Damn Vulnerable Linux — Most Vulnerable Linux Ever

← Back to Stories (view on slashdot.org)

Damn Vulnerable Linux — Most Vulnerable Linux Ever

Posted by timothy on Saturday July 17, 2010 @11:11AM from the in-context-it's-barely-vulgar dept.

An anonymous reader writes "Usually, when installing a new operating system, the hope is that it's as up-to-date as possible. After installation there's bound to be a few updates required, but no more than a few megabytes. Damn Vulnerable Linux is different; it's shipped in as vulnerable a state as possible. As the DVL website explains: 'Damn Vulnerable Linux (DVL) is everything a good Linux distribution isn't. Its developers have spent hours stuffing it with broken, ill-configured, outdated, and exploitable software that makes it vulnerable to attacks. DVL isn't built to run on your desktop – it's a learning tool for security students.'"

167 of 227 comments (clear)

Wait, so I shouldn't have used that at work? by Anonymous Coward · 2010-07-17 11:12 · Score: 5, Funny

Don't tell my boss.
1. Re:Wait, so I shouldn't have used that at work? by binarylarry · 2010-07-17 11:41 · Score: 5, Funny
  
  Don't worry, it's still safer than the Windows servers you run.
  
  --
  Mod me down, my New Earth Global Warmingist friends!
2. Re:Wait, so I shouldn't have used that at work? by Neoprofin · 2010-07-17 14:05 · Score: 1
  
  Some would argue that means Linux lacks functionality.
3. Re:Wait, so I shouldn't have used that at work? by ozmanjusri · 2010-07-17 14:31 · Score: 1
  
  Such as?
  
  --
  "I've got more toys than Teruhisa Kitahara."
4. Re:Wait, so I shouldn't have used that at work? by Darkness404 · 2010-07-17 14:44 · Score: 4, Funny
  
  I know! I've been wanting to get these free kitten screensavers and family guy cursors and they aren't working! And I can't get sexyladies4324aefe.exe to run either! Man, Linux doesn't run anything good...
  
  --
  Taxation is legalized theft, no more, no less.
5. Re:Wait, so I shouldn't have used that at work? by ae1294 · 2010-07-17 14:48 · Score: 4, Funny
  
  Such as?
  The ability to run the Malware he writes for fun and profit. Ok... mostly profit...
6. Re:Wait, so I shouldn't have used that at work? by Cheeze · 2010-07-17 15:57 · Score: 1
  
  I bet they run in Wine!
  
  --
  Why read the article when I can just make up a snap judgement?
7. Re:Wait, so I shouldn't have used that at work? by jellomizer · 2010-07-17 16:11 · Score: 2, Insightful
  
  Yes the random poke at Microsoft...
  Lets stay blind dumb and happy with our Linux.
  Linux isn't any more secure then Windows is. However Linux users like to get bragging rights because they release fixes to security glitches fixes (a good thing) much faster then Windows does. However security patches isn't the only thing...
  Usually the reason for most Vulnerabilities in Windows is due to stupid Administration. Being that windows is easier to maintain by the average joe, means that a lot of Windows Server Networks are being administered by people who really don't have any rights administering a network. Having Poor Security procedures, buzzword based security settings, Firewall with holes.
  Linux users are either the Old time Unix administers or people who actually think about technology as a bit more of a means to an end, actually on the average are at least bit better then the laimo Windows Server non-administrators.
  However Linux is still quite vulnerable. Updates may not be run as often as they should, legacy code needing older versions of software to run. The fact that they think they are immune makes sure fixing these problems are a less of a priority.
  I have seen man Linux Systems hacked into more then I have seen windows systems, why because the administrators of the Linux systems were Lazy and bought into the fact that Linux is SO MUCH MORE SECURE THEN WiNDOWS and let the Servers Run Bragging about their huge uptimes while it keep on getting rooted. Yes the times I have seen Windows get compromised it is often a bigger problem then when it happens to Linux, as windows vulnerabilities make it more possible to spread viruses across the unsecured intranet.
  But the moral of this post is. Don't put your faith in the software for security, Keeping a secure network is up to a human hopefully they are skilled to keep it secure.
  
  --
  If something is so important that you feel the need to post it on the internet... It probably isn't that important.
8. Re:Wait, so I shouldn't have used that at work? by Neoprofin · 2010-07-17 16:39 · Score: 1
  
  Demonstrative vulnerability. If the system can't be made to do something, something that another system finds very easy, and something that people want it to do, it lacks functionality.
  
  Or I guess I could just say "woosh".
9. Re:Wait, so I shouldn't have used that at work? by Anonymous Coward · 2010-07-17 17:53 · Score: 3, Interesting
  
  Pretending you are secure using DSL is just stupid.
  Your PC will be owned in 24h or less(how many rootkits are installed by default?). My web and ssh servers get attacks searching for common vulnerabilities constantly since the day I started them and they aren't even live yet. If they had been running any vintage version of Linux it would have been automatic pwnage.
  I wonder if streaming a Tb or two of good quality PRNG data into a bot or a "security researcher"'s computer would get me into any problems. They always seem so sad when they find nothing to grab. They are the ones making the HTTP or SSH request it's not my fault they discover my RNG server ;)
10. Re:Wait, so I shouldn't have used that at work? by ae1294 · 2010-07-17 18:00 · Score: 1
  
  I bet they run in Wine
  Heh ok.... I'll take that bet...
11. Re:Wait, so I shouldn't have used that at work? by Anonymous Coward · 2010-07-17 20:14 · Score: 1, Funny
  
  "Being that windows is easier to maintain by the average joe,"
  No. No. It isn't. Just because the populous keeps using inferior software does not mean it is better or easier to use. It just means people are stupid.
  "means that a lot of Windows Server Networks are being administered by people who really don't have any rights administering a network."
  Yes many people are administering windows server networks that don't have rights to do so. Thats the bloody point in case of your op. And if you really meant to say that people are doing the admin work they shouldn't be well then that is probably also true, if it was a linux network they would have one guy/gal running the show and never need to worry about being understaffed again.
12. Re:Wait, so I shouldn't have used that at work? by Pharmboy · 2010-07-17 23:09 · Score: 1
  
  Come now, Microsoft has enough market share and billions of dollars that they don't really need you defending them. And as for security, the reason Linux is more secure than Windows has to do with the security model more than the actual software. Linux IS more secure than Windows, there is no doubt. People like to say it is because "People don't write viruses for Linux, just Windows" not realizing that it is much more difficult to write viruses/trojans for any Unix type system as it has security built into the kernel. There are less viruses because it is harder to exploit, or at least has fewer vectors of attack.
  It is a trade-off: MS has more apps and has a lower level of skill required to setup (although higher level to master), Linux has a steeper initial learning curve but is easier to maintain. (You can update a server from your Droid pretty easily). Any admin as lazy as you describe would be fired soon, regardless of which platform he worked on. Saying that all Linux admins look and act like the Comic Book Guy is pretty laughable.
  
  --
  Tequila: It's not just for breakfast anymore!
13. Re:Wait, so I shouldn't have used that at work? by jellomizer · 2010-07-18 00:47 · Score: 1
  
  1. It isn't defending Microsoft it is trying to make sure the Linux Users are aware of the security to prevent them from being blind sided.
  2. Is it really that difficult to write a virus/trojan for linux... No not really... Most Linux distributions have a huge of scripts/python/perl code for a lot of the apps, at least to get them to start.
  So you make a script say a Python or Bash Script. That searches for files using find and grep that have the same interpreter you are using. Inject the Source for this script in a location where it will execute then run the normal code.
  Check the users mozilla cache for websites that seem to have forms... Espectially Linux formums... Or Email people from your contact list or check of shared SSH keys and auto sftp in and see where you can put your code
  Have it post a message randomly like Try This script... This should fix your problem.
  Now what usually stops this type of script from spreading in Linux vs. Windows is 1 Linux Admins being better Admins know how to reduce root access to their system, and use it as a last resort.
  The case of amount of Windows users vs. Linux users is a big case too. Just in terms of networking and finding like systems. It is not Linux superior model but it is just big enough to have enough stupid people to cause the virus to spread.
  3. There is a lot of security built into the Windows NT Kernel. In some ways more then in Linux. But still it is going to do what it told, and if you can run a program to raw write to your devices you have enough to cause problems.
  4. The Lazy admin I describe probably wouldn't be fired because the person who I describe isn't an Admin. Most companies are small companies and the guy who maintains the computers is probable in sales or the owner or doing something else as their main job.
  
  --
  If something is so important that you feel the need to post it on the internet... It probably isn't that important.
14. Re:Wait, so I shouldn't have used that at work? by commodore64_love · 2010-07-18 01:49 · Score: 1
  
  >>>Linux isn't any more secure then Windows is.
  When Linux develops a hole, it can be immediately plugged by updating the source code. In contrast with Windows you have to sit-and-pray that Microsoft will do something. In most cases they don't - they like to drag their feet. QED linux is more secure.
  
