McAfee Blames Open Source for Botnets
v3xt0r writes "It seems that 'the Open Source Development Model' is to be blamed for the recent increase in botnet development. 'We're not taking aim at the open-source movement; we're talking about the full-disclosure model and how that effectively serves malware development,' the spokesman for McAfee says. Why not just blame the IRC Protocol? Or simply admit that Proprietary vendors cannot keep pace with the Open Source Model?"
So, here is an article simply claiming that some "malicious developers" have found a way to collaborate using open-source tools...
Wow, I've seen a lot of commercial vendors doing that in the recent years also - maybe they're all suspect.
But what model would you blame for the hundreds of PC viruses that devastated home and corporate computers in the 90's up to today? I think the exploits they relied upon were simple coding flaws and insecure type checking or buffer overflows that were simply poor coding kept as a secret.
So, in light of what causes the malware, would I rather the code be fully disclosed or instead guess that there's probably no major exploit possible? I'd probably go with the former considering the sheer number of viruses based on the latter and the fact that it's the exploits based on proprietary code that often do the most severe damage to society.
I would like to ask McAfee what they would think if a competitor found a virus and figured out how to fix it but couldn't tell McAfee that information because it would be considered disclosure. That would be the real irony here. Sites that host viruses and describe/publish them are often very useful sources for people looking to rid them from their computers or even how to avoid exploits in the future.
This article is entitled "Hackers Learn from Open Source" but they only learn as much as the researchers and patchers do. I would rather the community be progressing towards solid impenetrable code than have guarded secrets that keep everyone under a thin veil of security. Because if those secrets are ever discovered by the wrong people, we will not know about them and we'll essentially be caught with our pants down. I'd rather have every programmer know the pitfalls of coding than to have thousands of applications deployed world wide all waiting for one hacker to stumble upon a secret.
You really have to question McAfee's motives here in their Sage magazine
My work here is dung.
...it was the conspiracy to create insecure operating systems.
The actual blame rests on Charles Babbage, and that "computer" idea of his. But to be fair, he might never have done that if it hadn't been for those damned ancient Greeks with their abacus...
Slashdot Burying Stories About Slashdot Media Owned
When compilers|source-code control|whatever is outlawed, only outlaws will have compilers|source-code control|whatever...
Perhaps they should just cut the wires of this internet thingie and be done with it? We can stick with cable TV/download only.
I blame Eminem, violent video games, and/or the Republicans. whatever's trendier.
Say there is a vulnerability, only known to black hats which is being exploited. Someone finds it, reports it to the vendor. The vendor sits on it for months while a massive botnet spams the hell out of us using it.
Isn't it better to release info so people can do something about it? Network admins can use it to help block the attacks, or disable the vulnerable software. Users can stop using it. And people can even make their own patches, or use the shared knowledge to look for similar flaws in other software.
We have seen this happen. Can anyone provide a good alternative, because McAfee certainly can't?
const int one = 65536; (Silvermoon, Texture.cs)
SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
Pwnd.
McAfee is still around? I'm surprised...
Evil hackers learn programming techniques in schools and colleges!
Crackers will find vulnerabilities in software no matter what. In an open source application, there's a better chance of someone fixing the flaw faster. In a closed source application, you have to wait for the (usually extremely slow) corporation who maintains the app to fix the flaw.
My journal: Clicky. Read it because it
Why not just blame the IRC Protocol?
Because McAfee has an ulterior motive and wants to discredit the competition.
With there be anything else?
Actually, I see this as a great example of software natural selection. The OSS is killing off the weaker software.
Basically it seems to me that McAfee _isn't_ complaining about OSS, and explicitly says they don't. There are two _very_ distinct and unrelated parts of the article:
1. The open source part. Which doesn't contain any kind of anti-OSS slant. It just says that people now have a lot of F/OSS tools to manage their files and whatnot.
2. The part about full disclosure. Where they basically whine that they'd like to have what we all call "security by obscurity." Basically McAfee would like a world where researchers keep a lot more stuff secret, because supposedly being public about that helps evil hackers. Which is as stupid as it gets, yes, but it also has nothing to do with OSS at this point.
So why the fanboy slant in the summary?
A polar bear is a cartesian bear after a coordinate transform.
It's the "Brotherhood of Linux" that prevents malware being written for Linux computers and why there are no Linux zombie botnets.
Take the cheese to sickbay, the doctor should see it as soon as possible - B'Elanna Torres, "Learning Curve"
Reportedly, evil malware authors have been discovered using Microsoft Visual Studio! That is right, they're using Microsoft development tools to create their evil wares. Where are the crowds with pitchforks?! Time to hang Redmond out to dry.
But seriously folks, malware authors using CVS? I never thought they'd think of using arguably the most popular version control system in the world. Besides, that means they are adopting the open source development model how? Plenty of companies use CVS internally, my employer included.
isomerica.net | Foonetic IRC
We're not taking aim at the open-source movement, but we hate the fact you like to be open and honest. How dare you tell people what's really going on! We're the only ones with the authority to do that!
Idiots.
Developers: We can use your help.
When I look for someone to blame for Botnets, I tend to lay it on Botnet operators. I guess McAfee has a different way of looking at blame.
Tom Caudron
http://tom.digitalelite.com/
-Tom
Open Source bugs will be revealed faster and closed faster PLUS a developer's code will be viewable by anyone (including those pesky hackers) so one might argue that the open source movement will (does?) cause people to be a little more careful in their code and not do things like say "oh, this pointer can be null here, but oh well, no one will know about it". We might see a flurry of open source security holes at first, but I bet they are closed and stopped quickly, unlike the commercial counterparts which seem to be an endless security hole.
Amusingly, you could read this article as an endorsement of open source software and methods- as in, "Open source methods and tools are so awesome that crackers and blackhats have switched to using them and now run rings around the antivirus corporations who don't."
Enquiring minds want to know!
Blaming open source for malicious software is like suing your doctor for saving your life - you can do it, but it doesn't make any sense.
Haiku for you!
I suppose I shouldn't be surprised with the how about blame it on IRC, or Open Source > all silliness. How about leaving out the editorial comments so the reader can draw their own conclusion?
I blame the parents myself !
If it wasn't for you meddling kids
Scooby Dooby Doo !
As always, the blame for the newest problem has been levelled at the newest development in the industry. Because they came about at the same time, one must have caused the other, yes? Correlation does not imply causation, boneheads.
The full disclosure/open standards model is the best thing to happen to the industry in decades, possibly since the internet. In this model for development the consumer wins -- open standards allow everybody to play, and competition yields better products -- and the developer wins -- many eyes spot more bugs.
Yes, in open source everyone can see the source code. Yes, that means that so-called "malicious" users can see the source code too. But, it's a small price to pay, and if someone finds an exploit in a program important to your organization... fix it. You have the source.
