Slashdot Mirror
SpyEye Botnet Nets Fraudster $3.2M In Six Months
wiredmikey writes "The SpyEye Trojan has a well-earned place of respect in the cyber-underground as an adaptable and effective piece of malware. Those same traits have also made it a bane for countless victims and the security community, and new research provides yet another reminder of why. According to security researchers, a hacker in his early 20s known by the alias 'Soldier' led a bank fraud operation that netted $3.2 million in six months. Powered by the SpyEye crimeware kit and aided by money mules and an accomplice believed to reside in Hollywood, Soldier commanded a botnet of more than 25,000 computers between April 19 and June 29 that compromised bank accounts and made off with the profits. Most of the victims were in the U.S., but there were a handful of victims in 90 other countries as well. Among the affected organizations were banks, educational facilities and government agencies."
Is that the victims were generally NOT the people who allowed botnets to run on their computers. Because if they had been, maybe that would have been just punishment for harming the common good by allowing malware.
This is 2011. Personal computing has existed for, depending on just how you measure, about 35 years. I've been using them that whole time, and have NEVER, not once, had any form of malware. It just isn't that hard, and people have had 35 *years* to learn to not run shit. It's time we start holding people responsible for the results. In this case, the owners of those 25,000 compromised machines should be responsible for the 3.2 million that was lost. It should be their responsibility to pay it back.
If people drive carelessly and crash into a crowd of people, we hold them responsible. If an engineer designing a bridge is careless and the bridge falls down as a result, we hold them responsible. It's high time we start holding people responsible here as well. If you can't act responsibly, then you don't get to be on the public internet with everyone else, just like if you can't drive responsibly we eventually take away your license. You are still free to drive on your own private land, just like you're still free to use your computer on your own private network, but you don't get to use it where the rest of us are trying to be responsible citizens of the online community.
35 *years*. Time to fucking stop running malware. Yes, the botnet operators also are responsible, but that doesn't mean the owners of the compromised systems are NOT. They are as well.
Click here to unlock your account [notification.zip].
I know it's a crime and all, but should we feel sorry for people who get scammed because they're just that gullible? I know plenty of people who are.
And... when are we going to "fix" the email system to prevent this? It's the same system that was designed when there were 1,000 computers on ARPANET.
Most of the stuff on
Capitalism. Gotta love it. Of course, this particular guy is frowned upon because he isn't a megacorporation doing it on much larger scales.
OK, so when are we going to hold Microsoft and other software makers for making insecure software? Nice DMV comment...so true. "Waddaya mean I need insurance to register my vehicle?!" Yes, I heard that once before...
"That's right...I said it."
Yeah, haven't you ever picked up a globe!?
Man blir trött av att gå och göra ingenting.
A better analogy would be someone using their car in a reasonable manner but crashing into the crowd because someone cut their brake lines.
What? You don't manually check your brake lines every time you drive? You don't even know where to look? But that's YOUR RESPONSIBILITY!
Do you count your knives each night to know no one has stolen them to stab someone?
Personal responsibility means taking reasonable steps to make sure you don't harm others. It doesn't mean becoming an expert in every single aspect of technology to make sure it is impossible for anyone to use your equipment to harm others. It's completely unreasonable to expect your average person to know enough about their computer to know whether it is being used for crime.
In a world where picture frames come preinstalled with malware, in a world where simply visiting the wrong website can infect you if Flash has an unpatched vulnerability, that's too simplistic.
I blame people for running Trojans, I blame people for not doing updates (but come on, what other industry would tolerate having a recall on the second Tuesday of every month), but this is still a world in which drive-by downloads are possible. I run Noscript, of course, but don't expect anyone else to live with the problems it causes.
"Personal responsibility means taking reasonable steps to make sure you don't harm others"
Yes, and people DON'T DO THAT. I've seen people get spyware, right in front of my eyes. They absolutely do not take reasonable steps to avoid so doing. They'll cheerfully run ANYTHING. That is not a reasonable behavior, on what is fundamentally a Turing machine.
So yes, let's hold them responsible when they don't take reasonable steps towards safe computing.
Yes, the botnet operators also are responsible, but that doesn't mean the owners of the compromised systems are NOT. They are as well.
