Full Disclosure mailing list archives

Re: Obama Order Sped Up Wave of Cyberattacks Against Iran


From: Dan Cross <crossd () gmail com>
Date: Sun, 10 Jun 2012 22:41:38 -0400

On Sun, Jun 10, 2012 at 8:17 PM, Christian Sciberras <uuf6429 () gmail com> wrote:
> All this talk about a lot of arguments to syscalls reminded me of
> `ls`....and that's just the beginning..

'ls' is a user program, not a system call; system calls are entry
points into the operating system itself: basically little passage ways
into the kernel.  Having many of them opens up the surface area for bugs.
The Linux people seem to be making great strides in, ahem, 'catching
up' to Microsoft in this area, but comparing the number of options to
a non-privileged user-level program to the number of system calls in
the win32 or win64 API isn't very useful.

> Let's be honest, no matter the amount of "standardization" (or plain
> "planning") you put in, there's always room for complications.

I totally agree.  The question is do you want to use the system that
allows you to be complex, or the one that forces you to be?

> In what I've seen, the only exception here, is a dozen or so small hobbyist
> OSes.

For general purpose computing, this unfortunately seems to be more or
less true.  It's a sad state of affairs.

        - Dan C.

On Mon, Jun 11, 2012 at 1:58 AM, Dan Cross <crossd () gmail com> wrote:

On Sun, Jun 10, 2012 at 7:22 PM, Benjamin Kreuter <ben.kreuter () gmail com>
wrote:
I am a bit surprised by the direction of this conversation and I have
been waiting for someone to say the obvious in regards to protecting
yourself from .gov malware, it really is quite simple if you think
about it. Stuxnet, Duqu, Flame, etc. all only run on Windows
platforms. If the people you are protecting are concerned about that
kind of malware (and they should be) it would be a great time to tell
them about GNU/Linux, BSD, etc.

Which would do little to protect anyone.  Do you really think that
GNU/Linux would be a more difficult target for the NSA (or whichever
agencies were responsible -- I would guess the NSA, but there may be
others)?  GNU/Linux machines are compromised by criminals all the time,
and the majority of people would not be willing to put in the effort
needed to keep their system secure.

There are probably a bunch of remote exploits in the Linux kernel, in
Firefox and Chrome, in OpenSSL and NSS, in Ghostscript, and in any of
the thousands of other packages that will be installed on a typical
GNU/Linux system.

There is no magic bullet here.  Security is not about running the right
OS, it is about running your OS the right way (and more).  Telling
people that using GNU/Linux will make them safe is silly.

Fundamentally I agree with you, security isn't about running the right
OS, etc, we should acknowledge that not all operating systems are the
same.  Windows is fabulously complex, with a really large number of
system calls, many of which take a large number of arguments that in
turn change the semantics of the call greatly.  Together, these
represent a very large surface area for potential attacks.  In turn,
many of the Unix variants are simpler; they may not be any more
secure, but at a minimum, they have less attack surface area.  Of
course, it's been my impression over the last couple of decades that
they're trying as hard as they can to fill the gap.  To put it in
military terms, the Unix variants have traditionally had more surfaces
and fewer gaps than Windows.

Anyway, this isn't to say that Unix or some variant is inherently more
secure, but all other things being equal, I'd rather put my money on
the simpler thing, since simpler is often easier to get right.
Whether that's really the case or not is another matter; I simply
wanted to point out that there are other arguments besides the flawed
"security through obscurity" that may come into play when deciding
between operating systems with respect to security.

       - Dan C.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