...it would still be better than every patch/exploit would sound like "Blahblahblah could allow remote code execution..."
Car theft is the fault of metal-workers. After all, if powered centre-punches weren't available due to metal workers using them to mark drilling spots on metal then car thieves wouldn't use them to break car windows.
Forget the fact that a powered centre punch is just an inanimate tool and that it's purely the malicious intent of car thieves that means they're used for illegal reasons, someone must be to blame. So let's lynch metal-workers for causing car theft!!
Hmmmmmm..... Deep fried and look like Squirrel.
Aren't these the same clowns whose interface (used) to be based on internet explorer and active X ?!!
So if you did the first most obvious things to secure your system like clamping down on internet permissions (disable active X, etc.) and disable explorer (and install a different browser) you couldn't pull up the McAfee interface.
Or at least that was a couple years ago.
My headline is as credible as theirs. If they want to start flinging mud we can fling it back. Outsourcing virus writers to help perpetuate sales of Anti Virus software is good for business has a large return on investment and a practical way of making sure that the next incremental release is purchased by all your customers.
Do not look at laser with remaining good eye.
The villains are using CVS? My God, Man! What anarchist allowed weaponized bleeding edge technology like this out into the wild? If they learn about diff and patch we could be RUINED!
This article is all FUD. The fact that bot makers use the occasional FOSS tool makes them.... Just like (nearly) every other programmer. The fact that nearly all bots attack weaknesses in MS products either suggests that "they" are cross compiling experts or they have been using the Windows SDK for writing bots for a very long time.
..... who said that that OSX is the next Windows:
http://download.nai.com/products/mcafee-avert/WhitePapers/NewAppleofMalwaresEye.pdf
So take anything they say with a grain of salt.
This is my opinion. To make sure you don't steal it, it's covered by the DMCA.
What this guy is probably pissed about are people who publicly release and share exploits before they could be fixed. In some cases, they don't even notify the software authors. It happens for both closed and open source software.
McAfee is who I blame for the first, ever, loss of a hard drive to improper worm detection and deletion.
... Nope, didn't need *that* data ...
Thanks guys!
Seriously, I think back to the mid to late 90s when viruses were becoming more prevalent. McAfee always seemed to be the first ones that came out with a fix usually within hours to days after it being announced. That seemed strange to me because of the timeliness of such fixes. It almost seemed as if the stuff was being launched by well known software producers only to generate sales and essentially create the need for virus protection.
I know it may not really be that way, but I know that other people have felt this way and said the same things about them and other anti-virus companies.
As for attacking the Open Source Model, all I can say is find something else to go pick on.
It's intentionally our fault that years of hard work have kept a lot of us off your virus definition update list.
What language is the said malware written in? Why don't we just eliminate the compiler on a global scale. Eliminate all compilers since you could write malware in any of them.
/sarcasm
Hell, Why don't we just eliminate this whole "software" hullabaloo (sp?) altogether? That way, if it doesn't exist it can't be used for evil.
However, we should then probably get rid of the hardware, since it could be used for evil.
Come to think of it, why don't we just ex-nay computers completely, it's not like they do anything important and look at all the problems they're causing.
It just never ceases to amaze me what people will blame their problems on.
noobcake or noobmuffin? It is the same price...
"Same class?" Meaning as slow to start, buggy, and bloated as McAfee products? Open-source developers should be thanking that guy for the compliment.
-b,
Given that the summary itself says that this is not about the open-source development model, I've got to conclude that the headline is a troll. You can apply the full-disclosure model of security notification to any software, open or closed.
This is about whether the finders of security vulnerabilities give the vendor a grace period to fix the problem before disclosing the vulnerability to the general public. It has nothing to do with open source.
Causation can cause correlation
"You know what really grinds my gears?..."
Linux is evil, Windows is good, proprietary blah blah blah. The biggest shock to me is that anyone has the balls to point to open source and say "YOUR development model is responsible for this mess," especially considering the way Windows ships as default (make all initial users members of Administrators). I'm still reeling from hearing McAfee (or someone officially affiliated) say something to the effect of "Your open code and development is killing us!"
You have to consider the fact that some tools, while they can aid those with ill will, serve mostly to benefit. Take nmap, for example. Some script kiddie can use it to scope out their target. On the other hand, a tech can use it to check for open ports on their own systems to prevent those kinds of things. These are useful tools, but because of their power, they could also potentially be used as bad devices in the wrong hands. You could say the same thing for guns. Innocent people are killed with guns (among other things, such as knives and harsh language). Should a bullet-proof vest manufacturer come out and say, "We're not taking aim at the gun manufacturers; we're talking about the ability to propel small things really fast and how that effectively serves criminals?"
From the sounds of it, it sounds like they're blaming the OSS model simply because malware authors use it. Although, I could have completely missed what TFA was saying; I'm really tired and I keep reading each paragraph over and over and I just can't grok it.
"Beware of he who would deny you access to information, for in his heart he dreams himself your master."
aren't malware and viruses primarily a windows problem, made possible by microsoft's famous "SwissCheeseSecurity(tm)"? put another way, how much did it cost microsoft to get mcafee to be their shill? (the proper unit of measure for which is probably baystars-per-press-release....)
Who brought you an "update" the other month that categorized files from "IBM (Rational), GreenHills, MS Office, Ansys, Adobe, Autocad, Hyperion, Win MPM, MS Shared, MapInfo, Macromedia, MySQL, CA, Cold Fusion, ATI, FTP Voyager, Visual Studio, PTC, ADS, FEMAP, STAT" as viruses and promptly deleted them. Here's the story.
There are no uninteresting things. There are only uninterested people.
...curing Viruses? Most viruses are the most minor change in code yet that is all it takes for the new version of TRJ_Worse_Virus_ever.BA3 and then BA4, and BA5, to infect the next PC. If they did their job as good as they could do it they would put themselves out of business.
I know 800 slashdotters are going to mod me troll and describe how wrong I am but I can't fully believe it.
Course I'm into JFK and 9-11 conspiracies as well....
Slashdot, home of supporters of free software, free music, and free speech. Except for Moderators that disagree with you.
Yes, release rough information about the problem so that people can disable the affected service (if applicable), but for the love of fucking god, DON'T RELEASE A PROOF-OF-CONCEPT. Many exploits in the wild are derived directly from the proof-of-concept exploits that security researchers so stupidly release.
RTFA, seriously. That disclosure that they mention is _not_ the disclosure of OS code. If you RTFA, at that point they explain very well what they mean by "full disclosure" and it has _nothing_ to do with OSS any more. Their "full disclosure" is about researchers disclosing a vulnerability, together with ample instructions and proof of concept code of how it can be exploited. It has _nothing_ to do with Linux vs Windows, Closed Source vs F/OSS, etc. It's about disclosing vulnerabilities.
