Dailydave mailing list archives

Tectonic Shifts


From: Dave Aitel <dave () immunitysec com>
Date: Wed, 10 Dec 2003 10:36:38 -0500

So apparently hell froze over, and there were no bug reports to Microsoft in the past month. Technically, Microsoft refuses to acknowledge a bug until they have a patch for it and the average patch time is well over a month, so "there were no patches in the past month" would be more accurate (can you FEEL the trusted computing love?). In other news, Washington DC, sitting on the hellmouth, had a minor earthquake due to related tectonic movement.

Over the past week I've come around from thinking that the ease of compromise of Linux's developers and source repositories is a weakness. Like anyone with more brains than an aquatic turtle who has ever used a computer, I have to assume that Windows Update has been owned at least once. I have a "very high confidence" there are people on this list who could tell me that definitively. Now, just because Windows Update has been owned, you don't see the world falling apart, do you?

Partly, that's because this whole "computer" stuff affects almost no one in real life. I think the other reason is that until you find out you've actually been owned by a real person, the psychological effect of running risky software is negligible. Fluffy Bunny could stand up tomorrow and say "Yo, I own all of you through my trojaned copy of IE that you guys upgraded to via Windows Update to fix some useless IE parsing bug" and most CIOs wouldn't bat an eye. It's only when their payroll spreadsheets get posted to full disclosure that they get all outraged and start trying to sue everything in sight, SCO-style.

I guess the other reason is that there are more than enough bugs to go around. Now that rsync is blown (grrr) it may require some other bug to get into Gentoo's source repository, but invariably there will be a way. Probably via some other bug in the Immunity Vulnerability Sharing Club.

But it's not the end of the world if it does. Plenty of people replace their kernels, and active use of any bug is going to compromise it soon enough. Even assuming every program is trojaned, it's going to be hard to do that on a grsec'd box. And so they'd also have to trojan the gcc to prevent a grsec'd box from finding them, which is probably prohibitively difficult.

In the long run, mass-owning is never the answer. It shows a lack of the very magical skill that would have enabled it to work in the first place.

In other words, I think that Linux is safe. The really good hackers pick their targets, and the hackers who aren't good enough to do so, aren't able to effectively trojan a repository in the first place.

Dave Aitel
Immunity, Inc.




