PDA

View Full Version : Windows is not the only OS, which could get a security flaw



stu140103
10-11-2003, 12:58 PM
It looks like Windows is not the only OS which could get a security flaw ;) :D :p

Have a read of this:

Attempted attack on Linux kernel foiled (http://www.zdnet.com.au/newstech/security/story/0,2000048600,20280669,00.htm)

From ZDNet AU

mark.p
10-11-2003, 01:02 PM
Did anyone say it was?

metla
10-11-2003, 01:04 PM
If Linux was attacked by all the fools that focus on breaking Windows then it would be ripped apart.

Destroyed

Raped.

mark.p
10-11-2003, 01:04 PM
Oh and the key world is "attempted" ;)

mikebartnz
10-11-2003, 01:19 PM
Sorry Metla.
While I agree with you in that if it had the same numbers as Windows more attempts would be made it is inherently more secure otherwise the web would be crippled now as most web servers now run on Linux. eg it hasn't got everything bolted on to the kernal as in windows ( IE etc) and most services are defaulted to off unlike Windows eg what home PC would ever need UPnP which MS were warned about before shipping XP but chose to ignore in the rush to get it out the door.
You say it would be destroyed yet Windows has not been but they are starting to loose market share and for more reasons than just security.

rsnic
10-11-2003, 01:50 PM
Security in windows has always taken a back seat to delivering a money making product on time. The make now, fix the holes later policy. Hopefully recent attacks will make them change their strategy.

mark.p
10-11-2003, 02:07 PM
It guarentees thre will be a need to support-captured market as you will.
But think of all the wasted effort and downtimes cause because of it...

Gorela
10-11-2003, 06:46 PM
Hi Mike,

Don't forget that one reason for the additional security in linux is due to having "user accounts". The concern starts when you have people not bothering to create a user account and purely using the root account.

There have been people on this forum saying "Why should I have to have a seperate user? It's my computer!"

And then of course there is the latest version of Lindows which has default settings of no root and no password. :O

bmason
10-11-2003, 07:55 PM
Even openBSD (the only [common] OS that truely takes it seriously) has security flaws. It is unfortuantly inevitable (esp. while everyone is still using C).

What really matters is the track record of the OS or application:
- How frequently are holes discovered?
- Do they notify people so they can take preventative measues?
- How long until they are fixed?
- Did good design limit the extent of the problem?
- Are they making changes to prevent similar problems?
- etc.

ntddevsys
10-11-2003, 09:52 PM
Its a Popularity thing

Microsoft Super Popular = More Crackers Interested

One of the reasons why we havn't seen Cellphone Virus's yet. No-ones going to write a virus just for Sony Ericssion P300s for Example.

I also think its because the Crackers are on OpenSauce

JohnD
10-11-2003, 10:23 PM
As others have said, the issue is not really that any OS has security flaws - they all do - what else could you expect with the millions of lines of code they have! The real issue is what happens when a security flaw is identified? Do we wait for a fix from MS while they continue to make the best out of the marketing ploy of "Secure Computing", or do we get a quick and well written fix from the open source community?

Chilling_Silently
10-11-2003, 10:59 PM
That's the great thing about it being open-source.. everybody could see it and fix it. Imagine if Bill gates decided to modify the code a few days becore it was compiled for shipping and stuff.. Who'd stop him? Certainly not the customers who buy his product, correct?

And then there's the "virus" in linux.. it can really only do damage to the users personal files, but not the rest of the system or any other users personal files.

A properly setup PC in Linux (Say, a LFS system with Apache and a few other Apache dependancies) will be nearly impenetrable.

With Doze though, you still have to Update Internet Explorer even if you dont use the stupid thing!

bmason
10-11-2003, 11:10 PM
Bruce has a good point in todays aardvark (http://www.aardvark.co.nz/). If MS (or any other company, a sponsor in the case of opensource) really cared about security they would be offering a reward to anyone who finds a bug.

This would influence both developers and [h|cr]ackers. For the developer, every line of code they write will have a potential cost. For those looking to break it, it would be a much more respectable than ratting our your peers.

mikebartnz
10-11-2003, 11:33 PM
Yes that is a pathetic move by Lindows and could do a lot of damage to Linux in general

mikebartnz
10-11-2003, 11:36 PM
Sorry couldn't resist it but is that like Tomato sauce :D (source)

mikebartnz
10-11-2003, 11:43 PM
>For the developer, every line of code they write will have a potential cost.

