Re: M$ attack on Common Sense
From: Max Burke (mlvburke_at_%$%#@.nz)
Date: 09/12/03
- Next message: Fred_McGriff: "Re: Port "0" scanning"
- Previous message: Maxime Ducharme: "Re: Port "0" scanning"
- In reply to: aaron matthew croyle: "Re: M$ attack on Common Sense"
- Next in thread: Leythos: "Re: M$ attack on Common Sense"
- Reply:(deleted message) Leythos: "Re: M$ attack on Common Sense"
- Reply: Nick: "Re: M$ attack on Common Sense"
- Reply: Chris F.A. Johnson: "Re: M$ attack on Common Sense"
- Reply: Ed Murphy: "Re: M$ attack on Common Sense"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Sat, 13 Sep 2003 09:55:21 +1200
aaron matthew croyle scribbled:
> OK, I don't usually respond to drivel like this, but I'm board today.
OK I'll play (and in the 'tone' that you want this debate to head in)
I'll ignore the spelling mistake for the moment....
Oops, I didn't ignore it..... ;-)
It's *BORED* That's B O R E D.....
Doesn't your Linux news reader support a spelling checker?
>> "Dave" <macquigg@ece.arizona.edu> wrote in message
>> news:a3b19517.0309110654.5db832f9@posting.google.com...
>>> I use both Windows and Linux. This last two weeks have been hell on
>>> my Windows system. McAfee has a bug, which they won't even
>>> acknowledge, and I had to switch to Norton Antivirus. Norton's
>>> running fine for now, but I see from the newsgroups that it too has
>>> had problems. I look forward to the day when I can move all my
>>> stuff to Linux, and I expect it will be soon. A little more polish
>>> on the office and business applications, and the day will come.
>>
>> Most linux machines I come across have NO antivirus programs
>> installed (even though there are several free versions available, eg
>> F-Prot, OpenScan etc). This is not because there are no virii around
>> for linux. It's just that most linux users believe they are safe
>> [and many are because they set their box up to do a specific task
>> then just leave it - users really use linux boxes on the desktop].
>
>> From the F-Prot web site, these are the numbers of virii it scans
>> for:
> 41381 DOS/Windows
> 266 Unix/Linux
> So, which OS would you like to be running? I didn't look at the
> definitions, but I'd be willing to bet that most of the 266 Unix/Linux
> (note that not all Unix virii can affect Linux and vice versa, so there
> are actually fewer than 266 that could possibly affect Linux)
> exploited older versions and would not affect more recent
> installations.
FYI:
Linux Still Less Secure Than Windows
On the flip side of the coin, I should point out that Linux still
suffers from far more security bugs and other vulnerabilities than
Windows does. Researchers at mi2g Intelligence Unit (http://mi2g.com),
which has been tracking and verifying computer-based vulnerabilities
since 1995, say that in August 67 percent of all successful and
verifiable attacks against servers targeted Linux, compared with just
23.2 percent that targeted Windows--and August was the month during
which SoBig.F and MSBlaster hit.
Furthermore, 12,892 e-business sites running Linux were successfully
breached during that month, compared with just 4626 sites running
Windows. Windows vulnerabilities get more press because more people run
Windows on the desktop, so any Windows-based worms or viruses will
generally affect a far larger group of individuals.
But anyone who thinks that jumping to Linux is a cure-all should think
again. Even if you don't consider the usage numbers, everyone's
favourite open-source poster boy is still a huge target for attackers.
An often-irreverent look at some of the week's other stories, by
[Paul Thurrott http://www.winnetmag.com]
> More to the point the reason for having F-Prot is to scan for windows
> virii, if you don't run Windows, you don't need to be doing that, now
> do you?
> A google search for `virus OpenScan' produced 0 results, and one for
> `"Open Scan" virus' produced nothing relevant, so I'm going to wager
> you were mistaken about that one. OpenScan seems to be scanner
> drivers.
> I know.... you said etc, so there must be others! To make a long story
> short they mostly scan for windows virii, so that your linux mail
> server can prevent your retarded windows users from even having a
> chance to infect themselves.
> As for use as a desktop I'm sitting at my linux desktop right now (at
> work) and I have one at home as well. I know you'll look at my
> headers and see that this came from Solaris, but don't get upset. You
> see in the Unix world you can connect to other machines (ssh) and run
> programs there. Such as pine, which I use to check E-mail and read
> newsgroups.
From my Network World daily e-mail newsletter:
NETWORK WORLD NEWSLETTER: JASON MESERVE ON VIRUS AND BUG PATCH ALERT
09/11/03
Today's focus: Another Blaster-like vulnerability
In this issue:
* Patches from Red Hat, others
* Beware worm that spreads via P2P networks
* Sobig's success prompts calls for secure e-mail, and other interesting
reading
* Links related to Virus and Bug Patch Alert
Buffer overflow vulnerability in pine
iDefense has found a couple of buffer problems in the pine e-mail
client. Both of the flaws could be exploited to run arbitrary code on
the affected machine. Pine Version 4.58 fixes the problem. For more, go
to:
iDefense advisory:
<http://www.idefense.com/advisory/09.10.03.txt>
How to obtain Pine updates:
<http://www.washington.edu/pine/getpine/>
Red Hat update:
<https://rhn.redhat.com/errata/RHSA-2003-273.html>
Slackware update:
<http://www.nwfusion.com/go2/0908bug2b.html>
Red Hat patches flaw in GtkHTML
Red Hat is reporting a flaw in GtkHTML, the HTML rendering engine for
the Evolution e-mail reader. A user could get the application to point
to a null pointer, causing the system to crash. For more, go to:
<https://rhn.redhat.com/errata/RHSA-2003-264.html>
SCO releases Samba update for OpenServer
A flaw in SCO's Samba implementation for OpenServer could be exploited
by a remote user to gain root access to the affected machine. The
updated binaries can be found here:
<ftp://ftp.sco.com/pub/updates/OpenServer/CSSA-2003-SCO.13>
Nearly *every day* this e-letter lists OSS/Linux vulnerabilities that it
does for any MS OS or application.....
Then there are these websites (just a few of many, note) which need to be
*ESSENTIAL and REQUIRED* reading for anyone running OSS/Linux....
http://www.partyvibe.com/flavour/linux/security.htm
http://www.linuxsecurity.com/advisories/index.html
http://www.opennet.ru/base/linux/
http://www.securityfocus.com/news/19
http://lists.debian.org/debian-security-announce/
>> I guess if you take all your norton and mcafee stuff off you'll be
>> just like the majority of linux machines so long as you don't let
>> any users touch the keyboard/mouse!!
> Flame bait! This statement is nothing but inflammatory.
And yours aren't?
>> Actually there are a lot more viruses written for Linux than the
>> Radio Shack TRS-80 machine. Why don't you move to the TRS-80? I
>> have not heard of a single infection in the last half a decade.
> More Flame bait.
From you as well......
>>> An alternative future is that Windows catches up with Linux on
>>> security, and then we have a choice of two nice, but fundamentally
>>> different systems. Why is it taking Microsoft so long? I'm
>>> looking for intelligent discussion of this issue in the newsgroups
>>> and websites (search term comp.security). I looked at this thread
>>> because the title was interesting, and there were 17 replies. What
>>> I find here is a childish flame war. I sense, however, that there
>>> are some intelligent people here who can shed some light on this
>>> issue.
>> It's only turned into a flame war by some people who appear to have
>> been recently introduced to unix like machines and don't know how
>> easily they are compromised.
> Half of that statement is true. I will admit that there are retarded
> Linux users, just as there are retarded windows users; windows just
> has more of them, but the Linux ones tend to be more vocal.
Far more vocal. Just read COLA (comp.os.linux.advocacy) for a few days
for evidence of that
> If it's so
> easy to compromise, why have I had zero problems in the last five
> years?
You mean like I have for the last *twelve years running various versions
of Microsoft OS'es and applications?
> I used to work in network security, and I can tell you that
> only about 5% of the incidents we got involved Unix or Linux boxes.
> And most of the ones that did were hacked (cracked rather, research
> the difference if you don't know it) into, not infected by the worm
> du jour.
Anecdotal experiences are interesting, but hardly count as factual
evidence that generally applies to everyone.....
>>> Let's see if we can redirect this discussion. Here are some
>>> possible answers to my question (in order of plausibility):
>>> 1) Technical difficulty. Making Windows as secure as Unix will
>>> take a major overhaul of the most basic levels of the operating
>>> system. In Unix, users are isolated from each other (and the
>>> system) by a very robust access model. All files and processes
>>> have an owner. No user
>> Have you seen Windows NT or XP Professional? NTFS supports unix
>> like file ownership and permissions.
> The hell it does. My Administrator account cannot read the files from
> my user account. Ownership and permission doesn't really matter on a
> machine that is designed to be used by a single user, and that single
> user usually runs with full privileges. (Yes, I did admit to using
> windows, I have an Xpee box as well, so I can play games; it only
> leaves me feeling slightly dirty).
My turn; Flame bait......
It's interesting that you choose to see using a computer running an OS
as some sort of 'moral indiscretion' on your part.
It's a typical comment and response of an OSS/Linux zealot.
It's just a *computer running an OS*........
> I would also wager that most Windows users have no idea what to do
> with ownership and permission settings.
I would wager most Linux users have to set ownership and permissions
just to make their OS boot.....
See I can make stupid comments about millions of other people I don't
know as well. See how easy it is to do things like THAT......
>>> code (even virus code that is run inadvertently) can alter the files
>>> of another user. If viruses were to become prevalent in Linux
>>> systems, users would quickly learn to handle email and surf the
>>> internet only under a username whose files they don't mind losing.
>>> The worst a virus can do is destroy all files belonging to that
>>> username.
>> This is wrong. The goal of many virus programs these days is not to
>> destroy files. They try to do the following things:
>> 1. Install themselves to run on bootup
>> 2. Remain hidden (remove zonealarm, Norton processes etc)
>> 3. Try to spread themselves
>> 4. Gather information (usually PASSWORDS)
>> The worst many of the viruses can do is empty your bank accounts and
>> spend your credit to its limit then log into your associates
>> computers and do the same for them. Passwords/information are more
>> important than files so virii go for them.
> I'll admit this is true, real harm from virii does not come from
> damaging files. But then again, if you are dumb enough to leave all
> your banking information and passwords sitting around in those files,
> you get what you deserve.
For *anyone* using a computer........
>> This also defeats the primary security for unix like machines for
>> home users. The most malicious viruses install keyloggers (which can
>> be done in a user account) and detect passwords [such as the root
>> password].
> Granted. Key loggers are quite bad.
On *any* computer running *any* OS......
>> Most ssh
>> daemons are set to disallow remote root login and sysadmins are
>> FORCED to login as a general user and su to root. [this is the case
>> on all monitorless gateways I know of]
> Gee, since most sysadmins are "forcing" this on themselves, I bet it's
> really not a bad thing. In fact I force myself to do this; why had I
> never thought of opening up the root login to the network so I could
> be more vulnerable. Oh, but I do have public-key authentication on
> for the root account (actually that's only on the machines behind my
> firewall, and not on the firewall itself), so I can log directly into
> the root account with no password ever typed. Also, people should be
> in the habit of sudo-ing things, which still only exposes your
> password and not the root user's.
> It is important to note that you cannot (with just a user privilege)
> grab the password during login, since that process is run by root. So
> a key grabber has to wait for you to login to something else to get
> your password; if you never do that (and there are many ways to avoid
> it, and still be fully productive) you have defeated it.
But it *can* happen right? Right.....
> Admittedly this takes more time and effort to set up, but in the long
> run you are safer, more secure in your authentication, and actually
> use your password less.
So how many OSS/Linux users do you think take the time to set it up, as
opposed to those that have bought the 'belief' that, hey they're running
Linux, they're safe, nothing like that can happen to them......
>> Great scheme for a keylogger installed on a
>> user account. On most linux systems the only way to stop keyloggers
>> from getting root access is by logging out of the user account and
>> logging into the root account at the console each time you want to
>> do something. Not many people do this because the system allows
>> (and encourages) changing users on the fly.
> There is no vulnerability in changing users "on the fly". Even XP lets
> you do this, and MacOS 10.3 will as well.
It's called ease of use, and just like in Linux, if the PC is secure
then changing users isn't a great security risk....
>> Don't forget that in the home user and small business situation
>> [where a large proportion of computers reside] the system
>> administrator is also the primary user.
> And your point here is?
That they are the primary user......
> Actually most computers are in large businesses, banks, insurance,
> airlines, etc. Most windows machines are at home and in small business
> (hopefully this will change in the future).
>> (This is of course assuming the virus didn't take advantage of a
>> system bug and used the user web browsing / email etc to install
>> itself as many do)
> I'm not sure I follow you here. What exactly do you mean by install?
> In general on Unix/Linux you just run programs. "Installation" just
> means putting them in a particular place so they are easy to find (not
> junking up some magic centralized registry). Even so the user could not
> "install" the program system wide (a root thing to do), and even
> though they could set the permissions so that every one could run the
> program, they would still have to run it to be infected/compromised.
> Any one who just runs things haphazardly gets what they deserve.
ANYONE who does.......
>> The really bad thing with linux is that it's far easier for virii to
>> remain hidden. Not many home or small business users use antivirus
>> software on their linux machines [mainly because the linux zealots
>> promote linux as being hard/impossible to crack and are led into a
>> false sense of security]. Furthermore there are rootkits easily
>> available from the net that defeat most of the linux admin tools.
>> So once it's actually installed it's far easier for a virus to remain
>> hidden on a linux box.
> Anti-virus dispelled above.
Hardly.... See above.
> There are rootkit checkers available. When
> your system is acting odd (unlike windows, this is not expected on
> Unix/Linux), you shut it down, then reboot off known good media: RedHat
> recovery, Knoppix, Gentoo, etc. Then run the rootkit checker; this is
> arguably virus scan for linux, and yes perhaps it should be done
> routinely by more people. Rootkits can only defeat the tools on the
> system that was infected; if you boot from known good media, they are
> easy to spot.
> The way these root kits work is by overwriting common system
> utilities so that these utilities will not show the existence of the
> root kit. The problem with this is they usually change the metadata
> of those system files, so when certain files that _never_ change are
> now 30x bigger and have a change date of yesterday (instead of the
> install date of the system) you see large red flags waving.
See above.
Open source critics also argue that open source can lead to a false
sense of security. They say that just because the source code is
available doesn't guarantee that anyone is reading it. Nor does it mean
that all the bugs have been found and fixed. Many users install and use
open source software without ever looking at the code. They assume
someone else has already scanned it for possible vulnerabilities.
Undetected bugs have lingered in some popular open source packages for
years. This is a legitimate concern.
But make no mistake, simply being open source is no guarantee of
security.
Elias Levy, "Wide Open Source"
http://online.securityfocus.com/news/19
>> Because of the many different configurations available to linux
>> (even one distributor) if they became as popular as windows it
>> would be difficult to detect viral activity once a machine is
>> compromised and to eradicate the virus. Difficulties include:
> These claims make no sense.
Yes they do.....
>> an inherently network based OS
> This is somehow better than an OS that is kludged onto the internet?
What OS would that be?
>> multiple methods of installing software - no very good installation
>> tracking
> Installation was covered above. Good users on any system should
> document on their own what they installed and when. There are tools
> available that will show changes in the file system.
And all OSS/Linux users are 'good' users?
Or do they (you) just use app get (whatever that command is) and install
whatever update or patch because you heard it was required without
having a clue what it is that you're installing....
>> a large number of start points for malicous code
> What does this mean?!?!?
I can understand what he means; why can't you?
>> further
>> To provide the same connectivity as windows many linux machines have
>> Samba installed (which appears to be a copy of the windows system).
>> This is just as insecure for linux machines as it is for windows as
>> far as spreading viruses go. While Samba share vulnerabilities have
>> not been exploited to spread (copy) viruses amongst linux machines
>> this is probably because not many linux machines are found on a
>> single subnet these days. (see your next comment)
> Misleading wording. Samba is what windows supports out of the box, and
> since it is such a pain to add NFS or AFS to it, and most of today's
> Linux distributions support samba out of the box, samba is what is
> used to connect to Windows boxes. This is not and cannot, for any
> number of reasons, be a "copy of the windows system" (however you
> want to define system).
>> From http://us1.samba.org/samba/samba.html
> Samba is an Open Source/Free Software suite that provides seamless
> file and print services to SMB/CIFS clients. Samba is freely available
> under the GNU General Public License.
> It is simply a way to communicate. The exploitations happen in
> Microsoft's implementation of the SMB/CIFS protocols. And even if
> Samba on Linux were vulnerable, what good would it do to force it to
> run windows code?
See the list of OSS/Linux websites that update at least once a week, if
not more often, all the vulnerabilities and flaws in Linux/OSS.....
For a secure OS, and applications, there sure are a LOT of
vulnerabilities and flaws listed....
>>> 2) Virus writers hate Microsoft. Like Al Qaeda, these losers
>>> attack anyone who is successful. If Linux were the dominant OS,
>>> they would go after Linux instead.
>> There is a difference between hating microsoft and going for the
>> maximum effect from your virus. Most users are Microsoft. Use the
>> TRS80 to be virus free.
> Yes, I imagine a large reason virii are written for Windows is
> because there is a larger population to infect. I also believe that
> even if it is not easier to write malware for windows, there are
> more holes to exploit, again a larger target population.
To repeat:
See the list of OSS/Linux websites that update at least once a week, if
not more often, all the vulnerabilities and flaws in Linux/OSS.....
For a secure OS, and applications, there sure are a LOT of
vulnerabilities and flaws listed....
>>> 3) Business inertia. The virus problem just hasn't risen to the
>>> level where Microsoft will give it serious attention. This last
>>> month should be a wakeup call.
>>> 4) Conspiracy theory. Microsoft somehow benefits from the current
>>> situation. Even though they don't sell anti-virus software, they
>>> will in the future, and they see it as an opportunity to get
>>> control of everyone's computer.
>>> http://www.pcmag.com/article2/0,4149,991132,00.asp
>> On the one hand you say M$ don't give it serious attention then
>> suggest that M$ are developing antivirus strategies.
> These were all hypotheses, there is no reason to assume the author
> believes them all to be correct.
Hypotheses are generally proposed as something the proposer believes
will or should happen....
>>> Let's not respond to the flames, and see if we can have a discussion
>>> that will actually help people understand what is happening.
>> Sure. IMHO its a pity that many
> Hopefully this will advance a sensible discussion.
You're off to a bad start then Aaron.....
BTW How come your sig fails to follow the recommended usenet guidelines
(that so many OSS/Linux users insist everyone has to follow):
a. No more than four lines. Occasionally called the "4-line McQuary
limit".
b. Use "-- " as the beginning marker.
Net etiquette (the "netiquette") and practice dictate about four lines
at a maximum. This is a sensible and commendable restriction. But
contrary to the common belief and frequent claims its nature is that of
a recommendation. For example RFC 1855 Netiquette Guidelines by
CyberNOTHING state "If you include a signature keep it short. Rule of
thumb is no longer than 4 lines." (The "-- " beginning marker is not
counted as one of the four lines.) Likewise A Primer on How to Work With
the Usenet Community states "Don't Overdo Signatures". [Underlining is
mine.] Furthermore, on the technical level some programs and ISPs
automatically limit the signature length to the said four lines.
http://www.uwasa.fi/~ts/http/signatur.html
snip bloated, irrelevant sig......
-- 
mlvburke@#%&*.net.nz
Replace the obvious with paradise to email me.
See Found Images at: http://homepages.paradise.net.nz/~mlvburke
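The rootkit-detection idea argued over in this thread (boot known-good media, then look for system utilities whose contents, size or change date no longer match what was installed) as an added example in Python; this is not code from any poster. The bin directory, the three fake utilities and the simulated replacement of `ps` are all constructed for the demo, and the baseline format is an assumption of this example rather than that of any real tripwire-style tool.

```python
#!/usr/bin/env python3
"""Baseline-and-compare integrity check for a directory of system utilities."""
import hashlib
import json
import tempfile
from pathlib import Path


def fingerprint(path: Path) -> dict:
    """Record what a rootkit replacing a binary usually disturbs: size, mtime, hash."""
    st = path.stat()
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return {"size": st.st_size, "mtime": int(st.st_mtime), "sha256": h.hexdigest()}


def build_baseline(root: Path) -> dict:
    """Fingerprint every regular file under root; take this from a clean install."""
    return {str(p.relative_to(root)): fingerprint(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare(baseline: dict, root: Path) -> dict:
    """Return {relpath: reason} for files that changed, vanished or appeared.

    Run this after booting known-good media, so the hashing code and the
    kernel doing the stat() calls are not the ones the rootkit tampered with.
    """
    findings = {}
    current = build_baseline(root)
    for rel, old in baseline.items():
        new = current.get(rel)
        if new is None:
            findings[rel] = "missing"
        elif new["sha256"] != old["sha256"]:
            reasons = ["content changed"]
            if new["size"] != old["size"]:
                reasons.append(f"size {old['size']} -> {new['size']}")
            if new["mtime"] != old["mtime"]:
                reasons.append("mtime changed")
            findings[rel] = ", ".join(reasons)
    for rel in current:
        if rel not in baseline:
            findings[rel] = "new file"
    return findings


def demo() -> dict:
    """Constructed scenario: a trusted bin dir, then a 'rootkit' swaps out ps."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for name in ("ls", "ps", "netstat"):
            (root / name).write_bytes(b"#!/bin/sh\necho original " + name.encode() + b"\n")
        # The baseline would normally be stored off-box; round-trip it as JSON.
        baseline = json.loads(json.dumps(build_baseline(root)))
        # Simulated tampering: ps becomes a much larger wrapper and a helper appears.
        (root / "ps").write_bytes(b"#!/bin/sh\n" + b"# hide pids\n" * 40 + b"exec /bin/true\n")
        (root / "hidden_loader").write_bytes(b"loader\n")
        return compare(baseline, root)


if __name__ == "__main__":
    for path, why in demo().items():
        print(f"{path}: {why}")
```

Only the replaced utility and the new file are reported; the untouched `ls` and `netstat` match their baseline and stay silent.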