Sorry, but no. You may have 35 years under your belt, but my 80+ year old Mom doesn't, and the vast majority of mere users out there are a lot like her. When even highly educated users like doctors and lawyers are stupid around computers, how can you expect my Mom to do any better?
Case in point: she's on a Mac using Safari, and it drives her up the wall when the history pane doesn't show her favourite sites. I've told her that's not how it's supposed to be used and to use bookmarks instead. She wants to use the history window instead and can't understand why she shouldn't.
A friend of mine was using Windows and got it infected. I built him a Linux box and showed him how to use it. Problem solved? No, because he kept going back to using his infected Windows box, wondering why his ISP cut him off every time he used it (because his ISP determined his machine was infected).
I've seen just as stupid !@#$ from doctors and lawyers.
What you want is for your politicians to write a law that forces all computer users to get a driver's license before being allowed on the net, and that isn't going to happen since the vast majority of politicians are lawyers who're just as stupid around computers as is my Mom. For most users out there, computing is still magic to them and I doubt that's going to change anytime soon. They see no need and are quite capable of blaming something/anything else for their ignorance.
Besides, it'd be a lot simpler to force ISPs to police their users. They have the expertise and at least some are doing it already. What's wrong with the rest of them?
"Tongue tied and twisted, just an Earth bound misfit
If his profits reside in a single account (or many accounts?) all his... Couldn't this be used to potentially track him?
It's quite true. I can't blame users for shitty fucking plugins like Flash. They want to view online content, so are essentially forced to become part of an insecure ecosystem.
The world's burning. Moped Jesus spotted on I50. Details at 11.
You want to hold all the Linux contributors responsible too? Especially when the malware usually comes via user stupidity, not insecure software.
What are they being responsible for? Just running piece of software isn't illegal. Even FBI or whoever it was that cleaned one of the botnets gave computer owners the possibility to opt-out of it, in case they wanted to keep it on their computer.
I agree, to a point. But it is less simple than you've made it. As an AV industry employee, I get to see firsthand how infections spread. It's actually pretty amazing how much of it is spread by software or operating system vulnerabilities and software companies are slow to address even known vulnerabilities. That being said, it is also true that most people on the information superhighway are simply driving at 700 kmh while texting, eating a donut, and watching a porn video. Click OK or Next now and think about it later.
Why can't we go back to using jumpers to configure slot adapter cards? Why? I say!
A better analogy would be someone using their car in a reasonable manner but crashing into the crowd because someone cut their brake lines.
But the brakes in a car generally don't fail because someone put the wrong CD in or tuned to the wrong radio station.
Are you saying that Flash should be limited to Linux, BSD, OpenSolaris, and other operating systems with minimal protections? Better tell Adobe, because they always release new versions of Flash first for Windows. Does that imply Adobe is also complicit with the botmasters?
Those who can make you believe absurdities can make you commit atrocities. - Voltaire
Ok, I understand if you comprimise a PayPal account, you could transfer money to another Paypal account and withdraw. And that you can sell the information perhaps... But other than that, how can these people make money from a Botnet? Maybe could apply for credit card with person's info, but that seems slow. The article said what $17,000 a day. And as far as transferring money, seems risky, as someone had to setup the account transferred into.
If your solution is for people to be smarter then you might as well throw in the towel now.
I can blame the webmasters that insist on using flash and mandatory javascript (etc) even when it is unnecessary, ad peddlers that don't give two sh*ts about what goes throughout their network if the price is right, sites using a CMS for static content, that bet abandoned at some point, with the CMS getting taken over and serving exploit kit iframes for the next decade... etc... The issue at hand is that the current situation is caused by all involved parties not taking any responsibility whatsoever, it's neither the user, nor the companies, nor the websites, it's all of them.
I can blame the webmasters that insist on using flash and mandatory javascript (etc) even when it is unnecessary, ad peddlers that don't give two sh*ts about what goes throughout their network if the price is right, sites using a CMS for static content, that bet abandoned at some point, with the CMS getting taken over and serving exploit kit iframes for the next decade... etc... The issue at hand is that the current situation is caused by all involved parties not taking any responsibility whatsoever, it's neither the user, nor the companies, nor the websites, it's all of them.
