Or those hoping to distribute Windows malware via the server. If you compromise a server that people trust, it's a lot easier to compromise the client.
While I won't say it's impossible, I was referring to what is currently known. Vista and 7 do not have any open ports to the internet by default, so that will make things more difficult.
The part you're not taking into account is that small independent video game developers are reasonable people. Malware writers are driven by greed, what else would drive you to not only do something illegal, morally repugnant, and likely to damage lots and lots of people?
If they were just looking for money, they would be doing something illegal rather than create a cool piece of software that people like. And if they were just interested in money, they would be targeting the largest platform.
Again, you have to look at the motivations of people. It's all about the money, and when you're doing something illegal, even if it has almost no chance of being caught, you want the biggest bang for your buck or hour or whatever you put into it.
I've worked in three different bank datacenters, all of them used MVS, none of them had a single Solaris box. I'm not sure where you get your information.
Whether or not Windows is "low hanging fruit" or not is a matter of opinion, but the fact is.. it doesn't matter.
Even if windows were 100x more secure than any other OS, it would still have the majority of the malware. Guaranteed. Because it has the majority of the reward.
Hackers may be lazy by nature, but they will do whatever work is required to get the job done (and usually no more). So one cannot look at the amount of exploitation as an indication of the level of security, since one also has to look at the motivations of the attacker, and the ability of the target to provide what the attacker seeks.
Unix and Mac systems do not provide the level of reward that Windows systems do, and none of them have any serious consequences for failure.
Sure, ATM networks would be the holy grail, except the consequences of failure are very high, and there are lots of people willing to hunt you down if you screw up in attacking something like that.
Yes. And? Tell me, if you could target 900 million users or 90 million, with the same amount of work, which would you do? Why would you expect the same amount of work to get 10% of the reward?
Because original, not service packed Windows XP or 2000 are the only versions of Windows that's susceptible to attack right out of the box within 20 minutes.
No, Vista and 7 do not have the ability to be compromised by themselves, out of the box.
The part you keep forgetting is that 100% of the mac market isn't anywhere near as lucritive as 10% of the Windows market. So having 100% of the mac market (even if you could get that) won't make you as much money as infecting 10% of windows boxes.. yep, you know where they're going to go.
You are confusing "vulnerable" with "exploited". I guarantee you that your system is vulnerable. There are several high profile apache vulnerabilities, for instance. I'll also bet you've applied security patches, which is not the same thing as taking a stock, unpatched system and connecting it directly.
I'll also bet you've enabled and propertly configured the firewall, something most people simply won't do.
What a ridiculous line of reasoning. The money is in lots of different systems. Unix, Windows, but largely IBM Mainframes running OS's like MVS.
But what OS is used is irrelevant, because those systems are well protected by more than just the OS itself. Further, those systems have the power of the FBI, CIA, NSA and others behind them to track down anyone who might be capable of penetrating the impressive outer security to get to the OS itself. No (sane) hacker wants that reign of hurt to come down on them.
Then, even if you get access.. then what? You have to figure out how to get the money out. That's not an easy thing to do, since there are tons of safeguards in place to prevent money from just evaporating.
It's *MUCH* easier to compromise low-security desktop machines and take over someones checking account, transfering a few hundred or thousand dollars using the users own credentials to someplace offshore. Or, it's even easier if you get the user to do it themselves (ala fake anti-virus).
Your "reality" is not any kind of real "reality".
Wow, you hook a 10 year old operating system up to the internet without any kind of security, and it gets compromised in 20 minutes. Great. I guarantee you a 10 year old copy of Linux could get compromised just as easily if someone had merely had the motivation to write the code to do it.
And trust me, a 10 year old unpatched copy of Linux probably has 10,000 or more vulnerabilities that could be exploited to do so... if anyone cared to.
But.. but.. you don't know what you're talking about...
Security patches on Linux are evidence that Linux has such a secure system that patches can be found so easily. Security patches on Windows are evidence that Windows sucks.