  --
  "I disapprove of what you say, but I will defend to the death your right to say it." - historian Evelyn Beatrice Hall
15. Re:Wait, so I shouldn't have used that at work? by ae1294 · 2010-07-18 03:11 · Score: 1
  
  Talking about dis???
  
  lwp-download in libwww-perl before 5.835 does not reject downloads to filenames that begin with a . (dot) character, which allows remote servers to create or overwrite files via (1) a 3xx redirect to a URL with a crafted filename or (2) a Content-Disposition header that suggests a crafted filename, and possibly execute arbitrary code as a consequence of writing to a dotfile in a home directory.
  http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-2253
16. Re:Wait, so I shouldn't have used that at work? by TheLink · 2010-07-18 03:33 · Score: 1
  
  Uh, what better security model? From what I see Windows NT/2K/XP and say Ubuntu/Suse Linux have pretty much the same security model. OK so defaulting to admin user was a pretty stupid idea, but malware nowadays don't even care so much about admin - zombies that send spam and DDoS do not need admin privileges. So as long as you can get a user to run something, you're in.
  Currently at work I'm writing stuff for unix/unixlike software+hardware asset management, and believe me it's not that difficult to write a cross plaform "zombie" script that works on Linux, OSX etc. I wouldn't do that of course but if it ever becomes profitable enough to do so, I'm sure someone in the world will do it.
  After all if you have the same Windows users who would type in passwords to unzip password locked zipped files and then launch the malware[1], why wouldn't they do the same for Linux and OSX too? Think those same idiots wouldn't type in perl Britney?
  [1] Examples: http://www.f-secure.com/v-descs/email-worm_w32_bagle_fy.shtml
  If you only want a spam sending zombie you do not even need root privileges, so you wouldn't even need them to enter passwords.
  All you need to do is set up a user cron or at job, or modify/replace/shim a commonly used user-owned program/script. Aunt May ain't gonna even notice.
  I'm personally curious whether most antivirus scanners would be able to cope with perl malware. TMTOWTDI and all that (a half decent perl coder could write something that'll churn out versions of ACME:Bleach or similar, and automatically test them on multiple virus programs - so you only "release" malware that passes).
  You could create something fairly innocuous, but uses LWP or wget or curl to fetch new instructions and then run those new instructions.
  --
  
  Too many replies beneath your current threshold
17. Re:Wait, so I shouldn't have used that at work? by Thinboy00 · 2010-07-18 07:13 · Score: 1
  
  I doubt screensavers will integrate correctly with all three of xscreensaver, gnome-screensaver, and kde-screensaver, even with Wine.
  ObTopic: I wonder which is more "secure" w.r.t. probability of being successfully cracked by some random black hat: OS X or DVL (given that in any case said random black hat will be distracted by Windows)?
  
  --
  $ make available
18. Re:Wait, so I shouldn't have used that at work? by jellomizer · 2010-07-18 08:27 · Score: 1
  
  Can you Fly all the airplaines. can you drive a Semi-Truck, can you operate a Train, could you fly the space shuttle...
  Saying people are stupid for not knowing how to use a technology they are not trained in is in itself idiotic. Why cant everyone use Linux... Because they have put trade offs in their life's to learn things that are more useful for their survival.
  
  --
  If something is so important that you feel the need to post it on the internet... It probably isn't that important.
19. Re:Wait, so I shouldn't have used that at work? by Risen888 · 2010-07-18 19:03 · Score: 1
  
  As far as I'm aware, kde-screensaver is simply a wrapper for xscreensaver. I could be wrong though, and I'm too drunk to do my own research.
  
  --
  Hey, I finally got my first freak! Took you long enough!
20. Re:Wait, so I shouldn't have used that at work? by Risen888 · 2010-07-18 19:04 · Score: 2, Insightful
  
  Being that windows is easier to maintain by the average joe
  Obviously it is not. It is easier to fuck up. That's a different thing altogether.
  
  --
  Hey, I finally got my first freak! Took you long enough!
21. Re:Wait, so I shouldn't have used that at work? by Von+Helmet · 2010-07-19 00:15 · Score: 2, Interesting
  
  A few years ago, around 2006/7, I worked in a (UK) school doing IT support. One of the guys in the science department was some kind of Linux geek. He had a Red Hat server running on the school network for some reason or other, I forget what, and he had requested and been given an external IP address on the network so that he could get in from home and do... whatever.
  So, one day the big talk is that the local education authority, who provided the Internet connection, have been getting calls from the US Department of Defence wanting to know why they're getting hundreds of thousands of hits to some of their servers from this address block. The education authority traced it to the school and we traced it to this guys Red Hat server and pulled the plug. I didn't get a good look at it, but it was running a 2.4 kernel well into the 2.6 days, so I'm guessing there were plenty of other things that were out of date on there.
  I don't know whether you'd lay the blame on the science teacher or the admin who let him put that box on the network with an external IP address and then didn't spot oodles of outgoing SSH attempts or whatever, but one way or another someone took it on trust that someone else knew what they were doing with Linux when they clearly didn't.
22. Re:Wait, so I shouldn't have used that at work? by JasterBobaMereel · 2010-07-20 00:45 · Score: 1
  
  A Badly configured outdated server with a clueless operator, is a badly configured out of date server with a clueless operator no matter what operating system ...
  Red Hat has automatic updates, which he obviously had turned off, which would have fixed some of this (the same as Windows updates)
  And SELinux (standard on RedHat) should have stopped most malware ....but he probably disabled it ...
  
  --
  Puteulanus fenestra mortis
Or by Voulnet · 2010-07-17 11:13 · Score: 4, Funny

Or use a fresh install of XP.
1. Re:Or by Luckyo · 2010-07-17 12:07 · Score: 4, Funny
  
  Ebola or AIDS. Choices!
2. Re:Or by Co0Ps · 2010-07-17 12:07 · Score: 4, Interesting
  
  Seriously, I once attempted to see how long it would take to get a fresh install of XP hijacked on a virtual box. After about one hour of bad IE6 surfing on suspicious sites (would you like to download and run this? yes please) I had one or two pieces of malware installed that had taken over the computer completely, filling the screen with popups and disabling all kinds of system configuration tools.
3. Re:Or by maxwell+demon · 2010-07-17 12:21 · Score: 4, Insightful
  
  To be fair, if you download run random stuff from the web, your Linux computer isn't too secure either.
  
  --
  The Tao of math: The numbers you can count are not the real numbers.
4. Re:Or by tuxgeek · 2010-07-17 13:41 · Score: 4, Insightful
  
  To be fair..
  most malware available for download on the web is designed to be run on windows
  It doesn't do anything much less run in linux
  Windows is such an easy target for exploit and success, it's everywhere and run by every bone-head idiot on the planet
  Linux on the other hand is most used by advanced individuals and can be very difficult to exploit making it a waste of time for the black hats, it can be done, but rarely successful
  
  --
  "Suppose you were an idiot...and suppose you were a member of Congress...but I repeat myself." Mark Twain
5. Re:Or by causality · 2010-07-17 13:54 · Score: 1
  
  Or use a fresh install of XP.
  Yeah but this is a learning distribution for security students. "Download this script-kiddie tool and point it at the XP machine's IP address" doesn't allow for much learning and understanding...
  
  --
  It is a miracle that curiosity survives formal education. - Einstein
6. Re:Or by rtp · 2010-07-17 14:26 · Score: 1
  
  DVL is effectively the Crash Test Dummy for Linux.
7. Re:Or by Culture20 · 2010-07-17 14:30 · Score: 5, Informative
  
  That's nothing. During the Blaster days, I stood by and let someone attach their computer to the network for updates after a clean install. It was an object lesson: Before she could navigate to windows update, it started rebooting again. Always update security patches from a known-safe medium.
8. Re:Or by bigstrat2003 · 2010-07-17 14:53 · Score: 4, Insightful
  
  That's not the point. The point is that even if OS security were perfect, there would still be machines which were completely fucked. No amount of OS security will stop the user from wanting free kitten screen savers.
  This doesn't excuse vulnerabilities that do exist in operating systems, but since Co0Ps specifically mentioned that he/she was actively agreeing to download certain pieces of malware, it bears mentioning.
  
  --
  "16MB (fuck off, MiB fascists)" - The Mighty Buzzard
9. Re:Or by samurphy21 · 2010-07-17 15:09 · Score: 1
  
  Or at the very least, from behind a hardware firewall/router.
10. Re:Or by RocketRabbit · 2010-07-17 15:45 · Score: 1
  
  Oh yeah, there's tons of malware out there for Linux.
  I know of concept pieces but genuine malware, even on ancient distros is really hard to find, especially the kid you'd pick up from just browsing web sites. Rooting incidents are much more common, but still rare enough that it's barely worth worrying about.
11. Re:Or by jmerlin · 2010-07-17 15:50 · Score: 1
  
  "Windows is such an easy target for exploit and success"
  
  It's not Windows that's being targeted. It's the people using Windows. Get it right.
12. Re:Or by im_thatoneguy · 2010-07-17 16:19 · Score: 1
  
  I'm no fanboy but a $20 Netgear Router also would have prevented that.
13. Re:Or by uninformedLuddite · 2010-07-17 17:26 · Score: 1
  
  I accidentally left a box online when doing an xp install and it was infected before the install had completed. It got a prevalent virus(can't remember which one). It was one of the batch of virii that flashed up the shutting down in 60 seconds messages that was popular around 2005/6
  
  --
  The new right fascists are bilingual. They speak English and Bullshit.
14. Re:Or by Phroggy · 2010-07-17 18:10 · Score: 1
  
  NAT has only been the standard for about the last 10 years or so. Prior to that, a LOT of desktop PCs were connected directly to the Internet with publicly routable IPs and no firewall.
  