+1 truth
I'm sick and tired of people who defend the unnecessary use of things like javascript by putting all of the blame for the accompanying reduction in security on the user.
The car analogy is that it is like demanding that people not wear seat-belts and when they get hurt in a wreck then blaming them for not having the latest air-bag system.
When information is power, privacy is freedom.
A lot of us are in the wrong business. The world is full of stupid people, and we could simply tell them to hand us money hand over fist.
Om, nomnomnom...
"A better analogy would be someone using their car in a reasonable manner but crashing into the crowd because someone cut their brake lines."
But running malware and trojans is not "using a computer in a reasonable manner".
A better analogy would be someone deciding to drive over metal spikes and then crashing into the crowd because their tires are shredded. Duh...
If your mom or your friend cannot operate a computer without getting it infected with malware and trojans, they are not qualified to be operating a computer and should not be doing it. Furthermore, if they choose to do it despite their incompetence, they should be held liable for whatever damages their use does to others.
"Is that the victims were generally NOT the people who allowed botnets to run on their computers."
Of course. There is no evolutionary pressure in the ecosystem to detoxify exploited computers. Bubba and Laqueefa don't give a fuck about internet security and WHY SHOULD THEY when there are negligible negative consequences?
I don't advocate any nonsense like government regulation to (not!) solve the problem.
It would be better done with destructive malware that disconnects infected PCs from the internet and does enough system damage to coerce a reinstall. No need to make personal files unreadable or data unrecoverable, just trash the OS.
There is NO ethical way to solve this problem, and there is no way to solve this problem without causing collateral damage.
Joe Dumbshit gets his porn appliance disconnected enough and gets tired of paying for reloads, and he will in some cases take action. Even if he replaces his PC with something more modern and, it is to be hoped, more secure, that's progress.
"This post is an artistic work of fiction and falsehood. Only a fool would take anything posted here as fact."
"...there were a handful of victims in 90 other countries..."
A handful of victims in 90 countries? What were they victims of, dismemberment?
So you don't remember all the email virus that spread years ago simply by opening them because they were exploiting flaws in system software? Or how about the malware spreading by exploiting other system flaws? Yes, some is user stupidity by installing some random program or clicking through popups and going to (compromised sites that exploit system flaws) but not ALL of it is caused by the end user.
"That's right...I said it."
A better analogy is leaving your car running while you dash into the store. Which IS against the law in many places. Someone might hijack it and commit a crime. Now, I haven't looked, I don't think you'd be liable for that crime, but if they hit someone else with that car, your insurance is at the least going to drop your ass like the irresponsible assbag that you are.
Did anyone else read "Fraudster" and thought it was a new social network?
CDE open sourced! https://sourceforge.net/projects/cdesktopenv/
Is that the victims were generally NOT the people who allowed botnets to run on their computers. Because if they had been, maybe that would have been just punishment for harming the common good by allowing malware.
This is 2011. Personal computing has existed for, depending on just how you measure, about 35 years. I've been using them that whole time, and have NEVER, not once, had any form of malware. It just isn't that hard, and people have had 35 *years* to learn to not run shit. It's time we start holding people responsible for the results. In this case, the owners of those 25,000 compromised machines should be responsible for the 3.2 million that was lost. It should be their responsibility to pay it back.
If people drive carelessly and crash into a crowd of people, we hold them responsible. If an engineer designing a bridge is careless and the bridge falls down as a result, we hold them responsible. It's high time we start holding people responsible here as well. If you can't act responsibly, then you don't get to be on the public internet with everyone else, just like if you can't drive responsibly we eventually take away your license. You are still free to drive on your own private land, just like you're still free to use your computer on your own private network, but you don't get to use it where the rest of us are trying to be responsible citizens of the online community.
35 *years*. Time to fucking stop running malware. Yes, the botnet operators also are responsible, but that doesn't mean the owners of the compromised systems are NOT. They are as well.
BS. The bad guys are a lot smarter than you think they are. Exploit kits, iframes, obfuscated javascript, etc... they're EVERYWHERE now. Quit blaming the victim already.