Basically what McAfee says is, "I wish researchers stopped telling everyone everything about this and that buffer overflow. Telling people everything about a bug only helps the evil hackers use it in a virus!!!111one1eleventeen" Not an exact quote, but that's the general idea they're peddling there.
Which is, in a nutshell, just the old "security by obscurity" argument. Which has already been debated to hell and back and is known to not work that way. And, frankly, it's weird to see McAfee preaching that attitude, because the anti-virus makers should know the best that it never worked that way.
A polar bear is a cartesian bear after a coordinate transform.
Maybe they are trying to sway the spotlight from their own software, as reported last week:
http://news.yahoo.com/s/ap/20060714/ap_on_hi_te/software_flaw
TFA defines Full Disclosure for us, in case we were confused: "However, Marcus did take issue with security researchers who distribute samples of malicious software, a practice known as full disclosure."
No. Full disclosure is just that: disclosure. Distributing samples of malicious software is at best a proof of concept, but usually just irresponsible and/or malicious distribution of same.
Given this piece of intellectual dishonesty, I think that any doubt that McAfee was on the up-and-up with this article can be laid to rest.
What I say does not represent the views of my employers, my friends, my cats, or myself.
Since the OSS model or full disclosure model as the article calls it is widely available to the anti-virus companies (ie commercial programmers) and the malware programmer simultaneously and the malware programmer beats the commercial programmer out the door, does that mean that the OSS programmer is a better programmer?
Put a different way, and not to simplify it too much, but the anti-virus programmer needs to write a patch to detect a piece of code which has been handed to him/her. The malware has to write a program that actually implements, propagates and hides from detection. Which should be the easier task? It seems that full disclosure should benefit the anti-virus company as much, if not more than the malware programmer.
Don't get me wrong, I'm not trying to bash the anti-virus companies or their programmers. They have a tough job to do. However, blaming OSS and its "full-disclosure" model is simply ludicrous and makes as much sense as blaming McDonalds for people being overweight.
However, if they said that their slow response to software threats being released in the public was the cause, likewise, people's overeating and underexercising for being overweight, well, then, that would make a lot of sense, but would hardly be the fault of OSS (or McDonalds).
You know, now that I think about it, suicide bombers often use cars... Cars are evil! We should all write stern letters to GM and Ford, telling them how evil all their vehicles are because a small minority of people use them for evil.
The fact is that even if those open source models didn't exist, crackers would still be making botnets. The one thing that would actually stop these guys from making botnets would be having Microsoft put out a secure OS (and/or people actually making sure to secure their computer- it's not hard!). Having a proper, functioning anti-virus program is a good start.
I hereby cordially invite you to write the better AV tool.
When you know an algorithm that flawlessly discriminates between "good" and "bad" code, copyright it today. You'll be a very rich man, if you sell it, or an icon of OSS development if you hand it to the OS community.
But at least you didn't claim that AV companies create them themselves, it's at least something I gotta give you.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
People shouldn't blame McAfee. They're just really stressed out. You'd be too, if you had to make Windows a secure OS.
Ah, "dude" I did RTFA. Perhaps you should read my fucking post because I never once used the words open source or OSS. Seriously, I was commenting on the fact that researchers publish exploits so that everyone knows about them. The title of the fucking article used "Open Source" so stop harping on me.
if it wasn't for the internet none of this would be a problem
It really blows my mind that a Coral cache link isn't automatically added to submitted stories... just a little (cc) afterwards with the cc being a link would suffice.
http://www.pcadvisor.co.uk.nyud.net:8090/news/index.cfm?newsid=6601
-- Note: If you don't agree with me, don't bother replying. I won't read it.
I blame open source for the development of the internet.
Need Mercedes parts ?
Microsoft made the operating system that is the supreme virus transporter, so why not blame them? Or that would be blame themselves.
Ah, well, it's McAfee, so being "better" than that doesn't really say much. I'm sure there are some good OSS AV programs out there, but comparing them to McAfee really doesn't say much. It's sorta like saying that they're better than a kick in the crotch.
Honestly, the last time I used that crap "security" suite of theirs, it was far worse than your average virus.
Among _many_ samples that proved massive cluelessness was the fact that as soon as it "updated" itself, it actually couldn't cope with being installed in a different directory than what the installer proposed, and proceeded to install the update as a second copy in the default directory. Both copies running at the same time. The combined effect was slowing my computer worse than some spyware cocktails I've seen on other people's computers. Uninstalling it actually uninstalled one copy, and left the other one running. I had to edit the registry and delete files manually to get rid of it.
Yes, you've read it right. If you thought manually editing the registry applied only to getting rid of viruses and spyware, now you can add McAfee's crap to that.
Other stuff included a sort of a "privacy guard" that, effectively, ruined access to any site that used cookies. Using most forums became impossible. File Planet thought simultaneously that I'm logged in and _not_ logged in. And so on.
And, as I was saying, many many other such annoyances.
But you know what takes the cake? This: on March 10, McAfee deletes system and Office files, thinking they're a virus
I mean, frankly, at that point their solution is worse than most viruses and trojans. A lot of viruses just sit there and silently send spam or redirect popups or whatnot. Having to reinstall half your apps used to be the mark of the nastiest and most anti-social malware. Now McAfee lets you experience that without the trouble of actually getting virused.
So, frankly, comparing anything to McAfee is going to look good. A turd on the side of the road seems better when you compare it to McAfee.
A polar bear is a cartesian bear after a coordinate transform.
hmmm... let's put things in perspective here between companies and people.
As far as I can see it, FOSS supports people, and statements like this only drive home the point that companies are driven by wealth to the exclusion and elimination of health for people.
Companies were an exception when the King of England first granted them as favors to a select few. It allowed exceptional rights, and those rights have only grown over time. It has now come to the point where pretty much any organized human behavior must be regulated as a company of some sort, either for profit or nonprofit.
By itself, this is not an issue - organizing people and keeping some controls on what people do are all fine.
The problem is that the rights balance between people and companies is completely out of whack. The interest of the companies are making the rules, instead of following rules set up to make life good for people.
Capitalism basically says we should all be building wealth: results of human activity that transforms the world into usable stuff. Again, a great idea. Wealth is either consumed or kept around as capital to build more wealth. Taken too far, as we have now, the health of people suffers because there is a fanatical drive by enormously powerful companies that only care about wealth creation. Companies only give lip service to people's health when it serves their need to stay competitive in the wealth game.
The most important thing people will do in the next 50 years will be to capitate capitalism and promote wealth only in the context of supporting the health and wellbeing of sentient creatures. Wealth devotion without bounds leads to fanatical capitalism, and lots of unhappy individuals.
