Unnoticed For Years, Malware Turned Linux Servers Into Spamming Machines

An anonymous reader writes: For over 5 years, and perhaps even longer, servers around the world running Linux and FreeBSD operating systems have been targeted by an individual or group that compromised them via a backdoor Trojan, then made them send out spam, ESET researchers have found. What's more, it seems that the spammers are connected with a software company called Yellsoft, which sells DirectMailer, a "system for automated e-mail distribution" that allows users to send out anonymous email in bulk. Here's the white paper in which the researchers explain the exploit.

Re:Most Linux distros ship with malware by default

Would you like some cheese with your whine?

Which OS has yet to be compromised?

[Taco+Cowboy]

So Windoze, Linux, BSD have all been compromised ... how about Hurd / Plan-9? Have they been compromized?

Re:Which OS has yet to be compromised?

as soon as someone starts using hurd, we'll let you know how it's holding up.

Re:Which OS has yet to be compromised?

[Eunuchswear]

I would suspect that some of the OS's that are used in embedded devices (If you really want to call something running an OS embedded.) have been pretty safe.

Would you?

https://threatpost.com/lizard-squads-ddos-for-hire-service-built-on-hacked-home-routers/110341

Re:Which OS has yet to be compromised?

Your link says that the routers that are impacted by this "hack" runs Linux and the security issue isn't a flaw in the operating system but with standard passwords.
Not only did you fail to read the entire post you responded to, you didn't even read the link you used as a source for your post.

Now, I'm not going to disregard you as an idiot straight away, but if you are a troll I expect you to be better at it.

Re: Which OS has yet to be compromised?

When is the +1 button :-)

Re:Which OS has yet to be compromised?

[TheGratefulNet]

Ultrix 4.2a, here. have not seen a virus on this machine, ever.

still clean after all these years.

as long as you can find scsi1 disks, you can keep running Mosaic and some versions of lynx. DECwindows rocks!

(what? whaaaaat?)

Re: Which OS has yet to be compromised?

[pfleming]

When is the +1 button :-)

It's just a jump to the left.

Re:Which OS has yet to be compromised?

[tricorn]

A trojan that's inside a bulk e-mailer program, yet. Almost funny.

Re:Which OS has yet to be compromised?

[ruir]

Why not running netbsd? I think there was a port.

Re:Which OS has yet to be compromised?

[ruir]

As a side anecdote, I do remember on my later days of Ultrix administration of buying a scsi2 hard disk that was far cheaper than the ones from DEC. It was far bigger than the supported ones and was backward compatible with scsi1. The biggest disadvantage is that I had to modify some obscure table (it was 20 years ago you see), to be able to partition/format it. I also had to make some adaptation to the bay, however I managed to get a disk 2x or 3x times the size of the ones DEC sold and saved a lot of money on the process. Regards

Who cares?

[WombleGoneBad]

This isn't as interesting as it sounds (or have i misunderstood?) Basically, if you are a spammer, and download binaries of 'cracked' spamming software... surprise surprise, there is a back door in it that lets other spammers use your servers to spam. It is kinda interesting from a technical point of view (putting perl scripts into elf binaries) but the headline is very misleading, this is not a serious linux/bsd security issue.

Re:Who cares?

Oh a denial, this is gonna hit +5 fast!

Re:Who cares?

[CoderJoe]

"The researchers believe that Mumblehard is also installed on servers compromised via Joomla and Wordpress exploits"

So, not just from downloading the "cracked" mailer program.

Re:Who cares?

[ledow]

It's not even very good.

If you have noexec /tmp, it can't even start. That's been the default in almost every distro for years.

And it's a random third-party binary. It's not like it got into package repositories or a major piece of software. Some cock downloaded a piece of malware, of his own accord, outside of package management on a Linux machine. And so few people did that, it wasn't even showing up on the radar.

God, if I had a penny for every spam email sent from a compromised Windows computer that I've had brought to me and been asked to clean, I'd have earned more than a year's wages already.

Re: Who cares?

[Traxton]

My home FreeBSD server has /tmp mounted in RAM and /var/tmp linked to /tmp. Even if the malware got installed, it would get wiped at reboot.

Re:Who cares?

[fisted]

So it's more of a serious joomla/wordpress security issue, right?

Re: Who cares?

[peragrin]

yet how often do you actually reboot? Once a year? twice?

Re:Who cares?

Something or someone is using Joomla and Wordpress exploits? Stop the presses!

Re:Who cares?

[phantomfive]

It is kinda interesting from a technical point of view (putting perl scripts into elf binaries)

If you find that interesting, you may also be interested in the VMWare install script, which starts as a shell script but has a compressed binary attached to the end.

Re: Who cares?

[pigiron]

Mod this up.

Re:Who cares?

[KiloByte]

Installing joomla/wordpress implies installing PHP, and that means your security is dead right there.

Re:Who cares?

So it's more of a serious joomla/wordpress security issue, right?

More like a site-owners-can't-be-bothered-to-click-update issue. I work at the abuse dept for a semi-large shared hosting provider and we had a noticeable drop in the number of hacked WP sites when WP started with automatic security updates. That doesn't stop some people to either disable automatic updates, or to run versions old enough to not auto-update.

