
Re: The"Biggest Target" paradigm and its consequence

  • Subject: Re: The"Biggest Target" paradigm and its consequence
  • From: Richard Rasker <spamtrap@xxxxxxxxxx>
  • Date: Sun, 01 Oct 2006 22:36:27 +0200
  • Newsgroups: comp.os.linux.advocacy
  • Organization: Linetec
  • References: <pan.2006.09.30.17.30.20.356006@linetec.nl> <dr2o9u7tdxn8.dlg@funkenbusch.com> <pan.2006.10.01.08.32.10.871368@linetec.nl> <150itbeaan3gk$.dlg@funkenbusch.com> <pan.2006.10.01.16.52.01.545283@linetec.nl> <tn9sapuzcil3$.dlg@funkenbusch.com>
  • User-agent: Pan/0.14.2.91 (As She Crawled Across the Table)
  • Xref: news.mcc.ac.uk comp.os.linux.advocacy:1163087
On Sun, 01 Oct 2006 13:19:22 -0500, Erik Funkenbusch wrote:

> On Sun, 01 Oct 2006 18:52:03 +0200, Richard Rasker wrote:
> 
>> On Sun, 01 Oct 2006 11:38:03 -0500, Erik Funkenbusch wrote:
>> 
>>> On Sun, 01 Oct 2006 10:32:11 +0200, Richard Rasker wrote:
>>> 
>>>>> Ahh... the cutting off one's nose to spite the face argument.
>>>>> 
>>>>> How pedestrian.
>>>> 
>>>> Don't you think that a smaller market share for Microsoft would be a Good
>>>> Thing? By your own logic, it'd be the only solution to current problems.
>>> 
>>> No, it's not "by my own logic".  It's better to be a target, with the
>>> largest market share than to be safe in obscurity.
>>> 
>>>> Or do you propose we just "learn to live" with these problems ...
>> 
>> I guess that's a resounding "yes", then.
> 
> No, that's a "the entire industry needs to work on a solution that WORKS".
> The current "solution" only works if you're obscure enough to make it too
> much work to create an exploit.

Utter bullshit. Linux and other OSS isn't anywhere near obscure - it's
more transparent and open to anyone's eyes than Microsoft products will
ever be. And no, it's not obscure either in the sense that hardly anyone
has heard of it, or uses it. It's used on a huge scale in networking
applications, for starters. And if anyone wants to know how an OS is
constructed, Linux is the object of dissemination /par excellence/.

> Yes, Windows is easier to compromise, and by definition hackers will take
> the easiest route, but that doesn't make Linux immune.

How often must we repeat this: no-one here says that Linux is immune.

> It just makes it more obscure because the techniques to attack it are
> less mature.

Huh? Could you run that by me once again? No, on second thought, don't
bother. You should get your history right before shooting your mouth off.

The techniques used nowadays to attack Windows have for the most part been
*developed* on Linux, because of its open nature. Rootkits and buffer
overflow exploits were available for Linux long before these mechanisms
became the Windows scourge we know today. Windows attacks by then
consisted mainly of simple syscall redirects any high school kid could
figure out, infecting executables, or even simpler auto-execute VBA-style
virus scripts.
The problem was that Linux didn't prove to be a good breeding ground for
these means of attack. Vulnerabilities were patched almost as soon as they
were discovered, and the permission system made it quite difficult to get
anything malicious to execute on users' systems.

The only "maturity" you can claim here is the packaging of these attack
mechanisms into handy building blocks, ready for use by any idiot.

For all the rest, all attack mechanisms were developed on Unix and Linux
before they found a really juicy target in Windows. FYI: I translated
several books on Linux/Unix hacking and general computer security
principles, so I think I know what I'm talking about.

> Security is one of those funny things.  You can talk about being "more"
> secure, but there's no such thing.  A vulnerability is a vulnerability,
> and even one makes you just as insecure as anyone else.  Security is a
> binary condition, either you are or you aren't.

Phwooaar! Do you have ANY idea how silly you sound? "Security is a binary
condition"? Hahahaha! Well then, I'd better stop working on this
rehabilitation robot project, for which I'm developing security systems to
keep this 2,000 pound metal contraption from hurting people instead of
helping them heal. And I'd better tell project management first thing
in the morning that they just wasted $8,000 on me, as I can't guarantee
the binary "1" condition of total and absolute security.

There's a whole industry making loads of money assessing the chances of
things going wrong, and minimizing these chances where possible. Security
is all about *statistics*. And statistics both predict and show that Linux
is vastly more secure than Windows.
Binary security ... I guess you believe you have a 50% chance of winning
the lottery jackpot too - either you win, or you don't ...

> 10 years ago, talking about exploiting buffer overflows was laughed at.
> It was too difficult for any but the most advanced guru.  Then a few
> tools were produced that made the job ridiculously simple, and suddenly
> buffer overflow exploits were everywhere.

The concept of buffer overflow exploits was developed on Linux/Unix. Once
people figured out how to do it, developing the tools was trivial - for
any architecture you care to mention. It just turned out that the Windows
platform was both an easy and (yes, a point for you) attractive target.

Richard Rasker

-- 
Linetec Translation and Technology Services

http://www.linetec.nl/