Could be that they have to get that air of being against closed source off them after they found Excel to be a trojan (ok... some might claim it's not really a false positive, but still... a few companies didn't enjoy the idea of having their Excel removed...).
But quite seriously, could anyone please explain just HOW a malware author would benefit from open source? Because of the tools? Seriously, if you're writing software that's considered "illegal" in most places of this planet, would you care about licensing? Whether the software is free (as in beer and as in software) is pointless for him. If it's not free, he'll copy it illegally.
Because they could learn how to write malware? The "real" malware projects are not open source, actually anything BUT it. First of all, major exploits are not shared, they're sold. Plain and simple. Malware is a business, just like a lot of other software, and they are by far the last to go for open sourcing, simply because it would cut into their revenue. Actually, the few snippets and code parts that ARE open source is one of the key sources for AV researchers, unless they want to go for the darker venues in the trade. And, finally, when knowledge becomes illegal, gimme a ring. Then it's time to leave the planet.
If you want to learn how to write malware, you needn't wade through open source projects. You won't find much worth finding.
So I don't really understand just why McA is targeting the OSS movement. There is little to be gained by malware writers through OSS, but a lot for those opposing malware. If anyone, it's the AV researchers who benefit from open sourcing malware. Because they would have a hard time explaining just why they would have sent money towards people wearing darker colored hats.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Sheesh.
That's our life, the big wheel of shit. - The Fat Man, Blue Tango Salvage
i got a few words for this guy!
Not if you are an anti-virus software manufacturer. ;)
:q! Oh crap, not again...
Perhaps what McAfee is really afraid of is the open dialog and response of something like ClamAV?
If enough developers 'pool' into working on it, and an open dialog of faults and vulnerabilities continues, could they find themselves out of a job from an Open Source solution?
(especially as they are about to be challenged by MS Defender, which could also benefit from open dialog to augment a shallower background in the field?)
This space for rent. All reasonable inquiries will be entertained at proprietors discretion.
You're assuming it's a case of open source zealotry and whinging. That sort of reverse-kneejerkery doesn't make you much better than what you're trolling.
McAffable is blaming full disclosure for the state of current botnets, which is indeed a convenient scapegoat as the title would suggest. From their perspective, lack of full disclosure means that software developers have more time to patch their software in secret before exploits ignite like wildfire, or that the descriptive methods make it easier to deploy by neophyte hackers. Conversely, the other side of the table thinks they're just complaining because they can't keep up with the work load and it's making them look bad.
The title is applicable. Slanted, but applicable.
we're talking about the full-disclosure model and how that effectively serves malware development
The open source, full-disclosure model improves the pace of ALL software development. All means all, including software development for "bad" purposes.
Moderating "-1, Disagree" is simple censorship. Have the guts to post your opinion.
So consider a development of condos that turn out to have a real problem with their security system. Well, I mean more than the gaping, massive problems that every home has (on a computer scale homes would be lucky to rate as good as unpatched Windows 2000). So I notify the developers, they drag their feet since they've already sold the homes and don't care. Well clearly I need to inform the owners. But how to go about it? Do I:
1) Post or send a notice in relevant places that lets people know that they are vulnerable, and what steps, if any, they can take to fix it.
2) Post it any and everywhere I can with full instructions on how to use the exploit, locations of the houses, and a note that they are a rich neighbourhood with good stuff.
Clearly #2 is irresponsible. Why should I tell thieves how to work the exploit? Who is that good for? Isn't it better to disclose what's necessary to let people know what is wrong and what to do about it, but not provide a DIY guide for the malicious?
I don't see why computers should be any different. Yes I want disclosure about security problems, especially if the company is slow in getting a patch out. However disclose the problem, what it relates to, what the potential attack vectors are, and what if anything can be done to fix it. Don't go and post code that not only shows people how the exploit works but allows them to just compile and do it. Do that and in all likelihood my system will be 0wned before I ever read the notice and try to do anything about it.
Just as the vendors claimed, this full-open-disclosure business is promoting distribution of powerful tools to, well, just anybody. Now the bad guys know about it and are using it. Can it get worse than this? Oh, sure. Try stopping it.
__________________________________________
AllParadox - Retired Attorney, no legal opinions, just my opinion.
All is paradox. Retired lawyer, so this is just one more layman's opinion.
Someone needs to tell McAfee that it is time to put on their white shirts, roll up their sleeves, cross their arms and scowl.
You can disclose that there is a vulnerability and that it is with a certain service without disclosing how to exploit it. Now while that does perk up the black hats and get them looking for it, there's lag time. Lets people realise there is a problem and take some steps. I'd say it's better than providing all the tools you need to exploit it from the get go.
As a sys admin, knowing the specifics does me no good. I don't even look at the code, I'm not a programmer. The relevant information to me is "Service X is insecure, there's no patch, it's a critical exploit." Ok fine, X goes behind a firewall then (or gets shut down) until there's something that can be done about it. I'd rather that when I get the notice of the problem the black hats are still trying to figure it out, rather than using the code provided to get at my systems before I can do anything.
Hackers use CVS? Seriously, who cares where they get their drugs, anyway?
Can we also blame Windows for the number of viruses and exploits available? If so, it should switch to using an open source model.
Below are two excerpts from the paper, found, interestingly enough, using the "fortune" program. Yes, I know that the making of locks isn't exactly like the creation of software, but the principle remains the same. Security through obscurity is no security at all; however, if the standards and techniques are open and available to the public, we, the "experts" in the field, will actually be able to hold companies accountable for problems and shortcomings in their software.
Ne Cede Malis.
Once again, I see someone or something (corporation this time) blaming freedom for society's woes. Get a clue, McAfee! You look like a bunch of luddites, now!
Why not just blame their programming language? Or better yet, Benjamin Franklin for his work with electricity that led to the invention of the digital computer which led to invention of software which led to the invention of malware!
The actual articles are very different from the obvious slant that exists in the posting summary. It's also unclear whether the original poster actually read Sage or simply relied on comments from the Robert McMillan article in PC Advisor. Either way, I've read both and McAfee doesn't seem to be targeting open source in any way that's unfair or incorrect (read for yourself):
"Paying a price for the open-source advantage" is not the cover story, but rather the cover text describing the subject matter for Vol 1 Issue 1 of Sage. Here are the contents:
- Security Trends and Events of the Last Six Months [Technical Article]
- Good Intentions Gone Awry [Feature Article]
- Money Changes Everything [Feature Article]
- Open-Source Software in Windows Rootkits [Technical Article]
- Building Better Bots [Feature Article]
- Is Open Source Really So Open? [Opinion / Editorial]
- Vulnerability Bounties [Opinion / Editorial]
- Will the Worm Eat the Apple? [Technical Article]
In this Issue:
The Open Sourcing of Threats
Open source is an important and powerful force in today's networked world. From basic tools and utilities to applications and operating systems to the foundation of the Internet itself, open-source products have created tremendous value.
