Re: M$ attack on Common Sense

From: Max Burke (mlvburke_at_%$
Date: 09/14/03

Date: Sun, 14 Sep 2003 10:21:15 +1200

> Ed Murphy scribbled:

>> Max Burke wrote:

> Exactly. If you measure server attacks alone, you're ignoring a big
> piece of the picture. Home users and workstations matter!

>> They're reporting attacks on servers at e-business sites. Why would
>> they need to include home users and workstations?

> That depends on whether you're interested in the OS in general, or the
> OS specifically in a server role.

As far as this report goes I'm only interested in what it's reporting.
As far as being interested in an OS generally then I'm interested in all
of them, but I certainly don't say this report is wrong because it makes
no mention of something I might be interested in......

> I admit that I haven't researched the issue myself in great detail,
> so you should certainly review the evidence for yourself.

>> The report about e-business servers running Linux being attacked
>> would be a good place to start wouldn't it....

> Yes, it would be a good place to *start*. It would be a lousy place
> to *stop*, though.

Who said it's a place to stop?

> Oh, absolutely! Hence tripwire, chkrootkit, etc etc etc. You have
> to distinguish between viruses and malware-in-general; Linux is
> susceptible to the latter, not so much to the former.

>> Because there aren't many viruses being created for Linux.....

> That's one reason. There are several others, which have been
> discussed earlier; some of them repeatedly.

I know. That doesn't however stop viruses being created for Linux/OSS.
Bottom line? Viruses can ONLY be created for computer OS'es when there
are flaws in the OS itself that enable the virus to work. Linux/OSS is
no more immune from that problem than Windows is, as the websites I have
listed (OFTEN) clearly show.
Windows has flaws and vulnerabilities? Sure it does. So does OSS/Linux.
But listen to many/most Linux/OSS users/advocates and you'd think Linux/OSS
doesn't have flaws and vulnerabilities. It does, and ANYONE who claims
otherwise is spouting BS. It's certainly NOT advocacy for Linux IMO.....

>> But go back one step; How can such a 'secure' OS (as we're so often
>> told it is) have flaws and vulnerabilities that allow viruses and
>> malware to exist in the first place? From what I read about the
>> flaws and vulnerabilities of OSS/Linux, it's just as bad as
>> OSS/Linux advocates like to claim MS Windows is. It has WEEKLY [new]
>> flaws and vulnerabilities being found and patched; And to boot
>> they're the exact same kind of flaws and vulnerabilities that happen
>> in MS Windows.....

> This oversimplifies multiple aspects of the problem.

No it doesn't.
It states the reality as opposed to what many/most Linux advocates will
try and tell you about Linux....

> 1) How many vulnerabilities are located in the OS, as opposed to
> applications? (Applications can be removed or replaced if you
> don't need or want them.)

This is a stupid/ridiculous argument.
The websites I have listed (OFTEN) clearly show that MANY flaws and
vulnerabilities DO exist in Linux/OSS. Those websites list MANY more
than are listed for windows each week. If I was wanting to make a choice
on what OS to use based on the numbers of flaws and vulnerabilities that
were listed each week for any particular OS and it's applications, after
reading those websites Linux/OSS wouldn't be it simply because of the
Playing the numbers game between the OS and apps is NOT a good way to
argue your point Ed.
The question being asked is whether flaws and vulnerabilities exist at
all, and if so, how easy it is for users to avoid those flaws and risks;
that's what's being discussed here.....

But, if it's unfair to lump all open source software together for
bug-counting purposes, it's also unfair to do the same thing for all
Microsoft software. (Otherwise, to get an accurate assessment for Linux
systems, you'd have to include the bugs from open source browsers and
all other normal system add-ins or add-ons, on top of Linux's own bugs.)
Instead, to avoid an apples/oranges comparison, it's better to look at
specific brands, types, and builds of products across similar amounts of
time: That's the only accurate way to see how, say, operating systems
compare, or browsers compare, or E-mail programs compare, and so on.
story 2003/01/24
<end quote>

> 2) What's the delay time between introduction of a vulnerability
> and discovery/repair?

Irrelevant. See above as to why.

> 3) They're *not* the same kind of vulnerabilities.

Yes they are: Buffer overruns/underruns. Flaws that can allow root
access. Badly written code in the OS and apps doing what it's NOT
supposed to do....

FYI (from just ONE Linux security website)

Recent Advisories
     Below are the fifteen most recent advisories. For more please click
on the vendor link on the left of the page.


      9/11/2003 16:03 - SuSe: pine arbitrary code execution
      The well known and widely used mail client pine is vulnerable to a
buffer overflow. The vulnerability exists in the code processing
'message/external-body' type messages.