So you don't remember all the email virus that spread years ago simply by opening them because they were exploiting flaws in system software?
Yep, it was years ago. On that note UNIX and Linux used to have lots of worms that spread remotely too, and there's still lots of bugs and sometimes even remote exploits. Firefox and Chrome patch hundreds of bugs per year.
If software vendors were being held responsible for every bug that might have slipped through, what you think would happen? Open source contributors would stop contributing software, because they would risk losing their personal money in the process. On the other hand, Microsoft has the money. You would only kill open source development.
Given that those 3.2 million that was lost most likely originated from some of the 25k compromised machines i'd say that those responsible got what they had coming for them. If a single mother living under minimum wage had her machine compromised, yet no assets stolen via or from her then why slap her with a $120 fine so that the few rich guys that are main targets don't have any incentive to fix their security holes.
If it wasn't for the ubiquitous nature of Windows these guys would be making their malware of other OS.
And they would fail on all other systems, anyway. Other systems have bugs. Windows is insecure, and this insecurity is unfixable by design.
Contrary to the popular belief, there indeed is no God.
People are only be held accountable for things that they or any reasonable person would beheld accountable. Corporate users are taught not to use their 'work' computer for personal use or not to go to unauthorized sites. This is mostly to keep the corporate internet connection from being the source of malicious applications. Some organizations go so far to teach or introduce users to information assurance as part of their right to access the internet. ISPs will continue allowing Darwin Award candidates access to the internet as long as they continue to pay for service. God help the USA when free internet gets here for every home. By free I mean, purchase by US tax dollars. ISPs should do their part in education the account holder on internet usage, or ISPs should be held responsible for the attacks that happen on or from their networks. I am not asking that they censor access, just education the user. That annual 'this-is-how-to-safely-use-the-internet' course would remove responsibility from the ISP on any incident.
what other industry would tolerate having a recall on the second Tuesday of every month
Personally, I think we'd be safer if Microsoft didn't create Patch Tuesdays, and actually released patches as soon as they have fixes, instead. It seems that Patch Tuesday in practice just exists to reduce how often Microsoft is seen to release patches. There's a claim that we need a certain date in the month for all sysadmins to know to look for updates, but that's silly. Sysadmins should always be checking for vulnerabilities, and if they really can't be bothered to do it more than once a month they can set their own calendar -- but make the fixes available immediately to the rest of us.
Get off my launchpad!
I agree with you, same as a car, you would not just start driving one because you can afford to buy one, you have to take courses and also pass tests.
Computers in society seem to common place and without accountability. A pilot has to be registered to fly a plane and go through screening....why can not the ISPs enforce such things as well.
This is where the problem lies, it is more so the ISPs responsibility also to know when an infected computer is within ITS network, and block it off indefinitely until the problem is resolved. If a judge can turn around and ban you from driving because of a DIU (act of stupidity) and decide not to let you access the roads until such time as he feels you have learned your lesson....so to should the ISP providers enforce actions that would keep you off the internet until such time as you can prove to them you are bug free....and this would be tested once you contacted them with information about being now secured, they would keep you under watch and block you again if you showed signs again of reinfection.
Some might argue that you pay for a service and should not be stopped from enjoying it (internet), but I do not agree....you pay for your insurance, car, license, and plates, yet a judge can under acts of stupidity (driving drunk) remove your privilege, yet you still own everything else and need to pay for it regardless....
Until we actually treat infected pcs as badly as we might someone having aids, we wont get anywhere...imagine if tomorrow everyone understood that an infected pc is like having aids yourself...no one would ever want to interact with you simply for fear of infection.....so treat it as bad as this to make the point get home.
I agree. We are on the same side :)
I should have made it more clear in my first post that I was being sarcastic to the OP. The AC claiming that we should go after the people who are installing malware and to go after them. Like you stating that not every little bug can be perceived, nor can every computer user realize what they are installing is NOT malware, which the AC claims they should know what they are installing. Then I was sarcastically stating then why not go one step further and go after the people who make the software... Not saying it is a good idea and yes, it would really only hurt the Open-Source market, which, IMO is the only market that is truly making a difference.
"That's right...I said it."