Joomla's worse; it doesn't update automatically. To make matters worse, some people still cling to the ancient Joomla 1.5 as if it was the pinnacle of CMS design, or something.

In both of the cases above, the culprits are often various web design firms, who hands the customer sites, already installed on an affiliate account with their favourite host, but without any support agreements, or any information about maintenance. New version of WordPress not compatible with the new theme? Disable updates. Joomla released a new version that needs a complete rewrite of all themes? Let's just leave the site there for three years with known flaws - what could possibly go wrong?

Narh, it's not the WordPress/Joomla developer's fault. It's the WordPress/Joomla communities' fault. It's the site owners' fault, and it's the hosting providers' fault, because we let them continue without interfering.

Re: Who cares?

[Traxton]

I reboot whenever a security fix for the kernel is released, so every few weeks to a couple of months, typically. Maximizing uptime for e-peen shouldn't take priority over applying security fixes, imho.

Re:Who cares?

[tlhIngan]

If you find that interesting, you may also be interested in the VMWare install script, which starts as a shell script but has a compressed binary attached to the end.

That's not interesting at all - there's something called a shell archive, or "shar" which is what it implies. GNU has "sharutils" which is used to create and extract files from shar files (or you can run the script - it IS just a regular shell script).

The benefit is, of course, you can embed a binary inside it and it self-extracts, and is transmissible over text-only media without having to use uuencode/base64 or other utility.

Of course, they aren't standard, and often are limited because they rely on external installed programs you should have in your system, and often there's version dependency on the programs it relies on, enough so that older shar files might not work on newer systems.

Re:Who cares?

[phantomfive]

lol sounds like it's interesting enough to you that you'd write three paragraphs about it.....

Spamming daemon packed inside ELF binary

[DougPaulson]

"Perl code packed inside ELF binary .. The Perl spammer .. The spamming daemon is also written in Perl and packed inside an ELF binary"

OK. how exactly is this Mumblehard malware loaded and executed on the server,without user action and without the user running as root?

Re:Spamming daemon packed inside ELF binary

[CoderJoe]

TFA: "The researchers believe that Mumblehard is also installed on servers compromised via Joomla and Wordpress exploits"

Re:Spamming daemon packed inside ELF binary

[ledow]

You can be insecure on any machine, same as you can be a dick in any language.

If you have a non-package binary installed on your system, it's user-error. You have decided to run that, and done that with privileges enough to run it.

This isn't packaged with any software, except for a spam-generating (mass mailing) software anyway. Just that those spammers didn't know they were being used to spam for others too.

Same as if you just run a program on a Windows machine. It's got FUCK ALL to do with open-source, but don't let that stop you.

And packaged open-source software is hash-checked and signed by the distributors. This has not been found in ANY repository of distribution packages. It's a random program that someone has decided to install, and is bundled with spam-generating software, so that's how it "kept quiet"... the people installing didn't give a shit about what they were installing, or the mass-mailing they were already doing. It's like getting a virus from a game crack.

But, please, continue to think you're superior because "lol OS is insecure". I don't actually see any difference between your unrelated argument and, say, "lol Xbox sucks because".

Re:Spamming daemon packed inside ELF binary

It's as good as fact, then. Oh, wait, remember a few years back when that powerful country sold a war to the world because they *believed* a country was harboring powerful weapons? It turned out they were wrong.

Re:Spamming daemon packed inside ELF binary

No, it turned out they where lying.

Re:Spamming daemon packed inside ELF binary

[gmack]

It wouldn't be the first time I've seen malware installed via compromised wordpress. Wordpress has had more than a few vulnerabillities over the years and most people who install it just forget about it after and never install security updates. To top it off, wordpress has a web accessible world writeable folder so any exploit easily becomes shell level access.

On the plus side, most of the spammers never even try to gain root.

Re:Spamming daemon packed inside ELF binary

[drinkypoo]

Whoa dude, I froth regularly, and even I can see that you're overly frothy of late. Calm down, have some dip. It's only life.

Re:Spamming daemon packed inside ELF binary

[cas2000]

modern windows malware still has a lot to do with insecure design, but not much to do with the stupidity of microsoft developers. stupidity of their managers, perhaps, but not their devs.

the problem is that microsoft management believes that their users are idiots and incapable of understanding or practicing even basic security. whether they are correct or not is irrelevant - either way, that belief leads to them choosing to design for an idiot user's convenience rather than for a normally intelligent user's security.

they don't make insecure software because they're too stupid to do otherwise. they do it because they *choose* to, because they believe their users are too stupid to cope with anything better.

rather than lift their dumber users up to a higher level of understanding and safer practices (i.e. by requiring it in their software design), they dumb things down so that even smarter users find it difficult or impossible to run a secure system. in doing this, microsoft are doing ALL of their users, both dumb and smart, an enormous dis-service. IMO, constituting gross negligence.

It's in the fine article - download "crack"

[dbIII]

OK. how exactly is this Mumblehard malware loaded and executed on the server,without user action and without the user running as root?

Via greed driving user interaction in the hope of a "free lunch". From the article:

The price of the software is $240, but interestingly enough, there is a link to a site offering a "cracked" version of DirectMailer. ... The pirated DirectMailer copies contain the Mumblehard backdoor, and when users install them, they give the operators a backdoor to their servers, and allow them to send spam from and proxy traffic through them.

