Full Disclosure mailing list archives
Re: [inbox] Re: CyberInsecurity: The cost of Monopoly
From: "Gregory A. Gilliss" <ggilliss () netpublishing com>
Date: Mon, 29 Sep 2003 01:17:10 -0700
It's late and I am going to bed. However, before I do, I have to address this fallacious logic. On or about 2003.09.29 00:36:42 +0000, Kristian Hermansen (khermansen () ht-technology com) said:
> The reason that MOST people look to exploit software/OS's is so that they can gain priviledges [sic] on the system.
Well, BITD hackers looked to exploit software to gain elevated privileges because computing power cost imaginary or real money. Today I would postulate that a lot of the vulnerabilities are exploited because of other reasons, including but not limited to gaining root privileges. The US government would have you believe that people exploit vulnerabilities in order to tumble our fragile democracy, but it's late and I have no time for that s**t... Next!
> Windows machines make up 90-95% of the systems on the internet [sic], so people who discover an exploit for this widely used OS are likely to find a vulnerable machine which is easily exploitable and has the resources they want.
This is a law of averages argument, and it makes no sense! The law of averages is in their favor, yes. However, the law of averages does not rebut the fact that most Windows operating systems are insecure. The insecurity is inherent in the code itself, in the way that the code performs its logic (or fails to do so), and in the configuration of the software. The exploit, by its very existence, is proof of this. The statement "Windows is everywhere, so someone who finds a hole in Windows is likely to find a machine to exploit" has nothing to say about the hole that is found, nor about the motivation for seeking out either the vulnerability or the method to exploit it. Next!
> Unix/Linux systems are very powerful, and although they don't make up a large portion of the net, they are widely used as servers, which typically have vast resourses [sic] available by an exploiter.
Actually, Windows servers are just as "powerful" as UNIX servers, insofar as "powerful" is defined by --- what? MIPS? Concurrent processes? Concurrent users? At the hardware level, UNIX machines have the same resources as a Windows machine. Resources depend on what's running as well as what the hardware is. Linux on a P2 versus W2K on an Athlon - gimme the W2K box! Solaris on a pie pan (yuk) versus BSD on a Xeon - move over Solaris! Next!
> Novell, on the other hand, are [sic] rare to run into. How many people on this list have ever owned a Novell box?
See above - law of averages and capacity of the system do not dictate or determine the security of a system. We already did this. Next!
> This is partly the reason for the lack of security patches.
Another reason, presumably, is that the software isn't broken. Next!
> If there are so few boxes on the net with relatively little use, why do we need Netware exploits?
To get into them and 0wn them, of course :) Next!
> If Netware were as popular as Windows, I'm sure a whole mess of bugs would be found. Anyways, that's just like my opinion...man....(the dude)
So basically I hear you arguing that discovery of bugs/exploits is in direct proportion to the popularity of an OS? Nah, not buying it... UNIX has been around (in various incarnations) since 1969. Windows (unless you want to count OS/2 as some bastardized pre-release version) didn't show up until the late 1980s. Linux was birthed around 1991. Netware ... well, I don't really know when the first version of Netware shipped. The earliest copyright on my old Netware 4 manuals is 1993, so I'll guess 1993.

Anyway, here's your homework assignment. Pick any single year in which all four operating systems were available. Pick a variant of UNIX (not including Linux, which started off hardly resembling UNIX but which kind of evolved into a System V/BSD hybrid over time), a variant of Windows, a release of Linux, and Netware. Catalog the number of local and remote exploits for those systems during one single calendar year. See what you get. I assert that what you will find will *not* correlate with the number of installed site licenses or any other quantitative measure. Linux may, but the others almost certainly will not. And be glad that I am not dragging MVS or VMS into this discussion :)

Now, I confess that this does not necessarily measure the popularity of the OS. In fact, it completely ignores it, which is my point :) All this exercise does is track vulnerabilities by operating system, which gives you --- what? A quantitative measure of the security of the OS? No, I doubt it. What it gives you is the number of exploits found that year. No idea of how devastating they were, no idea of what motivated people to find them. Because, frankly, there's no way to track that. Given any OS, there exists a finite number of vulnerabilities that will compromise the security of that OS. How many of those are actually found and exploited? No f**king idea, but likely a subset of the whole. When Aleph One and Mudge came out with buffer overflows, EVERYONE started looking for them. Same with printf string vulnerabilities. People looked on whatever operating system they had access to, or on whichever one they thought most likely to bear fruit. Or whichever OS they were most comfortable or most familiar with. Heck, I bet people tried to bust into OS/2 boxes <LOL>. I sincerely doubt that the popularity of the OS had much to do with it. Availability, maybe. Popularity? Nope.

Night all =;^)

G

--
Gregory A. Gilliss, CISSP          Telephone: 1 650 872 2420
Computer Engineering               E-mail: greg () gilliss com
Computer Security                  ICQ: 123710561
Software Development               WWW: http://www.gilliss.com/greg/
PGP Key fingerprint 2F 0B 70 AE 5F 8E 71 7A 2D 86 52 BA B7 83 D9 B4 14 0E 8C A3

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html