What about the stinking security people who release vulnerabilities knowing they haven't been fixed yet? Because boohoo they didn't get fixed as fast as they though they should have. I blame them more then i blame the criminals. There is enough blame to go to users but those who do know better are far more responsible for taking advantage of people. Stop blaming users that's a copout
Jack of all trades,master of none
Don't forget all the bug hunters/security people who released the vulnerabilities before it was fixed. They are more responsible then the criminals themselves in my book.
Jack of all trades,master of none
Other systems have users, which makes them just as vulnerable. A program only needs to be running in userspace to host a website on a weird port, send millions of emails, or intercept what the user is doing and send screenshots to Nigeria.
Quit with the stupid fallacy.
For a site about things like basic rights, Slashdot users sure do like to censor "dissent".
A program running as user, does not survive rebuilding the user's directory. And with proper security (such as apparmor) it is confined to its own (not even user's) files.
On Windows, compromise anything and you have compromised everything -- privilege escalation is a given.
Contrary to the popular belief, there indeed is no God.
Yeah, and isimilarly, people have been dealing with money for thousands of years, but they still let themselves get mugged or burgled. With all that time to have become experts, they have only themselves to blame.
To have a right to do a thing is not at all the same as to be right in doing it
A better analogy would be someone deciding to drive over metal spikes and then crashing into the crowd because their tires are shredded. Duh...
The phrase "a better analogy" in English does not mean "a compltely fucking retarded compairon".
To have a right to do a thing is not at all the same as to be right in doing it
If your mom or your friend cannot operate a computer without getting it infected with malware and trojans, they are not qualified to be operating a computer and should not be doing it. Furthermore, if they choose to do it despite their incompetence, they should be held liable for whatever damages their use does to others.
Yes, because only people with Computer Science PhDs should be allowed to use computers, and ideally all computers would be giant mainframesi n universities or large corporations. All this giving computer and internet access to the masses is just plain wrong..
To have a right to do a thing is not at all the same as to be right in doing it
mod parent +1 funny for use of the term "informaion superhighway".
To have a right to do a thing is not at all the same as to be right in doing it
and there is no way to solve this problem without causing collateral damage.
Fuck me, it's Mr Internet Tough Guy on the rampage with military jargon off a cornflakes packet.
To have a right to do a thing is not at all the same as to be right in doing it
If it wasn't for the ubiquitous nature of Windows these guys would be making their malware of other OS.
And they would fail on all other systems, anyway. Other systems have bugs. Windows is insecure, and this insecurity is unfixable by design.
Nothing is perfectly secure in a world where there are clever criminals and ordinary users
All the social engineering tricks to get information are independent of what fucking OS you're using.
To have a right to do a thing is not at all the same as to be right in doing it
I was going to reply, but the AC nailed it already. Users don't give a crap whether "Calculator.exe" gets infected with a virus. They do give a crap when "Jimmy at the beach.jpg" gets infected. Who cares about the system, the user's files are the irreplaceable data! Linux people constantly talk about how you can just blow away the user's home folder to sort out virus issues on Linux. Guess what, blowing away "My Pictures" is a ten million times harder sell to a user than blowing away "System" - and to be honest I can't blame them.
App Armour sounds like a giant pain in the ass- app sandboxing done right is great, but I've yet to see it done right.
And frankly, privilege escalation is most certainly not a given. Yes, there's been some stupidly simple vulnerabilities (GDI cursor escalation anyone?) but at this time I know of no PE vulns on Windows.
For a site about things like basic rights, Slashdot users sure do like to censor "dissent".
On a desktop /home is more important than /bin. This is exactly what Linux cheerleaders don't get. They are thinking at the kernel level. X.org crashed ? Who cares ! As long as I can execute uptime and get a good number, the rest is irrelevant.
Home directory can be safely backed up and restored in minutes, and should not contain anything executable in the first place -- it should be mounted with noexec option unless the user is interested in development. While out of the box Ubuntu won't do that for you, it's easily doable.
The whole system can not have an easy recovery procedure or simple workaround against executable content -- once there is a suspicion that anything is modified, you have to have known clean system, and your backup has to bring OS and applications into the condition that allows all updates since the moment of backup to be applied, and all un-committed state has to be cleanly restored or discarded to maintain consistency. Windows user, no matter how knowledgeable, can't fix that on something as complex as Windows desktop with various third-party software installed.