So it's a parasite feeding on cheapskate spammers. I'm not sure whether to get annoyed with them or give them a medal.

Re:It's in the fine article - download "crack"

[drinkypoo]

So it's a parasite feeding on cheapskate spammers. I'm not sure whether to get annoyed with them or give them a medal.

They're feeding on them for the purpose of sending still more spam, and meanwhile, the software will send out the spam the spammers are actually intending to send out. So, if you give them a medal, be sure to accelerate it appropriately in the process.

Not so uncommon

[vga_init]

These PEBKAC exploits happen more often than you might think on Linux

Re:Not so uncommon

This has nothing to do with the OS. It's malware hidden inside a binary some sucker installed from a third party.

Re:Not so uncommon

Ayup. At one time, I had a nice business fixing compromised Linux web servers. If you run a web thing, then you have to watch port 25 for crap, since sooner or later, some luser will think that it is kewl to use a four letter password and then the SSH or FTP server will be breached by a script kiddie.

Re:Not so uncommon

[tepples]

Shouldn't the web server be submitting messages through TCP port 587 (SMTP message submission with authentication) out to a dedicated mail server?

Summing up + Translation(babble to information)

[burni2]

And removing the "text extending babbel":

1.) Don't get a pirated copy of "DirectMailer" - because it's infected and will trojanise your server.

2.) keep your server and especially it's services updated - check your Joomla and Wordpress installation - and additionally to that the themes you installed.

- the white paper says that the researchers think that these were the most likely vectors

- the article puts faith on the thoughts of the researchers

Translation:
The infected server were so extremely outdated that the researchers didn't know where to start to search. Some believe to have seen active kernel versions dating back to 2000 and even further and surrendered the computers to archeologists to study ancient server setups.

3.) an antivirus on freebsd or linux system is pratically useless in detecting recent malware - they need at least 5 yrs. of cultivation

On windows the infection base is much greater. However the idea of "quarantining" software of problematic origin for a certain period of time and early virustotalling it, should be considered.

lesson: no cracked software on linux/freebsd system

Re:Summing up + Translation(babble to information)

[jedidiah]

On Windows it gets even more fun. They like to piggy back spyware with cracked games. So for your unwillingness to spend $50 on a game, you have some creep electronically playing out the plot of Porky's with your PC.

Re:Summing up + Translation(babble to information)

[tlhIngan]

On Windows it gets even more fun. They like to piggy back spyware with cracked games. So for your unwillingness to spend $50 on a game, you have some creep electronically playing out the plot of Porky's with your PC.

Actually, not really. The games themselves are generally distributed verbatim in order to keep all the code signing signatures intact (this includes the installer). In fact, they're typically the same as if you bought the downloadable version of the game. This is handy for those of you who lose the original disc but have the keys and whatnot around. Or if it's a steam game, it keeps the original signatures as if you got it from steam.

Instead, the infected part is the unsigned code - i.e., the crack or keygen. No one expects those to be signed, so they wrap them with a dropper utility that will install the malware before running the real code.

Or, there are also a bunch of fake cracks and keygens that do nothing other than install malware.

Content management systems

Broken content management systems like Joomla and Wordpress seem to play a big part in all sorts of problems these days. Why are these packages not robust, despite them being open source? Isn't the general claim around here that in open source, vulnerabilities are quickly found and fixed?

Re: Content management systems

[cyber-vandal]

They are usually quickly fixed but not quickly updated by end users. That's the problem with all OSes. The advantage of OSS is that you have the option of fixing it yourself if the software creator doesn't.

Re:Content management systems

[burni2]

Mostly outdated version of Joomla and Wordpress play the bigger role.

But the answer is: "no" opensource is not by default secure. The projects are comprised of people with different coding skill sets, some lower, some higher. Also feeling the need for fixing possible weak points is unevenly distributed.

sense for security
For example last week I was on a bussiness trip and the hotel had free wifi.

1.) the wlan had no PSK WPA2 encryption

2.) the login page were you enter your credentials
to confirm the MAC-Address was "http" totally 100% unencrypted .. forcing https .. lead to the server answering "no ciphers"

3.) yes it was MAC-address fixed after the login (no additional cookie) and the MAC-address is nowhere to be known except inside the unencrypted over the air traffic and everything else is there.

Also everyone knows the MAC can't be spoofed or !?

The wlan was offered by a third party service, commonly used by many hotels. The credentials are pinned to the room number.

So it's common sense that this provider applicates the highest security standards to protect it's customers.

Re:Most Linux distros ship with malware by default

WTF?

Decent people don't want to be associated with people like MikeeUSA, the fact that the anti-systemd people seem happy to associate with him isn't going to help their cause.

What about this one: "decent people don't want to be associated with people like Hitler, the fact that the vegetarian people seem happy to associate with him isn't going to help their cause."

See what I did there? (no, that doesn't qualify as Godwin, not yet)

I'm one of these anti-systemd people, and I don't want to be associated in anyway with a troll like MikeeUSA. He's behavior has nothing to do with accepting or not systemd and trying to make some kind of true-scotman-non-sequitur-bullshit out of it is utter non-sense.