  --
  $x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
  $x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
15. Re:Or by st0nes · 2010-07-17 18:23 · Score: 1
  
  virii
  viruses please. And octopuses, platypuses etc.
  
  --
  Tempora mutantur, nos et mutamur in illis
16. Re:Or by rsborg · 2010-07-17 18:35 · Score: 4, Insightful
  
  That's not the point. The point is that even if OS security were perfect, there would still be machines which were completely fucked. No amount of OS security will stop the user from wanting free kitten screen savers.
  You know, I'm going to get flamed to hell and back for this, but if you download (ie, buy a free app of) free kitten screensavers in iOS, you will likely have no security impact to your device... some (lots of) folks just can't be trusted outside walled gardens, and that's why Apple is doing so well.
  
  --
  Make sure everyone's vote counts: Verified Voting
17. Re:Or by uninformedLuddite · 2010-07-17 18:37 · Score: 1
  
  I was trying to be hip
  
  --
  The new right fascists are bilingual. They speak English and Bullshit.
18. Re:Or by maxwell+demon · 2010-07-17 21:10 · Score: 2, Interesting
  
  That's not the point. The point is that if you actively download and run random stuff from the web, it doesn't tell much about the security of the OS if you get lots of malware.
  However, I can imagine that the first sort of widespread malware on Linux will be cross-platform Firefox extensions. It shouldn't be too hard to write an extension that does something users want, but also contain some malicious code. That code would have full access to anything you browse, including your banking site and all passwords to various web sites, and it could silently send that data to an arbitrary place, or silently manipulate it. If the extension is otherwise useful, people may install it. For example, how many people have inspected the source of NoScript before they installed it? And of every update as well? I haven't. I installed it because it has functionality I want, I've read lots of recommendations, it has lots of users, and it is on the official Mozilla add-on site. Also the fact that this add-on is quite complex and very actively maintained and developed is IMHO a indication that it's not just a way to introduce malware. However, what if someone would manage hack the web site and push a slightly modified version as update? Note that this would hit exactly those people who are least likely to get other malware.
  There's a reason why I created a second profile in Firefox where absolutely no extensions are installed. That's what I use for online banking.
  
  --
  The Tao of math: The numbers you can count are not the real numbers.
19. Re:Or by RocketRabbit · 2010-07-17 21:15 · Score: 1
  
  This problem can not be solved. I recommend reading "Reflections on trusting trust." Eventually you need to trust a person, somewhere, and if they are trusted and really clever they can hide what they are doing in a large system. The source code may be innocuous and completely inspected, but it has to be compiled or interpreted somewhere, and if the compiler or interpreter is rigged you'll never know.
  How many people have understood the entirety of Firefox? How many of those also read and understood the source for GCC and all the libraries that Firefox uses? It's turtles all the way down man.
20. Re:Or by Co0Ps · 2010-07-17 21:36 · Score: 3, Insightful
  
  I have to disagree. If an OS had good security, just running an executable should not give it permission to disable system configuration and mess with system files. In XP if you had an administrator account (everyone did), even screensavers had full permissions. Yes, I surfed on possibly-malicious sites and opened possibly-malicious executables. After that, trying to open task manager gave me "Permission Denied". Also, If an OS has a PERFECT security model (which Linux hasn't), everything should be run sandboxed. In such an OS, you shouldn't be afraid of installing potentially malicious software, just like you're not afraid of visiting web pages with a secure web browser.
21. Re:Or by maxwell+demon · 2010-07-17 22:26 · Score: 1
  
  This problem can not be solved. I recommend reading "Reflections on trusting trust." Eventually you need to trust a person, somewhere, and if they are trusted and really clever they can hide what they are doing in a large system.
  Yes (and I've already read that text a long time ago). However, the main point I wanted to get across is that just because you are on Linux, you shouldn't be too sure you don't get targeted, because Firefox extensions are often cross-platform, and offer great opportunities for malware.
  And while you cannot ever have complete trust, you can certainly minimize the number of parties you need to trust, especially for sensitive stuff. Therefore my separate banking Firefox profile: There I only have to trust Firefox and libraries used (plus the compilers etc., of course), and the maker of the Linux distribution (I trust them to not create malware themselves, but I also trust them to actively care for the security of the packages, which adds another level of trust to those — of course, there can be mistakes at that level, too, see Debian ssh).
  
  --
  The Tao of math: The numbers you can count are not the real numbers.
22. Re:Or by apqvist · 2010-07-17 22:38 · Score: 1
  
  http://www.youtube.com/watch?v=wFyY2mK8pxk
  Or octopi, or octopodes. Which are just as correct as octopuses.
23. Re:Or by ThePhilips · 2010-07-17 22:48 · Score: 1
  
  Have you ever used IE? You do not need to accept anything, it all installs automatically. Plug and Play so to say, the way MS intended it.
  P.S. Hint: in XP, IE has ActiveX on by default. IOW it would happily run any legit-looking binary code code off net without even telling the user.
  
  --
  All hope abandon ye who enter here.
24. Re:Or by ultranova · 2010-07-18 00:09 · Score: 1
  
  Ebola or AIDS. Choices!
  
  Ebola. You're either dead or cured within two weeks. With AIDS, you linger and die slowly for years, as well as spread the damn thing.
  In computer terms, a crash right away is better than a buffer overflow resulting in memory corruption and malware infection which makes your macine a part of a zombie network that keeps selling people illegal Viagra and spreading the infection. This is why managed environments are superior and should be used whenever possible.
  Ebola is better than AIDS, just like Java is better than C++.
  
  --
  Forget magic. Any technology distinguishable from divine power is insufficiently advanced.
25. Re:Or by antdude · 2010-07-18 00:44 · Score: 2, Informative
  
  I saw this happen with a 3 KB/sec dial-up connection too! It was nuts. My friend was wondering why his new XP Pro. downloads were so slow.
  
  --
  Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
26. Re:Or by icebraining · 2010-07-18 01:08 · Score: 1
  
  ChromeOS takes that route too, by allowing only webapps.
  
  --
  Dilbert RSS feed
27. Re:Or by boxwood · 2010-07-18 01:16 · Score: 1
  
  yeah but you sound like a douche when you use octopi or octopodes.
  if you use "virii", you not only sound like a douche, you're also wrong. "virii" is not a valid plural of virus.
28. Re:Or by boxwood · 2010-07-18 01:31 · Score: 1
  
  any OS thats usable is going to have susceptible to PBKAC. If the user is able to make and run executable, send and receive over the network, create and delete files, then malware is also going to have that ability. Yeah malware won't be able to mess with stuff in /usr/bin or /etc, but if can send out spam, delete all the files in your home directory, screw with your video settings, etc.
  Yeah, sure your linux system will reliably boot up no matter what a user does. But is anything going to work after the user logs in? Do you consider a computer to be working if it reliably gets to a login prompt? Most people have a higher standard where the computer isn't working unless they can actually do stuff after they log in.
29. Re:Or by xouumalperxe · 2010-07-18 02:08 · Score: 1
  
  Have you ever used IE? You do not need to accept anything, it all installs automatically
  Dunno whether he used IE, but you sure as hell didn't bother reading the post he was replying to.
30. Re:Or by wwphx · 2010-07-18 05:58 · Score: 1
  
  I installed a copy of Windows 2000 Pro RTM, the machine was online directly through a cable modem - not a router, and it was compromised before I could install SP 4. It was on a friend's machine which had crashed in a very interesting fashion. We went and bought a copy of XP Pro with SP2 and it's been smooth ever since.
  
  --
  When you sympathize with stupidity, you start thinking like an idiot.
31. Re:Or by TheLink · 2010-07-18 06:50 · Score: 1
  
  > If the user is able to make and run executable, send and receive over the network, create and delete files, then malware is also going to have that ability.
  Why should it necessarily be so?
  https://bugs.launchpad.net/ubuntu/+bug/156693
  --
  
  Too many replies beneath your current threshold
32. Re:Or by hawk · 2010-07-18 08:17 · Score: 1
  
  At the tail end of XP/SP1 shipping (leftover units in the supply chain), some magazine tried to do a security article about it.
  They found that it got compromised faster than it could download SP2, and that this was repeatable.
  (yes, being behind a firewall probably would have made a difference).
  hawk
33. Re:Or by DrGamez · 2010-07-18 08:19 · Score: 1
  
  Why did you put a > in front of your sentence?
34. Re:Or by Anonymous Coward · 2010-07-19 02:25 · Score: 1, Insightful
  
  That's not the point. The point is that even if OS security were perfect, there would still be machines which were completely fucked. No amount of OS security will stop the user from wanting free kitten screen savers.
  You know, I'm going to get flamed to hell and back for this, but if you download (ie, buy a free app of) free kitten screensavers in iOS, you will likely have no security impact to your device... some (lots of) folks just can't be trusted outside walled gardens, and that's why Apple is doing so well.
  You can't download free kitten screensavers in iOS.
  
  It's against Apple's guidelines for published apps in the App Store.
35. Re:Or by neurovish · 2010-07-19 05:02 · Score: 1
  
  Seriously, I once attempted to see how long it would take to get a fresh install of XP hijacked on a virtual box. After about one hour of bad IE6 surfing on suspicious sites (would you like to download and run this? yes please) I had one or two pieces of malware installed that had taken over the computer completely, filling the screen with popups and disabling all kinds of system configuration tools.
  Or in the days of slammer or blaster, just install XP and wait 30s. I remember having to use linux to download the appropriate service patches and fixes because the XP computer wouldn't stay online long enough to install them.
36. Re:Or by Actually,+I+do+RTFA · 2010-07-19 05:15 · Score: 1
  
  To be fair...
  Most malware is WINE compatible.
  
