Unnoticed For Years, Malware Turned Linux Servers Into Spamming Machines
An anonymous reader writes: For over 5 years, and perhaps even longer, servers around the world running Linux and FreeBSD operating systems have been targeted by an individual or group that compromised them via a backdoor Trojan, then made them send out spam, ESET researchers have found. What's more, it seems that the spammers are connected with a software company called Yellsoft, which sells DirectMailer, a "system for automated e-mail distribution" that allows users to send out anonymous email in bulk.
Here's the white paper in which the researchers explain the exploit.
Who cares? (Score:5, Informative)
Re: (Score:3, Funny)
Oh a denial, this is gonna hit +5 fast!
Re:Who cares? (Score:5, Informative)
"The researchers believe that Mumblehard is also installed on servers compromised via Joomla and Wordpress exploits"
So, not just from downloading the "cracked" mailer program.
Re: (Score:2)
Re: (Score:2, Insightful)
Installing joomla/wordpress implies installing PHP, and that means your security is dead right there.
PHP: The Good Parts (Score:3)
PHP, and that means your security is dead right there
In theory, it should be possible to adopt good coding practices that leave out all the bad parts of PHP, in much the same way that Douglas Crockford recommends for JavaScript in his book JavaScript: The Good Parts. If you think the PHP interpreter inherently has poor security despite good coding practices, have you tried notifying the operators of Wikipedia?
Re: (Score:3)
My favorite analogy:
Imagine you have uh, a toolbox. A set of tools. Looks okay, standard stuff in there.
You pull out a screwdriver, and you see it’s one of those weird tri-headed things. Okay, well, that’s not very useful to you, but you guess it comes in handy sometimes.
You pull out the hammer, but to your dismay, it has the claw part on both sides. Still serviceable though, I mean, you can hit nails with the middle of the head holding it sideways.
You pull out the pliers, but they don’t have those serrated surfaces; it’s flat and smooth. That’s less useful, but it still turns bolts well enough, so whatever.
And on you go. Everything in the box is kind of weird and quirky, but maybe not enough to make it completely worthless. And there’s no clear problem with the set as a whole; it still has all the tools.
Now imagine you meet millions of carpenters using this toolbox who tell you “well hey what’s the problem with these tools? They’re all I’ve ever used and they work fine!” And the carpenters show you the houses they’ve built, where every room is a pentagon and the roof is upside-down. And you knock on the front door and it just collapses inwards and they all yell at you for breaking their door.
That’s what’s wrong with PHP.
(source [eev.ee])
Re: (Score:2)
Then why for many years have shared web hosting providers acted so irresponsibly by selling hosting that allows the use of only such a shitty language? I've seen "PHP hosting $5/mo; Perl/Python hosting $10/mo" from some providers.
Re: (Score:2)
Re: (Score:2)
Charging a premium for not-shitty languages encourages continued development of applications in the shitty language because site owners know they'll be able to get a discount by paying only for the use of the shitty language. Do you agree at least with this point? And what should have been done in the first place to discourage widespread use of the shitty language?
Re: (Score:2)
Charging a premium for not-shitty languages encourages continued development of applications in the shitty language because site owners know they'll be able to get a discount by paying only for the use of the shitty language. Do you agree at least with this point?
I sort of agree, but I think you're having it backwards. I don't think it's a premium on non-shitty languages, but rather a reduction in price on PHP hosting due to high demand.
And what should have been done in the first place to discourage widespread use of the shitty language?
Dunno, not have invented the www? I don't think there is or was anything one can or could have done about it.
Higher demand should mean higher price (Score:2)
but rather a reduction in price on PHP hosting due to high demand
I thought "high demand" (movement of the demand curve to the right) caused an increase in price level, not a decrease. Are you claiming that the demand curve moved so much that hosting providers were able to build in enough economies of scale that they could move the supply curve so far to the right that it more than compensates for the increased demand? Or is there some particular shitty aspect inherent to PHP that happens to push its supply curve to the right?
Re:Who cares? (Score:5, Insightful)
It's not even very good.
If you have noexec /tmp, it can't even start. That's been the default in almost every distro for years.
And it's a random third-party binary. It's not like it got into package repositories or a major piece of software. Some cock downloaded a piece of malware, of his own accord, outside of package management on a Linux machine. And so few people did that, it wasn't even showing up on the radar.
God, if I had a penny for every spam email sent from a compromised Windows computer that I've had brought to me and been asked to clean, I'd have earned more than a year's wages already.
Re: Who cares? (Score:5, Insightful)
yet how often do you actually reboot? Once a year? twice?
Re: (Score:3, Interesting)
Re: (Score:2)
It is kinda interesting from a technical point of view (putting perl scripts into elf binaries)
If you find that interesting, you may also be interested in the VMWare install script, which starts as a shell script but has a compressed binary attached to the end.
Re: (Score:3)
That's not interesting at all - there's something called a shell archive, or "shar" which is what it implies. GNU has "sharutils" which is used to create and extract files from shar files (or you can run the script - it IS just a regular shell script).
The benefit is, of course, you can embed a binary inside it and it self-extracts, and is trans
Re: (Score:2)
Spamming daemon packed inside ELF binary (Score:4, Interesting)
OK. how exactly is this Mumblehard malware loaded and executed on the server,without user action and without the user running as root?
Re:Spamming daemon packed inside ELF binary (Score:5, Informative)
TFA: "The researchers believe that Mumblehard is also installed on servers compromised via Joomla and Wordpress exploits"
Re: (Score:2, Funny)
It's as good as fact, then. Oh, wait, remember a few years back when that powerful country sold a war to the world because they *believed* a country was harboring powerful weapons? It turned out they were wrong.
Re: (Score:3, Insightful)
No, it turned out they were lying.
Re: (Score:2)
It wouldn't be the first time I've seen malware installed via compromised wordpress. Wordpress has had more than a few vulnerabilities over the years and most people who install it just forget about it after and never install security updates. To top it off, wordpress has a web accessible world writeable folder so any exploit easily becomes shell level access.
On the plus side, most of the spammers never even try to gain root.
It's in the fine article - download "crack" (Score:5, Informative)
Via greed driving user interaction in the hope of a "free lunch". From the article:
So it's a parasite feeding on cheapskate spammers. I'm not sure whether to get annoyed with them or give them a medal.
Re: (Score:3)
So it's a parasite feeding on cheapskate spammers. I'm not sure whether to get annoyed with them or give them a medal.
They're feeding on them for the purpose of sending still more spam, and meanwhile, the software will send out the spam the spammers are actually intending to send out. So, if you give them a medal, be sure to accelerate it appropriately in the process.
Re:Spamming daemon packed inside ELF binary (Score:5, Insightful)
You can be insecure on any machine, same as you can be a dick in any language.
If you have a non-package binary installed on your system, it's user-error. You have decided to run that, and done that with privileges enough to run it.
This isn't packaged with any software, except for a spam-generating (mass mailing) software anyway. Just that those spammers didn't know they were being used to spam for others too.
Same as if you just run a program on a Windows machine. It's got FUCK ALL to do with open-source, but don't let that stop you.
And packaged open-source software is hash-checked and signed by the distributors. This has not been found in ANY repository of distribution packages. It's a random program that someone has decided to install, and is bundled with spam-generating software, so that's how it "kept quiet"... the people installing didn't give a shit about what they were installing, or the mass-mailing they were already doing. It's like getting a virus from a game crack.
But, please, continue to think you're superior because "lol OS is insecure". I don't actually see any difference between your unrelated argument and, say, "lol Xbox sucks because".
Re: (Score:2)
Whoa dude, I froth regularly, and even I can see that you're overly frothy of late. Calm down, have some dip. It's only life.
Re: (Score:3)
modern windows malware still has a lot to do with insecure design, but not much to do with the stupidity of microsoft developers. stupidity of their managers, perhaps, but not their devs.
the problem is that microsoft management believes that their users are idiots and incapable of understanding or practicing even basic security. whether they are correct or not is irrelevant - either way, that belief leads to them choosing to design for an idiot user's convenience rather than for a normally intelligent us
Not so uncommon (Score:5, Insightful)
These PEBKAC exploits happen more often than you might think on Linux
Re:Not so uncommon (Score:4, Insightful)
Ayup. At one time, I had a nice business fixing compromised Linux web servers. If you run a web thing, then you have to watch port 25 for crap, since sooner or later, some luser will think that it is kewl to use a four letter password and then the SSH or FTP server will be breached by a script kiddie.
Re: (Score:2)
Shouldn't the web server be submitting messages through TCP port 587 (SMTP message submission with authentication) out to a dedicated mail server?
Summing up + Translation(babble to information) (Score:5, Informative)
And removing the "text extending babble":
1.) Don't get a pirated copy of "DirectMailer" - because it's infected and will trojanise your server.
2.) keep your server and especially its services updated - check your Joomla and Wordpress installation - and additionally to that the themes you installed.
- the white paper says that the researchers think that these were the most likely vectors
- the article puts faith on the thoughts of the researchers
Translation:
The infected servers were so extremely outdated that the researchers didn't know where to start to search. Some believe to have seen active kernel versions dating back to 2000 and even further and surrendered the computers to archeologists to study ancient server setups.
3.) an antivirus on freebsd or linux system is practically useless in detecting recent malware - they need at least 5 yrs. of cultivation
On windows the infection base is much greater. However the idea of "quarantining" software of problematic origin for a certain period of time and early virustotalling it, should be considered.
lesson: no cracked software on linux/freebsd system
Out of print (Score:2)
Don't be a dick. Pay for the software you use.
This works if the software is still in print. True, on a server, you're going to want to use software that's still maintained. But there are plenty of video games that have gone out of print.
Re: (Score:2)
On Windows it gets even more fun. They like to piggy back spyware with cracked games. So for your unwillingness to spend $50 on a game, you have some creep electronically playing out the plot of Porky's with your PC.
Re: (Score:2)
Actually, not really. The games themselves are generally distributed verbatim in order to keep all the code signing signatures intact (this includes the installer). In fact, they're typically the same as if you bought the downloadable version of the game. This is handy for those of you who lose
Who installs perl again? (Score:2)
It's not like the script can run without the interpreter. Even if you were stupid enough to mount /tmp other than noexec (the default).
Detector, please (Score:2)
I've got three servers that I maintain; four if you count my workstation. They all run Ubuntu Linux 14.04.
What is top in my mind is DETECTION. How to tell if Mumblehard has infected us. If it has I must go in person and re-install all the systems from scratch. But I'm not going to spend several nights on the bus until I get a YES or NO. Perhaps Yellsoft sells a Mumblehard detector, ha ha?
Re: (Score:3, Insightful)
"Second, if you don't know how to detect this, you shouldn't be running servers."
How's about a real answer or at least a link to a resource to help someone learn what they need to know rather than acting high and mighty?
That's always been one of the bigger problems facing linux adoption. :P
Re: (Score:2)
Second, if you don't know how to detect this, you shouldn't be running servers
He's right. Armed with the knowledge that it lives in /tmp and can be defeated with noexec, you should know how to find it with find, and moreover, I shouldn't have to tell you to use find.
However, if this shit is on your system, then you clearly shouldn't be running servers, because you are running antiques without proper supervision. Not running updates is seriously fringey behavior, especially when they are available free-of-charge.
Re: (Score:2)
Especially in light of this particular comment on a forum https://www.atomicorp.com/foru... [atomicorp.com]. Nothing new here at all.
Re: (Score:2)
What did I do?! I know the answer... Or at least an answer.
Re: (Score:2)
Just for reference, just because you have some raspberry pi's running Linux, doesn't really mean you should be saying you run some servers.
Second, if you don't know how to detect this, you shouldn't be running servers.
Third, if you don't know how to prevent this from being useful, OR you don't take those actions by default, you shouldn't be running anything other than Windows.
The server brand names I'm not sure of; generic 80386 boxes. They are owned by a company I work for. I set up these machines myself; they paid me for it. Two are in Bangkok, Thailand, the other one is 1000 kilometers North of there. Plus my own Lenovo notebook. They run information management software what I wrote, plus the OS and Apache and MySQL of course. I update all four every weekend using apt via ssh. Other than outgoing connections to certain IP addresses, I saw nothing in the paper that showed how
Re: (Score:2)
Check crontab entries trying to run an executable in /tmp. Disable execution from /tmp. Read the paper linked in TFA.
Re: (Score:2)
mount /tmp with noexec and you are safe.
Re: (Score:2)
Sorry. I meant /var/tmp, but both should be noexec.
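The checks suggested in the comments above (cron entries that run something from /tmp or /var/tmp, executable files sitting there, and whether those directories are mounted noexec), as an added shell example; it is not from any commenter or from the ESET paper. The function names, the sample crontab and the sample mount table are constructed for illustration, and the mount check assumes the Linux /proc/mounts format.

```shell
#!/bin/sh
# Added example: triage checks for cron jobs and executables under /tmp and /var/tmp.
# Hits are leads for manual review, not proof of infection.

# Read crontab text on stdin; print active (non-comment) lines that reference
# /tmp or /var/tmp as a path of their own. /home/user/tmp/... is not matched.
flag_tmp_cron() {
    grep -Ev '^[[:space:]]*(#|$)' |
        grep -E '(^|[^[:alnum:]_./-])(/var)?/tmp(/|[[:space:];&|]|$)'
}

# Read a /proc/mounts-style table on stdin; print "noexec MOUNTPOINT" or
# "exec MOUNTPOINT" for the filesystem that actually contains directory $1
# (longest matching mount point wins, later entries override earlier ones).
noexec_status() {
    awk -v dir="$1" '
        {
            mp = $2
            if (mp == dir || mp == "/" || index(dir, mp "/") == 1) {
                if (length(mp) >= best) {
                    best = length(mp); where = mp; opts = "," $4 ","
                }
            }
        }
        END {
            if (where == "") { print "unknown -"; exit }
            state = index(opts, ",noexec,") ? "noexec" : "exec"
            print state, where
        }'
}

# List regular files under directory $1 that have any execute bit set.
# Uses only POSIX find predicates so it also works with BSD find.
list_executables() {
    find "$1" -xdev -type f \( -perm -100 -o -perm -010 -o -perm -001 \) \
        -print 2>/dev/null
}

# Constructed sample crontab (file names are made up for this example).
sample_crontab() {
    cat <<'EOF'
# m h dom mon dow command
MAILTO=""
17 3 * * * /usr/local/bin/backup.sh
*/15 * * * * /var/tmp/qCVwOWA >/dev/null 2>&1
*/20 * * * * /tmp/.cache-update
30 2 * * * cd /tmp && ./job
0 4 * * 0 tar czf /home/deploy/tmp/site.tgz /srv/www
# */5 * * * * /tmp/old-test
EOF
}

# Constructed sample mount table in /proc/mounts format.
sample_mounts() {
    cat <<'EOF'
/dev/sda1 / ext4 rw,relatime,errors=remount-ro 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,relatime 0 0
/dev/sda3 /var ext4 rw,relatime 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev 0 0
EOF
}

# Run the same checks against the live host (run as root to read all crontabs).
# The /var/spool/cron/crontabs path is the Debian/Ubuntu location.
audit_host() {
    for dir in /tmp /var/tmp; do
        printf '%s: %s\n' "$dir" "$(noexec_status "$dir" < /proc/mounts)"
        list_executables "$dir"
    done
    crontab -l 2>/dev/null | flag_tmp_cron
    cat /etc/crontab /etc/cron.d/* /var/spool/cron/crontabs/* 2>/dev/null |
        flag_tmp_cron
    return 0
}

# Only touch the real system when asked to.
case "${1:-}" in
    --live) audit_host ;;
esac
```

On the sample data, /tmp reports noexec while /var/tmp inherits the plain exec options of /var, which is the gap the last comment above points at.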
Re: (Score:2)
Re: (Score:2)
Drop Linux, learn MenuetOS, don't worry about getting infected by this kind of crap, and enjoy INSTANT boot-up/reboot/shut down and about a 400% speed improvement over current Linux.
Sure, it's proprietary, but as long as you understand ASM, you can do anything you want, more than Linux can.
I just dropped 'menuetos' into google to remind myself of what it was and the home page comes up as the first hit with a warning from google: "This site may be hacked." so remind me as to why I should worry about getting infected?
Re: (Score:2)
Re: (Score:2)
Google's "This site may be hacked' is a long-known false flag that they refuse to remove from MenuetOS (because MenuetOS is beating their ass hands-down when it comes to making a REAL OS from scratch.)
What the... (Score:3)
This "article" is beyond retarded.
Imo, that is rather funny. (Score:5, Funny)
this malware is pretty unix-y about the way it does things. it's small, does few things and does them efficiently.
The author should be complimented on his adherence to the unix philosophy. Even his social engineering campaign is that way.
Functionality wise, an equal malware executable on windows would be megabytes in size and be installed as a service :D
Somewhere, OpenBSD fans are smiling (Score:2)
/. announced OpenBSD 5.7 the other day and the usual crowd came out to say, "so what", and "nobody uses it", etc. Well, this is why it has fans. Yes, yes, there were Linux and FreeBSD machines run well enough to be proof against this exploit...it's that OpenBSD machines tend to be safe out of the box and you have to make a real effort to de-secure them.
Re: (Score:2)
I just keep finding that it doesn't support the hilariously ubiquitous hardware that I want to run it on, stuff that is agonizingly well-supported and -documented on Linux. I bought a CD and a Tee Shirt and then it shit all over itself trying to just deliver packets reliably between four eepro100s and then I gave up and went back to Linux and haven't regretted it since.
Maybe someday the PC hardware landscape will simplify to the point that OpenBSD can support a significant percentage of it, and then I'll gi
Re:Most Linux distros ship with malware by default (Score:4, Funny)
Re:Most Linux distros ship with malware by default (Score:5, Funny)
Re: (Score:2)
Re: (Score:2, Insightful)
WTF?
Decent people don't want to be associated with people like MikeeUSA, the fact that the anti-systemd people seem happy to associate with him isn't going to help their cause.
What about this one: "decent people don't want to be associated with people like Hitler, the fact that the vegetarian people seem happy to associate with him isn't going to help their cause."
See what I did there? (no, that doesn't qualify as Godwin, not yet)
I'm one of these anti-systemd people, and I don't want to be associated in any way with a troll like MikeeUSA. His behavior has nothing to do with accepting or not systemd and trying to make some kind of true-Scotsman-non-sequitur-bullshit out of it i
Re: (Score:2, Insightful)
Yes, you're right, anti-systemd people are not all insane, but some of the most vocal of them are.
(And it's not just good old "I want to marry 12 year old girls" MikeeUSA, there are also the "systemd will eat your output" loons, the "systemd is an NSA plot" obsessives, the "systemd is an end run around the GPL" tin-foil hatters...)
Re: (Score:2, Insightful)
Yes, you're right, anti-systemd people are not all insane, but some of the most vocal of them are.
Congratulations on your insightful mod, there, for your fallacious characterization. As if we needed more proof that this place has gone to shit.
Re: (Score:2)
Decent people don't want to be associated with people like MikeeUSA, the fact that the anti-systemd people seem happy to associate with him isn't going to help their cause.
What about this one: "decent people don't want to be associated with people like Hitler, the fact that the vegetarian people seem happy to associate with him isn't going to help their cause."
See what I did there? (no, that doesn't qualify as Godwin, not yet)
I'm one of these anti-systemd people, and I don't want to be associated in any way with a troll like MikeeUSA. His behavior has nothing to do with accepting or not systemd and trying to make some kind of true-Scotsman-non-sequitur-bullshit out of it is utter non-sense.
Wikipedia about Godwin: [wikipedia.org]
Godwin's Law is an Internet adage asserting that "As an online discussion grows longer, the probability of a comparison involving Nazis or Hitler approaches 1" — that is, if an online discussion (regardless of topic or scope) goes on long enough, sooner or later someone will compare someone or something to Hitler or Nazism.
This is a perfect example - even if it is not a troll, even if it's meant to tell us that this is not a Godwin, even if meant as a serious answer.
Re: (Score:2)
Fellow pedantic here. The Godwin definition is of a comparison "involving" Nazis, not "with" or "to" Nazis (the words "compare ... to" are part of a rather poor and unnecessary Wikipedia paraphrase).
Re: (Score:3)
"\u201cconservative\u201d"
"doesn\u2019t"
"I\u2019m"
Looks like systemd already wrecked your shit. Your punctuation doesn't even fucking work!
Which OS has yet to be compromised? (Score:5, Funny)
So Windoze, Linux, BSD have all been compromised ... how about Hurd / Plan-9? Have they been compromised?
Re:Which OS has yet to be compromised? (Score:5, Funny)
as soon as someone starts using hurd, we'll let you know how it's holding up.
Re:Which OS has yet to be compromised? (Score:4, Funny)
Ultrix 4.2a, here. have not seen a virus on this machine, ever.
still clean after all these years.
as long as you can find scsi1 disks, you can keep running Mosaic and some versions of lynx. DECwindows rocks!
(what? whaaaaat?)
Re: (Score:3)
Re: (Score:3, Informative)
Your link says that the routers that are impacted by this "hack" runs Linux and the security issue isn't a flaw in the operating system but with standard passwords.
Not only did you fail to read the entire post you responded to, you didn't even read the link you used as a source for your post.
Now, I'm not going to disregard you as an idiot straight away, but if you are a troll I expect you to be better at it.
Re: (Score:3)
When is the +1 button :-)
It's just a jump to the left.
Re: (Score:3)
A trojan that's inside a bulk e-mailer program, yet. Almost funny.
Re: Content management systems (Score:3)
They are usually quickly fixed but not quickly updated by end users. That's the problem with all OSes. The advantage of OSS is that you have the option of fixing it yourself if the software creator doesn't.
Re: (Score:2)
Mostly outdated version of Joomla and Wordpress play the bigger role.
But the answer is: "no" opensource is not by default secure. The projects are comprised of people with different coding skill sets, some lower, some higher. Also feeling the need for fixing possible weak points is unevenly distributed.
sense for security
For example last week I was on a business trip and the hotel had free wifi.
1.) the wlan had no PSK WPA2 encryption
2.) the login page where you enter your credentials
to confirm the MAC-Addre
Re:It took 5 years? (Score:5, Funny)
Re:It took 5 years? (Score:5, Insightful)
Read the article? What madness is this?
I haven't read it either and I'll still agree with MobileTatsu-NJG here: the huge benefit with OSS that people keep talking about is that thousands of people looking at the source code are able to find bugs, trojans and backdoors. And this particular problem is over five years old, too.
Re: (Score:3)
There is no source code available to look at in this case. The article is very short and you could have read most of it in the time it took you to post the above irrelevant post, but as it is you are not even aware it's so irrelevant that it looks very silly in context.
Re: (Score:2)
The article is very short and you could have read most of it in the time it took you to post the above irrelevant post, but as it is you are not even aware it's so irrelevant that it looks very silly in context.
It's a lot less silly if you know anything about Microsoft or Apple and read the stories about exploits in their systems, here. I've actually people describe Android malware, for example, as 'freedom'.
In short, you and a couple of people with mod-points missed the point of my post. I have no hard feelings, I know double-standards are hard to admit to.
Re: (Score:2)
So what exactly was the point? All that is there is something about lying (spin) about OSS.
Re: (Score:2)
Again... Double-standards.
Re: (Score:2)
Re: (Score:2)
I don't know what's worse: This remark from Captain RTFA or the fact that I already explained it. Good night.
Re: It took 5 years? (Score:5, Interesting)
Read TFA. The flaw isn't in the OSS.
You are right. The flaw is in the OSS-users who think that OSS magically makes them secure from Trojans.
Re: (Score:2)
Re:It took 5 years? (Score:5, Interesting)
Yeah, I can't wait to hear how this is spun into a tale of how great OSS is.
Wait no more!
The article states that the analysts have identified 8,867 infected IP addresses. In April 2014, Netcraft confirmed [netcraft.com] that there were roughly 958,919,789 sites on the web at that time. Independently of them, W3Techs [w3techs.com] state that nearly 68% of servers are running some form of Unix, and the vast majority of those can be safely assumed to be running Linux.
So let's say, then, that better than half a billion sites are potentially vulnerable to this exploit, but in practical terms, over the course of years, a mere 8,867 of them actually were infected by this exploit. That means that, uh... carry the 9... somewhere around, oh... 0.0017734% of all vulnerable Linux sites have been compromised by a hitherto unknown and unmitigated active exploit.
Clearly this debacle is indisputable proof that Linux security is a shambolic, shameful charade that needs to be stopped before the world collapses into chaos.
Re: (Score:2, Informative)
"Clearly this debacle is indisputable proof that Linux security is a shambolic, shameful charade that needs to be stopped before the world collapses into chaos."
Pretty much, because once you understand Linux, you realize that it's a fucking tangled web of crap with no cohesion, and thus no real chance of ever being half secure.
MenuetOS does a better job at security, and it's fucking proprietary garbage.
Re: (Score:2, Troll)
If you had read both the article and the white paper, you would have known that the operators behind the infection purposefully keep the number low to stay under the radar. It has succeeded for at least 5 years (and possibly up to a decade). And who's to say that others won't copy the technique, now that the assembly code for the unpacker is also given in the white paper?
The reality is that the "many eyes" claim of open source is a myth, and gives a false sense of security.
Re: (Score:2)
Without stating the precise nature of the "exploit", it's hard to know whether or not your trolling is even relevant.
Re: (Score:2)
Then maybe you too should read the white paper.
However, that doesn't change the reality that the "many eyes" claim is a myth, like so many other software myths, such as "proprietary software is better because you get what you pay for."
Re:It took 5 years? (Score:5, Insightful)
However, that doesn't change the reality that the "many eyes" claim is a myth,
What? No, no it is not. The fact is that many bugs and vulnerabilities are found because of "many eyes", while we have to wait for either a vendor or a malicious attacker to find and announce vulnerabilities in closed-source software. Nobody credible ever claimed that "many eyes" makes FOSS invulnerable to bugs, back doors, etc. The claim is that it makes it less vulnerable, through better practice. Now, if you can provide a citation that shows this is false, I'll show you a paper full of lies — because a comparison is impossible, because the code we most care about isn't available for analysis and comparison. Without the code for the massive and common operating systems and packages which users commonly run, you can't actually make a meaningful comparison.
So, since we can't prove the claim either way, but we certainly have plenty of evidence that it does work that way since many eyes do in fact often find flaws through code analysis of FOSS but those many eyes do not find flaws in code analysis of closed-source software due to lack of availability. Therefore, the onus of proof is on you — if you want to show that something behaves counterintuitively, you're going to have to prove it.
Re:It took 5 years? (Score:5, Insightful)
Sure it's a myth. There are bugs in open source products that have been sitting there out in the open for YEARS without anyone recognizing them until they're exploited. Shellshock and Heartbleed (OpenSSL library - you can't get much more critical than that) prove once again that the "many eyes" that are not bothering to look because they all have something else to do (like scratching their own itch) proves that you also have to wait for a malicious attacker to find the vulnerabilities before they're fixed.
It's simply not a "better practice" - just different - and the myth leaves people open to exercising less caution out of an erroneous feeling that someone out there is going over the code to fix it just because it's open source. We all know that debugging and fixing code is a lot less attractive to people than writing new code, and that's simply not going to change, because it's human nature. Most programmers simply do not like to do code maintenance, which is why proprietary software with revenue streams have both an incentive and the means to PAY people to do the maintenance.
Which I guess is why the Windows kernel is now more secure than either the Linux or BSD kernels [gsmarena.com]. So, citation provided :-)
Am I happy about it? No, but that's the reality of it, and denying it is being willfully negligent.
Re: (Score:2)
Which I guess is why the Windows kernel is now more secure than either the Linux or BSD kernels. So, citation provided :-)
I've already debunked the citation of this report when other people who failed to understand it cited it. That is a report on reported vulnerabilities. It says so right at the top of the chart. Now, go back and re-read my prior comment to understand why that is useless, and why you have failed.
If you want me to debunk any other crappy citations for you, I can do that. But if it gets to be a habit, I'm going to bill you.
Re: (Score:2)
We can only go by reported vulnerabilities - we have no data for unreported vulnerabilities, and claiming that there are fewer unreported vulnerabilities in the linux and bsd kernels than in the windows kernel is totally unprovable - it's "magic thinking". And as shellshock and heartbleed have shown us, linux and bsd are not "magically invulnerable".
Times change. BSD used to have the least, followed closely by Linux, but not any more. Whether this trend will continue in the future is unknown, but for righ
Re: (Score:2)
We can only go by reported vulnerabilities - we have no data for unreported vulnerabilities, and claiming that there are fewer unreported vulnerabilities in the linux and bsd kernels than in the windows kernel is totally unprovable - it's "magic thinking".
No, it's a proven fact. Now you don't even know what you wrote. Hilarious. You've got yourself all in a tizzy.
Re: (Score:2)
Re: (Score:2)
The problem with linux is fragmentation, and it's now too late to address that.
Uhhh, There's only one Linux kernel and that's what you were comparing, kernels.
But I do agree with you that the Linux community could do a lot better in vetting source code for vulnerabilities.
But by lack of an itch and/or pay it's going to be hard to find competent analysts.
Re: (Score:2)
Re: (Score:2)
Of course, the number of high vulnerabilities of Linux is lower than all of the Microsoft OSes except those popular fan favorites, Vista and RT. Ahem... but I digress.
If you consider both high and medium vulnerabilities, OSX and Linux take the top spots, by more than a 2 to 1 margin compared to Windows. Hopefully this will incentivize OSX and Linux to look at different processes for development, testing, and deployment.
Makes sense it took 5 years (Score:2)
Re: (Score:2)
This is a trojan not an exploit. Any vendor could do this. How do I know that even the legitimately purchased programs aren't using my computer or network resources for their own benefit?
For all I know, M$ could be using the Office suite programs to mask some kind of analysis or number crunching at my expense and using Windows Update as a command-and-control.
Re: (Score:2)
How to patch PEBKAC? (Score:2)
Trojans are exploits of a human vulnerability. How would you go about patching a system against operator stupidity?
Re: (Score:2)