Who installs perl again?

[tlambert]

It's not like the script can run without the interpreter. Even if you were stupid enough to mount /tmp other than noexec (the default).

Re:Who installs perl again?

[Eunuchswear]

Uh. more or less everybody?

(Everybody running a Debian based distro anyway, I don't know if RedHat has perl as a required package).

Isn't DirectMailer a SPAMMING engine?

I thought direct mailer was a bulk spamming engine? It seems to be a dog eat dog situation.

i.e. if you install a pirated version of a spamming engine [FOR YOUR OWN USE] it will also spam for other spammers too.

Re:It took 5 years?

[dbIII]

You certainly didn't wait long enough to read the article before posting.

Re:Most Linux distros ship with malware by default

[Eunuchswear]

Since when was Russell Coker an official spokesman for Debian?

Detector, please

[AndyCanfield]

I've got three servers that I maintain; four if you count my workstation. They all run Ubuntu Linux 14.04.

What is top in my mind is DETECTION. How to tell if Mublehard has infected us. If it has I must can go in person and re-install all the systems from scratch. But I'm not going to spend several nights on the bus until I get a YES or NO. Perhaps Yellsoft sells a Mumblehard detector, ha ha?

Re:Detector, please

"Second, if you don't know how to detect this, you shouldn't be running servers."

How's about a real answer or at least a link to a resource to help someone learn what they need to know rather than acting high and mighty?

That's always been one of the bigger problems facing linux adoption. :P

Re:Detector, please

[AndyCanfield]

Just for reference, just because you have some raspberry pi's running Linux, doesn't really mean you should be saying you run some servers.

Second, if you don't know how to detect this, you shouldn't be running servers.

Third, if you don't know how to prevent this from being useful, OR you don't take those actions be default, you shouldn't be running anything other than Windows.

The server brand names I'm not sure of; generic 80386 boxes. They are owned by a company I work for. I set up these machines myself; they paid me for it. Two are in Bangkok, Thailand, the other one is 1000 kilometers North of there. Plus my own Lenovo notebook. They run information management software what I wrote, plus the OS and Apache and MySQL of course. I update all four every weekend using apt via ssh. Other than outgoing connections to certain IP addresses, I saw nothing in the paper that showed how to detect Mumblehard. (PS: You sound very snotty. I did say "Please".)

Re:Detector, please

[aaarrrgggh]

What did I do?! I know the answer... Or at least an answer.

Re:Detector, please

[tricorn]

Check crontab entries trying to run an executable in /tmp. Disable execution from /tmp. Read the paper linked in TFA.

Re:Detector, please

[Smallpond]

mount /tmp with noexec and you are safe.

Re:Detector, please

[Smallpond]

Sorry. I meant /var/tmp, but both should be noexec.

Re:Detector, please

[drinkypoo]

Second, if you don't know how to detect this, you shouldn't be running servers

He's right. Armed with the knowledge that it lives in /tmp and can be defeated with noexec, you should know how to find it with find, and moreover, I shouldn't have to tell you to use find.

However, if this shit is on your system, then you clearly shouldn't be running servers, because you are running antiques without proper supervision. Not running updates is seriously fringey behavior, especially when they are available free-of-charge.

Re:Detector, please

[Enter+the+Shoggoth]

Drop Linux, learn MenuetOS, don't worry about getting infected by this kind of crap, and enjoy INSTANT boot-up/reboot/shut down and about a 400% speed improvement over current Linux.

Sure, it's proprietary, but as long as you understand ASM, you can do anything you want, more than Linux can.

I just dropped 'menuetos' into google to remind myself of what it was and the home page comes up as the first hit with a warning from google: "This site may be hacked." so remind me as to why I should worry about getting infected?

Re:Detector, please

[AndyCanfield]

Thanks. /tmp is not mounted; it is part of the / file partition on /dev/sda1. As of now there are no executable files in it at all. So I guess, for now, we're safe.

Re:Detector, please

[rtb61]

Especially in light of this particular comment on a forum https://www.atomicorp.com/foru.... Nothing new here at all.

Re:Detector, please

[RuffMasterD]

To his credit, he did say "don't worry about getting infected by this kind of crap". You can rest assured you are being infected by some other kind of crap.

Re:Detector, please

[Khyber]

Google's "This site may be hacked' is a long-known false flag that they refuse to remove from MenuetOS (because MenuetOS is beating their ass hands-down when it comes to making a REAL OS from scratch.)

Re:Most Linux distros ship with malware by default

[Eunuchswear]

Yes, you're right, anti-systemd people are not all insane, but some of the most vocal of them are.

(And it's not just good old "I want to marry 12 year old girls" MikeeUSA, there are also the "systemd will eat your ouput" loons, the "systemd is an NSA plot" obsessives, the "systemd is an end run around the GPL" tin-foil hatters...)

Re:Most Linux distros ship with malware by default

[rvw]

Decent people don't want to be associated with people like MikeeUSA, the fact that the anti-systemd people seem happy to associate with him isn't going to help their cause.

What about this one: "decent people don't want to be associated with people like Hitler, the fact that the vegetarian people seem happy to associate with him isn't going to help their cause."