  --
  Your ad here. Ask me how!
37. Re:Or by Boomshadow · 2010-07-19 06:47 · Score: 1
  
  The original definition of Plug and Play as a marketing term was the concept that if a user plugs in a hardware peripheral, like a printer, scanner, microphone, etc., it should tell Windows what it is and Windows should automatically make it work. As far as I know, there were never any documents identifying Plug and Play with, say, software, much less malware code.
38. Re:Or by ThePhilips · 2010-07-19 07:01 · Score: 1
  
  Well, I meant that one just "Plug" PC with WinXP into the Net, and malware automatically starts "Play"ing on the computer.
  
  --
  All hope abandon ye who enter here.
39. Re:Or by Boomshadow · 2010-07-19 08:25 · Score: 1
  
  Well, if you're gonna rock out with a metaphor, I always like the Kevin & Kell approach: referring to Windows as a "scratching post" for malware. Posted from my Windows 7 desktop---oh noes!!!
Big deal by Anonymous Coward · 2010-07-17 11:13 · Score: 4, Funny

So it's like Fedora then.
1. Re:Big deal by magsol · 2010-07-17 11:30 · Score: 5, Insightful
  
  Why is the OP - who is denigrating a Linux distro - modded a Troll, whereas the poster above him - denigrating Windows - modded as Funny?
  
  --
  "I'd just like to emphasise that taking a million years isn't a metaphor here..." -Rich Bradshaw
2. Re:Big deal by basscomm · 2010-07-17 11:39 · Score: 5, Funny
  
  Why is the OP - who is denigrating a Linux distro - modded a Troll, whereas the poster above him - denigrating Windows - modded as Funny?
  You must be new here.
  
  --
  http://crummysocks.com
3. Re:Big deal by hdparm · 2010-07-17 11:49 · Score: 1
  
  You're not far off. I remember installing Redhat ten years back:
  
  No, not too far. Just about 10 years.
4. Re:Big deal by RichardJenkins · 2010-07-17 11:51 · Score: 1
  
  Because Fedora is no laughing matter.
5. Re:Big deal by bsDaemon · 2010-07-17 12:00 · Score: 1
  
  that's what she said.
6. Re:Big deal by keatonguy · 2010-07-17 12:21 · Score: 5, Insightful
  
  Don't be obtuse, he raises a good point. Linux is not infallible and shouldn't be treated as such even in light of it's advantages and the personal support we all have for it. Criticism breeds improvement. Keep that in mind, mods.
  
  --
  If you aren't angry, you aren't paying attention.
7. Re:Big deal by DittoBox · 2010-07-17 13:39 · Score: 1
  
  Constructive criticism said sans doucheiness breeds improvement.
  Criticism said to build oneself up breeds contempt.
  
  --
  Good. Cheap. Fast. Pick Two.
8. Re:Big deal by sea4ever · 2010-07-17 13:48 · Score: 1
  
  Criticism breeds improvement.
  
  The amount of criticism that Microsoft and Windows in particular have received from /. over the years...
  Are you sure about that one there?
9. Re:Big deal by LynnwoodRooster · 2010-07-17 13:55 · Score: 4, Funny
  
  Exactly. Everyone knows the only OS that gets to claim invulnerability is OSX...
  
  --
  Browsing at +1 - no ACs, I ignore their posts. So refreshing!
10. Re:Big deal by causality · 2010-07-17 14:11 · Score: 2, Insightful
  
  Why is the OP - who is denigrating a Linux distro - modded a Troll, whereas the poster above him - denigrating Windows - modded as Funny?
  That has since been modded some more and now sits at +4 Funny at the time of this post.
  
  Had he denigrated Apple or its products, it would have gone down to -1 and remained there.
  
  --
  It is a miracle that curiosity survives formal education. - Einstein
11. Re:Big deal by inode_buddha · 2010-07-17 14:28 · Score: 1
  
  True, but Apple flamewars are fun; you can spend all day trying to get them to come out of the closet. Meanwhile you can watch the fanbois get all twisted until they grow a pair enough. Of course you can say the same thing about Linux guys. I've been running it since the mid-1990's and I have very few illusions. Main thing is, Yeah, bone-stock generic linux install is a shitload better than Windows, but that doesn't mean it's perfect. There's always ways to tighten up the generic distro defaults to fit your specific situation, even with the latest. As for myself, I haven't allowed MS products in my house since 1999. Not missing much of anything either, it seems. And yes, I still enjoy all of the new web crap.
  
  --
  C|N>K
12. Re:Big deal by causality · 2010-07-17 14:39 · Score: 4, Insightful
  
  Don't be obtuse, he raises a good point. Linux is not infallible and shouldn't be treated as such even
  Did it occur to you that the more experienced/advanced/technical users who tend to gravitate towards Linux are very much aware of this, that they administer their systems accordingly, and that this is in fact a big reason why successful malware "in the wild" is all but unheard-of on this platform? Compare to "buy the next version of Windows, it's easier and more secure than ever!" that carries the strong implication of "oh, security is someone else's problem". Not noticing or appreciating that difference would also be obtuse.
  
  What I am getting at is that there are both technical and cultural differences between the two platforms.
  
  --
  It is a miracle that curiosity survives formal education. - Einstein
13. Re:Big deal by w0mprat · 2010-07-17 15:08 · Score: 1
  
  Agreed. So on the topic of infallibity, here's more criticism.
  1. Linux is still vulnerable through software the user runs. Vulnerabilities in popular browsers are still exploitable (Chromium, Firefox, Opera) etc. This doesn't give you low level access to the users system, but there is a helluva lot you can do once you've taken over a browser's running instance. (But Chrome has done a lot of work around sandboxing to address this).
  
  2. It's not necessary to have root to do a lot of damage - anything the user account can access is yours (keylogging, delete data, wreck havoc on network shares).
  
  3. I've always been concerned that in most distributions the user enters a password for superuser functions - you only need to phish this and suddenly you have low level access to the system. Distros are frequently frivolous with the prompting for admin password, such that even a expert user may enter it like a reflex, especially if the dialog box is visually accurate. It is not too difficult to imagine a number of easy ways to implement this :S which I won't go into, although it is reliant on user stupidity - which unfortunately is in abundance.
  
  4. Complacency is the most dangerous security flaw, and Linux users have this in abundance also. Assuming security is the most dangerous thing you can do. Also dangerous is assumptions about the users competence.
  
  4a. Security is not a one-time effort. Software is so complex these days there are ALWAYS flaws that can be exploited.
  
  5. The assumption the if Windows was replaced with Desktop Linux, everything would be better. Fact is, it is still not tested in wide distribution accross tens of millions of machines with all kinds of users from all walks of life. There must be a lot of undiscovered flaws lurking. I would expect if you suddenly replaced all Windows installs worldwide with a single distro it wouldn't be long before the malware and shitware purveyors are back to business as usual. It would be no magic cure for malware.
  
  6. Anyone who's had a Linux firewall and looked at the logs knows Linux systems are routinely attacked. Brute forcing SSH for example.
  
  6a. I have friends who hack each others systems all the time like a sport. These are common distributions like Ubuntu and Fedora.
  
  7. This is /. where I will be modded troll, flamebait in 3...2...1..
  
  --
  After logging in slashdot still does not take you back to the page you were on. It's been that way for 20 years.
14. Re:Big deal by Hurricane78 · 2010-07-17 15:18 · Score: 1
  
  But compared to Windows, it actually looks infallible. It’s like multiplying a very large number stored as floating point with a very small number. It won’t change the very small number because the small one is to small and it can’t compute. ^^
  
  --
  Any sufficiently advanced intelligence is indistinguishable from stupidity.
15. Re:Big deal by Charliemopps · 2010-07-17 16:07 · Score: 1
  
  Because windows sucks and we all know it as fact?
16. Re:Big deal by mysidia · 2010-07-17 16:56 · Score: 1
  
  It's a bit different nowadays, things don't run from inetd. They run daemonized or from xinetd. And old inetd crap is always turned off by default.
  No chargen for you, sorry. You won't be tricking IRC users to accepting DCCs from you to chargen ports on random Redhat EL servers, at least... (EG)
  The minimal instead of Redhat EL is decently bare, once you turn off kudzu, CUPS, bluetooth, pcscd, haldaemon, rpc.portmap, rpc.idmapd, rpc.mountd, and nfsd.
  I never understood why a minimal install includes CUPS, by the way; who the hell wants to print something from a DNS server?
17. Re:Big deal by TheVelvetFlamebait · 2010-07-17 16:57 · Score: 1
  
  A lack of exposure to criticisms breeds preciousness and a thin skin. Mods should also keep that in mind before sending a comment to -1 hell.
  
  --
  You know, there is a difference between trolling and pointing out the flaws in your reasoning. Just saying.
18. Re:Big deal by http · 2010-07-17 17:02 · Score: 1
  
  If criticism bred improvement, Windows would be so close to perfect it would bring you breakfast in bed. Criticism, and the inablility to hide the current source code tree from prying eyes, inspires improvement.
  