The fundamental tenets of the movement are quite simple:
"When programmers can read, redistribute, and modify the source code for a piece of software, the software evolves. This rapid evolutionary process produces better software than the traditional closed model at a speed that, if one is used to the slow pace of conventional software development, seems astonishing." 1
Belief in the open source philosophy approaches an almost religious zeal in its most ardent proponents. However, like any powerful tool, open source can also be used for malicious purposes, particularly in security. Whether posting a terrorist training manual or a how-to guide for attacking infrastructure, there are consequences to the free and open sharing of information--especially in the realm of computer and network security, where the desirable degree of openness in the sharing of vulnerability and threat information and the role of open source in the production of malware are significant points of contention.
As Dmitry Gryaznov explains in "Good Intentions Gone Awry," malware authors have been collaborating and sharing source code, using books and bulletin board systems and, eventually, ftp sites and the Web, since soon after the first computer viruses appeared in the late 1980s. Gryaznov also quantifies the significant impact that such sharing has had on the production and proliferation of malware.
Igor Muttik continues the narrative in "Money Changes Everything," in which he presents ample evidence of a vibrant and sophisticated open-source community actively engaged in the development and dissemination of both new and repackaged malware. The bundling of threats and the use of obfuscating tools (to thwart security scanners) offer clear evidence that modern malware is the product of collaborative efforts.
The advent of bot herders and their botnets, however, signals a change in the character of and intent of malware. Though malware authors started sharing and collaborating 20 years ago, the degree of process maturity and quality of code in those early threats was never comparable to that of commercial software products. As a result, most malware was, by comparison, poorly written, prone to failure, and ultimately ineffective. Michael Davis' "Building Better Bots" confirms that this situation has changed. Bot malware is now developed with the same methodologies and tools used to produce marquee open-source products such as Firefox, Apache, and MySQL. Driving this charge toward professional quality code are the financial rewards that a large botnet can earn for its master, whether from sending spam, injecting adware, participating in a Distributed Denial of Service (DDoS) attack, or performing some
>Or simply admit that Proprietary vendors cannot keep pace with the Open Source Model?
Why would they want to slow down that far? Seriously, if MS was as fast as open source, we'd still be running on DOS 5.0 with Windows 3.0.
Which is more painful? Going to work or gouging your eye out with a spoon? Find out!
http://www.workorspoon.com
I know he is suggesting that they are not throwing snowballs at Open Source, but specifically at full disclosure. However, if you go ahead and read a little more into it, phrases such as
"We're not taking aim at the open-source movement; we're talking about the full-disclosure model and how that effectively serves malware development," he said.
become more transparent.
What effectively serves malware development also serves things like clamav and snort. I suspect this botnet thing is just a short term issue for them, the long term problem is full-disclosure used to defend oneself.
Maybe I am wrong. Maybe it is all about malware developers becoming more effective. If that's true then this reads like an apology for being ineffective.
Or maybe it's just a sad cry for help. Like a suicide note left in a conspicuous place.
It's fun reading things into things.
I think you underestimate just how much I just don't care.
While I do write programs and utilities as part of my job (and I like tinkering with it anyways), I'm not a coder by trade. So, with that disclaimer out of the way, I'll render my admittedly uninformed opinion.
I suspect that, all else being equal, it's probably easier to find exploitable flaws in a system and write malicious code to take advantage of it as opposed to trying to defend against such attacks. Not only is it generally easier to destroy than to create, but the attacker need only find a single flaw among many to exploit where the defender must protect all vulnerabilities - known or unknown.
Then again, using that line of thought, it's probably easier to attack a largely closed operating system than an open one, which goes against McAfee's position....oh well.
A goal is a dream with a deadline
Vendors don't fix problems if they're not scared. POCs scare them.
Why not get rid of IRC? Its main purpose nowadays seems to be bot management. So some people lose their warez servers, boo hoo.
All they are saying is:
So what we get from this is that the freely available tools used by open source advocates are good for working on projects with many source files that are shared among many people. This is news?
Anti-virus company (pre-inc): Hey there's a lot of macro viruses out there. Let's start a new business. We can get investor seed money, blame everything on M$, hire researchers, and pay people from the underground, and have the 1st fixes available.
Anti-virus company (inc): Hey we're making a lot of money. Weee.
Anti-virus company (years later): Hey we are paying too much money to underground researchers, our staff can't keep up, we are falling behind with fixes, and we have fewer customers than before. Let's blame the OpenSource community. Hell let's blame everyone.
The AV Business was created off the idea to make money off of anti-virus solutions for end users. If the business is not making money as intended, sell the business.
Of course it is FUD. McAfee does not make money on open source, since their products are used almost exclusively on Windows. Why would anyone pay them to secure a Linux box? It makes all the sense in the world for them to be bashing open source and discouraging its use. Hopefully corporate purchasing managers can see through this crap.
Maybe that's what McAfee really cares about. Full disclosure means, in part, that it's easier for new vendors and products to compete in the security field. Sticking with limited disclosure, where only the OS vendors and established security vendors are informed, just lets the established vendors get complacent. Which given the quality of modern security software I would say has already happened. So they throw a bunch of FUD around, as though the problem isn't in large part due to closed-source software vendors being incapable of getting their shit together when it comes to security.
I, for one, blame McAfee!
I mean, according to their logic, people only create viruses because they know about them. And since McAfee is one of the first (second?) antivirus on the market, they are the ones that made people aware that viruses exist. Ergo, people know it is possible to create viruses.
According to their logic, if antivirus companies didn't exist, people would not know it is possible to create viruses, so there would be none. Ergo, McAfee should be blamed for it.
morcego
TFA leaves one with the impression that McAfee might perhaps be getting some funding from somewhere -- oh, I dunno, a proprietary OS vendor with a much-delayed release, perhaps? -- to assist in a broader effort to slag open source software generally. This is mendacious!
In other news: World Blames McAfee for their bad software.
Security isn't something you can make - it's something you do. McAfee's magic potion just doesn't work. And it's not because the magic potion is bad (after all, this is a magic potion that's been developed over many years and has taken many skilled hackers to create). It's because magic potions don't work.
Take for example one fairly secure operating system - OpenBSD.
- What is it that OpenBSD developers do that results in them getting broken into so rarely?
- What is it that OpenBSD users do that results in them getting broken into so rarely?
