Full Disclosure mailing list archives
Re: Linux (in)security (Was: Re: Re: No Subject)
From: Gary Flynn <flynngn () jmu edu>
Date: Wed, 22 Oct 2003 22:59:17 -0400
Bruce Ediger wrote:

> The real questions go something like:
>
> "Source code for Unix viruses has been available for years, from sources almost too numerous to mention. Why haven't Unix viruses become epidemic the way that Windows viruses have?"

Not sure the source has anything to do with viruses. But your statement certainly says something about the concept that publishing source magically makes software that is secure. ;)

> "Security problems of the same magnitude as .ida buffer overflows, or MSRPC buffer overflows exist in unix programs like Sendmail and others. Why hasn't a worm materialized for this problem?"
>
> "The scalper worm didn't affect nearly as many hosts as msblast did. Why not? Why did the scalper worm seem to die out, yet wormwatch.org still records many hits from much older worms like SQLSpida and Nimda?"
>
> And I guess you can generalize and ask why the Windows "culture" generates so many problems of such a magnitude, that last so long? My home office web server got a Code Red hit on Sept 19th 2003, for example. Other computing cultures (Unix, Mac, etc) don't seem to exhibit this. Why not?
>
> Shouldn't we focus our efforts on figuring out what aspects of Linux or Mac cultures keep epidemics from occurring? It's certainly a waste of breath to point out that OS X has horrendous security flaws when none of them turn into grotesque epidemics like Sobig.f.
>
> To extend your "wooden house" analogy a bit: In a city made entirely of wooden houses, a single house fire is way more likely to level the city than in a city with a mix of wooden, brick and vinyl-sided houses. Having the occasional brick house mixed in with the wooden houses provides a lot of resistance to a whole-city conflagration. It doesn't provide absolute immunity from fires for every house in the city.
Three things come immediately to my mind:

1) Makeup of user base. Generally not understanding the nature and aspects of a programmable, general purpose computer connected to a world-wide network.

2) Size of target. If you're going to cause havoc, why not cause havoc in the largest population? If you're going to study how to break into safes, why not study the ones in most common use?

I don't buy the monoculture argument. Sure, it has some validity but can you imagine explaining to users of 40 different platforms and applications how to secure their systems? While we might not have worms, we'll have worse...silent parasites. Besides, there are very strong advantages to a standard platform. TCP/IP is a monoculture. HTTP/HTML is a monoculture. i86 is a monoculture. We had the BSD/SystemV/POSIX wars. We're having the BSD and linux wars. Do you really want to live in a world with completely fragmented platforms...one without the common APIs we've been trying for decades to achieve?

3) Microsoft's steadfast refusal to ship systems in a "NO listening ports configuration" by default. Cripe, now we've got anonymous, distributed file storage on how many Windows XP Shared Documents folders all over the Internet available to anyone that wants it, not to mention a hack or infection in waiting with every new install of 2000 or XP because netbios/RPC is shipped in the open state. This isn't a problem of not having a firewall. It's a problem of shipping a system in a state presenting unnecessary risk for the vast population of users of that system. Bad, nay, irresponsible, business decision IMHO.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html