  --
  If opportunity came disguised as temptation, one knock would be enough.
  3^2 * 67^1 * 977^1
19. Re:Big deal by CAIMLAS · 2010-07-17 17:15 · Score: 4, Insightful
  
  Criticism, even if inaccurate?
  You can still run a multiple-year-old and barely-updated Linux distro on a public network and not fear being exploited. Sure, it can happen, but I'll be honest in saying the only times I've seen a Linux machine exploited was when it was horribly out of date (2.0 kernel in the early 2.6 kernel days) and was running samba... on a public network. That said, the exploit employed was over 6 months old at the time when the machine got exploited.
  Unless you're running a PHP based CMS or the like, it's pretty uncommon for a Linux machine to get exploited. PHP = bad.
  
  --
  ~/ssh slashdot.org ssh: connect to host slashdot.org port 22: too many beers
20. Re:Big deal by Tablizer · 2010-07-17 18:56 · Score: 5, Funny
  
  Exactly. Everyone knows the only OS that gets to claim invulnerability is OSX...
  Only if you hold it right.
  
  --
  Table-ized A.I.
21. Re:Big deal by BrokenHalo · 2010-07-17 19:32 · Score: 1
  
  I never understood why a minimal install includes CUPS...
  
  Because there are other types of server than DNSs. For instance, I have a headless file server at home that also handles printing and a number of other miscellaneous functions. It would be useless to me without CUPS and NFS. I know I could use SMB, but NFS has plenty of advantages in an environment made up entirely of Linux, BSD and Mac boxes.
22. Re:Big deal by masterwit · 2010-07-17 20:08 · Score: 1
  
  Ok, that comment made my day. I'm no OS hater, rather I prefer when people are open-minded.
  
  --
  We should start a new Slashdot and return control to the geeks. It actually wouldn't be that hard to get some users to
23. Re:Big deal by NotQuiteInsane · 2010-07-17 20:48 · Score: 1
  
  You're right, it's not infallible. If a (l)user falls prey to the Dancing Bears Problem, their machine is going to be just as r00ted as the Windows box sitting next to it.
  What Linux has is (relative) obscurity and a decent security model. Want to change a system setting? Root password pls. Want to install software in /usr or /opt? Root password pls. You get the picture.
  The issue is that Windows makes it impossible to get any real work done (besides word-processing and that sort of thing) on a standard User account. To do anything interesting, you need (as a minimum) Power User access, which opens up a huge can of worms in terms of security.
  What I like about Linux is that you can use Udev rules to allow users to access (e.g.) the VirtualBox device file (run virtual machines), add a Udev rule so a certain USB or PCI device is user-accessible... all this can be done on a per-user or per-group basis.
  "Assume the user isn't allowed to do anything, then allow an admin to grant them permissions to do stuff" -- aka default deny -- will always be more secure than the default-permit security scheme Windows uses.
  With default-permit, you can still lock the machine down nicely, but unless you have a full master list of everything that needs disabling, you're going to miss at least one setting, and Murphy's Law dictates that it'll be the one that the virus uses to pooch your machine... With default-deny this is a bit less likely because you have to explicitly allow things.
24. Re:Big deal by mangu · 2010-07-17 23:22 · Score: 1
  
  Why is the OP - who is denigrating a Linux distro - modded a Troll, whereas the poster above him - denigrating Windows - modded as Funny?
  Because a fresh Fedora install is orders of magnitude safer than a fresh Windows install.
25. Re:Big deal by selven · 2010-07-17 23:31 · Score: 1
  
  Well, to be fair, the statements about Windows and Fedora weren't really criticism, they were jokes playing to the common meme of Windows being insecure and the far less common meme of Fedora being insecure (that's why the Fedora joke got modded troll until someone came along and yelled at the mods).
26. Re:Big deal by TheRaven64 · 2010-07-17 23:33 · Score: 1
  
  I think you misunderstand the point of a minimal install. It doesn't mean 'everything anyone could possibly need' it means 'the minimum that gives you a working system'. This is one of the reasons I prefer *BSD - you get a minimal install by default and then add the stuff you want, you don't get a bloated install that you have to trim stuff from.
  
  --
  I am TheRaven on Soylent News
27. Re:Big deal by JonJ · 2010-07-17 23:44 · Score: 2, Informative
  
  Ugh, I'm gonna undo all my mod points for this but... Fedora is on the bleeding edge, it has never been about stuffing the distro with old and vulnerable software. The comparison is so far off it's not even funny. If he'd said 'Debian Stable' I might've seen the humor in it, but using Fedora is a really poor example. So he's not only a troll, but a stupid one at that. And it's really annoying seeing all the hate Fedora and Red Hat gets here on /. even if they do amazing work for both servers and desktops. I wish the constant Apple and Ubuntu masturbation would stop.
  
  --
  -- Linux user #369862
28. Re:Big deal by the_womble · 2010-07-17 23:47 · Score: 1
  
  Did it occur to you that the more experienced/advanced/technical users who tend to gravitate towards Linux
  The proportion of naive users has grown a lot over the last few years, but the amount of malware has not (at least not in proportion)
29. Re:Big deal by LinuxIsGarbage · 2010-07-18 01:14 · Score: 2, Informative
  
  You know that Windows Vista and Windows 7 were released which by default run the user as a limited user, and prompt for elevation when needed.
30. Re:Big deal by GameboyRMH · 2010-07-18 01:24 · Score: 1
  
  You're right, it's not infallible. If a (l)user falls prey to the Dancing Bears Problem, their machine is going to be just as r00ted as the Windows box sitting next to it.
  If Joe Luser's system mounts /home and all removable drives as non-executable, and he doesn't have sudo privileges, he can click on Dancing Bears.deb all he wants.
  
  --
  "When information is power, privacy is freedom" - Jah-Wren Ryel
31. Re:Big deal by icebraining · 2010-07-18 01:37 · Score: 1
  
  6) Stopped for me when I changed the port from the default.
  
  --
  Dilbert RSS feed
32. Re:Big deal by mysidia · 2010-07-18 03:53 · Score: 1
  
  Because there are other types of server than DNSs. For instance, I have a headless file server at home that also handles printing and a number of other miscellaneous functions.
  So what? Some folks run webservers too, does that mean Apache should be included in a minimal install? Hell no.
  Only things that are necessary for all installs should be present in a minimal installation.
  Most servers do not need any functions provided by CUPS.
33. Re:Big deal by NotQuiteInsane · 2010-07-18 04:45 · Score: 1
  
  Point taken -- I forgot about that (I don't have a machine running Vista or Win7).
  I run XP and 2000 in my virtual machines (it's not exactly hard to delete the snapshot file and start over if need be) but that's the extent of my Windows use.
34. Re:Big deal by NotQuiteInsane · 2010-07-18 05:08 · Score: 1
  
  Indeed. But on how many systems is that the default?
  The problem in industry tends to be one of authority: someone with some clout (read: one of the CEO's golfing buddies) wants to run Dancing Bears.
  IT tell him it's a virus and put their foot down.
  Joe Clueless then goes whining to the CEO, who overrules IT ("it's just a screensaver with some dancing bears, what harm can it do?"), who reluctantly allow Joe Clueless to install it (all the while telling the CEO that it's a Really Bad Idea). Joe installs it and, oh look, Steve the Script Kiddie just got access to the corporate LAN and all the company's secrets, source code, and other juicy tidbits.
  CEO fires the IT manager, conveniently forgetting the fact that the manager had told the CEO that allowing Joe Clueless to run Dancing Bears was a really bad idea....
35. Re:Big deal by keatonguy · 2010-07-18 22:47 · Score: 1
  
  Yes, not to mention the architectural differences mentioned above. I was replying to one of the obnoxiously common "you must be new here" posts. We shouldn't dismiss or laugh off the inherent bias in our collective thinking. Linux deserves to have it's weak links brought to light specifically because it's such a good tool.
  
  --
  If you aren't angry, you aren't paying attention.
36. Re:Big deal by keatonguy · 2010-07-18 22:48 · Score: 1
  
  Of course. Criticism is only helpful if you actually listen to it. Simply saying something, no matter how truthful, does nothing if it falls on deaf ears.
  
  --
  If you aren't angry, you aren't paying attention.
37. Re:Big deal by Ginger+Unicorn · 2010-07-18 23:17 · Score: 1
  
  ok, just give me a few seconds, i'm nearly there...
  
  --
  (1.21 gigawatts) / (88 miles per hour) = 30 757 874 newtons
38. Re:Big deal by at_slashdot · 2010-07-19 06:19 · Score: 1
  
  Yes, let's focus on 1 in 5 million disease and ignore the one that strikes 1 in 5 (numbers are arbitrary). You can say "you can get a 1 in 5 million disease" that's true, but is it important, effective use of time, smart to focus on that? I'll never claim that Linux is "safe" no OS is safe, no piece of software that has more than 20 lines of code is bug-free, however claiming "software is insecure, Linux is software, therefore Linux is insecure" while logically correct is misleading and irrelevant.
  Basically, call me back when there's a virus that spreads actively on Linux.
  
