Re: M$ attack on Common Sense
From: Max Burke (mlvburke_at_%$%#@.nz)
Date: 09/13/03
- Next message: wendy: "Re: Which Router for VPN and Webhosting"
- Previous message: User: "Re: M$ attack on Common Sense"
- In reply to: Ed Murphy: "Re: M$ attack on Common Sense"
- Next in thread: Ed Murphy: "Re: M$ attack on Common Sense"
- Reply: Ed Murphy: "Re: M$ attack on Common Sense"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Sat, 13 Sep 2003 18:53:27 +1200
> Ed Murphy scribbled:
>> On Sat, 13 Sep 2003 09:55:21 +1200, Max Burke wrote:
>> Researchers at mi2g Intelligence Unit (http://mi2g.com),
>> which has been tracking and verifying computer-based vulnerabilities
>> since 1995, say that in August 67 percent of all successful and
>> verifiable attacks against servers targeted Linux, compared with just
>> 23.2 percent that targeted Windows--and August was the month during
>> which SoBig.F and MSBlaster hit.
>> Furthermore, 12,892 e-business sites running Linux were successfully
>> breached during that month, compared with just 4626 sites running
>> Windows. Windows vulnerabilities get more press because more people
>> run Windows on the desktop, so any Windows-based worms or viruses
>> will generally affect a far larger group of individuals.
> Exactly. If you measure server attacks alone, you're ignoring a big
> piece of the picture. Home users and workstations matter!
They're reporting attacks on servers at e-business sites. Why would they
need to include home users and workstations?
> Second, even if you just look at servers, some outfit saying "13,000
> vs. 5,000" is *not* the end of the discussion. Not even close! What
> if 1,000,000 servers run Linux and only 1% of them got hacked, versus
> 100,000 servers running Windows and 5% of them got hacked? What if
> their numbers are skewed because they overlooked some places - or
> because Microsoft quietly paid them to overlook some places? (Set up
> a totally insecure wide-open Linux, run 2,000 virtual e-commerce hosts
> that don't need to actually do any business, then drop a quiet e-mail
> to some script kiddies...)
If they were reporting what-ifs then all of the above would be relevant;
They're not. Therefore it's not relevant.
> I'm not saying that any of these things have actually happened, but
> they're *possible*, and any serious analysis needs to discount them
> before accepting mi2g's figures.
What-if's dont count.
> There seems to be a fair body of opinion to the effect that mi2g
> actually is seriously clueless and/or outright unfair:
Nothing like shooting the messenger when you dont like the message is
there...... ;-)
> http://www.infowarrior.org/articles/2002-12.html
> http://www.landfield.com/isn/mail-archive/2002/Nov/0103.html
> http://vmyths.com/resource.cfm?id=64&page=1
> I admit that I haven't researched the issue myself in great detail,
> so you should certainly review the evidence for yourself.
The report about e-business servers running Linux being attacked would
be a good place to start wouldn't it....
>> But anyone who thinks that jumping to Linux is a cure-all should
>> think again. Even if you don't consider the usage numbers, everyone's
>> favourite open-source poster boy is still a huge target for
>> attackers.
> Oh, absolutely! Hence tripwire, chkrootkit, etc etc etc. You have to
> distinguish between viruses and malware-in-general; Linux is
> susceptible to the latter, not so much to the former.
Because there aren't many viruses being created for Linux.....
But go back one step; How can such a 'secure' OS (as we're so often told
it is) have flaws and vulnerabilities that allow viruses and malware to
exist in the first place? From what I read about the flaws and
vulnerabilities of OSS/Linux, it's just as bad as OSS/Linux advocates
like to claim MS Windows is. It has WEEKLY [new] flaws and
vulnerabilities being found and patched; And to boot they're the exact
same kind of flaws and vulnerabilities that happen in MS Windows.....
> A clueless user will screw up just about anything. In particular, a
> badly-managed Linux box is worse than a well-managed Windows box. I,
> for one, will not dispute that for a moment; I've had to clean up
> after too many clueless users...
Then why the 'down' on Microsoft when that happens on that OS, and the
defence of OSS/Linux when that happens on that OS?
It seems to me that you have an a 'biased' approach to the problem of
clueless users....
>> Far more vocal. Just read COLA (comp.os.linux.advocacy) for a few
>> days for evidence of that
> Any *.advocacy group is going to draw a fair share of Induhviduals.
