New IP based security hole in Windows 2000 (yet again)

Discussion in 'Computer Security' started by Imhotep, Aug 4, 2005.

  1. Imhotep

    Imhotep Guest

    Imhotep, Aug 4, 2005
    #1

  2. Imhotep

    Imhotep Guest

    Imhotep, Aug 4, 2005
    #2

  3. Imhotep

    Quaoar Guest

    Imhotep wrote:
    > Imhotep wrote:
    >
    >> http://www.vnunet.com/vnunet/news/2140780/windows-2000-wide-open
    >>
    >> Time for Linux/BSD everyone...
    >>
    >> Michael

    >
    > MS probably won't patch this as a ploy to get their "customers" to
    > upgrade...shaddy bastards...
    >
    > -Im


    M$ will patch; there are far too many businesses running Win2K to
    ignore.

    Q
    Quaoar, Aug 5, 2005
    #3
  4. Imhotep

    Imhotep Guest

    Quaoar wrote:

    > Imhotep wrote:
    >> Imhotep wrote:
    >>
    >>> http://www.vnunet.com/vnunet/news/2140780/windows-2000-wide-open
    >>>
    >>> Time for Linux/BSD everyone...
    >>>
    >>> Michael

    >>
    >> MS probably won't patch this as a ploy to get their "customers" to
    >> upgrade...shaddy bastards...
    >>
    >> -Im

    >
    > M$ will patch; there are far too many businesses running Win2K to
    > ignore.
    >
    > Q


    Maybe, but it would not surprise me, the article says that it is not
    patchable, that M$ might "encourage" their "customers" to upgrade. That is
    how they do business. Shady pr$ck$....

    Im
    Imhotep, Aug 5, 2005
    #4
  5. Imhotep

    Jason Guest

    * Imhotep <>:
    > Quaoar wrote:
    >
    >> Imhotep wrote:
    >>> Imhotep wrote:
    >>>
    >>>> http://www.vnunet.com/vnunet/news/2140780/windows-2000-wide-open
    >>>>
    >>>> Time for Linux/BSD everyone...
    >>>>
    >>>> Michael
    >>>
    >>> MS probably won't patch this as a ploy to get their "customers" to
    >>> upgrade...shaddy bastards...
    >>>
    >>> -Im

    >>
    >> M$ will patch; there are far too many businesses running Win2K to
    >> ignore.
    >>
    >> Q

    >
    > Maybe, but it would not surprise me, the article says that it is not
    > patchable, that M$ might "encourage" their "customers" to upgrade. That is
    > how they do business. Shaddy pr$ck$....
    >
    > Im


    Well they are in business to make money after all Imhotep. But it would
    be nice if they started out with a slightly more stable and secure
    system.

    Jason
    Jason, Aug 5, 2005
    #5
  6. Imhotep

    Winged Guest

    Imhotep wrote:
    > Imhotep wrote:
    >
    >
    >>http://www.vnunet.com/vnunet/news/2140780/windows-2000-wide-open
    >>
    >>Time for Linux/BSD everyone...
    >>
    >>Michael

    >
    >
    > MS probably won't patch this as a ploy to get their "customers" to
    > upgrade...shaddy bastards...
    >
    > -Im


    The thing is I can't help but wonder if this flaw isn't either the same
    flaw or related to the flaw in many NIC cards that allow exploitation at
    TCP/IP layer 2. Though cryptic, it sure sounds like someone figured
    out how to exploit it effectively.

    But thanks for the link, sure glad we left W2K behind, but I am curious
    to see if flaw has a wider scope than advertised.

    Winged
    Winged, Aug 5, 2005
    #6
  7. Imhotep

    Imhotep Guest

    Winged wrote:

    > Imhotep wrote:
    >> Imhotep wrote:
    >>
    >>
    >>>http://www.vnunet.com/vnunet/news/2140780/windows-2000-wide-open
    >>>
    >>>Time for Linux/BSD everyone...
    >>>
    >>>Michael

    >>
    >>
    >> MS probably won't patch this as a ploy to get their "customers" to
    >> upgrade...shaddy bastards...
    >>
    >> -Im

    >
    > The thing is I can't help bout wonder if this flaw isn't either the same
    > flaw or related to the flaw in many NIC cards that allow exploitation at
    > TCP/IP layer 2. Though cryptic, it sure sounds like someone figured
    > out how to exploit it effectively.
    >
    > But thanks for the link, sure glad we left W2K behind, but I am curious
    > to see if flaw has a wider scope than advertised.
    >
    > Winged


    It sure could be a layer 2 security hole. It could be many things, even in
    layer 3, ICMP/IGMP a security hole in multicasts, etc, etc.

    I sure am glad I do not use Winblows...At work we are seriously looking
    into Red Hat and other technologies to get away from the Microsoft trap...

    Im
    Imhotep, Aug 5, 2005
    #7
  8. Imhotep

    Imhotep Guest

    Jason wrote:

    > * Imhotep <>:
    >> Quaoar wrote:
    >>
    >>> Imhotep wrote:
    >>>> Imhotep wrote:
    >>>>
    >>>>> http://www.vnunet.com/vnunet/news/2140780/windows-2000-wide-open
    >>>>>
    >>>>> Time for Linux/BSD everyone...
    >>>>>
    >>>>> Michael
    >>>>
    >>>> MS probably won't patch this as a ploy to get their "customers" to
    >>>> upgrade...shaddy bastards...
    >>>>
    >>>> -Im
    >>>
    >>> M$ will patch; there are far too many businesses running Win2K to
    >>> ignore.
    >>>
    >>> Q

    >>
    >> Maybe, but it would not surprise me, the article says that it is not
    >> patchable, that M$ might "encourage" their "customers" to upgrade. That
    >> is how they do business. Shaddy pr$ck$....
    >>
    >> Im

    >
    > Well they are in business to make money after all Imhotep. But it would
    > be nice if they started out with a slighty more stable and secure
    > system.
    >
    > Jason


    They are in business to make money: fair enough. However, it is *HOW*
    Microsuck goes about it, that I can not stand. I will assume you know what
    I mean...
    Imhotep, Aug 5, 2005
    #8
  9. Imhotep

    Jbob Guest

    "Imhotep" <> wrote in message
    news:nfwIe.51419$...
    > http://www.vnunet.com/vnunet/news/2140780/windows-2000-wide-open
    >
    > Time for Linux/BSD everyone...
    >
    > Michael


    You say that like Linux has no flaws (for a better word). If I'm not
    mistaken Linux has had more security patches over the last 6 months than MS
    has. I actually don't see most of this stuff as flaws but more as exploits.
    Crackers in a dark hole somewhere can crack anything if they hit it enough.
    Even the precious Linux Kernel.

    FWIW, I wish I knew Linux better! :) I'm trying though.
    Jbob, Aug 5, 2005
    #9
  10. Imhotep

    Winged Guest

    Jbob wrote:
    > "Imhotep" <> wrote in message
    > news:nfwIe.51419$...
    >
    >>http://www.vnunet.com/vnunet/news/2140780/windows-2000-wide-open
    >>
    >>Time for Linux/BSD everyone...
    >>
    >>Michael

    >
    >
    > You say that like Linux has no flaws(for a better word). If I'm not
    > mistaken Linux has had more security patches over the last 6 months than MS
    > has. I actually don't see most of this stuff as flaws but more as exploits.
    > Crackers in a dark hole somewhere can crack anything if they hit it enough.
    > Even the precious Linux Kernel.
    >
    > FWIW, I wish I new Linux better! :) I'm trying though.
    >
    >


    If the flaw is a level 2 flaw, there is a very high probability that
    Linux and a lot of other things may be impacted though the method may
    not yet be figured. The flaw I was referring to exists at the hardware
    /driver level. I only figured out one exploit that took advantage of
    the drivers (ping a computer with large window size, many NIC cards use
    memory to pad packet window. Read returned packet pad to capture what
    is in remote memory (often contains login / passwords). This method
    often bypasses firewalls if the level machine allows a ping response. A
    series of large ping packets often returns different memory segments).

    I do know the above does work on some Linux systems as well with the
    right NIC card (or wrong one depending on viewpoint). I suspect they
    have found something similar to the above method that allows more
    complex interaction.

    While I would never say this publicly, there is a lot of very similar
    code between Linux connector and the win sockets MS uses...I won't say
    MS copied Linux..but it is very similar...shrugs...guess we will wait n
    see.

    Winged
    Winged, Aug 5, 2005
    #10
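
Added example, not part of the thread: the NIC-driver behaviour described in post #10, where memory contents end up in packet padding, shown from the defender's side. The C sketch puts a leaky padding routine beside one that zeroes the pad, and adds a receive-side check that counts non-zero padding bytes after the IPv4 datagram; all function names, the sample frame and the stale buffer contents are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ETH_HDR_LEN   14
#define ETH_MIN_FRAME 60      /* minimum frame length, excluding the 4-byte FCS */
#define ETHERTYPE_IP  0x0800

/* Leaky pattern: copy the frame into a reused transmit buffer and report the
 * padded length without clearing the tail, so old buffer contents go out. */
size_t pad_frame_leaky(uint8_t *txbuf, size_t txbuf_size,
                       const uint8_t *frame, size_t len)
{
    size_t out = len < ETH_MIN_FRAME ? ETH_MIN_FRAME : len;
    if (out > txbuf_size)
        return 0;
    memcpy(txbuf, frame, len);
    return out;                         /* bytes len..out-1 are stale */
}

/* Hardened pattern: same copy, but the pad is explicitly zeroed. */
size_t pad_frame_zeroed(uint8_t *txbuf, size_t txbuf_size,
                        const uint8_t *frame, size_t len)
{
    size_t out = len < ETH_MIN_FRAME ? ETH_MIN_FRAME : len;
    if (out > txbuf_size)
        return 0;
    memcpy(txbuf, frame, len);
    memset(txbuf + len, 0, out - len);
    return out;
}

/* Receive-side check: for an Ethernet II + IPv4 frame, count the non-zero
 * bytes that follow the end of the IP datagram. Returns -1 if the frame is
 * not IPv4 or its lengths are inconsistent. */
int count_nonzero_padding(const uint8_t *frame, size_t frame_len)
{
    if (frame_len < ETH_HDR_LEN + 20)
        return -1;
    if (((frame[12] << 8) | frame[13]) != ETHERTYPE_IP)
        return -1;
    const uint8_t *ip = frame + ETH_HDR_LEN;
    if ((ip[0] >> 4) != 4 || (ip[0] & 0x0f) < 5)
        return -1;
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;
    size_t ip_total = ((size_t)ip[2] << 8) | ip[3];
    if (ip_total < ihl || ETH_HDR_LEN + ip_total > frame_len)
        return -1;
    int nonzero = 0;
    for (size_t i = ETH_HDR_LEN + ip_total; i < frame_len; i++)
        if (frame[i] != 0)
            nonzero++;
    return nonzero;
}

/* Constructed sample: Ethernet II + IPv4 + ICMP echo reply carrying one data
 * byte, 43 bytes in total. Checksums are left at zero; the check above does
 * not look at them. */
size_t make_sample_frame(uint8_t *out)
{
    memset(out, 0, 43);
    memset(out, 0x02, 12);              /* constructed MAC addresses */
    out[12] = 0x08; out[13] = 0x00;     /* EtherType: IPv4 */
    uint8_t *ip = out + ETH_HDR_LEN;
    ip[0] = 0x45;                       /* version 4, IHL 5 */
    ip[2] = 0;  ip[3] = 29;             /* total length: 20 + 8 + 1 */
    ip[8] = 64; ip[9] = 1;              /* TTL, protocol ICMP */
    ip[20] = 0;                         /* ICMP type 0: echo reply */
    ip[28] = 'A';                       /* one byte of echo data */
    return 43;
}

/* Pads the sample through either routine, then runs the receive-side check. */
int demo_padding_leak(int hardened)
{
    /* Constructed stand-in for earlier traffic left in the transmit buffer. */
    static const char stale[] =
        "constructed stale data from an earlier packet: "
        "user=demo pass=not-a-real-secret";
    uint8_t txbuf[128];
    uint8_t frame[64];

    memset(txbuf, 0, sizeof txbuf);
    memcpy(txbuf, stale, sizeof stale - 1);
    size_t len = make_sample_frame(frame);
    size_t n = hardened
        ? pad_frame_zeroed(txbuf, sizeof txbuf, frame, len)
        : pad_frame_leaky(txbuf, sizeof txbuf, frame, len);
    return count_nonzero_padding(txbuf, n);
}

int main(void)
{
    printf("leaky pad:  %d non-zero padding bytes\n", demo_padding_leak(0));
    printf("zeroed pad: %d non-zero padding bytes\n", demo_padding_leak(1));
    return 0;
}
```

A non-zero count on short frames from a given host is a signal worth investigating, not proof of a leak: some stacks pad with fixed non-zero fill or append trailers.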
  11. Imhotep

    Dazz Guest

    On Fri, 5 Aug 2005 01:45:26 -0500, "Jbob" <> wrote:

    >"Imhotep" <> wrote in message
    >news:nfwIe.51419$...
    >> http://www.vnunet.com/vnunet/news/2140780/windows-2000-wide-open
    >>
    >> Time for Linux/BSD everyone...
    >>
    >> Michael

    >
    >You say that like Linux has no flaws(for a better word). If I'm not
    >mistaken Linux has had more security patches over the last 6 months than MS
    >has. I actually don't see most of this stuff as flaws but more as exploits.
    >Crackers in a dark hole somewhere can crack anything if they hit it enough.
    >Even the precious Linux Kernel.
    >
    >FWIW, I wish I new Linux better! :) I'm trying though.


    Firstly, a lot of people assume that because an exploit is found in a
    service or software installed on Linux, such as Apache, PHP or
    Sendmail etc, that it is Linux that is at fault.

    This is false.

    When it comes to Linux (or other *nix based systems), a sysadmin or
    user will generally have the option of installing software/services as
    they see fit.

    In most cases, *you* have the choice as to what you want to install or
    offer on a *nix based system.

    A good sysadmin will install the minimal amount to have a system
    operational.

    In the case of an M$ based server, you don't always have this option
    as M$ try to "incorporate" what they see as important
    features/services - whether you like them or not.

    Ever tried uninstalling Internet Explorer from Windows 2000, XP or
    Windows 2003 Server?

    Regardless of the OS, a system is only as secure as the person who
    configured it that way - and even then, you can't guarantee security.

    Dazz
    Dazz, Aug 5, 2005
    #11
  12. Imhotep

    Moe Trin Guest

    In the Usenet newsgroup alt.computer.security, in article
    <>, Jbob wrote:

    >"Imhotep" <> wrote:


    >> Time for Linux/BSD everyone...


    >You say that like Linux has no flaws(for a better word).


    *BSD* is not Linux. The four (BSD386, FreeBSD, NetBSD, OpenBSD) are
    similar in that they are like UNIX, but they are as different from one
    another (and Linux) as cars from different manufacturers.

    >If I'm not mistaken Linux has had more security patches over the last
    >6 months than MS has.


    Microsoft is trying to advertise that - yes, but oranges and tomatoes are
    different. Most Linux distributions come with hundreds of applications,
    but the applications are not part of the operating system. If the 200+
    Linux distributors each release a patch for the same problem in a web
    browser like Mozilla (one of many browsers that come with each distribution;
    the one I'm using at home has seven different browsers) is that one patch
    by your count, or two hundred? Or none, because it's a separate application.

    Then too, most Linux distributors release patches and errata immediately,
    instead of waiting to release one massive "Urgent Security Update" each
    month that contain an unknown number of patches that may or may not fix
    problems that have been around for a month to a year or more.

    >I actually don't see most of this stuff as flaws but more as exploits.
    >Crackers in a dark hole somewhere can crack anything if they hit it enough.


    -rw-rw-r-- 1 admin admin 46713120 Jul 15 21:57 linux-2.6.12.3.tar.gz

    That's a recent kernel source file - 46.7 Megabyte compressed, about
    four million lines of C code. The applications are separate. The average
    distribution includes another 2,500 Megabytes compressed of the source
    code for the applications. So the crackers have something like 250
    million lines of the sources - and they can't find stuff to crack in
    that? Microsoft has never released the entire source for the O/S or any
    application, and we have this huge business in anti-virus, anti-worm,
    anti-trojan, anti-spyware programs for windoze - why?

    >Even the precious Linux Kernel.


    It's been tried. The advantage is that everyone can see the source, and
    anyone seeing a problem can either fix it themselves, or tell the world
    about it, so that someone else can fix it. Looking at the ChangeLog file
    for the 2.6.12 kernel, I see 423 different people from around the world who
    supplied changes. Most bug fixes are available in hours, though the Intel
    'F00F' bug in 1997 took seven days (and microsoft has never bothered to fix
    because it was a hardware bug - google for it).

    >FWIW, I wish I new Linux better! :) I'm trying though.


    http://ibiblio.org/pub/linux/docs/HOWTO/
    http://en.tldp.org/HOWTO/HOWTO-INDEX/howtos.html

    http://tldp.org/guides.html
    http://ibiblio.org/pub/linux/docs/linux-doc-project/

    http://www.distrowatch.com/

    http://distro.ibiblio.org/pub/linux/distributions/

    But as noted above, Linux isn't the only game in town, though the "popular"
    distributions like Fedora, Mandriva and SuSE try to make it a lot more
    newbie friendly than the *BSDs.

    Old guy
    Moe Trin, Aug 5, 2005
    #12
  13. Imhotep

    Jbob Guest

    "Moe Trin" <> wrote in message
    news:...
    >
    > *BSD* is not Linux. The four (BSD386, FreeBSD, NetBSD, OpenBSD) are
    > similar in that they are like UNIX, but they are as different from one
    > another (and Linux) as cars from different manufacturers.


    Agreed but I was mainly referring to Linux

    >
    >>If I'm not mistaken Linux has had more security patches over the last
    >>6 months than MS has.

    >
    > Microsoft is trying to advertise that - yes, but oranges and tomatoes are
    > different. Most Linux distributions come with hundreds of applications,
    > but the applications are not part of the operating system. If the 200+
    > Linux distributors each release a patch for the same problem in a web
    > browser like Mozilla (one of many browsers that come with each
    > distribution;
    > the one I'm using at home has seven different browsers) is that one patch
    > by your count, or two hundred? Or none, because it's a separate
    > application.


    Perhaps but I didn't read this stuff from MS. And besides what use is any
    Linux Distro without the extra apps that come with the kernel?

    >
    > Then to, most Linux distributors release patches and errata immediately,
    > instead of waiting to release one massive "Urgent Security Update" each
    > month that contain an unknown number of patches that may or may not fix
    > problems that have been around for a month to a year or more.
    >


    Again my issue is with flaws/exploits/etc and not how quickly they are
    patched.

    >>I actually don't see most of this stuff as flaws but more as exploits.
    >>Crackers in a dark hole somewhere can crack anything if they hit it
    >>enough.

    >
    > -rw-rw-r-- 1 admin admin 46713120 Jul 15 21:57 linux-2.6.12.3.tar.gz
    >
    > That's a recent kernel source file - 46.7 Megabyte compressed, about
    > four million lines of C code. The applications are separate. The average
    > distribution includes another 2,500 Megabytes compressed of the source
    > code for the applications. So the crackers have something like 250
    > million lines of the sources - and they can't find stuff to crack in
    > that? Microsoft has never released the entire source for the O/S or any
    > application, and we have this huge business in anti-virus, anti-worm,
    > anti-trojan, anti-spyware programs for windoze - why?
    >
    >>Even the precious Linux Kernel.

    >
    > It's been tried. The advantage is that everyone can see the source, and
    > anyone seeing a problem can either fix it themselves, or tell the world
    > about it, so that someone else can fix it. Looking at the ChangeLog file
    > for the 2.6.12 kernel, I see 423 different people from around the world
    > who
    > supplied changes. Most bug fixes are available in hours, though the Intel
    > 'F00F' bug in 1997 took seven days (and microsoft has never bothered to
    > fix
    > because it was a hardware bug - google for it).
    >


    Believe what you will. I just think if Linux was the main game in town it
    would be targeted much more than it is now and we'd be seeing even more
    serious indications of failures. It is my perspective that as long as a
    cracker is looking, someone is gonna find something to exploit whether it be
    MS or Linux or even Cisco IOS. lol

    >>FWIW, I wish I new Linux better! :) I'm trying though.

    >
    > http://ibiblio.org/pub/linux/docs/HOWTO/
    > http://en.tldp.org/HOWTO/HOWTO-INDEX/howtos.html
    >
    > http://tldp.org/guides.html
    > http://ibiblio.org/pub/linux/docs/linux-doc-project/
    >
    > http://www.distrowatch.com/
    >
    > http://distro.ibiblio.org/pub/linux/distributions/
    >
    > But as noted above, Linux isn't the only game in town, though the
    > "popular"
    > distributions like Fedora, Mandriva and SuSE try to make it a lot more
    > newbie friendly than the *BSDs.


    I already am trying distros of Mandrake/Mandriva and Redhat/Fedora. I have
    tried Redhat from 7.1 and am now trying FC4. Also have Ubuntu and Knoppix
    to try. I just find it hard to make the switch. Just seems so hard to load
    anything outside of a web update for me. Just need to spend more time with
    it. Thanks for the links though.
    >
    > Old guy
    Jbob, Aug 6, 2005
    #13
  14. Imhotep

    Moe Trin Guest

    In the Usenet newsgroup alt.computer.security, in article
    <>, Jbob wrote:

    >Agreed but I was mainly referring to Linux


    Yes, but the O/P mentioned both as alternatives.

    >Perhaps but I didn't read this stuff from MS. And besides what use is any
    >Linux Disto without the extra apps that come with the kernel?


    What was the use of MS-DOS versions 1 thru 6.22? What about Windoze 3.1?
    No applications at all, and only a few support programs.

    Below, you mention you are trying FC 4. Boot that, and watch as it does.
    First you see the boot loader - GRUB (from the FSF) which is not Linux. It's
    used to load anything, including windoze, *nix, *BSD - you name it.

    Then you see the kernel load and start - that's Linux. Next, you see a
    splash screen, and you run through starting up the various services. Only
    a small portion of that (serial drivers, network, firewall) is part of
    Linux. The rest is from the distributor (Red Hat in this case) or third
    parties. The 'libraries' that are used by the kernel - are not part of
    it. Nearly everyone is using 'glibc2' (GNU C Library version 2), but
    there are some who use others, like the Intel libraries.

    Booting to a command line? That's GNU Bash - not part of the kernel. Using
    a GUI? Well, the first thing is the X server (XFree or in your case X Org)
    then some window manager (the default on FC is GNOME - others use KDE)
    exactly none of which is part of Linux, because they run on any *nix that
    runs a window manager. You are running applications - like some browser,
    a mail tool, a news tool... if the names begin with a K, they're most
    likely part of KDE. Other stuff is GNOME. How much Linux have you seen?
    I run X to give me lots of terminals to type in - there isn't an icon to
    be seen on my desktop. But the commands I'm using?

    [compton ~]$ ls `echo $PATH | tr ':' ' '` | egrep -vc '(:|^$)'
    1302
    [compton ~]$ echo $HISTSIZE
    1000
    [compton ~]$ history | sed 's/^......//' | tr '|' '\n' | sed 's/^ *//' | cut -d' ' -f1 | sort -u | wc -l
    78
    [compton ~]$

    Each one of those lines is considered one command. The first line looks to
    see how many commands are in my PATH - 1302. The next line shows how many
    commands my shell remembers me using. The next line parses those 1000
    commands I've just used, and breaks them down into components - that line
    actually has seven commands cascaded to do something useful - and then sorts
    things out to see how many _different_ commands there are in use. So, of
    the 1300 commands on this system, I've used just 78, over and over (and I
    think you can see I have a bit of experience doing this). Use the 'man'
    command (start with 'man man' to get the man page on the man pages) to see
    what those commands are doing. The point of all this? Not one of those
    1300 commands is part of Linux. Nearly all are free versions that mimic the
    commands originally created by Bell Labs when they created UNIX 35+ years
    ago. More commands came from the various universities - but are still not
    part of any single O/S.

    >> most Linux distributors release patches and errata immediately, instead
    >> of waiting to release one massive "Urgent Security Update" each month
    >> that contain an unknown number of patches


    >Again my issue is with flaws/exploits/etc and not how quickly they are
    >patched.


    My response was "many" patches - there were some 300 errata over the life
    of Red Hat 9 for example - compared to a blob that contains an unknown
    number of patches.

    >Believe what you will. I just think if Linux was the main game in town it
    >would be targeted much more than it is now and we'd be seeing even more
    >serious indications of failures.


    Most of the servers you use on the net are not windoze - they are one or
    another of the *nix. The routers? Surely you don't think that stuff
    would be running windoze. Why are the crackers going after windoze?
    They like easy targets that often have big payoffs.

    >It is my perspective that as long as a cracker is looking, someone is
    >gonna find something to exploit whether it be MS or Linux or even Cisco
    >IOS. lol


    Well, hopefully, you have learned to use a "user account" in Linux, rather
    than 'root'. If so, you've already prevented about 3/4 of the possible
    cracks. Why? You don't have permission to do anything to the system. You
    don't need it, except for system maintenance, and a lot of that has been
    automated for you. You notice that ALL of the browsers available outside
    of windoze don't assume you have the intelligence of a rock, and don't
    try to auto-install, auto-open, auto-infect your system. Honestly,
    another major reason we don't have the virus/trojan/worm/spyware problem
    so prevalent in windoze is that this stuff is harder, and you need people
    who can actually think. Windoze doesn't need that.

    >I already am trying distros of Mandrake/Mandriva and Redhat/Fedora. I have
    >tried Redhat from 7.1 and am now trying FC4. Also have Ubuntu and Knoppix
    >to try. I just find it hard to make the switch.


    Understandable. This stuff _is_ different.

    >Just seems so hard to load anything outside of a web update for me.


    That's semi-intentional, and an artifact about the origins of the
    operating system. *nix was maintained by the IT staff, the people who
    had training and experience. When I started with UNIX many years ago, I
    went six months without knowing who the 'root' was. It was about 18
    months before I got the rough equivalent of a sudo account, that allowed
    me to shutdown the systems, mount/umount (not a typo) hard disks and
    tapes. It was 6 months MORE before I got a root account - call it two
    years after I started. Even so, I was absolutely terrified that I was
    going to fumble finger something, and have the system come crashing
    down about my ears, and have several hundred users after my head. Today,
    root is the first account you got.

    >Just need to spend more time with it. Thanks for the links though.


    Installing software is fairly easy, thanks to the package managers like
    rpm, YUM, apt-get, dpkg, YAST, and so on. Until you are comfortable, you
    should limit yourself to packages supplied by your distributor. As you
    gain experience, you can try packages from other sources (not all are
    compatible, and that's part of the learning process). And you can really
    get gutsy, and install stuff from tarballs - that you have to configure
    the Makefile first (often done automagically), then 'make' (which does
    the compiling) and 'make install' which installs the executables.
    Take your time - learn what you are doing, and things will work out fine.

    Old guy
    Moe Trin, Aug 6, 2005
    #14
  15. Imhotep

    Imhotep Guest

    Jbob wrote:

    > "Imhotep" <> wrote in message
    > news:nfwIe.51419$...
    >> http://www.vnunet.com/vnunet/news/2140780/windows-2000-wide-open
    >>
    >> Time for Linux/BSD everyone...
    >>
    >> Michael

    >
    > You say that like Linux has no flaws(for a better word). If I'm not
    > mistaken Linux has had more security patches over the last 6 months than
    > MS
    > has.


    OK hold it right there...do you actually read the patches? How many are from
    linux vs third party apps. Take that number and compare to the number of
    windows patches...then we will talk.

    > I actually don't see most of this stuff as flaws but more as
    > exploits. Crackers in a dark hole somewhere can crack anything if they hit
    > it enough. Even the precious Linux Kernel.
    >
    > FWIW, I wish I new Linux better! :) I'm trying though.


    Learn there are plenty of classes and online info...

    Im
    Imhotep, Aug 8, 2005
    #15
  16. Imhotep

    Imhotep Guest

    Moe Trin wrote:

    > In the Usenet newsgroup alt.computer.security, in article
    > <>, Jbob wrote:
    >
    >>"Imhotep" <> wrote:

    >
    >>> Time for Linux/BSD everyone...

    >
    >>You say that like Linux has no flaws(for a better word).

    >
    > *BSD* is not Linux. The four (BSD386, FreeBSD, NetBSD, OpenBSD) are
    > similar in that they are like UNIX, but they are as different from one
    > another (and Linux) as cars from different manufacturers.
    >
    >>If I'm not mistaken Linux has had more security patches over the last
    >>6 months than MS has.

    >
    > Microsoft is trying to advertise that - yes, but oranges and tomatoes are
    > different. Most Linux distributions come with hundreds of applications,
    > but the applications are not part of the operating system. If the 200+
    > Linux distributors each release a patch for the same problem in a web
    > browser like Mozilla (one of many browsers that come with each
    > distribution; the one I'm using at home has seven different browsers) is
    > that one patch by your count, or two hundred? Or none, because it's a
    > separate application.
    >
    > Then to, most Linux distributors release patches and errata immediately,
    > instead of waiting to release one massive "Urgent Security Update" each
    > month that contain an unknown number of patches that may or may not fix
    > problems that have been around for a month to a year or more.
    >
    >>I actually don't see most of this stuff as flaws but more as exploits.
    >>Crackers in a dark hole somewhere can crack anything if they hit it
    >>enough.

    >
    > -rw-rw-r-- 1 admin admin 46713120 Jul 15 21:57 linux-2.6.12.3.tar.gz
    >
    > That's a recent kernel source file - 46.7 Megabyte compressed, about
    > four million lines of C code. The applications are separate. The average
    > distribution includes another 2,500 Megabytes compressed of the source
    > code for the applications. So the crackers have something like 250
    > million lines of the sources - and they can't find stuff to crack in
    > that? Microsoft has never released the entire source for the O/S or any
    > application, and we have this huge business in anti-virus, anti-worm,
    > anti-trojan, anti-spyware programs for windoze - why?
    >
    >>Even the precious Linux Kernel.

    >
    > It's been tried. The advantage is that everyone can see the source, and
    > anyone seeing a problem can either fix it themselves, or tell the world
    > about it, so that someone else can fix it. Looking at the ChangeLog file
    > for the 2.6.12 kernel, I see 423 different people from around the world
    > who
    > supplied changes. Most bug fixes are available in hours, though the Intel
    > 'F00F' bug in 1997 took seven days (and microsoft has never bothered to
    > fix because it was a hardware bug - google for it).
    >
    >>FWIW, I wish I new Linux better! :) I'm trying though.

    >
    > http://ibiblio.org/pub/linux/docs/HOWTO/
    > http://en.tldp.org/HOWTO/HOWTO-INDEX/howtos.html
    >
    > http://tldp.org/guides.html
    > http://ibiblio.org/pub/linux/docs/linux-doc-project/
    >
    > http://www.distrowatch.com/
    >
    > http://distro.ibiblio.org/pub/linux/distributions/
    >
    > But as noted above, Linux isn't the only game in town, though the
    > "popular" distributions like Fedora, Mandriva and SuSE try to make it a
    > lot more newbie friendly than the *BSDs.
    >
    > Old guy



    Very nicely said Moe....

    Im
    Imhotep, Aug 8, 2005
    #16
  17. Imhotep

    Imhotep Guest

    Moe Trin wrote:

    > In the Usenet newsgroup alt.computer.security, in article
    > <>, Jbob wrote:
    >
    >>Agreed but I was mainly referring to Linux

    >
    > Yes, but the O/P mentioned both as alternatives.
    >
    >>Perhaps but I didn't read this stuff from MS. And besides what use is any
    >>Linux Disto without the extra apps that come with the kernel?

    >
    > What was the use of MS-DOS versions 1 thru 6.22? What about Windoze 3.1?
    > No applications at all, and only a few support programs.
    >
    > Below, you mention you are trying FC 4. Boot that, and watch as it does.
    > First you see the boot loader - GRUB (from the FSF) which is not Linux.
    > It's used to load any thing, including windoze, *nix, *BSD - you name it.
    >
    > Then you see the kernel load and start - that's Linux. Next, you see a
    > splash screen. and you run through starting up the various services. Only
    > a small portion of that (serial drivers, network, firewall) is part of
    > Linux. The rest is from the distributor (Red Hat in this case) or third
    > parties. The 'libraries' that are used by the kernel - are not part of
    > it. Nearly everyone is using 'glibc2' (GNU C Library version 2), but
    > there are some who use others, like the Intel libraries.
    >
    > Booting to a command line? That's GNU Bash - not part of the kernel. Using
    > a GUI? Well, the first thing is the X server (XFree or in your case X
    > Org) then some window manager (the default on FC is GNOME - others use
    > KDE) exactly none of which is part of Linux, because they run on any *nix
    > that
    > runs a window manager. You are running applications - like some browser,
    > a mail tool, a news tool... if the names begin with a K, they're most
    > likely part of KDE. Other stuff is GNOME. How much Linux have you seen?
    > I run X to give me lots of terminals to type in - there isn't an icon to
    > be seen on my desktop. But the commands I'm using?
    >
    > [compton ~]$ ls `echo $PATH | tr ':' ' '` | egrep -vc '(:|^$)'
    > 1302
    > [compton ~]$ echo $HISTSIZE
    > 1000
    > [compton ~]$ history | sed 's/^......//' | tr '|' '\n' | sed 's/^ *//' | cut -d' ' -f1 | sort -u | wc -l
    > 78
    > [compton ~]$
    >
    > Each one of those lines is considered one command. The first line looks to
    > see how many commands are in my PATH - 1302. The next line shows how many
    > commands my shell remembers me using. The next line parses those 1000
    > commands I've just used, and breaks them down into components - that line
    > actually has seven commands cascaded to do something useful - and then
    > sorts
    > things out to see how many _different_ commands there are in use. So, of
    > the 1300 commands on this system, I've used just 78, over and over (and I
    > think you can see I have a bit of experience doing this). Use the 'man'
    > command (start with 'man man' to get the man page on the man pages) to see
    > what those commands are doing. The point of all this? Not one of those
    > 1300 commands is part of Linux. Nearly all are free versions that mimic
    > the commands originally created by Bell Labs when they created UNIX 35+
    > years ago. More commands came from the various universities - but are
    > still not part of any single O/S.
    >
    >>> most Linux distributors release patches and errata immediately, instead
    >>> of waiting to release one massive "Urgent Security Update" each month
    >>> that contain an unknown number of patches

    >
    >>Again my issue is with flaws/exploits/etc and not how quickly they are
    >>patched.

    >
    > My response was "many" patches - there were some 300 errata over the life
    > of Red Hat 9 for example - compared to a blob that contains an unknown
    > number of patches.
    >
    >>Believe what you will. I just think if Linux was the main game in town it
    >>would be targeted much more than it is now and we'd be seeing even more
    >>serious indications of failures.

    >
    > Most of the servers you use on the net are not windoze - they are one or
    > another of the *nix. The routers? Surely you don't think that stuff
    > would be running windoze. Why are the crackers going after windoze?
    > They like easy targets that often have big payoffs.
    >
    >>It is my perspective that as long as a cracker is looking, someone is
    >>gonna find something to exploit whether it be MS or Linux or even Cisco
    >>IOS. lol

    >
    > Well, hopefully, you have learned to use a "user account" in Linux, rather
    > than 'root'. If so, you've already prevented about 3/4 of the possible
    > cracks. Why? You don't have permission to do anything to the system. You
    > don't need it, except for system maintenance, and a lot of that has been
    > automated for you. You notice that ALL of the browsers available outside
    > of windoze don't assume you have the intelligence of a rock, and don't
    > try to auto-install, auto-open, auto-infect your system. Honestly,
    > another major reason we don't have the virus/trojan/worm/spyware problem
    > so prevalent in windoze is that this stuff is harder, and you need people
    > who can actually think. Windoze doesn't need that.
    >
    >>I already am trying distros of Mandrake/Mandriva and Redhat/Fedora. I
    >>have tried Redhat from 7.1 and am now trying FC4. Also have Ubuntu and
    >>Knoppix to try. I just find it hard to make the switch.

    >
    > Understandable. This stuff _is_ different.
    >
    >>Just seems so hard to load anything outside of a web update for me.

    >
    > That's semi-intentional, and an artifact about the origins of the
    > operating system. *nix was maintained by the IT staff, the people who
    > had training and experience. When I started with UNIX many years ago, I
    > went six months without knowing who the 'root' was. It was about 18
    > months before I got the rough equivalent of a sudo account, that allowed
    > me to shutdown the systems, mount/umount (not a typo) hard disks and
    > tapes. It was 6 months MORE before I got a root account - call it two
    > years after I started. Even so, I was absolutely terrified that I was
    > going to fumble finger something, and have the system come crashing
    > down about my ears, and have several hundred users after my head. Today,
    > root is the first account you got.
    >
    >>Just need to spend more time with it. Thanks for the links though.

    >
    > Installing software is fairly easy, thanks to the package managers like
    > rpm, YUM, apt-get, dpkg, YAST, and so on. Until you are comfortable, you
    > should limit yourself to packages supplied by your distributor. As you
    > gain experience, you can try packages from other sources (not all are
    > compatible, and that's part of the learning process). And you can really
    > get gutsy, and install stuff from tarballs - that you have to configure
    > the Makefile first (often done automagically), then 'make' (which does
    > the compiling) and 'make install' which installs the executables.
    > Take your time - learn what you are doing, and things will work out fine.
    >
    > Old guy



    ...Again very nicely put. Maybe we should call you Professor Old Guy???

    Im
    Imhotep, Aug 8, 2005
    #17
  18. On Fri, 5 Aug 2005 01:45:26 -0500, in alt.computer.security , "Jbob"
    <> in <> wrote:

    >"Imhotep" <> wrote in message
    >news:nfwIe.51419$...
    >> http://www.vnunet.com/vnunet/news/2140780/windows-2000-wide-open
    >>
    >> Time for Linux/BSD everyone...
    >>
    >> Michael

    >
    >You say that like Linux has no flaws (for a better word). If I'm not
    >mistaken Linux has had more security patches over the last 6 months than MS
    >has. I actually don't see most of this stuff as flaws but more as exploits.
    >Crackers in a dark hole somewhere can crack anything if they hit it enough.
    >Even the precious Linux Kernel.
    >
    >FWIW, I wish I knew Linux better! :) I'm trying though.
    >

    I can't see how the number of security patches tells us anything about
    the security of a system. Tracking the number of known security holes
    fixed over time would tell us something, as would the length of time
    from discovery to getting fixed. The trend line would give us an
    indication of the number of bugs as yet undiscovered or fixed.



    --
    Matt Silberstein


    And now our bodies are oh so close and tight
    It never felt so good, it never felt so right
    And we're glowing like the metal on the edge of a knife
    C'mon! Hold on tight!
    C'mon! Hold on tight!

    Though it's cold and lonely in the deep dark night
    I can see paradise by the dashboard light
    Paradise by the dashboard light

    Jim Steinman
    Matt Silberstein, Aug 16, 2005
    #18
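
The measurements proposed in the post above (holes fixed over time, discovery-to-fix latency, and a trend line), worked through as an added example that is not part of the original thread. The advisory records are constructed sample data and the function names are illustrative.

```python
from datetime import date
from statistics import median

# Constructed sample records (not real advisories): (id, discovered, fixed or None).
ADVISORIES = [
    ("EX-001", date(2005, 1, 10), date(2005, 1, 14)),
    ("EX-002", date(2005, 1, 20), date(2005, 3, 1)),
    ("EX-003", date(2005, 2, 2), date(2005, 2, 5)),
    ("EX-004", date(2005, 3, 15), date(2005, 3, 16)),
    ("EX-005", date(2005, 4, 1), None),  # known but still unfixed
    ("EX-006", date(2005, 4, 20), date(2005, 4, 22)),
]

def days_to_fix(records):
    """Discovery-to-fix latency in days for every fixed record, in list order."""
    return [(fixed - found).days for _, found, fixed in records if fixed]

def open_on(records, day):
    """Number of holes discovered on or before `day` and not yet fixed on it."""
    return sum(1 for _, found, fixed in records
               if found <= day and (fixed is None or fixed > day))

def fixed_per_month(records):
    """Count of holes fixed in each (year, month), sorted by month."""
    counts = {}
    for _, _, fixed in records:
        if fixed:
            key = (fixed.year, fixed.month)
            counts[key] = counts.get(key, 0) + 1
    return dict(sorted(counts.items()))

def trend_slope(values):
    """Least-squares slope of values against their index (0, 1, 2, ...)."""
    n = len(values)
    mean_x = (n - 1) / 2
    mean_y = sum(values) / n
    num = sum((x - mean_x) * (y - mean_y) for x, y in enumerate(values))
    den = sum((x - mean_x) ** 2 for x in range(n))
    return num / den

if __name__ == "__main__":
    latencies = days_to_fix(ADVISORIES)
    print("patch count:", len(latencies))
    print("median days to fix:", median(latencies))
    print("open on 2005-02-15:", open_on(ADVISORIES, date(2005, 2, 15)))
    print("fixed per month:", fixed_per_month(ADVISORIES))
    print("latency trend (days per advisory):", round(trend_slope(latencies), 2))
```

The raw patch count here is 5, yet it hides both the one hole that stayed open for 40 days and the one that is still unfixed; the latency and open-count figures expose them.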
  19. On Thu, 04 Aug 2005 22:01:55 GMT, in alt.computer.security , Imhotep
    <> in
    <nfwIe.51419$> wrote:

    >http://www.vnunet.com/vnunet/news/2140780/windows-2000-wide-open
    >
    >Time for Linux/BSD everyone...
    >

    Is this flaw the one exploited by the current worm in the news?

    http://www.cnn.com/2005/TECH/internet/08/16/computer.worm/index.html



    --
    Matt Silberstein
    Matt Silberstein, Aug 16, 2005
    #19
  20. Imhotep

    Imhotep Guest

    Imhotep, Aug 17, 2005
    #20