  --
  "It is our choices, Harry, that show what we truly are, far more than our abilities." -- Prof. Dumbledore
39. Re:Big deal by synthesizerpatel · 2010-07-22 11:06 · Score: 1
  
  in fact a big reason why successful malware "in the wild" is all but unheard-of on this platform?
  Are you joking? The reason they call them 'rootkits' is because they get you root access.
40. Re:Big deal by causality · 2010-07-22 15:17 · Score: 1
  
  in fact a big reason why successful malware "in the wild" is all but unheard-of on this platform?
  Are you joking? The reason they call them 'rootkits' is because they get you root access.
  I believe you are unfamiliar with what is meant by "in the wild" when used to describe malware. It generally refers to a self-propagating piece of malware, such as a worm or a virus, that can spread by infecting other hosts in a fully automated fashion. Blaster and Code Red for Windows are examples of successful malware that was in the wild. That is not what a rootkit does.
  
  Linux has proof-of-concept viruses and worms. Linux generally does not have viruses and worms that are actually infecting computers and continuing to spread themselves. To begin to explain why would require a very long post, but suffice to say that Linux as a platform has not been a successful breeding ground for self-propogating malware.
  
  On Linux, a rootkit is something a human (i.e. non-automated) attacker uses after making a targeted attack against a specific system and successfully compromising it. In common parlance, the definition has been expanded a bit to include the exploit code actually used to gain root, but this is not the original definition of "rootkit".
  
  Everything that follows is the original definition of "rootkit":
  
  A rootkit will replace various system utilities (the "ps" command being a good example) with malicious copies. The replaced utilities will work in concert to hide the presence of the attacker. For example, a sysadmin might normally be able to use standard system tools to notice that a particular user is running an unauthorized server, or is using a high amount of CPU time, or that a root-owned process he's never seen before is now running. With a rootkit installed, the sysadmin can check for these telltale signs and find nothing because the malicious versions of system utilities will not report certain information to him.
  
  But if you want to replace system utilities (which are executables owned by root and writable only by root) with malicious versions, you first have to be the root user. Once you have root, a rootkit can help you to avoid discovery and thus maintain control of the compromised system. That's all they are for.
  
  Windows can have rootkits too. In fact I think the consolidation of various exploit code, rootkits, worms, etc. for the Windows platform into single packages used by script kiddies is a big reason why "rootkit" has departed from its more specific original definition. It's a bit like the way the line has been blurred between a virus and a worm.
  
  --
  It is a miracle that curiosity survives formal education. - Einstein
41. Re:Big deal by synthesizerpatel · 2010-07-22 15:43 · Score: 1
  
  Go read up on the sendmail worm and burn your CISSP certificate.
Great Learning Tool by bytethese · 2010-07-17 11:22 · Score: 4, Informative

We used it in my Forensic Computing masters program in some classes, definitely useful in our Network Security and Architecture of Secure Operating Systems classes to show what can happen with buffer overflows, gaining root access, etc.
Re:Only a matter of time by fuzzyfuzzyfungus · 2010-07-17 11:22 · Score: 1

"Its developers have spent hours stuffing it with broken, ill-configured, outdated, and exploitable software that makes it vulnerable to attacks. DVL isn't built to run on your desktop" is a chillingly accurate description of embedded systems design; but the risk you cite seems exceptionally remote. If the embedders are clueless and barely paying attention, they'll just default to the OS or distribution with the highest mindshare, which won't be this. If they are not clueless and barely paying attention, they'll select something approaching the right tool for the job, which won't be this.
Re:Amusing by Peach+Rings · 2010-07-17 11:23 · Score: 1

A good rule of thumb is that you know you packed too much if your retinue for carrying your luggage needs more food per meal than one person can carry alone.
Security study DVL by GNUALMAFUERTE · 2010-07-17 11:25 · Score: 5, Funny

A notable team of security researches are suggesting windows users migrate to a platform known as DVL. "DVL is a mess. It is vulnerable to a variety of attacks, but it is still more secure than the average windows install". Another researched pointed "Windows users must migrate to DVL immediately, in order to protect their computers".
While several independent research groups are considering DVL as a valuable alternative to windows, Microsoft didn't stay behind, and promised to use DVL as the base of Windows 8, the upcoming version of windows. A spokesperson for Microsoft notified that microsoft decided to use DVL after thoroughly analyzing it, "It provides a great building block for the next release of our greatest product, DVL certainly fits like a glove within our strict security and QA policies".
Windows 8: DVL Edition, the most secure windows version ever released, is scheduled to hit the shelves next summer.

--
WTF am I doing replying to an AC at 5 A.M on a Friday night?
1. Re:Security study DVL by GNUALMAFUERTE · 2010-07-17 11:27 · Score: 2, Interesting
  
  Heheh, previous story says:
  
  "More than a year after Microsoft issue a patch to cover privilege escalation issues that could lead to complete system takeover, a security researcher plans to use the Black Hat conference spotlight to expose new design mistakes and security issues that can be exploited to elevate privileges on all Windows versions including the brand new Windows 2008 R2 and Windows 7."
  
  --
  WTF am I doing replying to an AC at 5 A.M on a Friday night?
2. Re:Security study DVL by Internalist · 2010-07-17 12:26 · Score: 1
  
  Re: your sig...Try reading this one, instead...
  Structured Procrastination
  
  --
  Research is what I'm doing when I don't know what I'm doing. -- Wernher von Braun
3. Re:Security study DVL by GNUALMAFUERTE · 2010-07-17 14:58 · Score: 1
  
  Very interesting. Thanks for the link.
  I am an awful procrastinator, but I do get things done, usually in a very similar fashion to the one explained in the link, many times even staying on-project. I usually split up projects into its parts, and when I get bored and try to avoid writing complex functions, I do interface work, or write a generic library to do $task, and generally procrastinate within a project by doing other parts that are not the major work that I had pending at the moment. This proves eventually very productive, since unconsciously I am thinking about the complex task that I am avoiding, and when I finally get around doing it, I have not only done a huge part of the total project, but I also have a very good understanding and planning of that complex piece that I've been avoiding for so long. That is, when I am not reading /. :)
  
  --
  WTF am I doing replying to an AC at 5 A.M on a Friday night?
How long ? by Pelekophori · 2010-07-17 11:28 · Score: 5, Funny

till Microsoft uses it in get the facts comparisons?

--
The best ideas are common property
1. Re:How long ? by Pelekophori · 2010-07-17 12:20 · Score: 1
  
  Well it was written in that spirit, but jokes get most laughs if they poke close to truth. Your interpretation is also acceptable.
  
  --
  The best ideas are common property
2. Re:How long ? by xs650 · 2010-07-17 14:34 · Score: 1
  
  When I read the title I thought Microsoft was releasing a version of Linux.
3. Re:How long ? by Daniel+Dvorkin · 2010-07-17 16:12 · Score: 2, Interesting
  
  A while back, IIRC, there was a story about the different ways that vulnerabilities are counted in Linux vs. Windows. There have been various MS-sponsored "studies" which sum the total number of vulnerabilities for all distros, so that if, for instance, the same vulnerability exists in Debian and Fedora, it's counted twice. (Likely much more than twice, since if it's in Debian, it's probably in all the Ubuntus too.) Meanwhile, of course, Windows vulnerabilities only get counted once. So don't be at all surprised to see stories along the lines of "5000 new Linux vulnerabilities discovered!" coming from the astroturfers soon.
  
  --
  The correlation between ignorance of statistics and using "correlation is not causation" as an argument is close to 1.
4. Re:How long ? by tokul · 2010-07-17 20:57 · Score: 1
  
  till Microsoft uses it in get the facts comparisons?
  
  What's the point. It still looks better than windows.
what about a weird-arch linux? by keeboo · 2010-07-17 11:38 · Score: 4, Interesting

Something philosophically similar which could be created is some sort of "weird arch" Linux for code debugging purpuses.
Like something with 16bit chars and ints, non-0 NULLs... Perhaps running under an emulated invented weird architecture with strange byte order (non-LSB/MSB) and weird alignment issues.
I wonder how many software would break.
1. Re:what about a weird-arch linux? by sconeu · 2010-07-17 11:50 · Score: 4, Interesting
  
  architecture with strange byte order (non-LSB/MSB)
  You mean like the PDP-11?
  0x11223344 was stored in memory as 0x33 0x44 0x11 0x22
  
  --
  General Relativity: Space-time tells matter where to go; Matter tells space-time what shape to be.
2. Re:what about a weird-arch linux? by mmkkbb · 2010-07-17 12:14 · Score: 3, Informative
  
  And the PDP-10 had bytes in any size from 1 to 36 bits.
  
  --
  -mkb
3. Re:what about a weird-arch linux? by maxwell+demon · 2010-07-17 12:15 · Score: 1
  
  Some more strangeness to add (all conforming to the C standard, some of them violate Posix, though):
  Pointers have different sizes, depending on type. Function pointers and data pointers cannot be cast to each other. Pointers with different representations can actually point to the same memory address, but still have p1<p2 (this happened in 16 bit real mode).
  BTW, does the C standard demand that all integer types use the same representation? If not, one could imagine that e.g. char uses signed magnitude, short uses ones complement, and long uses twos complement.
  And of course, the storage would contain some transparent type tagging mechanism, so that certain type punning operations which are undefined in C are guaranteed to fail at run time.
  