The answer to #1 is "a hell of a lot", and the answer to #2 is "very little". This is the best example of security via best-practice that I know of. The "Microsoft and McAfee" system of machine security has the answers to these two questions the wrong way around. The jobs that MS and McAfee do should both be under the same roof - stopping viruses through recognising a problem in the system and making a heuristic that recognises exploits and releasing that to the public for them to include in their system is a fundamentally bad system of security.
OpenBSD's method doesn't even involve looking for viruses at all - they pretty much just look for bad methods and change them. A lot of the time, OpenBSD developers fix problems without actually realising it - because part of their practice is that, when they find code they find hard to understand, they rewrite it. This isn't by any means all that they do, but it's a pretty good example of good process.
Yes, the article was about disclosing vulnerabilities, not releasing open source software. However, if you don't have the source, the details of the vulnerability don't do you much good, since you have no way of fixing it. So open source users will tend to want the details out there, while closed source users will tend to want the lid kept on until the vendor fixes the problem.
In either case, you need active administration to keep things properly patched. Maybe McAfee thinks their customers want to bury their heads in the sand and pretend that security problems aren't going to affect them so that they don't have to pay for administration resources to prevent them. Keep the noise level down by keeping the problems quiet and maybe the customer won't keep asking you to protect them from the latest threat.
a) Open Source: Easier to find bugs/exploits in the source, for both malicious and altruistic (fixing 'em) purposes.
b) Closed Source: Harder to find bugs/exploits, meaning that they might be harder to exploit, but also ofttimes harder to get a timely fix and/or fix it yourself... or even know the bug exists.
There's a bad and good in both worlds.
... all retail store owners for the existence of petty theft because they fully disclose the fact they have cash registers and display their products out in the open.
"Opensource is a threat to our existence, after all, full disclosure means non-anti-virus companies can fix the problem without us and don't need our software, or those dirty filthy pesky free solutions for virus scanning can get to our slice of the pie faster."
They have made exploits and viruses their business, and they see OSS as the biggest threat as one day, OSS virus databases could rack up more viruses than they could at a much faster rate. It scares them.
Watch, next companies like McAfee and Norton will push Congress to pass the "National CyberSecurity act" which will outlaw open code and free virus scanners.
I'm actually afraid when that happens. Bad enough McAfee sucks.
Plus don't be shocked by the idea that McAfee and Norton wouldn't be as low as to create their own worms and viruses, that could be another take on this, they don't like "open sourced" viruses prolly because they CAN be caught quicker. Meanwhile a closed virus means great business for them. Let it wreak havoc and then slowly deploy a cure for it. I wouldn't be shocked if they released a few on a slow year in the past or in the future.
People who make money off others' suffering should be shot.
Clearly the problem is due to the fact that there are keyboards attached to most personal computers. Silly hardware vendors, when will they learn that if they give a user an interface to a computer some people will try to use it. Just give us monitors with shiny bouncy balls on the screen. Soooo happy. Shiny bouncy balls. /sarcasm
After carefully analyzing McAfee's arguments I have come to the conclusion that they're fucking stupid!
"Hackers are using techniques popularised by developers of open-source software like Linux to improve their malicious code, a researcher at McAfee has said."
They're sharing information. Wow, what a concept. No criminal group ever did that before open source.
"Nowhere is this more apparent than within the growing families of 'bot' software, which allow hackers to remotely control infected computers. Unlike viruses of the past, bots tend to be written by a group of authors, who often collaborate by using the same tools and techniques as open-source developers, said Dave Marcus, security research and communications manager with McAfee's Avert Labs."
The bad guys are using the cheapest software available to do what they do. If open source tools were not available that wouldn't stop them. They would simply use proprietary tools that they pirated. They're bad guys after all.
"Over the last year and a half, we've noticed how bot development in particular has latched on to open-source tools and the open-source development model," he said."
I'd be interested to know the source of your information. Do they call you up and tell you "We use CVS 'cause it's kewl And we share information 'cause the Open Source model is l33t."
"McAfee researchers have described this use of open-source techniques in a magazine set to launch today. Called Sage, the publication features a cover story entitled 'Paying a price for the open-source advantage'..."
This is just an Open Source bashing article. Gee could competition like ClamAV have anything to do with it?
"Marcus said his company is drawing attention to the open-source trend to educate users, and not as an attempt to discredit open-source alternatives to its own proprietary software products. "We think [open-source antivirus products] are fine. They've never been something that was really in the same class as ours, but we've always been big supporters of open-source antivirus," he said."
Oh! Well that clears it up nicely. **cough Liar cough**.
"We're not taking aim at the open-source movement; we're talking about the full-disclosure model and how that effectively serves malware development," he said."
Translation: We're not taking aim at the open source movement, we're taking aim at the open source movement...
Summary: The fact is, bad guys collaborate and trashing the open source movement will not change that. If open source tools were not available they wouldn't let that stop them, they would simply use proprietary tools.
ClamAV and other open source anti-virus products outperform your product and are here to stay so get over it!
You've made a lot of accusations and offered no proof in a rather transparent attempt at FUD.
The race isn't always to the swift... but that's the way to bet!
I concur. Security is not a product, it's a process. Unfortunately, we let all the clueless people in who don't know the first thing about security. What should we do? Lock them out? Throw them out of the 'net 'til they learn how to keep their crate secure? I'm the first to sign that petition, but you'll have a very hard time getting it passed past the counter pressure of the industry trying to sell the 'net to them, since they are by definition a more interesting target group than people who know their tools and their net. Would you buy a virus scanner? A firewall solution? Hell, would you click a "punch the monkey" ad? Would you follow a spam mail?
Nope. But they do. And there's money to be made.
So those people are here, and they're here to stay. You can't teach them security. It's futile, I've tried. They care about their inter...thingwebsomething and mailing their auntie in Greece and that they can buy some pr0n online but being a spambot or trojan distributor, who cares?
Yes, MS's APIs contain some horribly insecure functions, coupled with the predominant (ab)use of admin privilege accounts (because some horribly written software requires it), and the fact that people would rather switch "everything on" before trying which setting is REALLY required. "Just make yourself admin and all works" is the creed.
Don't think it would be different if Linux/BSD was the dominant system. We'd get to see the same problem, except that people would surf around the 'net as root. The main difference would probably be that patches would start popping up more quickly, and if some program relies on an insecure function it would break 'til the programmer fixes it. Linux/BSD core people tend to be less lenient, especially with functions labeled "for debugging purposes only".
So AV tools are a stopgap against that problem. Yes, we see the same entry points abused time and again. Yes, it starts to be boring every time I dissect another trojan, only to find it uses the same routines to sink its hooks into the system. Yes, we tell MS to get rid of those functions and the only thing we get in return is "we can't".
So tell me how to solve this problem.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
There's no need for "hobbyist programmers" just like there's no need for "hobbyist weapons manufacturers."