When you take the fact that most open source developers do not gain any renumeration from their work that would actually kill the open source community so I think that scheme would do more damage than good. It would even make the closed source community fear too much.

mark.p
11-11-2003, 08:34 AM
> Its a Popularity thing
>
> Microsoft Super Popular = More Crackers Interested

Hmmm the thing is MS had been notified of vulnerabilities "before" releasing there latest incarnations of MS Windows.

> One of the reasons why we havn't seen Cellphone
> Virus's yet. No-ones going to write a virus just for
> Sony Ericssion P300s for Example.

So diversity is good
OSS gives folk that

>
> I also think its because the Crackers are on
> OpenSauce
Sause on crackers is good ;)

Where's all the proof that OSS folk are to blame? More like teen age script kidies out for a cheap thrill....................

cyberchuck
11-11-2003, 09:02 AM
> Yes that is a pathetic move by Lindows and could do a lot of damage to Linux in
> general

True, but you have to remember that even if people did have seperate accounts, how many users would give themselves privilages to access most of the system anyway? Some people [generally] only click to the fact that you can't access certain files after they get a virus or stuff something up big time.

There was a Sharktank thing about something like that a few weeks ago...
This control-freak IT manager just HAS to have the same rights that his
mainframe programmers and operators have. Then one day, the entire
transaction system vanishes suddenly for 400 users. "Even stranger, a
crisis had occurred, and the boss wasn't demanding a status report,"
says a pilot fish on the scene. Apparently, the boss had had trouble
logging out, so he used a very risky, very restricted,
warned-about-in-the-docs utility. "He logged himself out -- and took
400 users with him," says fish. "He let us take away his unnecessary
authorities after that. No arguments."

-=JM=-
11-11-2003, 09:14 AM
> Where's all the proof that OSS folk are to blame? More like teen age script > kidies out for a cheap thrill....................

Well to a little extent some of the crackers will be using non-MS systems (GNU/Linux for example) and are VERY anti-MS and hence go putting out the worms/viruses etc for Windows systems.

Just a guess though.

Chilling_Silently
11-11-2003, 09:53 AM
> > Yes that is a pathetic move by Lindows and could do
> a lot of damage to Linux in
> > general
>
> True, but you have to remember that even if people
> did have seperate accounts, how many users would give
> themselves privilages to access most of the system
> anyway? Some people [generally] only click to the
> fact that you can't access certain files after they
> get a virus or stuff something up big time.

I learned this after I used root for all my day-to-day things and removed the /initrd folder (Which was empty).
Had I been a regular user, it would have been write-protected and set off warning bells in my head.

Personally, I've put in restrictions on my PC, such as mounting my FAT32 partition which contains my Media and Installation files as 744, so I only have Read-Only access.. Once a week or so, when it comes time to update it, I'll su to root and modify it.

It just means I cant hurt it myself accidentally and that's a great thing.

In Doze, I didnt have that option, and many-a-time have my family killed their own media collections among other things!

mark.p
11-11-2003, 10:46 AM
If you had a NT based system with NTFS you would have been able to limit access. Its interesting that Linux can provide those restrictions on Fat32 drives and MS's own OS's can't. GNU/Linux does take a while to get one's head around. But it's like anything new/untried it takes time, a little research , trial and error. Using a restrictive user account to surf the internet just makes sence. Haven't gone completely MS free yet, but am getting there. After 12 years of being assimilated by the Borg its natural ;). And look fwd to Geoffs articles.

Chilling_Silently
11-11-2003, 11:46 AM
Yes, but people have to learn to use one OS or another...

Its like growing up on cows milk and getting used to soy milk.. Still milk right (OS), but just still different. Some people grow up on cows milk, some on soy milk...

Either way, it just takes a bit of "getting used to" the other type of milk.

I agree that it is rather amusing how MS cant even put those read-only restrictions on that file-system, yet Linux can :-)

And I agree about using a restrictive account... While I do tons of stuff every day as root (Such as compiling/installing apps, tweaking my system settings etc) the very fact that I have to type:
su
before I begin makes me realise that what Im doing is not something that can be fixed by creating a new user....!