The vast majority of those devices do nothing to earn a malware writer money. They can't (easily) be used as spam zombies because nearly everyones email systems now reject mail from such systems. They can be used as DDoS hosts, but you really want systems with fatter pipes for that, although there's something to be said about death from a billion mosquito bites.
No, the real money in malware is in getting credit card numbers, fake anti-virus, and other sources.. all of which compromising routers and other devices won't get much of. You need a real computer with a real user, and you need to keylog because once it's over the wire it's largely encrypted.
There is some value in compromising those devices. But nowhere near the kind of value that most malware authors are looking for these days.
OpenBSD only stays secure if you only use OpenBSD blessed apps.. ie, from their repository. If you start installing stuff you download off the net, then all bets are off.
Linux and FreeBSD boxes get hacked all the time. One can claim it's because people use weak passwords or use the same password on their box as they do on every site on the internet, and there are probably a lot of those boxes that compromised that way, but a lot are also do flaws in software installed on Linux boxes. Spend some time going through sites like Zone-H and you'll see that Linux sites get successfully attaced as much, if not more so than Windows servers (the numbers change from day to day).
You're living in a dream world if you think Linux security is any better or worse than anyone elses. Most Linux boxes have 1000x more software installed on them, and each software package is a potential security flaw waiting to happen. Most of those can only compromise the account it runs on, but attackers are getting smart and creating blended attackes that include multiple vulnerabilities, including local root vulnerabilites that get executed via a user-level remote attack.
But really, the only people who attack Linux boxes are those looking to either brag, or those looking for fat pipe DDoS zombies. Malware authors, who target stupid users who will pay $50 to the fake virus writers are going to target the vast majority of systems.. ie windows.
He didn't say nobody gives a shit about apple. He said, nobody gives a shit about attacking apple's products (Mac's in particular).
Here's a hint. Say you are going to write a mean nasty program whos sole purpose is to make you money, and tons of it. Will you, a) target 5% of the computers in the world, or b) tartet 90% of the computers in the world?
I know which one I would do. And if you answer differently, then you either aren't being honest, or you have a very warped idea of how malware writers think these days. It's all about return on investment, and they are spending a LOT of money buying 0 day vulnerabilities and writing tons of code to exploit them, rootkits, etc.. it's not just kids in their parents basement trying to put penises on peoples screens anymore.
Nobody gives a shit about the "challenge" of the hack, if it doesn't make them lots of money.
When I wrote that, I suspected someone might go all etymological on my ass. However, I am not a language purist. And while I understand that the "pure" meaning of "begging" in the phrase is not "to ask", the fact is that that it now means something else than what it did in Latin.
"begging the question", based entirely upon english language meaning is correct for this term, even if not historically accurate.
"raises the question" is linguistically meaningless.. how can you "raise" a question? It's another turn of phrase, but linguistically speaking is less accurate than "begs the question".
So I choose to use the common terminology because it makes more sense to more people. I couldn't care less about your historical accuracy.
I don't think you are right there. I used to be very sceptical about C++, but I have had to develop some tools with it recently, and my respect for it has grown a good deal.
Don't get me wrong. I like C++, and I also respect it. But I respect it in that "handling nitroglycerine" sort of way rather than in that "treat it like a samsonite bag" kind of way that you can with C# or Java.
Just because you CAN write entirely high level code in C++ doesn't change the fact that it's a mine field filled with explosives waiting to go off at the first misstep.
Yes, you pay for that ruggedness in more modern languages in terms of run-time performance and other factors, but that's what makes C++ so odd... it's that mix of both, that makes it neither.
Yes, that is one way to do it, but my point was that gcc has always prided itself on being able to bootstrap itself with minimal work, and without cross compilation. Cross compilation was sort of considered to be "cheating"
Slashdot Mirror
I hadn't considered that one. You're right.
While I won't say it's impossible, I was referring to what is currently known. Vista and 7 do not have any open ports to the internet by default, so that will make things more difficult.
