Slashdot Mirror
Computer Security Still Totally Inadequate
Several news sources are running articles detailing the lack of computer security on all platforms. Symantec foretells a dark future for Firefox and Mac users describing their security as a "false paradise". Kernel developer and Red Hat fellow, Allan Cox stated in his recent interview with O'Reilly that "even the best systems today are totally inadequate". He goes on to say that "We are still in a world where an attack like the Slammer worm, combined with a PC BIOS eraser or disk locking tool, could wipe out half the PCs exposed to the Internet in a few hours," Cox said. "In a sense we are fortunate that most attackers want to control and use systems they attack rather than destroy them."
With security suites like that you don't need any hackers or viruses. Bloated Symantic software makes your computer unusable and unstable anyway ...
Hmm no. Remember the BIND vulnerability a few years back, that sucked. Back then, most people ran BIND as root in a non chrooted environment. Really, just about all computer security is pretty much useless against anybody with a little determination.
We are still in a world where an attack like the Slammer worm, combined with a PC BIOS eraser or disk locking tool, could wipe out half the PCs exposed to the Internet in a few hours
Well, actually, I wonder what percentage of PCs are currently infected with malware? I'd guess way more than 50%, and the world hasn't come to an end. Actually, it would probably be a good thing if the hypothetical disk-erasing worm would come along -- it would probably prompt a lot of dumb users to make backups, take some basic security precautions, and maybe consider switching from MS-ware to more secure OSS.
Find free books.
This is why having a Hydrogenous network and/or having a society where no one platform dominates.
I'm guessing hydrogenous is not the word you were looking for. Assuming of course that you weren't proposing that we base our networks on hydrogen.
I'm going to instead assume you meant heterogeneous which is something often proposed on Slashdot and grants the proposer instant karma as people rush to mod them up.
The only problem is having a hetereogeneous environment increases your support costs whether you have a security incursion or not. How many people are security experts in Mac, Windows, Linux, BSD, Solaris, FreeBSD and CPM? Not many. Which means that for every environment your IT staff supports, you need additional admins.
I'm a big tall mofo.
Having the whole internet spammed with packets sent from infected machines, causing the network to slow to a crawl affects everyone.
That's the main problem with these viruses, they DON'T only affect microsoft products.
^_^
Our most effective viruses will be the ones that allow the system to live long enough to spread the virus, and as soon as it can't spread it anymore, or the rate of infection drops below a certain level, the self destruct button can be hit. Allowing maximum transfer, and then maximum destruction.
In the time between these two phases human interference should be able to pick up the CPU/network drain. (Or perhaps a software developer can make a program that realises when cpu usage + network activity is uncontrolled.)
According to Symantec, this is an enormous untapped market for them since we are all very attractive targets and living in a security dream world. And those products, particularly for Linux, are where exactly? Actions speak louder than words, and if Symantec really thought there was an enormous threat here, they would be pushing out products to address it, because that is what companies that want to maximize profit do. Instead, of products, they produce press releases. Once Microsoft's lapdog, always Microsoft's lapdog I guess, even after they have decided to have you put down.
It doesn't even matter how secure your "system" is, stupid users will always break the system and allow infections.
Where I live, there was a huge scandal about some company that sent other companies "demo discs" which the employees at the other company obviously ran, trusting some random company. This caused a trojan/backdoor to be installed, eventually costing the companies a lot of data which was viewed by their competitors.
Even in the army, they have a network completely (physically) disconnected from the public internet, with very strict rules on what's allowed to move inside and usually everything is ok. One time there was a large outbreak of a virus, obviously it was disconnected from the outside, but still an outbreak.
The source? A high ranked officer thought he's above the rules and connected his infected laptop to the inside network.
No matter how strong are your means of security, stupidity will always prevail.
^_^
Yet further proof that almost all "security professionals" have about as much intelligence as a gnat.
... please. The "it's not as popular" theory as to the lack of OS X viri and worms has been beaten to death over and over. Simple fact is the difficulty would make the first creator of an OS X virus or worm famous beyond anything another Windows worm would cause -- even if the spread wouldn't be nearly as bad. And yet, here we are, five years after the release, and not a single virus or worm that directly affects the operating system. Surprised?
I'm really tired of mediocre systems guys passing a CISSP exam (thousand miles wide, quarter inch deep) and being declared experts on securing things they don't even understand to begin with.
For one, quantative analysis of the numbers of vulnerabilities doesn't equate to determining if a system is more or less secure than another. It's also meaningless if you don't compare how the systems are configured in what kinds of environments. Even simple things like Linksys routers greatly contribute to additional security on a personal computer (Windows or otherwise).