Aside from that, if im going to let somebody else use my PC, why should I let them have the ability to change my network settings, remove my apps, and ultimately format my PC? Yet in Windows, my two year old brother has this... and I've actually found him in a lot of place he should be, such as changing from a static IP to a DHCP IP!!! He's two years old!

</Rant>


Chill.

cyberchuck
11-11-2003, 11:55 AM
> I agree that it is rather amusing how MS cant even put those read-only restrictions
> on that file-system, yet Linux can :)

I thought that was because in Linux you had to mount Windows Fat32 partitions and in mounting something you can specify if you want to have R/W access to a drive or just read access... Whereas in Windows you can't mount a drive that's already mounted and by default if a user can read a mounted drive they can effectively write to it (exception of course with CDRom media)? That's the nature of the FAT32 file system...
Although I'm sure that there are some registry tweaks around which allow you to use C: drive as read only..?

Then again I suppose it'd be as useful as having a root password of 'password'... Security/Safety is a 2 sided coin don't forget.

rsnic
11-11-2003, 12:21 PM
Then again it could be an x-microsoft employee shafted for taking pictures of bill gates playing minesweeper on a mac, the skies the limit. The fingers always pointed at the competition, no matter what side of the fence your on.

mark.p
11-11-2003, 12:29 PM
So true. Considering MS employees have to eat there own dog food it's quite possible X MS employees are involved ;)

flyer590
11-11-2003, 01:34 PM
> Yes that is a pathetic move by Lindows and could do a
> lot of damage to Linux in general

I am using LindowsOS right now and am logged in as root. This does not really bother me at all - even with LindowsOS logged in as root it is more secure than Windows. There is nothing stopping me from creating a user account but I choose not to because it causes more inconvenience when installing programs, modifying system files, etc. If I accidentally destroy something the system needs then it doesn't bother me, because I will learn that I shouldn't do that next time. :D

-=JM=-
11-11-2003, 01:40 PM
> ...and ultimately format my PC? Yet in Windows, my two year old brother has this... and I've actually found him in a lot of place he should be, such as changing from a static IP to a DHCP IP!!! He's two years old!

Not sure about anyone else, but I know that when formatting a PC I can usually do it without needing to use the operating system that is used :-P

Windows can be configured in a way to prevent a user allowing IP changes and similar I'm sure, haven't played around with it myself seeing as I'm a sole user on this computer.

As you said though. It is very much a different strokes for different folks type situation and of course what role the computer is going to be playing.

metla
11-11-2003, 02:22 PM
i disagree strongly,Soymilk is not milk by any stretch of the imagination and should be wiped out.


That goes for false meat products as well.


And decaffinated coffee.



................................................HA

Susan B
11-11-2003, 02:49 PM
<troll>

Call me cynical but isn't it strange that the Open Source community seem to all be such goodie-goodie-two-shoes types that would never write malicious code into a program or even into the Linux OS to gain them access to other people's machines or whatever? It would be so easy to do and done cleverly enough may take a long while to be noticed by anyone else.

After all, lots of people accuse Microsoft of dirty tactics such as snooping around hard drives when registering/checking for updates, etc to see what the hardware is and/or what programs are being run, etc. Why wouldn't there be a small section in the Linux programmers community with similar "sinister" motives, or worse? Are there none at all? It is human nature to have a few black sheep amongst the crowd after all....

</troll>

cyberchuck
11-11-2003, 03:06 PM
> Call me cynical but isn't it strange that the Open Source community seem to all be
> such goodie-goodie-two-shoes types that would never write malicious code into a
> program or even into the Linux OS to gain them access to other people's machines
> or whatever? It would be so easy to do and done cleverly enough may take a long
> while to be noticed by anyone else.

I'm sure I've read about that somewhere.. Just can't remember where to get a decent link..
This was also raised on NZLug a few days ago (IIRC) and the general concensus was that it would be harder as OpenSource means open source and people can publically go and view the code so someone would be bound to pick up the flaw.
The other side of the arguement was that not everyone looks at source code - they just want a program that works and who cares how it runs. And with the number of OpenSource applications I'd be surprised if someone hadn't tried it as it's practically impossible to monitor all the projects.
But you have to remember that it depends how the program is setup first - eg: lets say Gaim has a backdoor to it and I run Gaim under my account - then it means that Gaim is running with my privilages and can only access what I can access. However, if I get super user privilages and then set gaim up as a system service (no Idea why I'd want to do that, but yeah) then assuming it loads on startup, it would have root privilages and access to the entire system - although the point is I'd have to manually tell it to run on startup before it got root privilages and even then I try and get programs to use their 'own' special accounts which get locked down as much as I possibly can to stop that happening. Just means that if Gaim was running under it's own account it could only access the files it needs to run and everything else is off limits...