  --
  The Tao of math: The numbers you can count are not the real numbers.
4. Re:what about a weird-arch linux? by ls671 · 2010-07-17 12:26 · Score: 1
  
  > Something philosophically similar
  Maybe, but for me "weird arch" Linux equals security through obfuscation. I know it doesn't qualify as real security but "security through obfuscation" has saved our asses a few times against zero-day exploit or more like "less than 1 day exploits" I should say. In our case, "obfuscation" is just using custom configurations, chrooting things, using reverse proxies and limiting reachable URL. etc.
  Just changing the default admin username on things like MySql, FreePBX, Joomla and the like can save your ass sometime. You can also pretty easily change the root user name on Linux by editing /etc/passwd and /etc/shadow and replacing "root|" with something else although I have never done it in production environments, maybe because I wrongly trust that gaining root on our system is impossible and that binary hacks will use user number 0 anyway ;-)
  Also, most serious companies I have worked for use some level of obfuscation, host names like e444tyh56p, etc...
  Using obfuscation brings an additional cost although because it goes against usability and ease of maintenance principles.
  
  --
  Everything I write is lies, read between the lines.
5. Re:what about a weird-arch linux? by deniable · 2010-07-17 14:52 · Score: 1
  
  Well, let's see it breaks things. We'll call it Sid. Oh, damn. At a higher level, play with things like file permissions and see what kind of helpful error messages you get. Making developers watch their work tested in a toxic environment may be eye opening.
6. Re:what about a weird-arch linux? by chgros · 2010-07-17 14:56 · Score: 1
  
  Well, POSIX requires CHAR_BIT to be 8, so if you change that it's normal if it breaks.
  But otherwise to test portability this seems interesting, although it would be most interesting if it could detect when something isn't done right.
  Most importantly though, you'd need a compiler to target this architecture.
  For instance, NULL being 0 is usually not part of the computer architecture itself; 0 is addressable on x86, causing this bug:
  http://lwn.net/Articles/341773/
7. Re:what about a weird-arch linux? by Hurricane78 · 2010-07-17 15:38 · Score: 1
  Your imagination is weak! How about...
  dog-eat-dog multi-tasking (who can grab the most resources, wins), with the kernel running in the outmost shell, being dominated by the apps
  9 bit “bytes”/chars, non- IEEE floating point with a structure that makes no fuckin sense at all, +INF and +0 being the same, but no -INF existing, overflow and underflow resulting in bitshifts, 27 bit words, with a fractal-reversion BIT (not byte) ordering that looks more like enryption than the same data,
  pointers having 7 bits for the super-segment, 9 for the segment and 11 for the offset, starting from the top of the RAM for applications and the bottom for the kernel, but counting from the top end of the kernel space,
  the kernel automatically trying to execute every segment (there are no separate data segments) loaded RAM as a separate task, in case it’s a program
  A 7 bit address and data bus but a 144+1 bit CPU
  Flippy (the chimp) — A kernel thread equivalent of Clippy, making weird assumptions “it looks like you are trying to corrupt your hard disk...”, but normally just flipping bits at random for “optimization”.
  --
  Any sufficiently advanced intelligence is indistinguishable from stupidity.
8. Re:what about a weird-arch linux? by noidentity · 2010-07-17 16:02 · Score: 1
  
  I'd love something like that. Main problem is that getting Linux itself to run on it would probably be a big chore, due to dependencies on the arch not being weird.
9. Re:what about a weird-arch linux? by RealGrouchy · 2010-07-17 16:54 · Score: 1
  
  Weird-arch Linux, or weird arch-Linux?
  - RG>
  
  --
  Hey pal, this isn't a pleasantforest, so don't waste my time with pleasantries!
10. Re:what about a weird-arch linux? by afabbro · 2010-07-17 17:42 · Score: 1
  
  > Something philosophically similar
  Maybe, but for me "weird arch" Linux equals security through obfuscation.
  The grandparent was not discussing security at all, but rather a distro "for code debugging purposes". I know you just learned about security by obscurity and how to modify /etc/passwd from reading a blog today and can't wait to use this new knowledge, but your multi-paragraph was kind of silly.
  
  --
  Advice: on VPS providers
11. Re:what about a weird-arch linux? by mlts · 2010-07-17 19:40 · Score: 3, Interesting
  
  If you are feeling really insane, some UNIX operating systems can dispense with root altogether, even past having it disabled for logins (like how OS X has it present but not usable until explicitly turned on). AIX 6.x has the ability to completely chuck root (where stuff running as UID 0 is essentially running as nobody with no privs whatsoever), and what would have been handled by the superuser is handed off to other users as roles. Of course, if a critical role isn't defined before root gets stripped of its mantle of rulership, well, have fun rebooting to install media or to a NIM server and fixing that.
  Some UNIX variants don't care a bit if the user root is renamed. Others will choke and give up the ghost. Ideally it would be nice to rename the root user (and put a dummy user named root just for kicks, similar to how Windows admins worth their salt have a bogus Administrator user with insane amounts of logging enabled), but it is hard to tell which UNIX variants don't care, and which will be really unhappy.
  Maybe the best of all worlds is to have SELinux-like ACL policies be made into an easier pill to swallow. For example, a Web browser should not have access to a user's .xinitrc, .profile, .bashrc, or other files. If a policy enforces this, even if a Web browser is completely compromised, there is no way a blackhat can install software running in the browser's context that would start on a login, nor even with a valid su or sudo password, would ever get to a "#" prompt. By focusing on isolating applications, a system can be partially compromised, but not completely taken over, unless the security problem lies in a critical subsystem like ssh/sshd where it really can't be put into a fenced in playground.
  As for obfuscation, it does work against script kiddies, but a blackhat worth his salt will eventually go through the IP range and find that one randomly named server is listening on port 80 and 443, and communicating with some other box via some ports that are usually for Oracle. Security through obscurity is not a good solution in the long run.
12. Re:what about a weird-arch linux? by PseudonymousBraveguy · 2010-07-17 23:57 · Score: 1
  
  Well, we all love the DeathStation 9000. But I guess that it would take a lot of development time and nasal deamons to compile gcc on that architecture without destoying nearby cities, let alone port a complete linux distribution to the DS9K...
13. Re:what about a weird-arch linux? by GameboyRMH · 2010-07-18 02:10 · Score: 1
  
  Maybe the best of all worlds is to have SELinux-like ACL policies be made into an easier pill to swallow.
  It's called AppArmor.
  
  --
  "When information is power, privacy is freedom" - Jah-Wren Ryel
14. Re:what about a weird-arch linux? by stands2reason · 2010-07-18 07:59 · Score: 1
  
  The C standard says a char is one byte, so you can't fault software that won't work properly when the compiler doesn't adhere to the standard.
15. Re:what about a weird-arch linux? by truedfx · 2010-07-18 09:01 · Score: 1
  
  The C standard says a char is one byte, but does not say one byte is one octet. It allows for 16-bit bytes, which of course also means 16-bit chars. Speaking of weird archs, omething I'm experimenting with myself is enabling alignment checks on x86 (x86-64 only right now; x86-32 causes too many problems); a large number of packages have no problems whatsoever with it, and of those that do, most of it comes from "if x86 then don't bother with alignment" logic, which is easily disabled.
16. Re:what about a weird-arch linux? by sconeu · 2010-07-18 16:06 · Score: 1
  
  Dammit!!
  I mean 0x22 0x11 0x44 0x33
  
  --
  General Relativity: Space-time tells matter where to go; Matter tells space-time what shape to be.
17. Re:what about a weird-arch linux? by truedfx · 2010-07-19 10:02 · Score: 1
  
  BTW, does the C standard demand that all integer types use the same representation?
  The C standard almost requires that the corresponding signed and unsigned types have the same representation for non-negative values within the signed type's range, so you probably won't see a little-endian signed int and a big-endian unsigned int even on specially created weird archs, but other than that, anything goes. ("Almost requires": it doesn't actually require it, but there are a few ways where the standard allows you to read a signed value using an unsigned type or vice versa, so if the representations differ, some sort of type tagging is needed.)
  
  If not, one could imagine that e.g. char uses signed magnitude, short uses ones complement, and long uses twos complement.
  As far as I know, that does not violate any of C's rules.
Re:Source? by IANAAC · 2010-07-17 11:53 · Score: 1

This distribution should be basic knowledge by now anyway.

Basic knowledge for whom?
I'm not the most technical guy around, but I try to keep up on things (certainly WRT Linux, as it's my main OS), and I'd never heard of it. Of course, I'm not in school studying security concepts either, so there ya go.
Honey Pot Module coming up next week. by ls671 · 2010-07-17 11:58 · Score: 5, Informative

We are working on a honey pot module for Damn Vulnerable Linux, it should be coming out soon ;-)
Basically log all activity to a network server while hiding the fact that we are doing it. Just refresh from a fresh image once in a while. Once an intruder is noticed, we can give him as many rights as we want in real time, especially with regards to network connectivity, which is done at the firewall level. It is a nice way to get a good grip of what is running in the wilderness of the internet. If you are lucky enough, you can even learn about unpublished exploits although I would use a up to date distro to specifically discover these.

--
Everything I write is lies, read between the lines.
1. Re:Honey Pot Module coming up next week. by lennier1 · 2010-07-17 13:28 · Score: 2, Funny
  
  Chances are the user will even get Chinese lessons free of charge. ;)
I did it all for the NUXI by tepples · 2010-07-17 12:08 · Score: 1

0x11223344 was stored in memory as 0x33 0x44 0x11 0x22
I did it all for the NUXI (come on) the NUXI (come on)
So you can take that cookie and stick it up your (yeah).
The Year of Linux by flimflammer · 2010-07-17 12:23 · Score: 1

This will bring Linux to the desktop!
1. Re:The Year of Linux by deniable · 2010-07-17 14:55 · Score: 1
  
  Yeah, I can bring a lot of computers to my desktop.
so if one were to do this with bsd... by ducomputergeek · 2010-07-17 12:46 · Score: 2, Funny

would it be ClosedBSD?