The part you're not taking into account is that small independent video game developers are reasonable people. Malware writers are driven by greed, what else would drive you to not only do something illegal, morally repugnant, and likely to damage lots and lots of people?
If they were just looking for money, they would be doing something illegal rather than create a cool piece of software that people like. And if they were just interested in money, they would be targeting the largest platform.
Again, you have to look at the motivations of people. It's all about the money, and when you're doing something illegal, even if it has almost no chance of being caught, you want the biggest bang for your buck or hour or whatever you put into it.
You missed the part "Windows File Sharing Must be enabled", which it's not by default.
I've worked in three different bank datacenters, all of them used MVS, none of them had a single Solaris box. I'm not sure where you get your information.
One need only look at the number of high profile vulnerabilities that have been found in the last 10 years.. OpenSSH has had several, for instance.
Whether or not Windows is "low hanging fruit" or not is a matter of opinion, but the fact is.. it doesn't matter.
Even if windows were 100x more secure than any other OS, it would still have the majority of the malware. Guaranteed. Because it has the majority of the reward.
Hackers may be lazy by nature, but they will do whatever work is required to get the job done (and usually no more). So one cannot look at the amount of exploitation as an indication of the level of security, since one also has to look at the motivations of the attacker, and the ability of the target to provide what the attacker seeks.
Unix and Mac systems do not provide the level of reward that Windows systems do, and none of them have any serious consequences for failure.
Sure, ATM networks would be the holy grail, except the consequences of failure are very high, and there are lots of people willing to hunt you down if you screw up in attacking something like that.
Not so much with desktop PC's.
Yes. And? Tell me, if you could target 900 million users or 90 million, with the same amount of work, which would you do? Why would you expect the same amount of work to get 10% of the reward?
Because original, not service packed Windows XP or 2000 are the only versions of Windows that's susceptible to attack right out of the box within 20 minutes.
No, Vista and 7 do not have the ability to be compromised by themselves, out of the box.
The part you keep forgetting is that 100% of the mac market isn't anywhere near as lucritive as 10% of the Windows market. So having 100% of the mac market (even if you could get that) won't make you as much money as infecting 10% of windows boxes.. yep, you know where they're going to go.
First, how many of those scans are targeted at windows boxes? How many of them are just generic brute force login attempts?
Other than those, how many Linux specific scans do you see?
You are confusing "vulnerable" with "exploited". I guarantee you that your system is vulnerable. There are several high profile apache vulnerabilities, for instance. I'll also bet you've applied security patches, which is not the same thing as taking a stock, unpatched system and connecting it directly.
I'll also bet you've enabled and propertly configured the firewall, something most people simply won't do.
What a ridiculous line of reasoning. The money is in lots of different systems. Unix, Windows, but largely IBM Mainframes running OS's like MVS.
But what OS is used is irrelevant, because those systems are well protected by more than just the OS itself. Further, those systems have the power of the FBI, CIA, NSA and others behind them to track down anyone who might be capable of penetrating the impressive outer security to get to the OS itself. No (sane) hacker wants that reign of hurt to come down on them.
Then, even if you get access.. then what? You have to figure out how to get the money out. That's not an easy thing to do, since there are tons of safeguards in place to prevent money from just evaporating.
It's *MUCH* easier to compromise low-security desktop machines and take over someones checking account, transfering a few hundred or thousand dollars using the users own credentials to someplace offshore. Or, it's even easier if you get the user to do it themselves (ala fake anti-virus).
Your "reality" is not any kind of real "reality".
Wow, you hook a 10 year old operating system up to the internet without any kind of security, and it gets compromised in 20 minutes. Great. I guarantee you a 10 year old copy of Linux could get compromised just as easily if someone had merely had the motivation to write the code to do it.
And trust me, a 10 year old unpatched copy of Linux probably has 10,000 or more vulnerabilities that could be exploited to do so... if anyone cared to.
But.. but.. you don't know what you're talking about...
Security patches on Linux are evidence that Linux has such a secure system that patches can be found so easily. Security patches on Windows are evidence that Windows sucks.
Get with the program.