See what I did there? (no, that doesn't qualify as Godwin, not yet)

I'm one of these anti-systemd people, and I don't want to be associated in anyway with a troll like MikeeUSA. He's behavior has nothing to do with accepting or not systemd and trying to make some kind of true-scotman-non-sequitur-bullshit out of it is utter non-sense.

Wikipedia about Godwin:

Godwin's Law is an Internet adage asserting that "As an online discussion grows longer, the probability of a comparison involving Nazis or Hitler approaches 1" — that is, if an online discussion (regardless of topic or scope) goes on long enough, sooner or later someone will compare someone or something to Hitler or Nazism.

This is a perfect example - even if it is not a troll, even if it's meant to tell us that this is not a Godwin, even if meant as a serious answer.

What the...

[X.25]

This "article" is beyond retarded.

Re:It took 5 years?

[Barsteward]

read the article to see how it got there

Imo, that is rather funny.

this malware is pretty unix-y about the way it does things. its small, does few things and does them efficiently.
The author should be complemented on his adherence to the unix philosophy. Even his social engineering campaign is that way.

Functionality wise, an equal malware executable on windows would be megabytes in size and be installed as a service :D

Re:Most Linux distros ship with malware by default

[killkillkill]

Cheese is a GNOME application and runs natively , no need for a Windows compatibility layer.

Re:Most Linux distros ship with malware by default

[Barsteward]

oh dear.... what an unoriginal troll.. leave the internet and come back when your age exceeds your shoe size and maybe you'll become more informed

Re:It took 5 years?

[ArcadeMan]

Read the article? What madness is this?

I haven't read it either and I'll still agree with MobileTatsu-NJG here: the huge benefit with OSS that people keep talking about is that thousand of people looking at the source code are able to find bugs, trojans and backdoors. And this particular problem is over five years old, too.

Re:It took 5 years?

[grcumb]

Yeah, I can't wait to hear how this is spun I to a tale of how great OSS is.

Wait no more!

The article states that the analysts have identified 8,867 infected IP addresses. In April 2014, Netcraft confirmed that there were roughly 958,919,789 sites on the web at that time. Independently of them, W3Techs state that nearly 68% of servers are running some form of Unix, and the vast majority of those can be safely assumed to be running Linux.

So let's say, then, that better than half a billion sites are potentially vulnerable to this exploit, but in practical terms, over the course of years, a mere 8,867 of them actually were infected by this exploit. That means that, uh... carry the 9... somewhere around, oh... 0.0017734% of all vulnerable Linux sites have been compromised by a hitherto unknown and unmitigated active exploit.

Clearly this debacle is indisputable proof that Linux security is a shambolic, shameful charade that needs to be stopped before the world collapses into chaos.

Re:Most Linux distros ship with malware by default

[Khyber]

"\u201cconservative\u201d"
"doesn\u2019t"
"I\u2019m"

Looks like systemd already wrecked your shit. Your punctuation doesn't even fucking work!

Re:It took 5 years?

[Khyber]

"Clearly this debacle is indisputable proof that Linux security is a shambolic, shameful charade that needs to be stopped before the world collapses into chaos."

Pretty much, because once you understand Linux, you realize that it's a fucking tangled web of crap with no cohesion, and thus no real chance of ever being half secure.

MenuetOS does a better job at security, and it's fucking proprietary garbage.

laugh

[koan]

Don't you love it when an exploit explanation is given in PDF form... it's a trap!!!

Re:Are we talking about the same ESET...

[koan]

Or they are using it.

Re:It took 5 years?

[BarbaraHudson]

If you had read both the article and the white paper, you would have known that the operators behind the infection purposefully keep the number low to stay under the radar. It has succeeded for at least 5 years (and possibly up to a decade). And who's to say that others won't copy the technique, now that the assembly code for the unpacker is also given in the white paper?

The reality is that the "many eyes" claim of open source is a myth, and gives a false sense of security.

Re:It took 5 years?

[dbIII]

that thousand of people looking at the source code are able to find bugs, trojans and backdoors.

There is no source code available to look at in this case. The article is very short and you could have read most of it in the time it took you to post the above irrelevant post, but as it is you are not even aware it's so irrelevant that it looks very silly in context.

Re:It took 5 years?

[jedidiah]

Without stating the precise nature of the "exploit", it's hard to know whether or not your trolling is even relevant.

Re:It took 5 years?

[BarbaraHudson]

Then maybe you too should read the white paper.

However, that doesn't change the reality that the "many eyes" claim is a myth, like so many other software myths, such as "proprietary software is better because you get what you pay for."

Re: It took 5 years?

[Plumpaquatsch]

Read TFA. The flaw isn't in the OSS.

You are right. The flaw is in the OSS-users who think that OSS magically makes them secure from Trojans.

Re:Most Linux distros ship with malware by default

[drinkypoo]

Yes, you're right, anti-systemd people are not all insane, but some of the most vocal of them are.

Congratulations on your insightful mod, there, for your fallacious characterization. As if we needed more proof that this place has gone to shit.

Re:It took 5 years?