From the article: "Symantec chronicled 1,862 new vulnerabilities during 1H2005 - an average of 10 new flaws a day - 73 per cent of which it categorises as easily exploitable. The time between the disclosure of a vulnerability and the release of an associated exploit was just six days. Half (59 per cent) of vulnerabilities were associated with web application technologies."
Can anyone tell me where in that statement is a shred of useful, meaningful information? Of course not. Because there is none.
Insofar as Firefox and and OS X being "in for surprises." Sure, Firefox is an evolving application, bugs will be introduced and squashed, and later on more will be introduced. Some of those will be security vulnerabilities. Any application who's sole job is to pull data from untrusted sources and parse it will be vulnerable to security problems resulting from buggy code. Period. End of sentence.
OS X
Despite that incentive, it has yet to be done. A rootkit is being touted as "proof of OS X's insecurity." Give me a break. If you can trick a user to type in their admin password with an application, it doesn't matter if you're running Windows, Linux, BSD, OS X, HP-UX, or Solaris -- you're going to get owned.
Jesus, I hate security people. I just want to choke them.
The primary problem with OS X is the indiscriminate use of the administrative password. Mac users are so used to typing in that password that if an installation ask for it the user automatically types it in. Instant root-kit installation. Now, let's see if Symantec, with all their ridiculous doom and gloom crap, detects it.
It should come as no surprise that computer viruses and worms tend to aim for control rather than destruction. This exactly parallels what happens with biological viruses and worms. A virus that destroys its host cannot propogate very far before becoming extinct. Viruses that damage their host but leave it good enough condition to continue transmitting it to other hosts are much more successful. The most successful viruses of all are those that go largely undetected and manage to spread to a majority of the population (think of sexually-transmitted diseases such as HPV).
Symantec is publishing a self serving press release full of intentional lies as a news item, and idiot news outlets like the Register are publishing it without criticism.
Shame on both!
How about reporting:
"Symantic issued an official sensationist panic warning to Mac users who have not bought their product. It is unclear how Symantec's products will secure the Mac platform from exploits, since they do nothing to secure a system from a user with physical access. The company may also consider selling volcano insurance and eating babies"
From the actual Register story:
"While the number of vendor-confirmed vulnerabilities in OS X has remained relatively constant during the last two reporting periods [12 months], Symantec predicts this could change in the future. Symantec's analysis on a rootkit (OSX/Weapox) reveals it is designed to take advantage of OS X. This particular trojan demonstrates that as OS X increases in popularity, so too will the scrutiny it receives from potential attackers."
So Symantec:
- is shy to report that there are no exploited vulnerabilities
- analyzed a OS X root kit and determined it ran on OS X
- thinks the adware/malware market, driven by demand for easy to zombify PCs, is somehow poised to launch specialized attacks on inherently secured systems via non-replicating trojans that require root access to install.
Which is worse, Symantic's bullshit misinformation, or the Register's uncritical dissemination?
From TFA: And that statistic means absolutely nothing. Simply counting the vulnerability ANNOUNCEMENTS does not tell you anything about the vulnerabilities themselves.
Is a vulnerability that causes FireFox to crash the same as a vulnerability that automatically installs an ActiveX control? Nope.Yeah. Whatever. How about you do a survey and find out how many FireFox machines have been compromised via FireFox? Huh? How about that?And he has determined that
Seems to me that IE's still being hit by spyware and such crap. Or didn't he mean those attacks?"We sincerely thank the person who killed our daughter because it makes us appreciate our son so much more now." Does that make sense to anyone?Hmmmm, Symantec sells anti-virus software and the like.
Macs don't seem to be having massive virus/trojan/worm problems.
Something doesn't look right.When "emerging" becomes "successfully attacked and cracked" it will become an issue. Until then, the "threat" is purely theoretical.Again, it isn't the number of vulnerabilities, it's how they can be exploited.
Yet I keep seeing references the the NUMBER of vulnerabilities announced.#!
cd /
rm -R
Oh my GOD!!! It's a trojan that is designed to exploit the bash shell on LINUX!!!As does my example with regards to bash and Linux.
It isn't whether someone can write a virus/worm/trojan. It's whether they can get such onto your box.Why "away from"?
Aren't they also the top target on the desktop?
How about "As well as the desktop, Microsoft's enterprise apps are targets for attack"?