They don't have to claim they're the most secure, they need only claim they're more secure than Googles.
The vast majority of those devices do nothing to earn a malware writer money. They can't (easily) be used as spam zombies because nearly everyones email systems now reject mail from such systems. They can be used as DDoS hosts, but you really want systems with fatter pipes for that, although there's something to be said about death from a billion mosquito bites.
No, the real money in malware is in getting credit card numbers, fake anti-virus, and other sources.. all of which compromising routers and other devices won't get much of. You need a real computer with a real user, and you need to keylog because once it's over the wire it's largely encrypted.
There is some value in compromising those devices. But nowhere near the kind of value that most malware authors are looking for these days.
OpenBSD only stays secure if you only use OpenBSD blessed apps.. ie, from their repository. If you start installing stuff you download off the net, then all bets are off.
Linux and FreeBSD boxes get hacked all the time. One can claim it's because people use weak passwords or use the same password on their box as they do on every site on the internet, and there are probably a lot of those boxes that compromised that way, but a lot are also do flaws in software installed on Linux boxes. Spend some time going through sites like Zone-H and you'll see that Linux sites get successfully attaced as much, if not more so than Windows servers (the numbers change from day to day).
You're living in a dream world if you think Linux security is any better or worse than anyone elses. Most Linux boxes have 1000x more software installed on them, and each software package is a potential security flaw waiting to happen. Most of those can only compromise the account it runs on, but attackers are getting smart and creating blended attackes that include multiple vulnerabilities, including local root vulnerabilites that get executed via a user-level remote attack.
But really, the only people who attack Linux boxes are those looking to either brag, or those looking for fat pipe DDoS zombies. Malware authors, who target stupid users who will pay $50 to the fake virus writers are going to target the vast majority of systems.. ie windows.
He didn't say nobody gives a shit about apple. He said, nobody gives a shit about attacking apple's products (Mac's in particular).
Here's a hint. Say you are going to write a mean nasty program whos sole purpose is to make you money, and tons of it. Will you, a) target 5% of the computers in the world, or b) tartet 90% of the computers in the world?
I know which one I would do. And if you answer differently, then you either aren't being honest, or you have a very warped idea of how malware writers think these days. It's all about return on investment, and they are spending a LOT of money buying 0 day vulnerabilities and writing tons of code to exploit them, rootkits, etc.. it's not just kids in their parents basement trying to put penises on peoples screens anymore.
Nobody gives a shit about the "challenge" of the hack, if it doesn't make them lots of money.
TurboPascal is not Pascal. It's TurboPascal. It's a "Pascal-like" language.
True that you can do it, but it's not the default mode. You can take off the safeguards, and run without shielding, but watch out for the radiation.
When I wrote that, I suspected someone might go all etymological on my ass. However, I am not a language purist. And while I understand that the "pure" meaning of "begging" in the phrase is not "to ask", the fact is that that it now means something else than what it did in Latin.
"begging the question", based entirely upon english language meaning is correct for this term, even if not historically accurate.
"raises the question" is linguistically meaningless.. how can you "raise" a question? It's another turn of phrase, but linguistically speaking is less accurate than "begs the question".
So I choose to use the common terminology because it makes more sense to more people. I couldn't care less about your historical accuracy.
Also, Comeau C++ was one of the first compilers to fully implement the full C++ language back in the day..
Don't get me wrong. I like C++, and I also respect it. But I respect it in that "handling nitroglycerine" sort of way rather than in that "treat it like a samsonite bag" kind of way that you can with C# or Java.
Just because you CAN write entirely high level code in C++ doesn't change the fact that it's a mine field filled with explosives waiting to go off at the first misstep.
Yes, you pay for that ruggedness in more modern languages in terms of run-time performance and other factors, but that's what makes C++ so odd... it's that mix of both, that makes it neither.
Yes, that is one way to do it, but my point was that gcc has always prided itself on being able to bootstrap itself with minimal work, and without cross compilation. Cross compilation was sort of considered to be "cheating"