      9/11/2003 16:02 - Slackware: pine arbitrary code execution
      Upgraded pine packages are available for Slackware 8.1, 9.0
and -current.

      9/11/2003 16:01 - RedHat: pine buffer overflow vulnerability
      A buffer overflow exists in the way unpatched versions of Pine
prior to 4.57 handle the 'message/external-body' type.

      9/11/2003 16:00 - RedHat: GtkHTML denial of service vulnerability
      Alan Cox discovered that certain malformed messages could cause
the Evolution mail component to crash due to a null pointer dereference
in the GtkHTML library.

      9/11/2003 15:58 - Debian: sane-backends multiple vulnerabilities
      These problems allow a remote attacker to cause a segfault
and/or consume arbitrary amounts of memory.

      9/11/2003 15:58 - SCO: bind buffer overflow vulnerability
      A buffer overflow exists in BIND 4 and 8 that may lead to remote
compromise of vulnerable DNS servers.

      9/11/2003 15:56 - SCO: apache multiple vulnerabilities
      There are multiple vulnerabilities in the apache web server.

      9/11/2003 15:55 - SCO: samba arbitrary code execution
      This vulnerability, if exploited correctly, leads to an anonymous
user gaining root access on a Samba serving system.

      9/11/2003 11:53 - EnGarde: 'pine' buffer overflows
      The pine e-mail client shipped with EnGarde Secure Linux contains
buffer overflows which may be exploited by a remote attacker by sending
the victim a specially crafted email.

      9/9/2003 12:10 - Slackware: inetd denial of service vulnerability
      These updates fix a previously hard-coded limit of 256
connections-per-minute, after which the given service is disabled for
ten minutes.

      9/8/2003 12:08 - Debian: exim buffer overflow vulnerability
      A buffer overflow exists in exim.

      9/8/2003 12:08 - Debian: mah-jong multiple vulnerabilities
      Nicolas Boullis discovered two vulnerabilities in mah-jong.

      9/5/2003 14:52 - Red Hat: 'httpd' vulnerabilities
      Updated httpd packages that fix several minor security issues are
now available for Red Hat Linux 8.0 and 9.

      9/5/2003 14:51 - Debian: 'wu-ftpd' insecure program execution
      wu-ftpd, an FTP server, implements a feature whereby multiple
files can be fetched in the form of a dynamically constructed archive
file, such as a tar archive. This feature may be abused to execute
arbitrary programs with the privileges of the wu-ftpd process.

      9/5/2003 14:50 - Debian: 'exim' buffer overflow
      A buffer overflow exists in exim, which is the standard mail
transport agent in Debian. By supplying a specially crafted HELO or EHLO
command, an attacker could cause a constant string to be written past
the end of a buffer allocated on the heap. This vulnerability is not
believed at this time to be exploitable to execute arbitrary code.

> See previous
> discussion of why Linux is (generally) much less susceptible
> to viruses.

See above as to why *in reality* it isn't, and as to why this
belief held by so many Linux/OSS users leaves them wide open to having
that belief squashed....

> The open-source-ness of OSS tends to encourage security.

In theory;

> First,
> there are potentially more proofreaders.

Ahh the many 'eyeballs on the code' argument.
When is the last time YOU examined the code Ed? When is the last time
YOU found a vulnerability or flaw in the code? When is the last time YOU
fixed a flaw?
Because they DO exist. In abundance. Just check out the websites I have
listed for evidence of the ones that have been found.....

Open source critics also argue that open source can lead to a false
sense of security. They say that just because the source code is
available doesn't guarantee that anyone is reading it. Nor does it mean
that all the bugs have been found and fixed. Many users install and use
open source software without ever looking at the code. They assume
someone else has already scanned it for possible vulnerabilities.
Undetected bugs have lingered in some popular open source packages for
years. This is a legitimate concern.
But make no mistake, simply being open source is no guarantee of
Elias Levy, "Wide Open Source"
<end quote>

> Second, the temptation
> to pursue security-through-obscurity is much less.

The 'if you don't have access to the source code you can't be
really secure' belief.....

That's BS. I have been running MS Windows OS'es since 1991-92; I have
never had any virus, or worm on my various computers and OS'es.
I don't have the source code to those OS'es. Neither do I need it to make
my computers and the OS'es that run on them secure.
It's like this Ed. There is a lot the ordinary user can do when running
Windows to make their computer and its OS as safe as possible without
needing to access/view the source code. In Windows it's as simple and as
basic as installing a firewall, an anti-virus program, and keeping up
to date with MS updates.
The 'ordinary' user in OSS/Linux has to do a damned sight more than that
to achieve the same result.....

> (No, these
> things are not guaranteed! But they *are* tendencies.)