App armour is broken shit because you rely on app developers or distro maintainers to secure their own apps rather than the OS actually securing it by default.
Apparmor is independent of the OS security, it prevent applications' security bugs from causing problems with something application is allowed to do according the OS security model. Such mechanism, if implemented, has to be configured per-application, and would be meaningless otherwise.
Nobody is going to maintain rules for every single app.
Distributions maintainers do a pretty good job at this, and users or administrators can add their own rules whenever necessary.
I guess given the limited apps on Linux its probably maintainable at present scale.
Your guess is wrong...
Which is cute.
...and your arrogance is misplaced. Debian and Ubuntu maintain their repositories better than anyone anywhere maintained any collection of software.
Got a serial printer?
For at least 20 years there are no serial printers in production.
Guess what?! Lets deny CUPS access to /dev/ttyUSB. Yay.. more security!! Perfect for grandma !!
If grandma managed to install a serial printer, I am sure, she can edit /etc/apparmor.d/usr.sbin.cupsd file that lists, among other things, devices accessible by cupsd. At very least, Linux has common driver model that allows multiple incompatible devices to be handled by one program using the same, actively maintained code. To support an obsolete printer in Windows, one would have to go to a warez site, and download something that was last updated in 1996.
Untrue. Facts tell us that Linux has had MORE security bugs than the NT kernel in recent times. But hey.. don't worry about facts just go on with your propaganda.
What the Hell are you talking about? Windows security is mostly plagued by problems that would have nothing to do with kernel -- if not for the fact that they stem from the fact that Windows does not have efficient and secure IPC mechanisms. Windows still can't provide an efficient interface to anything without exposing guts of all objects and data structure through it -- if bad security implementation won't break this, someone's illiteracy in data structures handling, or bad, object-leaking algorithm, definitely will. That's what would happen if Unix had only shared memory and TCP sockets, with thick layers of fluff designed to make such a system usable.
Most Linux bugs wouldn't be even considered bugs in Windows -- they are local denial of service and occasional privilege escalation (none of which are actually in kernel). There usually isn't anything more than suspicion of exploitability before the bug is fixed. On Windows, no one would raise an eyebrow for anything less than remote compromise with administrator access, with proof of concept exploit delivered to Microsoft doors.
Contrary to the popular belief, there indeed is no God.
How is it misplaced? Take an educated guess at the number of apps on the windows platform. For e.g. qwindows 7 32bit can run 16bit apps from DOS, Win 3.1 era Count all of them and given the number of distro volunteers they wont ever have time to create rules for even 10% of the apps. My point is you would require several orders of magnitudes of competent staff to maintain a repo on the scale of windows applications.
Repository maintenance != Your warez collection.
If you really care, DOS applications run on Linux just fine (and are sandboxed), however this has nothing to do with distribution maintainers keeping track of applications and their configuration -- including security settings. Indeed, that would be unthinkable in Windows world, when no one knows what exactly does he run and where does it come from.
False. If printer supports postscript, pcl, and other common printer tech you can use a generic driver for that. You will not get access to advanced featuress of the printer though, but that is obvious.
Except, of course, there is no infrastructure to reuse printer filters independently from port type, so those are the only printers supported. Even with network printing, it's a task of each client to generate the output in the format that can be sent directly to the printer. Great design, indeed.
You can look up any security databse. Bugs in the Linux kernel outnumber bugs in the NT kernel in recent years.
As I explained before, those are not the same kinds of bugs, and they are reported under vastly different standards of security research and disclosure.
Ofcource I am being nice in only comparing bugs in the kernel.
You mean, the part of Windows that no one would ever reliably attribute to any instance of successful exploit unless it happened in a lab while running under a hardware debugger?
If we were to compare a default install of an average consumer linux distro vs any store bought computer that runs windows, it would be laughable.
This is false.
At this point Linux fans will point out that the number of applications shipped is greater with a linux distro. But so what? If you ship it you should take responsibility for it.