[drinkypoo]

However, that doesn't change the reality that the "many eyes" claim is a myth,

What? No, no it is not. The fact is that many bugs and vulnerabilities are found because of "many eyes", while we have to wait for either a vendor or a malicious attacker to find and announce vulnerabilities in closed-source software. Nobody credible ever claimed that "many eyes" makes FOSS invulnerable to bugs, back doors, etc. The claim is that it makes it less vulnerable, through better practice. Now, if you can provide a citation that shows this is false, I'll show you a paper full of lies — because a comparison is impossible, because the code we most care about isn't available for analysis and comparison. Without the code for the massive and common operating systems and packages which users commonly run, you can't actually make a meaningful comparison.

So, since we can't prove the claim either way, but we certainly have plenty of evidence that it does work that way since many eyes do in fact often find flaws through code analysis of FOSS but those many eyes do not find flaws in code analysis of closed-source software due to lack of availability. Therefore, the onus of proof is on you — if you want to show that something behaves counterintuitively, you're going to have to prove it.

Somewhere, OpenBSD fans are smiling

[rbrander]

/. announced OpenBSD 5.7 the other day and the usual crowd came out to say, "so what", and "nobody uses it", etc. Well, this is why it has fans. Yes, yes, there were Linux and FreeBSD machines run well enough to be proof against this exploit...it's that OpenBSD machines tend to be safe out of the box and you have to make a real effort to de-secure them.

Re:Somewhere, OpenBSD fans are smiling

[drinkypoo]

I just keep finding that it doesn't support the hilariously ubiquitous hardware that I want to run it on, stuff that is agonizingly well-supported and -documented on Linux. I bought a CD and a Tee Shirt and then it shit all over itself trying to just deliver packets reliably between four eepro100s and then I gave up and went back to Linux and haven't regretted it since.

Maybe someday the PC hardware landscape will simplify to the point that OpenBSD can support a significant percentage of it, and then I'll give it another look.

Re:It took 5 years?

[haruchai]

This is a trojan not an exploit. Any vendor could do this. How do I know that even the legitimately purchased programs aren't using my computer or network resources for their own benefit?
For all I know, M$ could be using the Office suite programs to mask some kind of analysis or number crunching at my expense and using Windows Update as a command-and-control.

Re:It took 5 years?

[BarbaraHudson]

Sure it's a myth. There are bugs in open source products that have been sitting there out in the open for YEARS without anyone recognizing them until they're exploited. Shellshock and Hearbleed (OpenSSL library - you can't get much more critical than that) prove once again that the "many eyes" that are not bothering to look because they all have something else to do (like scratching their own itch) proves that you also have to wait for a malicious attacker to find the vulnerabilities before they're fixed.

It's simply not a "better practice" - just different - and the myth leaves people open to exercising less caution out of an erroneous feeling that someone out there is going over the code to fix it just because it's open source. We all know that debugging and fixing code is a lot less attractive to people than writing new code, and that's simply not going to change, because it's human nature. Most programmers simply do not like to do code maintenance, which is why proprietary software with revenue streams have both an incentive and the means to PAY people to do the maintenance.

Which I guess is why the Windows kernel is now more secure than either the Linux or BSD kernels. So, citation provided :-)

Am I happy about it? No, but that's the reality of it, and denying it is being willfully negligent.

Re:It took 5 years?

[BarbaraHudson]

Trojans ARE exploits, duh!

Re:It took 5 years?

[drinkypoo]

Which I guess is why the Windows kernel is now more secure than either the Linux or BSD kernels. So, citation provided :-)

I've already debunked the citation of this report when other people who failed to understand it cited it. That is a report on reported vulnerabilities. It says so right at the top of the chart. Now, go back and re-read my prior comment to understand why that is useless, and why you have failed.

If you want me to debunk any other crappy citations for you, I can do that. But if it gets to be a habit, I'm going to bill you.

Out of print

[tepples]

Don't be a dick. Pay for the software you use.

This works if the software is still in print. True, on a server, you're going to want to use software that's still maintained. But there are plenty of video games that have gone out of print.

How to patch PEBKAC?

[tepples]

Trojans are exploits of a human vulnerability. How would you go about patching a system against operator stupidity?

Re:How to patch PEBKAC?

[BarbaraHudson]

Hey, ALL viruses, bugs, programming errors, etc., are exploits of human vulnerability. And yes, in this particular case, it's possible to fix it so that machines that download and attempt to run the exploit fail. It's right there in the white paper.

PHP: The Good Parts

[tepples]

PHP, and that means your security is dead right there

In theory, it should be possible to adopt good coding practices that leave out all the bad parts of PHP, in much the same way that Douglas Crockford recommends for JavaScript in his book JavaScript: The Good Parts. If you think the PHP interpreter inherently has poor security despite good coding practices, have you tried notifying the operators of Wikipedia?

Re:PHP: The Good Parts

[fisted]

The fact that you can go out of your way and produce "good" PHP code doesn't really make the language less shitty.

My favorite analogy:

Imagine you have uh, a toolbox. A set of tools. Looks okay, standard stuff in there.

You pull out a screwdriver, and you see it’s one of those weird tri-headed things. Okay, well, that’s not very useful to you, but you guess it comes in handy sometimes.

