RE: Linux (in)security (Was: Re: [Full-Disclosure] Re: No Subject)

From: Bassett, Mark (mbassett_at_omaha.com)
Date: 10/24/03

    To: "Paul Schmehl" <pauls@utdallas.edu>, <full-disclosure@lists.netsys.com>
    Date: Fri, 24 Oct 2003 13:57:13 -0500
    
    

    I think something we are also forgetting is that statistically *nix
    users are people who are computer geeks. Average Joe #1 buys his PC
    from Best Buy pre-loaded with Windows XP and has no clue how to install
    it. Currently vendor pre-loaded *nix machines aren't very popular,
    which means in order to have Linux on your machine, you must
    download/purchase it and load it yourself. Most people don't want to
    mess with the hassle of the whole thing, aside from the fact that it
    doesn't play new game #1313413. All this means is that the *typical*
    *nix user knows what they are doing and therefore knows to keep the
    machine updated.

    --These same users on Windows (and who probably also run Windows boxes)
    would also be unaffected by the rash of 'sploits--

    Until we start seeing vendor pre-loads going to Joe Blow, *nix will
    still be the O/S of servers, and geeks. (no offense to geeks out there,
    I'm one too ;) )

    Mark Bassett
    Network Administrator
    World media company
    Omaha.com
    402-898-2079

    -----Original Message-----
    From: Paul Schmehl [mailto:pauls@utdallas.edu]
    Sent: Wednesday, October 22, 2003 10:19 PM
    To: full-disclosure@lists.netsys.com
    Subject: Re: Linux (in)security (Was: Re: [Full-Disclosure] Re: No Subject)

    --On Wednesday, October 22, 2003 6:00 PM -0600 Bruce Ediger
    <eballen1@qwest.net> wrote:
    >
    > The real questions go something like:
    >
    > "Source code for Unix viruses has been available for years, from
    > sources almost too numerous to mention. Why haven't Unix viruses
    > become epidemic the way that Windows viruses have?"
    >
    The usual argument is that Windows is more ubiquitous than Unix and is
    therefore the target of choice. I would argue that the *real* reason is
    that Windows is more ubiquitous as a *desktop* operating system and is
    therefore the target of choice. However, that's changing. Linux is
    gaining in the desktop space and so is Mac OS X, which is really
    "exposed" for the first time. By that I mean that previous Mac OSes
    weren't as easily attacked remotely because they used Appletalk rather
    than TCP/IP.

    (Yes, Macophiles, I know TCP/IP was available before OS X.)

    The real key to prevalence of malware, IMNSHO, is the ease of attack
    *and* the potential pool of victims. People think it's really stupid to
    "surf" the Internet using an administrator account on Windows. Well what
    do you think the neophyte Linux users are doing? I seriously doubt
    you'll find many that have a regular account and use su or sudo to do
    administrative tasks. They're bound to run into something sooner or
    later that they find irritating (like being prompted for root's password
    every time they try to run up2date on RedHat) and they'll do the same
    thing they always do on a desktop system. They'll start logging in as
    root because they don't get "pestered" by all those warning messages and
    they can install software any time they want. (Mind you, Windows still
    has a long way to go in that regard. MS doesn't make it easy to run as
    an unprivileged user, that's for sure.)

    And when folks are on the net, logged in as root, on a Unix box, they're
    just as susceptible to worms and viruses as any Windows user is. All it
    takes is some momentum in the desktop space and the stats will change.
    When the average desktop user can figure out how to burn CDs, listen to
    music and print on *nix as easily as they can do it on Windows, you'll
    see more and more malware for *nix as they move over to it (if they do.)

    Now I am *not* arguing that Windows is the best OS to use (or even a
    good one for that matter) or even that Windows is no easier to attack
    than *nix. But worms and viruses will follow desktop users, not OSes, no
    question about it.

    > "Security problems of the same magnitude as .ida buffer overflows, or
    > MSRPC buffer overflows exist in unix programs like Sendmail and
    > others. Why hasn't a worm materialized for this problem?"
    >
    Because unpatched apache isn't installed *and* running on *nix boxes by
    default. We had 90 boxes hit by Code Red. Only one was an "IT" box, and
    that one had just been installed and was *at* windowsupdate when it got
    infected. Of the other 89, all but three were desktop systems. When
    Nimda hit, we had 40. All 40 were desktops. People who know what they're
    doing don't get infected with that crap. People who don't, do. What OS
    they're using is irrelevant.

    > "The scalper worm didn't affect nearly as many hosts as msblast did.
    > Why not? Why did the scalper worm seem to die out, yet wormwatch.org
    > still records many hits from much older worms like SQLSpida and
    > Nimda?"
    >
    Because desktop users don't patch. Scalper didn't make much headway
    because *very few* desktop *nix boxes run Apache, and servers that do
    are admined by people who understand the need to patch.

    Remember the SunOS.Poisonbox.worm? That made pretty good headway on
    Solaris boxes and can still be found today. What did it attack?
    Sadmind, which few server admins would ever run and far fewer would run
    unpatched. Only desktop users have that on and don't want to be bothered
    with patching. And they got infected. Every *nix infection that I've had
    to deal with has been a desktop system, not a server.

    Why do you think wuftpd is so heavily attacked? I think it's because
    it's had many holes *and* lots of desktop users run it because it lets
    them easily move files around.

    > And I guess you can generalize and ask why the Windows "culture"
    > generates so many problems of such a magnitude, that last so long? My
    > home office web server got a Code Red hit on Sept 19th 2003, for
    > example. Other computing cultures (Unix, Mac, etc) don't seem to
    > exhibit this. Why not?

    Well, historically *nix was for the clued in. All others were excluded.
    And Mac wasn't easily exploited due to Appletalk. But all that's
    changing.

    KDE has been riddled with security problems. Once the number of desktop
    users using KDE reaches critical mass (whatever that is) you'll start
    seeing more and more malware on *nix. Malware follows negligent users,
    *not* OSes.

    > Shouldn't we focus our efforts on figuring out what aspects of Linux
    > or Mac cultures keep epidemics from occurring? It's certainly a waste
    > of breath to point out that OS X has horrendous security flaws when
    > none of them turn into grotesque epidemics like Sobig.f.
    >
    Well, think about it for a minute. You're going to write a virus that's
    designed to trojan machines so you can use them in a massive distributed
    spam network. What do you attack? The 5 million Mac machines worldwide?
    Or the 150 million Windows boxes? If your rate of success is 1 in 500,
    you get 2,000 bots with Mac and 300,000 with Windows. Which would you
    choose?

    I don't doubt that there is some politicization in malware production
    (people who hate Gates and his OS and want to embarrass him any way they
    can), but most malware authors are simply trying to get the most bang
    for the buck, if you will. They'll follow the desktop crowd wherever it
    leads them. And they won't have any more difficulty infecting KDE users
    than they do Windows users.

    Paul Schmehl (pauls@utdallas.edu)
    Adjunct Information Security Officer
    The University of Texas at Dallas
    AVIEN Founding Member
    http://www.utdallas.edu

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html