Nothing but more crap from a vendor who's seeing their gravy train getting ready to leave the station on its last run.
I'm not trying to shift the discussion from OS X, but it's not the only OS with that potential user issue. How often does a Linux user click on a program on their desktop that asks for a password? This is a user education issue, just like the "don't click on files that you weren't expecting" Windows problem. Unfortunately, it's darn-near impossible to protect the user from his/her own stupidity, regardless of the operating system they're on.
"It's too bad stupidity isn't painful." - A. S. LaVey
When I first replied to jellomizer with what I thought was a reasonably tactful correction of his use of the word "hydrogenous", his signature said something to the effect of "Waiting until I get a root post with +10 Yea!" (paraphrasing).
Well, after I posted my response to him (read it for yourself here, he changed his sig to:
--
Insult me if you feel you must, Ill just mod down your other messages.
Out of curiosity, I checked my user page. Several of my comments in the last couple days have been modded down. Of course, nobody would have any reason to mod them down - they're long since off the first page.
Karma is so ridiculously easy to come by that I wouldn't imagine anyone would care enough to do such a thing. I think this qualifies as the most assinine use of mod points in quite some time. Congratulations, asshat!
I'm a big tall mofo.
So am I, but I don't kid myself the lack of OS X viruses is because of something in the OS making them impossible (or even difficult) to create.
No one thought the Unix systems of yesteryear were so vulnerable. They were. No thinks the Unix systems of today are as vulnerable. They are. In years past it was naive lack of understanding of the basic nature of the user base. These days, naive lack of fear.
I've seen people have that same attitude before someone draws down and leaves them a crumpled mess on a bar rooom floor. It didn't help them and doesn't help the OSX, BSD, and Linux crowd. You cannot underestimate the danger of the average users' whimsy and inexperience, the truly committed crackers, and the legions of script kiddies who learn their tools from the first two. It isn't Windows that is insecure and dangerous. Windows does nothing it isn't told to by people stupid enough to tell it so by accident or on purpose.
The future is pointed at self-contained encrypted containers of both interpreted and compiled code objects flitting about the global net and this future will be embraced by Microsoft and the only way that Microsoft will not entirely control it is if the major vendors arrayed against them co-opt the paradigm with standards themselves. The law of unintended consequences being what it is, there is no way that the non-MS community can say credibly that the sheer combinatoric explosion of possibilities for system interaction in this future will not affect them, no matter what their safeguards. It's like trying to guess the outcome of a mating based on a glimpse of a few genes of one parent.
Assume the worst or the worst will happen to you. Hold true in survival on the streets, in the jungle, or on the Internet. Blowing off the very idea is foolhardy in the extreme. The only option for Linux for its part to avoid it is to remain a sado-masochistic wrong and hard is better than right and easy platform which scares away the average user. In that case, Microsoft's hegemony is assured simply through the incompetence of their opponents, not that it isn't close to that already.
If my grammar and spelling are off, I am [distracted/tired/careless] (take your pick)
.....Mac users are so used to typing in that password that if an installation ask for it the user automatically types it in.....
That assumes the Mac user knows the admin password. In a business or school environment the password could be kept only by a few administrators and in a home the parents could keep it. Everybody else is just an ordinary user and the computer is therefore safe from any attack that needs adminsistrator access.
In Windows that is much harder and often impossible to do, because so much software for mostly stupid reasons will not run correctly if the user is not an adminsitrator.
Restricting users like this would go a long way to reducing the spread of malware. Only those clueless computer users that are running as as adminsitrators could be affected if they type in their password after they have downloaded something from the Internet.
Unlike Windows, there are NO known exploits that can come over the Internet that DON'T require some action on the part of a user. If the action involves an unknown admin password, then that stops the nast stuff right then and there.
All theory is gray
The only problem I've had with my Mac came, surprisingly, not from some unknown and undiscovered internet vulnerability, but from Symantic.
That would be the "Norton Utilities" for Mac OS X they wrote and sold, that corrupts your hard drive because Symantic didn't bother to figure out how our filesystem works. Wonderful. I had to buy Diskwarrior to sort it out.
If you go to the Amazon page for the Norton Utilities they sold, it's still there, but along with the dozens of one-star reviews, there is a suggestion that Symantic has quietly stopped shipping it.
It will be a long time before Mac users trust Symantic again.
Protect your liberties. Donate to the ACLU
If someone can palm a manipulated programm off on you, he can also give you a false checksum to match.
Lars T.
To the guy who modded me down from perfect to terrible Karma - Apple haters still suck