Computer Security - More tech fails to exorcise security risks

#1

"Current IT systems are inherently insecure and growing complexity will simply increase these risks, a leading academic has warned."

"Users should rebel and demand vendors compensate them for security foul-ups, said pugnacious Professor Klaus Brunnstein of the University of Hamburg."

http://www.securityfocus.com/news/11314

Imhotep

#2

Imhotep <> writes:
> "Current IT systems are inherently insecure and growing complexity will simply increase these risks, a leading academic has warned."
>
> "Users should rebel and demand vendors compensate them for security foul-ups, said pugnacious Professor Klaus Brunnstein of the University of Hamburg."

It has always astonished me how the IT industry has managed to avoid having to pay for their incompetence and sloppiness. From the millennium bug to all the security holes. No other industry could get away with it.

Unruh

#3

On 15 Sep 2005 00:06:38 GMT, Unruh wrote:
>
> It has always astonished me how the IT industry has managed to avoid having to pay for their incompetence and sloppiness. From the millennium bug

Since I had to modify code for y2k, I could understand where the coder did not think the code would still be running 15 years later. That and what was taught to them when they were in college.

> to all the security holes. No other industry could get away with it.

I would agree. It is a shame that IT management keeps agreeing to the End User Licence on the best damn virus magnet software vendor.

Bit Twister

#4

Imhotep wrote:
>
> "Current IT systems are inherently insecure and growing complexity will simply increase these risks, a leading academic has warned."
>
> "Users should rebel and demand vendors compensate them for security foul-ups, said pugnacious Professor Klaus Brunnstein of the University of Hamburg."

I'm surprised no one made any Exorcist jokes about this one!

Notan

#5

Bit Twister wrote:
> On 15 Sep 2005 00:06:38 GMT, Unruh wrote:
>>
>> It has always astonished me how the IT industry has managed to avoid having to pay for their incompetence and sloppiness. From the millennium bug
>
> Since I had to modify code for y2k, I could understand where the coder did not think the code would still be running 15 years later. That and what was taught to them when they were in college.
>
>> to all the security holes. No other industry could get away with it.
>
> I would agree. It is a shame that IT management keeps agreeing to the End User Licence on the best damn virus magnet software vendor.

Imagine a car company making cars with so many flaws. It would be like tires falling off while driving down the highway (twice a month). Yet they get away with it. Biggest scam going...

Imhotep

#6

Imhotep wrote:
on the best damn virus magnet software vendor.
>
> Imagine a car company making cars with so many flaws. It would be like tires falling off while driving down the highway (twice a month). Yet they get away with it. Biggest scam going...
>
> Imhotep

It's called Job security. There is no such thing as a completely safe computer connected to the net irrespective of OS. All OS's can be operated reasonably safely including MS.

THERE ARE NO SAFE OS's! This includes Linux, HPUX, OSX, VMS, OS2 etc.

The key is configuring the system to meet the use requirement, mitigate risk where possible, and detect inappropriate activity when it occurs, and shut down communications immediately, if a breach is detected, preferably before a data compromise takes place.

Windows is 90+% of the global computing market. see: http://www.wininsider.com/news/?224

It is only natural if one is going to hack into a system generically, one would spend their effort where one could optimize their efforts. Hacking is not easy. If I expend the effort on a target I will look to get the most bang for my time. I will want to exploit the most I can for the least amount of effort.

Secunia lists 3449 known viruses and worms for Linux for example see: http://secunia.com/search/?search=linux
These are against the LINUX base OS. Linux owns about 2.8% (I am being generous here) of the global desktop market share and about 28% of the global server share.

There are 11513 known viruses for Windows XP owning 35% of the global desktop market. There are several ways to measure the MS server share but in reality there are a number of very different OS's that make up the MS server share. So for purposes of this article we will compare virus vulnerability against the global desktop share. We could use other metrics, but the results will be similar.

The Global Windows XP desktop market share is 12.7 times higher than the LINUX desktop share.

By comparison of installed base Linux is 3.7 times more likely to be compromised by viruses. Do you run an anti-virus tool for LINUX? (I use McAfee for Linux) Would you know if you had a compromise?

Ok, let's look at the newly discovered vulnerabilities. MS has a disadvantage here due to the variety of services bundled in their products. But for this we can just look at the most recent CERT bulletin to compare: http://www.us-cert.gov/cas/bulletins/SB05-250.html

I like Linux, I like WinX. I even like IRIX. One must mitigate threats in any OS. But one should be very careful making blanket statements as to the safety of any OS. Windows is attacked more; it is the majority, by anyone's count of the installed base.

MS followed the wrong rules for setting up OS's until MS server 2003. I believe this was a serious lapse in judgment turning all services on instead of requiring an explicit open. MS has taken action to no longer open all services by default but require explicit opens.

But to believe you are safe in any OS is one step from compromise.

Enough said.

Winged

#7

Winged wrote:
> Imhotep wrote:
> on the best damn virus magnet software vendor.
>>
>> Imagine a car company making cars with so many flaws. It would be like tires falling off while driving down the highway (twice a month). Yet they get away with it. Biggest scam going...
>>
>> Imhotep
>
> It's called Job security.

Or software sales security...

> There is no such thing as a completely safe computer connected to the net irrespective of OS. All OS's can be operated reasonably safely including MS.

Sure nothing is totally safe as nothing is perfect. Sure I can agree with that. However, if you are replying to me, why the statement? If you think I was singling out MS with my analogy of a car losing its tires weekly, it was more a statement about software companies. Sadly, it is not just MS that is lacking in the software industry, it is most of the industry....

> THERE ARE NO SAFE OS's! This includes Linux, HPUX, OSX, VMS, OS2 etc.

Well, there is no absolute, sure.