I don't know about others, but McAfee blows chunks and sucks. It's probably the worst AV tool out there, or close to the worst. How about they shut their trap and work on fixing their shitty software before bad mouthing others. Better yet, why don't they use the open source model of communication to improve their crappy product.
OT, but interesting is HP's interactive relighting of the Antikythera Mechanism.
Indeed, security through obscurity is bad, but that's how antivirus vendors make their bread. So they are for OSes and apps full of holes and disclosure, but they just cannot say it as it would make customers afraid.
I gave up with the idea of a useful sig...
The chickens are coming home to roost. The anti-virus model is essentially untenable-- akin to closing the barn doors after the horses have escaped. Anti-virus only works if you get the anti-virus signature updates before you get the virus attack-- but the signatures cannot be produced until the virus is encountered in the wild, by which time it has likely mutated into something new. AV is only capable of protecting against *old* viruses. Far better preventatives are a good network firewall, a good executable firewall, and to eliminate significant transmission vectors such as HTML email, local-client based email, ActiveX, etc.
In addition, there is a conflict-of-interest in anti-virus vendors, who we have seen recently turn to chicken-little and boy-who-cried wolf techniques in order to bolster their flagging revenues.
The advent of Vista is raising a big question mark WRT the role of future anti-virus programs on the Microsoft platform. I fully expect more fevered FUD from AV vendors, including plenty of "Vista is also vulnerable" claims -- simply consider the source...
I don't know, someone would IMHO need to be completely clueless for such an association to really result in distrust.
I mean, seriously. So some virus writer uses CVS. In what way does that say anything bad about CVS? It's like saying that gangsters use(d) cars for their drive-by shootings. Does that mean we should start distrusting cars or car manufacturers? And some are stereotyped as beating people up with baseball bats and/or throwing people off piers with cement shoes. Does that mean we should start distrusting baseball or cement? And the Nazis in WW2 used tanks. In fact, they're famous for it. Does that mean that, say, the US Army should get rid of their tanks because of that association? Etc.
In fact, it's even weaker than that, because here CVS isn't even directly involved in the crime. So it's more like saying that terrorists have fridges and TVs in their homes, hence you should start distrusting fridges and TVs.
Basically even as guilt-by-association goes, it seems to me like it's a very very weak one.
A polar bear is a cartesian bear after a coordinate transform.
Nobody knew about the Sony rootkit. Except probably the AntiVirus companies who were probably in cahoots with Sony NOT to detect it.
The only people the 'obscurity model' helped there were the virus writers.
I don't understand how anyone can even consider buying Norton or McAfee after that Sony fiasco.
They pretty much showed what sort of business ethics they have by deliberately ignoring the Sony virus, wouldn't you say?
Huh, they call it a "story". Script-kiddies were selling rootkits on IRC channels for a long time. Some rootkits were freely available with source code. I know admins who still use rootkits to manage PC parks they are responsible for. (Apparently rootkits are easier to use compared to Windows remote management a-la WMIC.)
M$ made sure that its new compiler produces code 100% compatible to .Net 2.0. Other free C/C++ compilers are terribly outdated (e.g. Borland's one). Intel wants money for its compiler. So the only choice people now have to make efficient software - viruses/malware - under Windows is MinGW. With MinGW you get all those wonderful tools like autoconf/automake/friends which happily run under MSYS under WinXPsp2. Why not use the tools if they fit the purpose and make your life easier?
P.S. ZOMG!! Story implies that botnet developers - who might have guessed! - use closed-source methodologies to develop malware?!?! That MUST be stopped. </sarcasm>
All hope abandon ye who enter here.
Anything useful can be used for good or ill depending on the heart of the user. Cell phones can be used to coordinate between gang members or to call the police for help. Databases can keep track of charitable giving or can help genocidal dictators.
Except for ending slavery, the Nazis, communism, & securing American independence, war has never solved anything.
As others have pointed out, McAfee is actually worse than spyware. At first, I thought it was just the fault of Windows that reading stuff off the disk was taking several minutes for 10 or 20 megs of data. Or maybe the nvidia software RAID. But I disabled McAfee, and suddenly, it was as fast as it was supposed to be.
As to why it was there in the first place? College gave me lots of commercial software for free, including a copy of XP Pro. I have a legit, original, burned copy of XP Pro. Weird, I know.
More to the point, it's obvious why McAfee would blame the full disclosure people. But really, think about it: Who's to blame for a security hole? The people who wrote the fucking software! But of course, McAfee wouldn't want to blame themselves, and they certainly wouldn't want to blame Microsoft -- it might damage their relationship, and if people took them seriously, they might start using something other than Windows, effectively destroying the artificial/niche/cottage industry for antivirus software.
Really, the difference is night and day. On the other side -- open source or Mac, take your pick -- the reputation of the software actually matters, whereas on the Windows side, nobody needs reputation when they can have lock-in. Thus, it's in Microsoft's best interest to do as little work as possible -- keep costs down, but do just enough work that people don't start switching away. But it's in everybody else's best interest to make the best software they possibly can.
Worse, look at the anti-virus people. It's in their best interest for a Windows computer with anti-virus software to be the most secure computer in the world. This means a few things:
In other words, while there is some truth to what McAfee says, the real problem goes much deeper, and the real solution isn't censorship or hush money, it's developing a secure system in the first place. Unfortunately, the only way McAfee will ever support such a decision is by fundamentally changing their business model, or even their whole industry.
Don't thank God, thank a doctor!
Yes they did. You release an "anti-virus" program that deletes all exe and dll files. Every computer that downloads this "patch" can no longer be used as a zombie machine. If a third party can not look at the code before it is released, then the "zombie" machines never have a chance to protect against this anti-virus patch.
This is terrible. Clearly, Open Source must be banned.
Honest. We malware writers have been trying to write in good, cross-platform Java. We want our malware to work on Linux and BeOS. It's just, you know, deadlines an' stuff. We have to cherry-pick. What can I say? Windows SDK just makes everything easier.
I'm confused - when you refer to "their" headline, do you mean the one from the original article, which was written by PCAdvisor, or the one here, which was written by v3xt0r (assuming timothy didn't "edit" it)?
Perhaps you want to make sure you're aiming in the right direction, before flinging too much mud.
It's official. Most of you are morons.
>Outsourcing virus writers to help perpetuate sales of Anti Virus software is good for business
How is it good for business to add a fraction of a percent to the volume of malware already in the wild?
There's an entire bibliography of the full disclosure controversy.
I disagree that the situation would be different if the average user used Free Software. (access to source code is not directly responsible, however)
Free Software operating systems, such as Ubuntu, have taken to enforcing basic habits on users that ensure basic levels of security. For example, Ubuntu takes a good deal of configuring before actually making the root user account useable (the sudo complex). There is even more work required before one can "log in" as a root user.