Nothing like COLA. There are some real 'nutcases' in that forum who
'advocate' for OSS/Linux.....
Saying things like OSS/Linux is going to save the whole world from a new
dark age, that using Linux set's you 'free,' that it's such a liberating
'experience' to become a Linux user, etc, etc.....
>>>> Don't forget that in the home user and small business situation
>>>> [where a large proportion of computers reside] the system
>>>> administrator is also the primary user.
>>> And your point here is?
>> That they are the primary user......
> That doesn't mean they should be logged in as "administrator" all
> the time. They should do it (or switch to it, or whatever) only
> when they actually need to administrate something.
Or run their computer securely so they dont need to switch accounts to
maintain the computer.
BTW have you ever tried to setup XP HE with a user account for daily
use, and get it to work with all the applications?
It's not a rewarding experience....
>>>> Because of the many different configurations available to linux
>>>> (even one distributer) if they because as popular as windows it
>>>> would be difficult to detect viral activity once a machine is
>>>> compramised and to eradicate the virus. Difficulties include:
>>> These claims make no sense.
>> Yes they do.....
> More to the point, the different configurations make it difficult
> for the virus to compromise the machine in the first place. (For
> the most extreme example, consider the entire world. Ever see a
> virus that could infect Windows *and* Linux *and* Mac? Know why
> you haven't? Because writing one would be *hard*!)
Of course; But then viruses can be written for all three. MS Windows
gets the high profile ones because it's the largest 'target....'
>>>> an inherently network based OS
>>> This is somehow better then an OS that is kludged onto the internet?
>> What OS would that be?
> That would be Windows.
IYO?
> At least some flavors thereof. Depends on
> what you count as a kludge, I suppose. As I understand it, Linux
> has TCP/IP support built into the kernel, so perhaps some people
> define anything-but-that as being a kludge.
Then they would be wrong....
>> And all OSS/Linux users are 'good' users?
>> Or do they (you) just use app get (whatever that command is)
> apt-get. Close enough.
>> and install
>> whatever update or patch because you heard it was required without
>> having a clue what it is that you're installing....
> As previously noted, dumb people can screw up even the best system.
Oh I agree 100%....
>> See the list of OSS/Linux websites that update at least once a week,
>> if not more often, all the vulnerabilities and flaws in
>> Linux/OSS..... For a secure OS, and applications, there sure are a
>> LOT of vulnerabilities and flaws listed....
> A more interesting measure would be the average delay time between the
> introduction of a vulnerability and its discovery.
No it wouldn't. Not when the claim is that it's inherently secure.
> For the RPC
> vulnerability behind Blaster, wasn't this delay time something on the
> order of *twelve years*?
Cite please?
It only became a vulnerability once someone had figured out how to
exploit it; before that it was (still is?) and programming flaw....
It's not the ordinary user that creates the code that exploits bad
programming after all; It's those that write the malware and viruses
that create the risks and vulnerabilities for users by creating the
viruses and malware code to exploit the bad programming. Before that
happens it's just bad programming that most of the time has no effect or
risk to the user....
> (Granted, Microsoft provided a patch about
> a month before Blaster hit; the "dumb people can screw up anything"
> argument still applies.)
> Also important is the practical level of attention that *actually
> gets paid* to OSS/Linux security updates.
> Windows's average is
> pushed downward by all the Joe Users who haven't run Windows Update
> once in three or more years.
We come back to the *numerous flaws and vulnerabilities* that get listed
for OSS/Linux each week; The attention that gets paid to these would
indicate that the OS and apps are just as badly written as so many like
to claim windows is.
And how many OSS/Linux users do you think are 'eyeballing the code' to
find the flaws and vulnerabilities that obviously exist? Have you done
that recently?
Do you know any Linux/OSS users that have this week? Last week? Last
month? In the last year?
-- mlvburke@#%&*.net.nz Replace the obvious with paradise to email me. See Found Images at: http://homepages.paradise.net.nz/~mlvburke
- Next message: wendy: "Re: Which Router for VPN and Webhosting"
- Previous message: User: "Re: M$ attack on Common Sense"
- In reply to: Ed Murphy: "Re: M$ attack on Common Sense"
- Next in thread: Ed Murphy: "Re: M$ attack on Common Sense"
- Reply: Ed Murphy: "Re: M$ attack on Common Sense"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
