In comp.os.linux.advocacy, Ezekiel
<f@xxxxx>
wrote
on Tue, 15 Jul 2008 19:56:23 -0400
<138b$487d392a$21280@xxxxxxxxxxxxxxxxx>:
>
> "The Ghost In The Machine" <ewill@xxxxxxxxxxxxxxxxxxxxxxx> wrote in message
> news:78dvk5-v1o.ln1@xxxxxxxxxxxxxxxxxxxxxxxxxx
>> In comp.os.linux.advocacy, Ezekiel
>> <y@xxxxx>
>> wrote
>> on Tue, 15 Jul 2008 14:50:19 -0400
>> <c5418$487cf16d$11172@xxxxxxxxxxxxxxxxx>:
>>>
>>> "Rex Ballard" <rex.ballard@xxxxxxxxx> wrote in message
>>> news:3a7feffc-5662-4845-80f1-9f3c075d5b70@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
>>>> On Jul 15, 9:56 pm, Roy Schestowitz <newsgro...@xxxxxxxxxxxxxxx>
>>>>
>>>> Now, anyone want a guess as to how many weeks or months a Linux
>>>> desktop system will run before it's infected?
>>>
>>> I don't know... how long did it take them to infest all of the pages on
>>> Roy Schestowitz's website with malware and trojans? How long did it take
>>> them to get the Ubuntu servers to start attacking each other?
>>
>> Probably far less than 8 seconds, actually, by an automated
>> scanner unit that knew exactly what to look for. (The 8
>> seconds refers to the average time between attack packets
>> from any already-compromised source. You are asking how
>> long the infection took -- a different question. Bear in
>> mind that transmission rates to Roy's server are probably
>> on the order of megabits per second, if not hundreds of megabits;
>> a 1460-byte packet would therefore take 146 microseconds
>> to receive on a 100 Mb/s system, and only a few packets are
>> usually needed, though it depends on the vulnerability's nature.)
>>
>> One wonders what IIS/6 is vulnerable to.
>>
>> As of 4 days ago:
>>
>> http://www.us-cert.gov/cas/techalerts/TA06-192A.html
>>
>> suggests the following:
>>
>> VU#395588 - Microsoft Internet Information Services vulnerable to remote
>> code execution via specially crafted ASP file
>> VU#189140 - Microsoft Server Service Mailslot vulnerable to heap
>> overflow
>>
>> (there are others in the article but they are not related to IIS, and
>> I'm not sure 189140 is either).
>>
>> Patches are available, of course. This was Roy's greatest failing,
>> presumably: not keeping his system up to date.
>
> So why wasn't the system kept up to date?

He got sloppy, why else? If you want specifics, you'd have
to ask him.

> There have been many, many posts
> here in COLA about how "easy" and "ultra reliable" linux updates are.

They are neither easy nor ultra reliable, though for the most part
they're relatively painless. However...

- ask anyone who's had to transition through the XFree86->XOrg update,
  not that long ago. The Firefox 2->3 transition looks to be
  problematic as well, mostly because there's several browsers
  depending on Firefox 2 code.

- ask anyone on Gentoo who's had to revdep-rebuild a bunch of crap
  because a low-level library mutated, or, more likely, found out
  afterwards that a main tool such as galeon is broken because of
  a library version mismatch.

- ask anyone who's had to rebuild OpenOffice over the course of
  3 days. (To be fair, there is an openoffice-bin, but that
  only works on x86, AFAIK.)

- for that matter, ask anyone who's tried to do something
  with Gentoo then found out their tree is so out of date
  that they can't update their systems as the download's gone.
  (Have I mentioned GAMBAS is marked for removal? Seems that
  the upstream has died.)

Contrast that to Microsoft Magic Fingers Update, which just
does its thing, and breaks whatever the user is running
at the time by rebooting, but that's a minor detail;
you didn't *really* need that long-running rendering job,
did you?

> People have said how they just have their system update automatically
> because the package managers are so smart and sophisticated.

They have some intelligence, but Gentoo's is not automatic -- unless
one does 'emerge --sync' as part of a cron script, and I for one
don't care for that sort of thing.

> Yet in the
> real world we see time and time again linux systems that are not being
> updated regularly.

And therefore compromised. It is a problem.

The price of freedom from viruses is eternal vigilance.

>
> I suspect that updates are not as "trouble-free and reliable" as people
> claim they are.

Correct.

> Take the Ubuntu servers that were hacked for example...
> they weren't updated because the new kernel no longer supported the NIC's
> in the machines. How can anyone claim trouble-free and reliable updates
> when Ubuntu didn't update their own servers because they /knew/ that the
> NIC's were no longer supported and wouldn't work. What's that all about?

Confusion, that's what it's about. What do you expect, miracles?

>
> ** Posted from http://www.teranews.com **
--
#191, ewill3@xxxxxxxxxxxxx
Useless C/C++ Programming Idea #11823822:
signal(SIGKILL, catchkill);