What is it supposed to mean? Proprietary software vendors don't take responsibility for anything at all, least of all security of their software or any software that runs on their platform.
I have seen more kernel panics and BSODs than I can count but I have never ever encountered the windows subsystem ever crashing on NT.
Again, WTF are you talking about?
You're full of shit. You have half-baked knowledge about NT design.
There is no "NT design". There was a kinda-microkernel architecture of the original NT that was quickly drowned in ad-hoc stuff bolted on top of it. No one knows how much of it remains there, or what it does now.
Go and educate yourself
Where am I supposed to get any reliable information about Windows internals?
All the security features that Linux has bolted on ACLs/Apparmour/capabilities/etc have been in NT design since the start.
Linux has Unix security and IPC at its core. It also has various forms of containers that properly isolate sets of processes (and happen to do everything virtualization does except running a different OS). That's actual security. Filesystem ACLs are a worthless add-on that I have never ever seen being used on anything Unix-like because they are a stupid idea. If you have actual human users, their access has to be controlled by applications, not file permissions, and if "users" are actually applications, their access always fits into Unix user/group ID model. ACLs are a holdover from the time when file servers and multi-user computers with remote term
Contrary to the popular belief, there indeed is no God.
Well one way is to see the frequency with which the kernel binary is patched. A ton of malware is created after a OS patch is pushed (since most people run unpatched versions of windows anyway) . You can easily diff the patched binary and understand the code that was patched and create a working exploit.
No one does it on Windows -- there are plenty of low-hanging fruits, thanks for lack of secure design even when kernel works exactly as intended.
What I meant was if you do a total bug count of a fresh Windows install with a fresh Linux install, the linux install will have a higher bug count because of all the 3rd party crap that comes with it.
And most of that is not a security threat. In Windows, things like denial of service or potentially exploitable problems don't even show up on the radar. On Linux every instance of buffer overflow is automatically marked as "potentially executes arbitrary code" and is instantly fixed without questions. Following your logic, the most secure version of Windows is Windows 95 because nothing was actually reported or acknowledged by Microsoft for it.
Read Inside Windows NT , or The NT Design Workbook
http://www.facultyresourcecenter.com/curriculum/BZ/pfv.aspx?ID=7401 [facultyres...center.com]
Judging by the table of contents, it's not an OS design or implementation document, it's a random set of specifications, used somewhere by its kernel. They have no effect on anything that does anything of importance in Windows. I am sure, Windows at this point can be transferred to XNU or rebuilt on top of Linux, or, say, OpenBSD, and it would suck approximately as much.
If you want acess to the source code of windows you can easily get it if you're taking any computer science course in college/grad school or know anyone who does. But ofcource reading tons of implementation code to understand high level design would be a huge waste of time. I have it on my PC right now. I believe its a live snapshot of an XP era kernel from 2003.
It's only good tool for keeping people who are interested in it, yourself included, away from any other OS design.
Well-designed systems, of course, have readable and usable source.
By design "UNIX Security" is nothing more than enforcing simplistic rwx permissions of files and mapped devices, etc. Process isolation is just the the MMU doing its job. Which is ironic because original UNIX was targeted for single processor with a swap file & no virtual memory. NTs object/token design is vastly superior to anything the unix based operating systems have come up with. Using basic NT functionality you can take any running process token and reduce its rights (for e.g. reading/writing to a specific folder or controlling any other I/O) dynamically.
Again, you don't understand. First of all, things that you are talking about are "security features". Bells and whistles that do not actually provide any security, but allow creating all kinds of restrictions that in reality mean nothing. Second, Unix security can be simple because Unix does not have multiple type of objects and interfaces -- it has one, and such object is file descriptor. File permissions are only relevant when file, device or sockets are opened -- from system security point of view that procedure is not fundamentally different from, say, establishing TCP connection, exchanging keys and communicating over it using some encryption. At that point, the important things worth protecting are file descriptors because they represent somehow authenticated connections.
HTTP client's session may be completely un-authenticated, while sysadmin logged in over SSH may be authenticated and have unlimited access to the system, however, contrary to their name, there are no files or permissions in sight, even though in both of those example
Contrary to the popular belief, there indeed is no God.