Although it's nothing a good firewall shouldn't pick up...


CyberChuck

-=JM=-
11-11-2003, 04:42 PM
> Just means that if Gaim was running under it's own account it could only access the files it needs to run and everything else is off limits...

Such as the log files. There can be A LOT of information in those ;-)

-=JM=-
11-11-2003, 04:48 PM
> Just means that if Gaim was running under it's own account it could only access the files it needs to run and everything else is off limits...

Such as the log files. There can be A LOT of information in those ;-)

Graham L
11-11-2003, 04:55 PM
Not as easy as that, Susan. But it would also be very easily detected.

Those who write the code might not do it for money, but they do it for recognition. That recognition is not just the respect of the community --- it often pays off in that they get very good job offers. There's enough hard work involved in getting OS code right that anyone who got their fun by sabotage wouldn't last long enough to get malicious code into the system.

I think it was Dennis Ritchie who owned up to having put a backdoor in the C compiler in the very early days. That was very cleverly done ... and it was so subtle that it was pretty well undetectable. But --- he was the programming community involved. If there had been dozens of people involved, he couldn't have done it.

Chilling_Silently
11-11-2003, 05:57 PM
Susan>
Ive written a "Virus" for linux... This is pretty much all the damage that can be done in ANY linux system:
rm -rf ~/

You know what? Good backups means that this doesnt really matter either, coz I'll be able to restore a backup, say from CD, and in 5 minutes be back up and running!

The great thing about opensource is that if some numbnuts trys anything like that, Its not terribly hard for Joe Bloggs down the road to remove that part of the code and start his own branch of SoftwareXYZ :-)

PoWa
11-11-2003, 08:20 PM
> The other side of the arguement was that not everyone looks at source code - they just want a program that works and who cares how it runs. And with the number of OpenSource applications I'd be surprised if someone hadn't tried it as it's practically impossible to monitor all the projects.

Exactly. Also practically everyone downloads the rpms or whatever that are easier to install. Now what if the author decided to include some small, malicious code just in the rpm file - but leaves the source code available without the flaw, so no-one would suspect anything. Now it could be said that whoever is trusted with the final job of compiling the source code, could insert anything they liked into it just before compiling and then distributing it.

segfault
11-11-2003, 08:26 PM
Thats true, but again, it would be very bad (recognition wise) for the person involved. If you don't trust third party rpm's, then don't use them.

The thing that seems to be overlooked is that this situation is no better on windows.

agent
11-11-2003, 09:20 PM
Can we stop with the getting paranoid about Linux source code thing?

You're starting to worry me... at least before I was only concerned about the dangers in Windows, but now you've shed a whole new light on something... just starting to make me concerned about what I download to try on Linux.

Bless Linux' lack of support for my modem, or else I'd be really paranoid by now :D

bmason
11-11-2003, 10:36 PM
> Can we stop with the getting paranoid about Linux source code thing?

OK, how about the compiler (http://cm.bell-labs.com/who/ken/trust.html) instead? :D

mikebartnz
12-11-2003, 12:17 AM
You have not made the true move yet.

mikebartnz
12-11-2003, 12:21 AM
Bah

mikebartnz
12-11-2003, 12:28 AM
Pure spectulation. One of the reasons MS is hit so hard is that the OS is not a secure modal

mark.p
12-11-2003, 09:02 AM
> > Yes that is a pathetic move by Lindows and could do
> a
> > lot of damage to Linux in general
>
> I am using LindowsOS right now and am logged in as
> root. This does not really bother me at all - even
> with LindowsOS logged in as root it is more secure
> than Windows. There is nothing stopping me from
> creating a user account but I choose not to because
> it causes more inconvenience when installing
> programs, modifying system files, etc. If I
> accidentally destroy something the system needs then
> it doesn't bother me, because I will learn that I
> shouldn't do that next time. :D

Connecting to the internet on any operating system using a "root/superuser/administrator" account is asking for trouble. I guess you haven't dicovered the ALT-F* functions yet............................................... ...................