> The key is configuring the system to meet the use requirement, mitigate risk where possible, and detect inappropriate activity when it occurs, and shut down communications immediately, if a breach is detected, preferably before a data compromise takes place.

Again, sure.

> Windows is 90+% of the global computing market. see: http://www.wininsider.com/news/?224
>
> It is only natural if one is going to hack into a system generically, one would spend their effort where one could optimize their efforts. Hacking is not easy. If I expend the effort on a target I will look to get the most bang for my time. I will want to exploit the most I can for the least amount of effort.

Well you also need to take into account what your purpose is. Is it to hack a financial company's database? If so, it is probably not running MS. It is probably Solaris w/Oracle, etc, etc. However, if you are looking to propagate an email worm, then you would target Exchange....

> Secunia lists 3449 known viruses and worms for Linux for example see: http://secunia.com/search/?search=linux
> These are against the LINUX base OS. Linux owns about 2.8% (I am being generous here) of the global desktop market share and about 28% of the global server share.

OK, I have a problem with that statement. Using the link above, I see the very first title "Slackware update for util-linux". Looking into this, it appears that this is a Slackware utility. In other words, this is not a Linux base OS issue but a Slackware issue. Second, you state above "Secunia lists 3449 known viruses and worms for Linux..." but this is neither a virus nor worm, this was a security flaw in a Slackware utility....

Article #2 -- Is a legit Linux security flaw (not a virus or Worm)

Article #3 lists as "SGI Advanced Linux Environment Multiple Updates". Doing some research it appears that this is SGI add-on software for Linux to run on their hardware. Read here: http://techpubs.sgi.com/library/tpl/...LE26552-PARENT

Furthermore looking into listings for SGI's A.L.E I see:

CAN-2005-2360 -- "Unknown vulnerability in the LDAP dissector in Ethereal 0.8.5 through 0.10.11 ..."
CAN-2005-2361 -- "Unknown vulnerability in the (1) AgentX dissector, (2) PER dissector...in ethereal 0.8.19 through 0.10.11"
CAN-2005-2362 -- Again ethereal
CAN-2005-2363 -- Again ethereal
CAN-2005-2364 -- Again ethereal

Well, I am going to stop here as I think I proved my point. Let's review. I looked at the first three listings (total of 7 issues) and only one was a legit Linux core security flaw...

Again, when reviewing or comparing like this careful scrutiny is needed for the data to be truly revealing (this has been my problem with the "Get the facts" campaign). For example, Ethereal (total of 5 of the 7 issues I read) should never be listed as a Linux issue. After all, not only is Ethereal a third party application and has nothing to do with Linux but also, I can run Ethereal on Windows also! Maybe Macs too???

> There are 11513 known viruses for Windows XP owning 35% of the global desktop market. There are several ways to measure the MS server share but in reality there are a number of very different OS's that make up the MS server share. So for purposes of this article we will compare virus vulnerability against the global desktop share. We could use other metrics, but the results will be similar.
>
> The Global Windows XP desktop market share is 12.7 times higher than the LINUX desktop share.
>
> By comparison of installed base Linux is 3.7 times more likely to be compromised by viruses. Do you run an anti-virus tool for LINUX? (I use McAfee for Linux) Would you know if you had a compromise?

Review your data before making that calculation!

> Ok, let's look at the newly discovered vulnerabilities. MS has a disadvantage here due to the variety of services bundled in their products. But for this we can just look at the most recent CERT bulletin to compare: http://www.us-cert.gov/cas/bulletins/SB05-250.html
>
> I like Linux, I like WinX. I even like IRIX. One must mitigate threats in any OS. But one should be very careful making blanket statements as to the safety of any OS. Windows is attacked more; it is the majority, by anyone's count of the installed base.

I too like Linux, FreeBSD and also Macs (Our CEO has one and I have played with it some, it is pretty cool I must say)....

> MS followed the wrong rules for setting up OS's until MS server 2003. I believe this was a serious lapse in judgment turning all services on instead of requiring an explicit open. MS has taken action to no longer open all services by default but require explicit opens.

They have had many goofs in judgment. Their patch management has also been very troublesome...They have held out on informing their users when they should not have...and don't even get me started on their marketing/business practices....

> But to believe you are safe in any OS is one step from compromise.

True. I have always said the worst security is when you hear someone say something like "Ah, don't worry about it we have a firewall". Like having a firewall was some kind of silver bullet....

> Enough said.

Ah, ok. But review your data. Honestly, I am interested in the results...

> Winged

Imhotep

#8

Winged wrote:
<snip (already replied)>
> By comparison of installed base Linux is 3.7 times more likely to be compromised by viruses. Do you run an anti-virus tool for LINUX? (I use McAfee for Linux) Would you know if you had a compromise?

I was wondering something. I reviewed your url (read my other post) and out of the first 7 listings (again read my other post) only 1 was legitimately a Linux security flaw. So, you stated that there were 3449 security flaws in Linux and 11513 for XP. Now I reviewed the first 7, found only one was a legit Linux security problem so that is 1/7. If the trend in the listings is in fact 1 out of 7 legit Linux security flaws that would make the 3449 really about what 500?

So, Linux has say what 3% desktop market, so 500 security flaws for 3% is about 165...

Windows (in all fairness I did not review the data, I will leave that up to you) 11513 security flaws for 35% of the desktop market so that is what...329.

That translates to you are twice as likely to get infected with XP as Linux...

Again, and to be fair, I do not believe in the formula of # security flaws / market share. Rather, I like to look at the mean time to fix a security flaw. That says a lot about the company. How serious are they to address problems? How quick are they to fix it? Do they inform people right away and let them know what to look out for? What is the total amount of security problems? For what period of time?

<snip>

Imhotep