--
"The problem with socialism is eventually you run out of other people's money" - Thatcher.
1. Re:so if one were to do this with bsd... by deniable · 2010-07-17 14:56 · Score: 1
  
  Extremely Open BSD. Maybe Wide Open BSD.
2. Re:so if one were to do this with bsd... by Anonymous Coward · 2010-07-17 18:01 · Score: 1, Funny
  
  Nah, it would be called Mac OS X.
Re:The future of Apple by IANAAC · 2010-07-17 13:10 · Score: 1

The company's financial health is great, sure, but so is Microsoft's. Its health in terms of reputation, however, isn't so good, and it is likely to get worse over the next few years. Then we will see Apple dealing with whatever reputation it has built, that will be coming back to bite Apple in the ass.

Apple will *always* have its fans to prop the company up, at least marginally.
Back during the Scully era I had a co-worker that worked on a Quadra, and no matter how many times a day we'd all hear the "bunnng" restart sound coming from his cubicle (at least 4 times a day), he swore it was the best thing ever and that's all he was ever going to use.
Of course, now Apple has an entirely different demographic with their iPods, iPhones and now iPads, so who knows.
My bet's on the fans though. Apple would have to really mess up to drive them away. This latest iPhone trouble isn't going to phase them. Seriously, how many times have we read posts from users parroting "A fix is coming out, so no worries"?
Re:Source? by lennier1 · 2010-07-17 13:23 · Score: 1

DVL is mentioned quite regularly when the topic of securing Linux or webservers in general comes up or in topics discussing specialized distributions.
IIRC he last Slashdot article where it was explicitly mentioned was less than 3 weeks ago.
And I develop web applications for a living. Certainly not a Linux security expert but one has to have at least some knowledge of the tools of one's trade. ;)
Darn, they stole my idea... by Logaan · 2010-07-17 13:42 · Score: 1

I was thinking it might be fun to make a linux distro like this. I would have called it "OpenLinux - Opening your Systems to the World!"
1. Re:Darn, they stole my idea... by afabbro · 2010-07-17 17:44 · Score: 1
  
  I was thinking it might be fun to make a linux distro like this. I would have called it "OpenLinux - Opening your Systems to the World!"
  The possible logos just draw themselves.
  
  --
  Advice: on VPS providers
Are the reviews in? by interval1066 · 2010-07-17 13:57 · Score: 1

What did Consumer Reports say about DVL? I predict its either "No thanks, we'll pass, not vulnerable enough." or "Excellent! The most vulnerable OS yet!"

--
Python: 'And then suddenly you have a language which says "we're all stuck with whatever the whiniest coder wants".'
Microsoft's Linux vulnerability stats by Tracy+Reed · 2010-07-17 14:03 · Score: 3, Insightful

You just know MS is going to count the vulnerabilities in this distro against Linux just like how they count one vulnerability which affects 10 distros as 10 vulnerabilities because 10 warnings get sent out.
Semi-dupe by Improv · 2010-07-17 15:11 · Score: 5, Insightful

This was in the list of "most interesting linux distros" posted here maybe two weeks ago. Sigh.

--
For every problem, there is at least one solution that is simple, neat, and wrong.
1. Re:Semi-dupe by Legion303 · 2010-07-17 17:27 · Score: 1
  
  Not to mention DVL has been out roughly forever in computer terms anyway.
And Redmond rejoices! by Chas · 2010-07-17 18:52 · Score: 1, Funny

Now they have something they can favorably compare themselves against!
"This Linux has all these bugs in it and they haven't repaired ANY of them!"

--

Chas - The one, the only.
THANK GOD!!!
Not just for students by kolbe · 2010-07-17 19:00 · Score: 2, Insightful

At my last job, the "boss" was too cheap to purchase a descent VPN solution (I later convinced him to buy a Cisco ASA5520), so I deployed a series of IPCop servers... one as a firewall and one as a VPN server. Between the firewall and VPN Server I had fronted an old Pentium 2 based Windows 2000 server in the DMZ to give the appearance that an attacker, had they gotten through, would have figured they hit the "honeypot". I ran this configuration for almost a year and had one attacker get through because I had not patched my IPCop firmware soon enough to cover a LAMP exploit running on it, but they none the less only stopped at the Windows 2000 server and loaded a bunch of mail relays on it. One quick re-format, an IPCop patch, and some E-mails to SORBS and I was good to go again.
Distributions such as Damn Vulnerable Linux will not only help students, they will be a great asset to SMB's wanting something to do front similar topologies as mine to keep the bad guys out. I am sure there are other uses for DVL out there.
Good job DVL team!
No. by eugene+ts+wong · 2010-07-17 20:04 · Score: 1

Ebola and/or AIDS. Even more choices!

--
testing out my trending skills
Goatse.. by cheros · 2010-07-17 21:20 · Score: 1

Enough said, I think. It'll take a while to get rid of that image.. :)

--
Insert .sig here. Send no money now. Owner may sue, contents will settle. Batteries not included.
Re:Source? by complacence · 2010-07-17 21:59 · Score: 1

Basic knowledge for whom?
Slashdot readers, for example.

Insecure by design: Damn Vulnerable Linux
Damn Vulnerable Linux is "The most vulnerable and exploitable operating system ever" according to its Web site. It's designed for security training; it includes training material and exercises (as well as a whole bunch of flaws to exploit). As Mayank Sharma notes: "Damn Vulnerable Linux (DVL) is everything a good Linux distribution isn't. Its developers have spent hours stuffing it with broken, ill-configured, outdated, and exploitable software that makes it vulnerable to attacks."
(Unusual, Obscure, and Useful Linux Distros, 2010-07-01)
Good idea by delta98 · 2010-07-17 22:35 · Score: 1

Something like this is a good learning tool. I fully support the idea. Make people think. I know alot of old hats might have a diffrent view but I think this has potential as a skill builder.
Re:Source? by complacence · 2010-07-18 00:44 · Score: 1

I blithely expect them to fill in themselves the implied "a number of above zero and up to but probably below 100% of".
Ugh. by Beelzebud · 2010-07-18 06:05 · Score: 1

Insert 10 year outdated cheap shot against Microsoft here.
Re:Or... dont put fresh OS in DMZ by Steauengeglase · 2010-07-19 01:06 · Score: 1

How many people had more than one PC in their home in '03? Sure we now have 3 or 4 netbooks laying around the house, a couple iPod touches, a few old laptops and 3 half-dead PCs in the back room, but 52 year old, rural moms had (and probably still have) the one PC sitting sitting in the den, plugged directly into their dsl modem. Most people view routers as a way to get more than one device onto the internet, not a device that controls the flow of traffic.
I hope... by hesaigo999ca · 2010-07-19 01:10 · Score: 1

I hope they kept a ledger of all the broken things, so that you could technically grade a student by what he fixed and set up property compared to what was done to break it...and then see how good a student he was...or how creative.... cool idea though!
Ender's Game by HTH+NE1 · 2010-07-19 02:52 · Score: 1

It's all just fun with exploits until someone burrows through the giant's eye.

--
Oh, say does that Star-Spangled Banner entwine / The myrtle of Venus with Bacchus's vine?
AppArmor | SELinux = Linux Win by daboochmeister · 2010-07-19 03:07 · Score: 1

Any reasonably alert admin can easily secure a Linux system with Mandatory Access Controls via AppArmor or SELinux. And no, it's not the rocket science people make it out to be ... it's now very straightforward, with one or the other approach (often both) being well supported in every major distro. And profiles for most major apps are easily found, or even if you need to develop one, it's just not that hard

Is there an equivalent in Windows? (asking honestly) I never hear it talked about. When I read about the sandboxing being applied to recent versions of IE (which is a good thing), it sounds like an app-specific version of the same concepts. But is there a general ability to define and constrain resource requirements/access rights for any app? Or are Windows systems reliant on one-off app-specific implementations, and at the mercy of the product producer for such?

--
"Ahh! I see you're in that indeterminate Schrodinger state where - oh, uh ... never mind." Dave Bucci
Re:Amusing by KingAlanI · 2010-07-19 12:10 · Score: 1

LOL.
Anyway, we often did straightforward trips that included the food transported in a trailer or pickup truck. Nevertheless, consistently buying more food than necessary has been one of our logistical issues.
One of the rules *was* that we needed to be able to move the personal gear ourselves (both quantity of gear and how it was packed.)

--
I listen to both RIAA and non-RIAA stuff if I like the music, tangential business/politics nonwithstanding.
So... by petrus4 · 2010-07-22 04:12 · Score: 1

Which release of Ubuntu is it based on?
Slashdot DVL Downloads Destroy Direct Download by HTRegz · 2010-07-22 04:36 · Score: 1

Hey All, This article prompted 30K downloads of DVL and is going to cost me thousands in bandwidth overage fees. As a result, I'm looking for donations while I fight with my hosting provider to get the costs cut. You can read more here: http://www.computerdefense.org/2010/07/ive-become-a-cyber-pan-handler/ If you downloaded DVL and appreciated the direct download link, a few dollars would go along way to helping out :) THanks, Tyler.

--
ComputerDefense Blog - http://www.computerdefense.org