Kame
12-11-2003, 12:02 PM
Every program/source should have a checksum for integrity/validity, without this I would not trust a package install if no checksum is provided, I would however download the source without a checksum, as I am capable of understanding it.

Chilling_Silently
12-11-2003, 12:23 PM
> I would
> however download the source without a checksum, as I
> am capable of understanding it.

Im not :p

And do you really want to go viewing the WHOLE source code to make sure nobody's screwing round in it?
I mean, sure, if you suspected something might be a bit fishy about it, but for general apps? GNOME? Kde? X?

;-)

Dolby Digital
12-11-2003, 01:14 PM
>>After all, lots of people accuse Microsoft of dirty tactics such as snooping around hard drives when registering/checking for updates, etc to see what the hardware is and/or what programs are being run, etc. Why wouldn't there be a small section in the Linux programmers community with similar "sinister" motives, or worse?
Susan, wash your mouth out :D
Of course Microsoft do it under the guise of business. You are probably right that there are naughty Open Source programmers out there but with Open Source, the source gets vetted before going anywhere near a alpha release, let alone a production release (for trojans embedded in a piece of Open Source software as opposed to trojans in the wild).
You get more fame (and fortune?) for writing something for the biggest market share.

mark.p
12-11-2003, 02:52 PM
I hope the two progies I just installed from source code didn't have any :( My first attempt and all went well. Who said installing proggies from source in Linux was differcult?

Graham L
12-11-2003, 03:17 PM
Those who think that nasty Linux people could (and, of course, would :O)put viruses in RPMs, show us the evidence.

I can't find any reports of this happening with Google. I can find "more than one" reports of viruses/spy/malware in downloads for "another OS".

If you get an RPM from a normal source you can get a signature with it, which guarantees that what you have got is exactly what the author released. You generally find the places from which to unload an RPM from postings by happy campers, who by definition have not had problems, or from the official sites of distribution companies, who are very careful indeed.

The certificate which shows that MS packages are "approved" can be easily faked. The method is trivial.

mark.p
12-11-2003, 09:42 PM
Carefull G.L. Some folk may say it's because linux is a hobbiest OS and doesn't have the market penetration (slap-ouch!!) MS Doze does ;). Another point is -why hasn't there been a large number of java exploitations in Linux compared those on MS Windows. With it being multi-platform and all.

segfault
12-11-2003, 09:45 PM
Thats because Microsoft use their own java implementation on windows. They don't use Sun's version of Java.

Chilling_Silently
12-11-2003, 09:46 PM
> Another point is -why
> hasn't there been a large number of java
> exploitations in Linux compared those on MS Windows.
> With it being multi-platform and all.

I think this comes back to the whole fact that in Linux, Im given R/W access to:
/home/Chilling_Silence
/tmp
and that's about it.. I can make other folder R/W... but they arent normally....
so I cant really do damage like that to my PC if I cant write to the Program Files equiv in Linux can I?!

metla
12-11-2003, 09:51 PM
> Thats because Microsoft use their own java
> implementation on windows. They don't use Sun's
> version of Java.

heh?

You will find that only early releases of winxp used the windows version,and after court procedings that was dropped complety,Service pack disables the windows version.

segfault
12-11-2003, 09:53 PM
Correct. But no-where did I mention that this was specific to only Windows XP.

mark.p
12-11-2003, 10:05 PM
I beleive when XP was released java was not included but downloadable from MS. XP SP1 included it ( because of bussiness market presssure)and the consequent SP1a had it removed again and MS took it of their website.

-=JM=-
12-11-2003, 10:37 PM
Isn't the home directory one of the MOST important area to have programs not be able to access. Seeing as that is where one would store documents created by ones self.

I don't know anyone that uses the Windows JVM they all use the Sun one.

segfault
12-11-2003, 10:47 PM
It really depends what your set up is. I have all my files (documents, music, videos, etc) mounted over an NFS share. If I lost my home directory, it would take me about 30 minutes to recreate. Most of the files in there are configuration files for the apps that I use.

It always pays to have backups though.

Chilling_Silently
12-11-2003, 10:48 PM
Sorta.. and Sorta not...