You pull out the hammer, but to your dismay, it has the claw part on both sides. Still serviceable though, I mean, you can hit nails with the middle of the head holding it sideways.

You pull out the pliers, but they don’t have those serrated surfaces; it’s flat and smooth. That’s less useful, but it still turns bolts well enough, so whatever.

And on you go. Everything in the box is kind of weird and quirky, but maybe not enough to make it completely worthless. And there’s no clear problem with the set as a whole; it still has all the tools.

Now imagine you meet millions of carpenters using this toolbox who tell you “well hey what’s the problem with these tools? They’re all I’ve ever used and they work fine!” And the carpenters show you the houses they’ve built, where every room is a pentagon and the roof is upside-down. And you knock on the front door and it just collapses inwards and they all yell at you for breaking their door.

That’s what’s wrong with PHP.

(source)

Re:PHP: The Good Parts

[tepples]

Then why for many years have shared web hosting providers acted so irresponsibly by selling hosting that allows the use of only such a shitty language? I've seen "PHP hosting $5/mo; Perl/Python hosting $10/mo" from some providers.

Re:PHP: The Good Parts

[fisted]

That's probably because people want it, and web hosts would be quite a failure when not providing what the customer wants. Again, that doesn't make the language less shitty.

Re:PHP: The Good Parts

[tepples]

Charging a premium for not-shitty languages encourages continued development of applications in the shitty language because site owners know they'll be able to get a discount by paying only for the use of the shitty language. Do you agree at least with this point? And what should have been done in the first place to discourage widespread use of the shitty language?

Re:PHP: The Good Parts

[fisted]

Charging a premium for not-shitty languages encourages continued development of applications in the shitty language because site owners know they'll be able to get a discount by paying only for the use of the shitty language. Do you agree at least with this point?

I sort of agree, but I think you're having it backwards. I don't think it's a premium on non-shitty languages, but rather a reduction in price on PHP hosting due to high demand.

And what should have been done in the first place to discourage widespread use of the shitty language?

Dunno, not have invented the www? I don't think there is or was anything one can or could have done about it.

Re:Most Linux distros ship with malware by default

[Godwin+O'Hitler]

Fellow pedantic here. The Godwin definition is of a comparison "involving" Nazis, not "with" or "to" Nazis (the words "compare ... to" are part of a rather poor and unnecessary Wikipedia paraphrase).

Re:It took 5 years?

[BarbaraHudson]

We can only go by reported vulnerabilities - we have no data for unreported vulnerabilities, and claiming that there are fewer unreported vulnerabilities in the linux and bsd kernels than in the windows kernel is totally unprovable - it's "magic thinking". And as shellshock and heartbleed have shown us, linux and bsd are not "magically invulnerable".

Times change. BSD used to have the least, followed closely by Linux, but not any more. Whether this trend will continue in the future is unknown, but for right now, "them's the facts."

Neither software development (open or closed) is perfect. They both have obvious problems. Back when the Windows kernel was more vulnerable, people claimed it was because Windows was used more. Today linux is more vulnerable, even though we haven't seen any increase in uptake, so why is linux more vulnerable now?

Simple - Microsoft, after having one near-death experience too many, got their act together. The excitement we had 20 years ago over the promise of linux - "maybe this will be the year of linux on the desktop" - will never happen, and we know it. As Apple has shown with BSD, and Microsoft continues to show with Windows, the vast majority of people are quite willing to pay for software and don't care about whether it's open or not. The problem with linux is fragmentation, and it's now too late to address that.

Re:It took 5 years?

[drinkypoo]

We can only go by reported vulnerabilities - we have no data for unreported vulnerabilities, and claiming that there are fewer unreported vulnerabilities in the linux and bsd kernels than in the windows kernel is totally unprovable - it's "magic thinking".

No, it's a proven fact. Now you don't even know what you wrote. Hilarious. You've got yourself all in a tizzy.

Re:It took 5 years?

[BarbaraHudson]

So show me the stats on unreported vulnerabilities.

Re:Oh, boy...

[deviated_prevert]

Lost my mod points or you would get em. Another problem is that there is a huge number of scanners running out there looking for known back doors. Here is my log trace for the group that seems to be knocking on my routers, interesting how they use stealth attack vectors but do leave the trace if you know where to look ;-> Looks like they are mostly from Russia with love LOL Notice my whois is not as root. The router logs on the dos attacks tell the tale and are persistent but timed every few weeks. This is the latest but it tracks to russia the same as the other ones that seem to be knocking on my router thinking there is a server behind it.

