More tech fails to exorcise security risks

Discussion in 'Computer Security' started by Imhotep, Sep 14, 2005.

  1. Imhotep

    Imhotep Guest

    "Current IT systems are inherently insecure and growing complexity will
    simply increase these risks, a leading academic has warned."

    "Users should rebel and demand vendors compensate them for security
    foul-ups, said pugnacious Professor Klaus Brunnstein of the University of
    Hamburg."

    http://www.securityfocus.com/news/11314

    Imhotep
     
    Imhotep, Sep 14, 2005
    #1

  2. Unruh

    Unruh Guest

    Imhotep <> writes:

    >"Current IT systems are inherently insecure and growing complexity will
    >simply increase these risks, a leading academic has warned."


    >"Users should rebel and demand vendors compensate them for security
    >foul-ups, said pugnacious Professor Klaus Brunnstein of the University of
    >Hamburg."


    It has always astonished me how the IT industry has managed to avoid
    having to pay for their incompetence and sloppiness. From the millennium bug
    to all the security holes. No other industry could get away with it.
     
    Unruh, Sep 15, 2005
    #2

  3. Bit Twister

    Bit Twister Guest

    On 15 Sep 2005 00:06:38 GMT, Unruh wrote:
    >
    > It has always astonished me how the IT industry has managed to avoid
    > having to pay for their incompetence and sloppiness. From the millennium bug


    Since I had to modify code for y2k, I could understand where the
    coder did not think the code would still be running 15 years later. :(
    That and what was taught to them when they were in college. :)

    > to all the security holes. No other industry could get away with it.


    I would agree. It is a shame that IT management keeps agreeing
    to the End User Licence on the best damn virus magnet software vendor.
     
    Bit Twister, Sep 15, 2005
    #3
  4. Notan

    Notan Guest

    Imhotep wrote:
    >
    > "Current IT systems are inherently insecure and growing complexity will
    > simply increase these risks, a leading academic has warned."
    >
    > "Users should rebel and demand vendors compensate them for security
    > foul-ups, said pugnacious Professor Klaus Brunnstein of the University of
    > Hamburg."


    I'm surprised no one made any Exorcist jokes about this one!

    Notan
     
    Notan, Sep 15, 2005
    #4
  5. Imhotep

    Imhotep Guest

    Bit Twister wrote:

    > On 15 Sep 2005 00:06:38 GMT, Unruh wrote:
    >>
    >> It has always astonished me how the IT industry has managed to avoid
    >> having to pay for their incompetence and sloppiness. From the millennium
    >> bug

    >
    > Since I had to modify code for y2k, I could understand where the
    > coder did not think the code would still be running 15 years later. :(
    > That and what was taught to them when they were in college. :)
    >
    >> to all the security holes. No other industry could get away with it.

    >
    > I would agree. It is a shame that IT management keeps agreeing
    > to the End User Licence on the best damn virus magnet software vendor.


    Imagine a car company making cars with so many flaws. It would be like tires
    falling off while driving down the highway (twice a month). Yet they get away
    with it. Biggest scam going...


    Imhotep
     
    Imhotep, Sep 15, 2005
    #5
  6. Winged

    Winged Guest

    Imhotep wrote:
    on the best damn virus magnet software vendor.
    >
    >
    > Imagine a car company making cars with so many flaws. It would be like tires
    > falling off while driving down the highway (twice a month). Yet they get away
    > with it. Biggest scam going...
    >
    >
    > Imhotep


    It's called job security. There is no such thing as a completely safe
    computer connected to the net irrespective of OS. All OS's can be
    operated reasonably safely, including MS.

    THERE ARE NO SAFE OS's! This includes Linux, HPUX, OSX, VMS, OS2 etc.

    The key is configuring the system to meet the use requirement, mitigate
    risk where possible, and detect inappropriate activity when it occurs,
    and shut down communications immediately, if a breach is detected,
    preferably before a data compromise takes place.

    Windows is 90+% of the global computing market. see:
    (http://www.wininsider.com/news/?2248).

    It is only natural if one is going to hack into a system generically,
    one would spend their effort where one could optimize their efforts.
    Hacking is not easy. If I expend the effort on a target I will look to
    get the most bang for my time. I will want to exploit the most I can
    for the least amount of effort.

    Secunia lists 3449 known viruses and worms for Linux for example see:
    http://secunia.com/search/?search=linux
    These are against the LINUX base OS. Linux owns about 2.8% (I am being
    generous here) of the global desktop market share and about 28% of the
    global server share.

    There are 11513 known viruses for Windows XP owning 35% of the global
    desktop market. There are several ways to measure the MS server share
    but in reality there are a number of very different OS's that make up
    the MS server share. So for purposes of this article we will compare
    virus vulnerability against the global desktop share. We could use
    other metrics, but the results will be similar.

    The Global Windows XP desktop market share is 12.7 times higher than the
    LINUX desktop share.

    By comparison of installed base Linux is 3.7 times more likely to be
    compromised by viruses. Do you run an anti-virus tool for LINUX? (I use
    McAfee for Linux) Would you know if you had a compromise?

    Ok, let's look at the newly discovered vulnerabilities. MS has a
    disadvantage here due to the variety of services bundled in their
    products. But for this we can just look at the most recent CERT
    bulletin to compare:

    http://www.us-cert.gov/cas/bulletins/SB05-250.html

    I like Linux, I like WinX. I even like IRIX. One must mitigate threats
    in any OS. But one should be very careful making blanket statements as
    to the safety of any OS. Windows is attacked more; it is the majority,
    by anyone's count of the installed base.

    MS followed the wrong rules for setting up OS's until MS server 2003. I
    believe this was a serious lapse in judgment turning all services on
    instead of requiring an explicit open. MS has taken action to no longer
    open all services by default but require explicit opens.

    But to believe you are safe in any OS is one step from compromise.

    Enough said.



    Winged
     
    Winged, Sep 15, 2005
    #6
  7. Imhotep

    Imhotep Guest

    Winged wrote:

    > Imhotep wrote:
    > on the best damn virus magnet software vendor.
    >>
    >>
    >> Imagine a car company making cars with so many flaws. It would be like
    >> tires falling off while driving down the highway (twice a month). Yet they
    >> get away with it. Biggest scam going...
    >>
    >>
    >> Imhotep

    >
    > It's called job security.


    Or software sales security...

    > There is no such thing as a completely safe
    > computer connected to the net irrespective of OS. All OS's can be
    > operated reasonably safely including MS.



    Sure, nothing is totally safe, as nothing is perfect. Sure, I can agree with
    that. However, if you are replying to me, why the statement? If you think I
    was singling out MS with my analogy of a car losing its tires weekly, it
    was more a statement about software companies. Sadly, it is not just MS
    that is lacking in the software industry, it is most of the industry....


    > THERE ARE NO SAFE OS's! This includes Linux, HPUX, OSX, VMS, OS2 etc.


    Well, there is no absolute, sure.

    > The key is configuring the system to meet the use requirement, mitigate
    > risk where possible, and detect inappropriate activity when it occurs,
    > and shut down communications immediately, if a breach is detected,
    > preferably before a data compromise takes place.


    Again, sure.

    > Windows is 90+% of the global computing market. see:
    > (http://www.wininsider.com/news/?2248).
    >
    > It is only natural if one is going to hack into a system generically,
    > one would spend their effort where one could optimize their efforts.
    > Hacking is not easy. If I expend the effort on a target I will look to
    > get the most bang for my time. I will want to exploit the most I can
    > for the least amount of effort.


    Well, you also need to take into account what your purpose is. Is it to hack
    a financial company's database? If so, it is probably not running MS. It
    is probably Solaris w/Oracle, etc, etc. However, if you are looking to
    propagate an email worm, then you would target Exchange....

    > Secunia lists 3449 known viruses and worms for Linux for example see:
    > http://secunia.com/search/?search=linux
    > These are against the LINUX base OS. Linux owns about 2.8% (I am being
    > generous here) of the global desktop market share and about 28% of the
    > global server share.


    OK, I have a problem with that statement. Using the link above, I see the
    very first title "Slackware update for util-linux". Looking into this, it
    appears that this is a Slackware utility. In other words, this is not a Linux
    base OS issue but a Slackware issue.

    Second, you state above "Secunia lists 3449 known viruses and worms for
    Linux..." but this is neither a virus nor worm, this was a security flaw in
    a Slackware utility....

    Article #2 -- Is a legit Linux security flaw (not a virus or Worm)

    Article #3 lists as "SGI Advanced Linux Environment Multiple Updates". Doing
    some research it appears that this is SGI add-on software for Linux to run
    on their hardware. Read here:
    http://techpubs.sgi.com/library/tpl...X_StartHere/sgi_html/ch01.html#LE26552-PARENT

    Furthermore looking into listings for SGI's A.L.E I see:
    CAN-2005-2360 -- Unknown vulnerability in the LDAP dissector in Ethereal
    0.8.5 through 0.10.11 ..."

    CAN-2005-2361 -- Unknown vulnerability in the (1) AgentX dissector, (2) PER
    dissector...in ethereal 0.8.19 through 0.10.11"

    CAN-2005-2362 -- Again ethereal

    CAN-2005-2363 -- Again ethereal

    CAN-2005-2364 -- Again ethereal

    Well, I am going to stop here as I think I proved my point. Let's review. I
    looked at the first three listings (total of 7 issues) and only one was a
    legit Linux core security flaw...

    Again, when reviewing or comparing like this, careful scrutiny is needed for
    the data to be truly revealing (this has been my problem with the "Get the
    facts" campaign). For example, Ethereal (total of 5 of the 7 issues I read)
    should never be listed as a Linux issue. After all, not only is Ethereal a
    third party application that has nothing to do with Linux, but also, I can
    run Ethereal on Windows too! Maybe Macs too???


    > There are 11513 known viruses for Windows XP owning 35% of the global
    > desktop market. There are several ways to measure the MS server share
    > but in reality there are a number of very different OS's that make up
    > the MS server share. So for purposes of this article we will compare
    > virus vulnerability against the global desktop share. We could use
    > other metrics, but the results will be similar.
    >
    > The Global Windows XP desktop market share is 12.7 times higher than the
    > LINUX desktop share.
    >
    > By comparison of installed base Linux is 3.7 time more likely to be
    > compromised by viruses. Do you run an anti-virus tool for LINUX? (I use
    > McAfee for Linux) Would you know if you had a compromise?


    Review your data before making that calculation!

    > Ok, lets look at the newly discovered vulnerabilities. MS has a
    > disadvantage here due to the variety of services bundled in their
    > products. But for this we can just look at the most recent CERT
    > bulletin to compare:


    > http://www.us-cert.gov/cas/bulletins/SB05-250.html
    >
    > I like Linux, I like WinX. I even like IRIX. One must mitigate threats
    > in any OS. But one should be very careful making blanket statements as
    > to the safety of any OS. Windows is attacked more; it is the majority,
    > by anyone's count of the installed base.


    I too like Linux, FreeBSD and also Macs (Our CEO has one and I have played
    with it some, it is pretty cool I must say)....

    > MS followed the wrong rules for setting up OS's until MS server 2003. I
    > believe this was a serious lapse in judgment turning all services on
    > instead of requiring an explicit open. MS has taken action to no longer
    > open all services by default but require explicit opens.


    They have had many goofs in judgment. Their patch management has also been
    very troublesome...They have held out on informing their users when they
    should not have...and don't even get me started on their marketing/business
    practices....

    > But to believe you are safe in any OS is one step from compromise.


    True. I have always said the worst security is when you hear someone say
    something like "Ah, don't worry about it, we have a firewall". Like having
    a firewall was some kind of silver bullet....

    > Enough said.


    Ah, ok. But review your data. Honestly, I am interested in the results...

    >
    > Winged


    Imhotep
     
    Imhotep, Sep 15, 2005
    #7
  8. Imhotep

    Imhotep Guest

    Winged wrote:

    <snip (already replied)>

    > By comparison of installed base Linux is 3.7 time more likely to be
    > compromised by viruses. Do you run an anti-virus tool for LINUX? (I use
    > McAfee for Linux) Would you know if you had a compromise?


    I was wondering something. I reviewed your url (read my other post) and out
    of the first 7 listings (again read my other post) only 1 was legitimately
    a Linux security flaw.

    So, you stated that there were 3449 security flaws in Linux and 11513 for
    XP. Now I reviewed the first 7, found only one was a legit Linux security
    problem, so that is 1/7. If the trend in the listings is in fact 1 out of 7
    legit Linux security flaws, that would make the 3449 really about what, 500?
    So, Linux has say what, 3% desktop market, so 500 security flaws for 3% is
    about 165...

    Windows (in all fairness I did not review the data, I will leave that up to
    you) 11513 security flaws for 35% of the desktop market so that is
    what...329.

    That translates to you are twice as likely to get infected with XP as
    Linux...

    Again, and to be fair, I do not believe in the formula of # security flaws /
    market share. Rather, I like to look at the mean time to fix a security
    flaw. That says a lot about the company. How serious are they to address
    problems? How quick are they to fix it? Do they inform people right away
    and let them know what to look out for? What is the total amount of
    security problems? For what period of time?

    <snip>


    Imhotep
     
    Imhotep, Sep 15, 2005
    #8
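The comparison argued over in posts #6 through #8 (advisory count divided by installed-base share, after discarding advisories that are not base-OS flaws) together with the mean-time-to-fix metric Imhotep prefers, as an added Python example that is not code from the thread; the component categories and the sample advisories are constructed assumptions, not Secunia's or CERT's data.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Assumed classification of affected components, following the thread's argument
# that distribution packaging, vendor add-ons and third-party applications are
# not flaws in the base OS. Constructed for this example.
CATEGORY = {
    "kernel": "core", "glibc": "core", "windows-xp": "core",
    "util-linux (slackware package)": "distro-packaging",
    "sgi-ale": "vendor-addon",
    "ethereal": "third-party",
}

@dataclass
class Advisory:
    advisory_id: str
    platform: str            # "linux" or "windows-xp"
    component: str
    disclosed: date
    fixed: Optional[date]    # None while no fix has shipped

def core_flaws(advisories, platform):
    """Keep only advisories whose component is part of the base OS."""
    return [a for a in advisories
            if a.platform == platform and CATEGORY.get(a.component) == "core"]

def flaws_per_share_point(count, market_share_pct):
    """The thread's normalisation: flaw count divided by installed-base share (%)."""
    return count / market_share_pct

def mean_days_to_fix(advisories, platform):
    """Average disclosure-to-fix time; unfixed advisories are excluded."""
    days = [(a.fixed - a.disclosed).days for a in advisories
            if a.platform == platform and a.fixed is not None]
    return sum(days) / len(days) if days else None

# Constructed sample: ids and dates are invented, components mirror the thread.
SAMPLE = [
    Advisory("CONSTRUCTED-L1", "linux", "util-linux (slackware package)", date(2005, 9, 1), date(2005, 9, 3)),
    Advisory("CONSTRUCTED-L2", "linux", "kernel", date(2005, 9, 2), date(2005, 9, 9)),
    Advisory("CONSTRUCTED-L3", "linux", "sgi-ale", date(2005, 9, 4), date(2005, 9, 20)),
    Advisory("CONSTRUCTED-L4", "linux", "ethereal", date(2005, 9, 5), None),
    Advisory("CONSTRUCTED-W1", "windows-xp", "windows-xp", date(2005, 9, 1), date(2005, 9, 13)),
    Advisory("CONSTRUCTED-W2", "windows-xp", "windows-xp", date(2005, 9, 6), date(2005, 9, 30)),
]

def compare(advisories, shares):
    """Return {platform: (core_count, flaws_per_share_point, mean_days_to_fix)}."""
    result = {}
    for platform, share in shares.items():
        n = len(core_flaws(advisories, platform))
        result[platform] = (n, flaws_per_share_point(n, share), mean_days_to_fix(advisories, platform))
    return result

if __name__ == "__main__":
    for platform, row in compare(SAMPLE, {"linux": 2.8, "windows-xp": 35.0}).items():
        print(platform, row)
```

With the sample above, three of the four Linux advisories drop out before normalisation, which is the point post #7 makes about the raw Secunia count.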