Another facet of the Free Software community is that the repository system used results in more peer review than is present in the normal Windows situation of downloading and running an unchecked binary. Ubuntu (while I think that they could certainly stand to add a longer test period) does have a good system in place. Community consensus primarily dictates what goes into a repository, then a maintainer who checks the program is appointed, then a testing program is begun (normally lasting, in total, a month at least) and finally the program comes into an optional repository that users choose to enable. If it is very well known to be solid and needed for the standard use, it will probably receive further checks before entering the "main" repository. Users on Free Software systems very, very rarely run the "binary lottery" that Windows users often do. I don't remember the last time I downloaded a binary to run on my system.
This is probably not a monopoly that Free Software has over secure process. It's not something that Microsoft couldn't do if they put their mind to it. In fact, it's probably something that Apple (in particular) could do very easily, seeing as their system contains mainly their own software, plus Free programs. Apple would find this very simple to implement (it's not like the Apple community is too small, or not committed enough). In fact, fink is a Free Software attempt at much of the process that I have stated.
Damn them, the compet*err* opensource is evil and must be banned.
---- Booth was a patriot ----
If I may propose...
Terrorists are evil.
Terrorists eat food.
Food helps terrorists,
therefore food is evil.
Conclusion, ban food.
They do mention OSS. For God's sake, man, the title of their cover story in their trash publication Sage is "Paying a price for the open-source advantage"
These people don't want open source anti-virus software driving down their prices and they don't want an open source OS to become dominant if it only has a handful of ineffective viruses.
The race isn't always to the swift... but that's the way to bet!
The "binary lottery" would not change for most users. They can't read the source code, so whether they download an executable or a source and compile it won't matter to them. Yes, some people would be able to read the source and discriminate between "good" and "bad" code, maybe even fix a thing or two about it. Most would just do what they do now: Download something and run it. With the only difference being that they complain about having to compile it first.
Also, yes, most distris take precautions about root. Either you can't log in directly as root, or they limit the ability of root to connect to the outside world. Which, on the other hand, is something that I do not really embrace to be honest, I tend to distrust systems that limit me artificially. It also only gives you a false sense of security. root, as my mentor put it, should be used while you're sitting on your hands. Being able to do everything as root teaches you, albeit the hard way, that you indeed CAN do everything to your system. You'll inevitably trash your first system. But that's what learning is about.
A user who should actually be using a distribution that limits root access, because he does not want to learn, will most certainly not choose one of those. He will try to get one that does not limit his root abilities (and they do exist), for simplicity's sake.
And you're back to square one.
Security comes at the price of comfort, and many people are not willing to pay that price. If nothing else, they will search for ways to circumvent the security mechanisms in their distributions before trying to learn how to use it sensibly.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
January 1997
``In fact it's probably easier to write a virus for Linux because it's open source and the code is available. So we will be seeing more Linux viruses as the OS becomes more common and popular.''--Wishful thinking from McAfee
saw that here: http://www.linuxjournal.com/article/9065?
The "binary lottery" would not change for most users. They can't read the source code, so whether they download an executable or a source and compile it won't matter to them. Yes, some people would be able to read the source and discriminate between "good" and "bad" code, maybe even fix a thing or two about it. Most would just do what they do now: Download something and run it. With the only difference being that they complain about having to compile it first.
Yes, it would. At risk of just repeating myself: when was the last time you downloaded spyware from the Debian repository? The fact that the average user can't read source code doesn't make any difference whatsoever. It's not the direct effect of the source being available that benefits them. It's the indirect effect. It's not like I personally check every line in the OpenBSD sources. The only languages where I can read the source code on a level where I am able to debug are Common Lisp, Scheme, Python and bash. It's not a binary lottery when it's been through the peer review required for it to enter the repository.
I tend to distrust systems that limit me artificially.
There's no artificial limit on the root functionality. Removing the root account is nothing akin to removing root functionality. It doesn't even stop you from having a root shell (I think the correct sudo flag is -k). The difference is in the method, not in the result. I personally prefer su, but that's only because I have no need for the sudo functionality. Temporary privilege escalation is a far better choice for users who primarily use GUI tools. It means people still use their normal user account, but after being warned and entering a password, are able to do as they wish.
Security comes at the price of comfort
No, I don't think it does. I'm no less comfortable in Ubuntu than I am in my native distribution. The su --> sudo change has a trivial effect (three extra characters on your normal shell change) and yet is a very useful facility.
This looks like an astroturfing and/or puff-piece for the Sage. They just had to have some real eye-catchers for the first issue, I guess, so they took everyone's favourites and linked them up with bad things. Nothing to see here (or probably in Sage either), move along.
The open source model is effective at enabling malware because it is effective, period.
Blaming the open source model for the propagation of malware is like blaming the invention of the internet for the spam in your inbox.
File under 'M' for 'Manic ranting'
Haha, when I first read the post I thought "What is John McAfee saying now". Then I realized they were talking about the company. I remember back in the day when Peter Norton was Symantec and John McAfee was McAfee :)
...it makes their job hard. That is, the job whose description is: be one of an elite cartel of information-hoarders who graciously condescend to rent everyone else security fixes.
The whole "anyone can submit a patch", "free, rapid fixes", "peer reviewed security" thing just totally screws with their business model. I can see how they'd get grouchy.
Has anyone heard of this CVS thingy? - it sounds like a really neat new tool!
Genesis 1:32 And God typed
McAfee's just jealous. They haven't had a decent product since the DOS version of McAfee AV.
This is the same company that posted a faulty virus signature earlier this year that wiped out a lot of software on a lot of computers. I personally had a lot of cleanup and reinstall time due to this problem. Since then, I discount almost anything this vendor has to say; maybe they are in need of making some noise to make people forget what a shoddy product they put out?
Date Public 03/18/2005 A buffer overflow vulnerability in the McAfee Virus Scan Engine may allow a remote attacker to execute arbitrary code on an affected system. Because the vulnerability exists in a core component, a number of different McAfee products are affected. http://www.kb.cert.org/vuls/id/361180
My hyperlinks aren't worth the paper they're printed on.
So if there are no examples of how to program
then there will be fewer programmers.
Few programmers leads to fewer Botnets
And with fewer Botnets, and viruses for that matter,
There will be less need for McAfee software.
And in turn a larger market for software
that can self automate our lives.
Or in other words when programming becomes illegal
then only criminals will program.
Well, that made my life easier. Now when I try to decide what sort of anti-virus software to recommend to people, there is one fewer option that I have to consider. Clearly these "McAfee" people don't know a thing about what they're talking about.
http://outcampaign.org/