~$ whois -B 185.94.111.1

inetnum:        185.94.108.0 - 185.94.111.255
netname:        RU-QRATOR-20150331
descr:          HLL LLC
country:        RU
org:            ORG-LA267-RIPE
admin-c:        LA27-RIPE
tech-c:         AA8879-RIPE
status:         ALLOCATED PA
mnt-by:         RIPE-NCC-HM-MNT
mnt-lower:      MNT-QRATOR
mnt-routes:     MNT-QRATOR
changed:        hostmaster@ripe.net 20150331
source:         RIPE

organisation:   ORG-LA267-RIPE
org-name:       HLL LLC
org-type:       LIR
address:        5 Magistralnaya, 8A
address:        123007
address:        Moscow
address:        RUSSIAN FEDERATION
phone:          +78003333522
e-mail:         mail@qrator.net
abuse-c:        AR16870-RIPE
mnt-ref:        RIPE-NCC-HM-MNT
mnt-ref:        MNT-QRATOR
mnt-by:         RIPE-NCC-HM-MNT
changed:        bitbucket@ripe.net 20150330
source:         RIPE

person:         Alexander Asimov
address:        5-ya Magistralnaya, 8a
address:        119034 Moscow
address:        Russian Federation
notify:         aa@highloadlab.com
e-mail:         aa@highloadlab.com
mnt-by:         MNT-QRATOR
phone:          +7-499-241-81-92
nic-hdl:        AA8879-RIPE
changed:        aa@highloadlab.com 20100623
source:         RIPE

person:         Lyamin Alex
address:        5-ya Magistralnaya, 8a
address:        119034 Moscow
address:        Russian Federation
phone:          +7-499-241-8192
e-mail:         flx@msu.ru
nic-hdl:        LA27-RIPE
notify:         flx@msu.ru
changed:        ada@comstar.ru 19961219
changed:        flx@msu.ru 20000529
mnt-by:         MNT-QRATOR
source:         RIPE

% Information related to '185.94.111.0/24AS197068'

Re:It took 5 years?

[MobileTatsu-NJG]

The article is very short and you could have read most of it in the time it took you to post the above irrelevant post, but as it is you are not even aware it's so irrelevant that it looks very silly in context.

It's a lot less silly if you know anything about Microsoft or Apple and read the stories about exploits in their systems, here. I've actually people describe Android malware, for example, as 'freedom'.

In short, you and a couple of people with mod-points missed the point of my post. I have no hard feelings, I know double-standards are hard to admit to.

Re:It took 5 years?

[dbIII]

missed the point of my post

So what exactly was the point? All that is there is something about lying (spin) about OSS.

Re:It took 5 years?

[MobileTatsu-NJG]

Again... Double-standards.

Re:It took 5 years?

[dbIII]

Doesn't seem in any way related to your post so maybe you should actually try writing some stuff instead of assuming that people will figure out the unrelated unwritten stuff for themselves. I suspect that's why the mods didn't have the faintest clue what you were writing about and just saw an accusation of a lie that hasn't happened.

Re:It took 5 years?

[MobileTatsu-NJG]

I don't know what's worse: This remark from Captain RTFA or the fact that I already explained it. Good night.

Re:Most Linux distros ship with malware by default

[Eunuchswear]

What's falacious? You haven't seen the trolls I've described? You deny that their ideas are insane?

Re:It took 5 years?

[Teun]

The problem with linux is fragmentation, and it's now too late to address that.

Uhhh, There's only one Linux kernel and that's what you were comparing, kernels.
But I do agree with you that the Linux community could do a lot better in vetting source code for vulnerabilities.
But by lack of an itch and/or pay it's going to be hard to find competent analysts.

Re:It took 5 years?

[BarbaraHudson]

Thanks. I would just like to point out that there are many different linux kernels. Many distros do their own customizations and patches. And there are many build targets - x86, ARM, POWER, etc. And there are kernels that are hard real-time. Which is pretty neat, and a GOOD THING (tm), even if it introduces even more complexity.

Re:It took 5 years?

[BarbaraHudson]

Of course, the number of high vulnerabilities of Linux is lower than all of the Microsoft OSes except those popular fan favorites, Vista and RT. Ahem... but I digress.

If you consider both high and medium vulnerabilities, OSX and Linux take the top spots, by more than a 2 to 1 margin compared to Windows. Hopefully this will incentivize OSX and Linux to look at different processes for development, testing, and deployment.

Makes sense it took 5 years

[darkonc]

They put a trojan horse into pirated copies of code for a bulk mailer -- then used those servers to send spam. Who's gonna notice? Who's gonna be surprised that their machine gets 'accidentally' flagged as a spam box? Who do you complain to when you figure out that your 'cracked' spam software turned out to contain a trojan?

Higher demand should mean higher price

[tepples]

but rather a reduction in price on PHP hosting due to high demand

I thought "high demand" (movement of the demand curve to the right) caused an increase in price level, not a decrease. Are you claiming that the demand curve moved so much that hosting providers were able to build in enough economies of scale that they could move the supply curve so far to the right that it more than compensates for the increased demand? Or is there some particular shitty aspect inherent to PHP that happens to push its supply curve to the right?

Re:Higher demand should mean higher price

[fisted]

Yes I was referring to economies of scale. After you have created a usable $language webhosting environment (say, a VM image), supply is essentially infinite (modulo hardware).

Re:Higher demand should mean higher price

[tepples]

Perl existed before PHP. Why was it so much easier to make a standard image for PHP than for Perl?

Re:Most Linux distros ship with malware by default

[jeremyp]

No you compared this MikeeUSA person to Hitler.

MikeeUSA = Hitler
anti-systems people = vegetarians

It certainly was an instance of Godwin's law in the truest sense but just saying "that's Godwin's Law" doesn't invalidate your point.

Re:Most Linux distros ship with malware by default

[jeremyp]

s/systems/systemd/