Think about this:
Would you rather:
A. Have all your documents and settings lost and have to revert back to last weeks backups?
Or:
B. Lose your whole OS, have to format and re-install all your apps, re-apply updates, patches, service packs, and settings, then restore your documents too?
Its not that hard in Linux to make a backup of my folder.. I have a folder called /transfer which is accessible over the LAN.
all I have to do is:
cp ~/ /transfer/backup
and thats it.. a few mins later I have a fully working backup.

Should I damage my user somehow majorly, its a simple matter of deleting my user, re-adding it, and re-copying the files back across my HDD :-)

However.. If you dont do regular backups then you're screwed anyways ;-) :p

-=JM=-
12-11-2003, 11:01 PM
the OS is irrelevant, it's how the OS is setup. it's all in the admin/user

Chilling_Silently
12-11-2003, 11:11 PM
True, but WinXP defaults to Administrator accounts... Win9x was useless for local security...

You are right though :-)

agent
13-11-2003, 08:36 AM
Well part of it is also personal preference...

For my account in Windows XP, all I did was rename the default administrator account to my name.

And call me ignorant and stupid for always using the administrator account, but it is my personal preference. I did once try having a separate account, in my previous installation, but it was too much hassle. Because I am constantly installing, uninstalling, configuring services, testing apps, trying out things that are new to me, etc.

The point is, it was too much hassle for me to be constantly right clicking on things and selecting 'Run as... administrator'. The least I can do is install a firewall, run on-access virus scanners, and be knowledgeable about what I run (I learnt that after I released Nimda on my network... don't know how I actually got it in the first place, because it obviously got past my virus scanner, but yeah... I was using Windows ME back then).

mark.p
13-11-2003, 08:59 AM
> Well part of it is also personal preference...
,SNIP>
> The point is, it was too much hassle for me to be
> constantly right clicking on things and selecting
> 'Run as... administrator'. The least I can do is
> install a firewall, run on-access virus scanners, and
> be knowledgeable about what I run (I learnt that
> after I released Nimda on my network... don't know
> how I actually got it in the first place, because it
> obviously got past my virus scanner, but yeah... I
> was using Windows ME back then).
This is where Linux has it over XP. You press alt-F* logon as root and do the biz.

Chilling_Silently
13-11-2003, 09:55 AM
Yeah.. Or just open a konsole/gnome-terminal and type:
su
and you're root... Do as you please as root, but it really makes you think twice about what you're doing. Its a minor inconvenience for the piece of mind I have about security.

You can always do xnest :D

whetu
13-11-2003, 10:04 AM
you could always just switch user in xp... more accurately its an advantage that lunix has over 2k where you have to log out and then log in as an admin...

just suffice to say that every os has its pros and cons, different strokes for different folks and at the end of the day, especially when it comes to security, it all boils down to who setup the OS and how they set it up. I know admins who could setup a more secure win32 box than joe.random.lunix.user's default redhate install... I also know admins who could setup a lunix desktop infinately more secure than a win server setup by joe.random

(and for those wondering about all the use of "lunix" and "redhate" - it's a somethingawful.com (http://somethingawful.com) thing, and this is where it all peaked:
http://somethingawful.com/articles.php?a=127
which is really SA specific.. you've got to read a bit of SA to get it

oh and something else to consider:
http://www.linuxisforbitches.com

Chilling_Silently
13-11-2003, 10:25 AM
Very nicely put :-)

Too true as well :-)

agent
13-11-2003, 11:05 AM
You could indeed use Fast User Switching in Windows XP.

But I prefer to use the more secure Windows 2000 style login interface, and the ability to 'lock' the computer, than Fast User Switching and having it show things like running applications, number of emails waiting, let alone allowing you to switch off/hibernate/restart/suspend the computer, or press Ctrl-Alt-Del and try any number of user logins (that's debatable, but at least with the Win2K style, as the administrator is the user logged in, there is only one user who can log in {despite the fact I'm the only user, unless you count the disabled guest account}). And I log all logins, whether they are successful or not, so yeah...

-=JM=-
13-11-2003, 01:59 PM
XP can be set up to not allow multiple logins.

agent
13-11-2003, 03:58 PM
Ah well... I like having to press Ctrl-Alt-Del to login...