> A clueless user will screw up just about anything. In particular, a
> badly-managed Linux box is worse than a well-managed Windows box.
> I, for one, will not dispute that for a moment; I've had to clean up
> after too many clueless users...

>> Then why the 'down' on Microsoft when that happens on that OS, and
>> the defence of OSS/Linux when that happens on that OS?
>> It seems to me that you have a 'biased' approach to the problem of
>> clueless users....

> I like the analogy that someone else brought up: "Both systems will
> let you shoot yourself in the foot, but Linux requires you to actually
> find the gun, find the bullet, find your foot, and pull the trigger;
> Windows will load and aim for you, and pull the trigger for you if you
> accidentally lean your elbow on the wrong side of the bar."

And that's BS as well, and it's hardly advocacy for Linux/OSS...
Any insecure Linux/OSS system is just as insecure as any MS Windows

>> Nothing like COLA. There are some real 'nutcases' in that forum who
>> 'advocate' for OSS/Linux.....
>> Saying things like OSS/Linux is going to save the whole world from a
>> new dark age, that using Linux sets you 'free,' that it's such a
>> liberating 'experience' to become a Linux user, etc, etc.....

> These are also oversimplifications.

They're the *EXACT* words of Linux 'advocates' in that forum. Perhaps
you should take their 'over simplifications' up with them huh.... ;-)

> Using Linux sets you free *if*
> you approach it in the right way. It doesn't magically implement the
> "Do What I Mean" chip instruction...

Set me free from *what exactly?* They're JUST computer operating systems.

> That doesn't mean they should be logged in as "administrator" all
> the time. They should do it (or switch to it, or whatever) only
> when they actually need to administrate something.

>> Or run their computer securely so they don't need to switch accounts
>> to maintain the computer.

> Please define what you mean by "run their computer securely".

Like I do.....
The basics; Firewall, up to date anti-virus protection, up to date with
updates and patches. That will take care of 99% of the risks.
Then there's keeping up to date with the risks that are 'in the wild'
and making sure that your system is as immune as possible from those.
Then for pro-active security read/participate in forums that offer
advice on tweaking to cover the last 1%......

>> BTW have you ever tried to setup XP HE with a user account for daily
>> use, and get it to work with all the applications?
>> It's not a rewarding experience....

> Of course not -- it's XP HE. All of Microsoft's "home" editions piss
> me off no end. The "professional" versions are tolerable. (My
> favorite is Win2K. XP has a few UI tweaks that I'd like, but more that
> I'd hate.)

>>>> See the list of OSS/Linux websites that update at least once a
>>>> week, if not more often, all the vulnerabilities and flaws in
>>>> Linux/OSS..... For a secure OS, and applications, there sure are a
>>>> LOT of vulnerabilities and flaws listed....

>>> A more interesting measure would be the average delay time between
>>> the introduction of a vulnerability and its discovery.

>> No it wouldn't. Not when the claim is that it's inherently secure.

> Inherently *more* secure.

It isn't. The default Linux install is no more secure than a default
Windows install.....

> The only *truly* secure system is one that
> isn't hooked up to any networks at all, and for which you have
> personally built *all* the software from the ground up. Including
> writing the initial compiler in assembler. (Have you read
> "Reflections on Trusting Trust?") Obviously, anything approaching
> *that* level of security is incredibly inconvenient, hence used only
> by certain projects in the Department of Defense etc. that really
> need it. The rest of us settle for something that we feel is
> sufficiently secure.

>>> For the RPC
>>> vulnerability behind Blaster, wasn't this delay time something on
>>> the order of *twelve years*?

>> Cite please?

> *looks* Well, damned if I can find one. Which is why I didn't state
> it as fact. Anyone want to jump in on this point?

>> It only became a vulnerability once someone had figured out how to
>> exploit it; before that it was (still is?) a programming flaw....

> Security by obscurity. Bad approach. (Trapdoor ciphers are a good
> counterexample: even with complete source code for the encryption
> and decryption algorithms, and an encoding key, it takes huge amounts
> of computation to find the corresponding decoding key.)

That 'security by obscurity' must apply to Linux/OSS then, given all the
fixes that are listed on the Linux websites.... They're flaws in the OS
and apps that get discovered and fixed. No one knows about them (not
even the programmer apparently) until they are discovered and fixed.
Security by obscurity......

So here's what it does mean: Linux is a normal operating system; so is
XP. Both have bugs, some major, some minor. Anyone who tells you that
Linux is "inherently more secure" or "much less buggy" than XP simply
isn't working from current facts. The reality is that bugs happen, even
in Linux: Get over it.
story 2003/01/24

Replace the obvious with paradise to email me.
See Found Images at: