Full Disclosure mailing list archives
Re: CyberInsecurity: The cost of Monopoly
From: "Matthew Murphy" <mattmurphy () kc rr com>
Date: Sat, 27 Sep 2003 02:04:05 -0500
"Bruce Ediger" <eballen1 () qwest net> wrote:

> On Fri, 26 Sep 2003, Rick Kingslan wrote:
>
> > I'll not argue that the Windows operating systems are the target of the
> > majority of viruses, but that's typically what happens when a system is
> > used by a known large group of people that might not be qualified to run
> > a computer, much less secure it.
>
> Doesn't this just constitute special pleading to use Microsoft's products?
> For example, this theory is totally unfalsifiable - only Microsoft products
> are in such a position. Oh, wait. Apache has about 2 times the market share
> of IIS, and I'm still getting Code Red and Nimda hits TWO YEARS after they
> were released. By contrast, I only got about 2 days' worth of hits from
> Slapper.
[snip]

And, of course, this theory has complete relevance in the discussion -- oh wait, Apache runs on dozens of different OSes, and by the time you include individual distributors' binary packages, you're getting into ~100 different Apache flavors (a conservative estimate). IIS runs on OSes which are (under the hood) quite alike -- Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003.

The reason you only get two hits a day from Slapper is that that worm targeted a very small portion of Apache's install base (certain versions of Apache 1.3 + mod_ssl installed + SSLv2 support + certain OpenSSL versions + certain Linux distributions, ...), while the only inhibiting factor to Nimda was a vulnerable version of IIS. Similarly, Code Red didn't require any non-default settings (sadly); all it required was a vulnerable Windows 2000 Gold setup. In some cases, the exploits used in Slapper are language-dependent, whereas Code Red and Nimda were not, ... I could go on all day. When you see the first Apache exploit that works on a third or half of vulnerable Apache installs with a single target (an event I probably will not live to witness), then we can talk about disproportionate numbers of attacks against systems.

When you get into discussion about system monoculture, so to speak, you have to assess the system at every level -- right down to the CPU in many cases. This is the problem with the theory of system monoculture -- variations at one level often create a tendency at another level. For instance, the reason IIS has remained limited to 30% of servers is that it runs on fewer (Microsoft) platforms. However, this makes IIS a more attractive target in terms of attack success, as the OS framework underneath it (which plays a substantial role in exploitation) is similar.

Had the market balance been shifted in favor of Apache even further, presumably in favor of cross-platform portability (thus requiring any number of exploit methods for one version), the attacker would then have a greater chance of guessing the correct exploit method, as a greater number of potential victims is available. Similarly, had IIS been ported to multiple platforms and become the majority server, Code Red would have perhaps seen a *decrease* in infections due to crashing many potential victims.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
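The trade-off argued in the message above (a smaller but uniform install base versus a larger base split across many platform flavours, where a misfired exploit can crash the would-be victim) can be made concrete with a small expected-value model. The following is an added example written for this page, not code from the original post or from either project; the market shares, the eight-way Apache split and the crash probability are constructed assumptions used only to illustrate the reasoning, not measured figures.

```python
"""Expected worm yield against a homogeneous vs. a heterogeneous install base.

Constructed model (not from the original post): every server runs exactly one
platform variant; a worm carries exploits for some variants and fires them in
a fixed order until one works.  An exploit fired at a variant it was not built
for misfires and, with probability crash_prob, takes the service down, so no
later exploit in the list gets a try against that host.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Variant:
    name: str
    share: float  # fraction of all reachable web servers running this variant


def expected_yield(variants, exploit_order, crash_prob):
    """Expected fraction of all servers the worm infects.

    A host of variant v is infected only if v is in exploit_order and every
    exploit tried before it misfired without crashing the service, which has
    probability (1 - crash_prob) ** (position of v in exploit_order).
    """
    if not 0.0 <= crash_prob <= 1.0:
        raise ValueError("crash_prob must be a probability")
    total = 0.0
    for v in variants:
        if v.name not in exploit_order:
            continue  # wrong platform: the worm never succeeds here
        misfires_before = exploit_order.index(v.name)
        total += v.share * (1.0 - crash_prob) ** misfires_before
    return total


def best_order(variants, exploits):
    """Order the worm's exploits largest victim share first.

    Every position costs the same factor (1 - crash_prob), so by an exchange
    argument putting the biggest share first maximises expected_yield for
    any crash_prob.
    """
    share = {v.name: v.share for v in variants}
    return sorted(exploits, key=lambda n: share[n], reverse=True)


def split_evenly(name, total_share, n):
    """n variants (e.g. distro builds of one server) sharing total_share equally."""
    return [Variant(f"{name}-{i}", total_share / n) for i in range(n)]


def scenarios(crash_prob=0.5):
    """Assumed market picture loosely following the post: IIS is 30% of
    servers on one near-identical OS family; Apache is 60% spread over
    eight equally sized platform/distro flavours.  Numbers are illustrative."""
    iis = [Variant("iis-nt", 0.30)]
    apache = split_evenly("apache", 0.60, 8)
    all_apache = [v.name for v in apache]
    return {
        # Code Red style: one exploit covers the whole IIS base, no misfires.
        "iis_single_exploit": expected_yield(iis, ["iis-nt"], crash_prob),
        # Slapper style: one exploit for one of the eight Apache flavours.
        "apache_single_exploit": expected_yield(apache, all_apache[:1], crash_prob),
        # A worm carrying all eight exploits but firing blind; misfires
        # crash would-be victims, so it still falls well short of 60%.
        "apache_all_blind": expected_yield(
            apache, best_order(apache, all_apache), crash_prob),
        # Same worm with a fingerprinting step so it never misfires,
        # modelled as crash_prob = 0: diversity then buys nothing.
        "apache_all_fingerprinted": expected_yield(apache, all_apache, 0.0),
    }


if __name__ == "__main__":
    for label, frac in scenarios().items():
        print(f"{label:26s} {frac:6.1%}")
```

Under these assumptions the uniform 30% base yields more to a single-exploit worm than a blind multi-exploit worm gets from the fragmented 60% base, which is the post's point; the last scenario shows the caveat a defender should keep in mind: platform diversity only helps while the attacker cannot cheaply fingerprint the target before choosing an exploit.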
Current thread:
- RE: CyberInsecurity: The cost of Monopoly, (continued)
- RE: CyberInsecurity: The cost of Monopoly Richard M. Smith (Sep 25)
- RE: CyberInsecurity: The cost of Monopoly Jonathan A. Zdziarski (Sep 25)
- RE: CyberInsecurity: The cost of Monopoly B.K. DeLong (Sep 25)
- RE: CyberInsecurity: The cost of Monopoly Richard M. Smith (Sep 25)
- Re: CyberInsecurity: The cost of Monopoly Gregory A. Gilliss (Sep 25)
- RE: CyberInsecurity: The cost of Monopoly Mike Hoskins (Sep 26)
- RE: CyberInsecurity: The cost of Monopoly Marc Maiffret (Sep 26)
- Re: CyberInsecurity: The cost of Monopoly Fabio Gomes de Souza (Sep 26)
- Re: CyberInsecurity: The cost of Monopoly Paul Schmehl (Sep 26)
- RE: CyberInsecurity: The cost of Monopoly Rick Kingslan (Sep 26)
- RE: CyberInsecurity: The cost of Monopoly Bruce Ediger (Sep 26)
- Re: CyberInsecurity: The cost of Monopoly Matthew Murphy (Sep 27)
- Re: CyberInsecurity: The cost of Monopoly Rodrigo Barbosa (Sep 27)
- RE: [inbox] Re: CyberInsecurity: The cost of Monopoly Curt Purdy (Sep 28)
- Re: [inbox] Re: CyberInsecurity: The cost of Monopoly Kristian Hermansen (Sep 28)
- Re: [inbox] Re: CyberInsecurity: The cost of Monopoly Gregory A. Gilliss (Sep 29)
- Re: [inbox] Re: CyberInsecurity: The cost of Monopoly Valdis . Kletnieks (Sep 30)
- Re: [inbox] Re: CyberInsecurity: The cost of Monopoly Rodrigo Barbosa (Sep 29)
- Re: CyberInsecurity: The cost of Monopoly Gregory A. Gilliss (Sep 26)
- RE: CyberInsecurity: The cost of Monopoly Rick Kingslan (Sep 27)
- Re: CyberInsecurity: The cost of Monopoly Fabio Gomes de Souza (Sep 28)