java games for your phone: Tontie, Sokoban
Thanks. He wasn't offtopic, or trolling, or flamebait, or redundant. There is no -1 Wrong moderation, replying is *always* the way to go if you disagree.
what's holy about ****?
Mr. Greg Mundie confirmed this at the RSA Europe 2002 conference. Of course, it is not a flaw but a feature.
Having unobserved physical access to a machine for multiple hours is different than 3 minutes is different than observed physical access. If someone cracks open the case of the computer in the lab, the admin is going to notice and act appropriately. If someone uses a boot disk to get to the command prompt, that might not be noticed by $6/hr guy AIMing away at the desk across the room.
Granted, you probably don't keep anything critical on a lab computer to begin with, but OS security that assumes some level of physical access does have its purposes, if only to keep users from mucking it up.
paintball
> Is there user-level security in OS X
> similar to Unix?
Yes
> Does the user have to enter a root password to
> do admin tasks like adding new software?
Yes (actually: a password for the 'wheel' group; the standard installation does not even enable root as login)
> correct me if I'm wrong
You are.
you might want to read some third party history on mi2g's credibility
The Register
Vmyths
You couldn't have picked a more inept company to quote if you tried.
From the article:
In fact, you don't get to administer it at all. You can't list services, because it can't read the registry. You can't enable or disable services, because it can't read the registry. You can't really do anything, except copy files around -- that is, as long as they are not encrypted with EFS or something else.
So you can move the registry away from its normal location, then boot the machine with an XP recovery disk which does let you administer the machine then.
That contradicts what he was saying about being unable to administer the machine. In either case, physical access to the machine lets you do anything you want. It's a physical security problem - not a Windows one.
Follow me
Maybe he should have posted with a smiley for the humor-impaired, but it was a joke.
We expect the full port to be finished in about a year's time.
Next port scheduled is of msconfig.
/. Where the truth
I wouldn't have modded that particular comment anyway. I generally only mod things as funny, interesting, or insightful. But funny is my preferred mod practice. :-)
...say it. "That is not a security hole, it is a feature!" The reality is, yes physical security is in fact a major issue. However, there is no need to allow Windows 2000 Recovery Console to access Windows XP machines, perhaps it would have been best to make it so that only XP recovery consoles could access XP machines. No matter how the author tries to spin this, it is a security hole. If you are complying with Microsoft Licensing, as I am sure everyone who reads Slashdot is, then you will have a copy of Windows XP professional lying around somewhere. Thus no need to use the Windows 2000 CD.
----- "It's all fun and games 'til somebody puts an eye out, then it's just funny."
Since you can change the administrator password with a Linux boot disk and some utilities (I've used it, it works), booting with Windows CD-ROMs is not a major bug. http://home.eunet.no/~pnordahl/ntpasswd/bootdisk.html is one version, there are many. You have to know/guess which partition is the Windows partition.
You got me into this! You were the ideologue! I'm only a poor assassin! - Twenty evocations, Bruce Sterling
No, it doesn't, because I don't have a wireless network. Neither do the overwhelming majority of the station's viewers who have computers. But I bet they had a large audience of clue-impaired viewers last night.... Even though it's the station I usually have on for the 10 pm news, I deliberately changed to a different station on principle, so I didn't watch the story itself.
Dumbass.
I agree here. When Bill stated last year that Microsoft would spend, what, a year improving the security of their software packages. We're approaching a year later and we've had Slammer hit hard, because MS released a patch that was difficult to implement and no one did, and the internet came to a STOP. I wonder if they are going to get a clue soon. I like my job as internet tech support, but Slammer gave my three-man office a huge headache! MS, get your act straight!!
Who knew life could be this funny?
Your reply:
The parent:
Thanks for your comments about "direct editing of the config file", though. I've always liked direct-editing as well, but I must admit that I'm not nearly as accurate as tools built to update the configs.
Maybe, but it is generally the track record for a generation of their product line that has since met its demise or at least the end of its collective support lifecycle.
With a few notable exceptions, properly patched configurations of NT4,W2k,WXP can all be quite secure, regardless of what the opinion of
I'm soo tired of hearing this baseless bullshit. How can you say it places any more emphasis on featureset than, say, Debian does? Just because it has a wide array of features built into its "distro" that you *may* want to install on a server doesn't mean you should. If you select every checkbox in the "Add/Remove Windows Components", then you'll get exactly what you deserve. Most of the major GNU distros have at least matched Redmond's capacity for bloat from install time at this stage in the game, and it's getting worse. No windows setup program that I've seen (and I've seen 'em all since they were handed DOS from IBM) has ever had a checkbox that said "I Want It All", but that exact feature is creeping into almost every major GNU distro out here.
There used to be a time when GNU products were the darling only of smart individuals who knew how to configure a server, a client, a subnet, a router and a network as well as script the configuration or gcc their own modules/kernels if need be. It seems more and more (if the opinions voiced on
And the latest version of your favorite Adobe DTP apps
And Serv-U.
And anything else that leaked onto EFFNET three months ago.
It's sad to see the community devolve from a group looking for a better UNIX into teeming masses of download junkies. Just once I'd like to run and not get
Can I bum a sig? I left mine at the office.
Note the relationship of the described encrypted files key management to TCPA (not necessarily Palladium). TCPA stores the private key on a chip and protects it (not from physical attack). The concept is to eliminate the need to keep a working copy of the private key on an external device such as a floppy. The TCPA description indicates that the Linux-boot-floppy attack would not allow access to TCPA encrypted files since the boot environment would be different.
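An added simulation of the sealing that comment describes, written in Python; it is not code from the page or from any TCPA/TPM implementation. It models a single PCR that each boot component extends and a chip-resident root key that never leaves the `TPM` object; `seal` binds the disk key to the PCR value produced by the trusted boot chain, and `unseal` refuses when the current value differs, which is why a Linux floppy boot gets nothing. The boot chains, the `TPM`/`PCR` classes and the HMAC-based wrapping are this example's own constructions, and, as the comment notes, none of this defends against someone attacking the chip itself:

```python
"""Measured boot + sealing, simulated (added example, not a real TPM).

PCR update rule (the only way a PCR changes between power-on resets):
    PCR = SHA1(PCR || SHA1(component))
A sealed blob records the PCR value it was sealed under; the chip only
releases the secret when the live PCR matches that value.
"""
import hashlib
import hmac
import os


def sha1(data: bytes) -> bytes:
    return hashlib.sha1(data).digest()


class PCR:
    """Platform configuration register: zeroed at power-on, extend-only after."""

    def __init__(self):
        self.value = bytes(20)

    def extend(self, component: bytes) -> None:
        self.value = sha1(self.value + sha1(component))


class TPM:
    def __init__(self):
        self._srk = os.urandom(32)  # storage root key; chip-resident, never exported
        self.pcr = PCR()

    def measure_boot(self, chain) -> None:
        """Power-on reset, then every component in boot order extends the PCR."""
        self.pcr = PCR()
        for component in chain:
            self.pcr.extend(component)

    def _key_for(self, pcr_value: bytes) -> bytes:
        # Wrapping key depends on both the chip secret and the platform state.
        return hmac.new(self._srk, b"seal:" + pcr_value, hashlib.sha256).digest()

    def seal(self, secret: bytes) -> bytes:
        """Bind a 32-byte secret to the current PCR value. Blob layout:
        expected_pcr(20) || body(32) || tag(32). Simplified wrapping, not TPM's."""
        if len(secret) != 32:
            raise ValueError("secret must be 32 bytes")
        expected = self.pcr.value
        k = self._key_for(expected)
        stream = hmac.new(k, b"stream", hashlib.sha256).digest()
        body = bytes(a ^ b for a, b in zip(secret, stream))
        tag = hmac.new(k, expected + body, hashlib.sha256).digest()
        return expected + body + tag

    def unseal(self, blob: bytes) -> bytes:
        expected, body, tag = blob[:20], blob[20:52], blob[52:]
        if not hmac.compare_digest(expected, self.pcr.value):
            raise PermissionError("PCR mismatch: platform is not in the sealed state")
        k = self._key_for(self.pcr.value)
        if not hmac.compare_digest(hmac.new(k, expected + body, hashlib.sha256).digest(), tag):
            raise PermissionError("blob corrupted or sealed by a different chip")
        stream = hmac.new(k, b"stream", hashlib.sha256).digest()
        return bytes(a ^ b for a, b in zip(body, stream))


# Constructed stand-ins for the measured boot components (not real hashes).
TRUSTED_CHAIN = [b"BIOS v1.07", b"NTLDR", b"ntoskrnl.exe (XP SP1)"]
FLOPPY_CHAIN = [b"BIOS v1.07", b"syslinux", b"vmlinuz-2.4.18 + ntfs driver"]


def demo() -> dict:
    """Seal a filesystem key under the trusted boot, then try both boot paths."""
    tpm = TPM()
    fs_key = os.urandom(32)
    tpm.measure_boot(TRUSTED_CHAIN)
    blob = tpm.seal(fs_key)          # blob can sit on the (unencrypted) disk

    results = {}
    tpm.measure_boot(FLOPPY_CHAIN)   # attacker boots a Linux floppy on the same box
    try:
        tpm.unseal(blob)
        results["floppy_boot"] = True
    except PermissionError:
        results["floppy_boot"] = False

    tpm.measure_boot(TRUSTED_CHAIN)  # normal boot: same chain, same PCR, key released
    results["trusted_boot"] = tpm.unseal(blob) == fs_key
    return results
```

The order of measurements matters as much as their content: extending with the same components in a different order yields a different PCR, so an attacker cannot replay the trusted chain out of sequence. Pulling the drive still yields only the sealed blob, which is useless without that particular chip in that particular boot state.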
This is the parent I replied to. It is a little hard to read because he didn't use any BR tags. By the way, I clicked on the "parent" link on my original post to get the link that is in this message. I believe the message you are referring to is actually the grandparent.
Yea, but what do you think is the % of ppl hunting security holes?
I guess my point is the same as it is every time I reply to the folks who automatically assume that any security battle between GNU and Redmond is going to go to the free OS: More and more, MS's biggest security risk is the large number of people using their products who have no business doing so and no idea how to. Their products have matured well, but the user base flounders. I use lots and lots of MS servers and some GNU servers too, but I know what I'm doing because I've always been in the position where someone needed to know WTH was going on but no one did. So I just decided to become that person. GNU/WIN, doesn't matter. What's important is that you know the strengths and limitations of whatever you're using and use it accordingly.
MS's Achilles heel is their popularity on the desktop and among users with lots of technical need/appetite and no prowess. And if GNU steals that away, then GNU will have the same problem.
Hey, thanks a lot for clearing that up. I really appreciate it.
And there isn't some easy password for 'wheel' that it's general practice for people paste to the monitor on a post-it note, eh?
Actually, I thought my point was fairly clear. The poster I was replying to was in effect saying that Windows vulnerabilities are only apparent because there are so many Windows systems out there.
I was pointing out that the Windows development methodology never has emphasized security, and that there are therefore fundamental differences in Windows that make it a more vulnerable platform.
That doesn't mean that I think the world should move over to FreeBSD or Linux or BeOS or OS X. It just means that Microsoft's record on security is pathetic. Offer up any number of excuses you like, but I think it's difficult to argue that Microsoft has a sterling track record on security.
As an aside, I agree completely with you about ease of use being of primary importance. That's why I use OS X.
Read the EFF's Fair Use FAQ
Its the UNDISCOVERED exploits that get you!
If you think about it, this constant probing will eventually just make Windows more and more secure. When you have a company with the resources and people MS has, it just makes them continue to polish their product.
I will say one thing, though: it's a shame they went and slammed IE4 into the OS. It really introduced a lot of crappy quirks and inconveniences, as well as its share of bugs. I compare that decision to the likewise poor decision of slamming LanMan into NT. LanMan introduced junk that persisted until Windows 2000 allowed you to drop all that NBT crap if you choose.
You can read whatever you like into my comments, but for a moment let's focus on the original point of my comment.
Microsoft's track record on security is pathetic. This is not my uninformed opinion. I've administered NT 4 and a wide variety of Linux distros, as well as Mac OS 9, OS X, and OpenBSD. I haven't admin'd Windows 2000 or XP, but from what I understand, Microsoft is slowly getting better at making their OSes more secure by default.
But you make it sound as if there is some sort of security equivalency between Windows and every other OS out there. Are you trying to tell me that OpenBSD (without constant patches) is as prone to vulnerabilities as Windows 2000? Most of the services that can lead to security problems are left off by default in a basic OS X installation. Mac OS 9 servers, while not as capable as Windows servers, are much more difficult to crack.
Every OS vendor has to emphasize one aspect of perceived value over another. In the pre-OS X days, Apple prioritized on maintaining rigid adherence to user interface and proprietary standards, which made their machines less-capable as servers, but far less exposed as well. Sun has optimized Solaris around scalability and robustness.
I would argue that Microsoft has for years emphasized including as many features as possible into all of their software. The company's DNA is based on acquiring marketshare. "Embrace and extend" is a term that applies to *features*, and it's not by accident. But by emphasizing features over a more methodical development strategy, they have given rise to the expectation that frequent patches are to be expected and proper.
Not once did I mention that I'm a disciple of RedHat. In fact, I'd argue that their methodology is becoming more like Microsoft's, which is leading to increased bloat in their distributions. They're trying to be all things to all people, just as Microsoft has for years.
The infamous "Trustworthy Computing" initiative at Microsoft came about for a reason. They know their record on security sucks. They're working to change that, and I applaud them for it. But doesn't the fact that Microsoft execs have publicly admitted the need to pay more attention to building secure products tell you that they are trying to shift their DNA?
hehehe, no problem.
Also, Im sorry, but Apache still gets hacked. I remember before IIS was out pages were getting hacked all over the place. Free Kevin, anyone?
While I'm not denying that there have been security holes in Apache, it's worth pointing out that many "web server hacks" don't go through the web server. If the machine is also running a more readily exploitable daemon (say an FTP server or old Telnet) then the attacker can gain access that way, and demonstrate their 0wn3r5h1p by defacing the web site...
Does biff in bo work
coz it biffin doesn't beep
an if biff in bo is broke
then biff in bo I will delete
I've tried biff in bo with 'y'
I've tried biff in bo with '-y'
no biffin output does it show
so poor wee biff is gonna go.
-- John Spence on debian-user
- this post brought to you by the Automated Last Post Generator...