More tech fails to exorcise security risks

Discussion in 'Computer Security' started by Imhotep, Sep 14, 2005.

  1. Imhotep

    Imhotep Guest

    "Current IT systems are inherently insecure and growing complexity will
    simply increase these risks, a leading academic has warned."

    "Users should rebel and demand vendors compensate them for security
    foul-ups, said pugnacious Professor Klaus Brunnstein of the University of

    Imhotep, Sep 14, 2005

  2. Imhotep

    Unruh Guest

    It has always astonished me how the IT industry has managed to avoid
    having to pay for their incompetence and sloppiness. From the millennium bug
    to all the security holes. No other industry could get away with it.
    Unruh, Sep 15, 2005

  3. Imhotep

    Bit Twister Guest

    Since I had to modify code for y2k, I could understand where the
    coder did not think the code would still be running 15 years later. :(
    That and what was taught to them when they were in college. :)
    I would agree. It is a shame that IT management keeps agreeing
    to the End User Licence on the best damn virus magnet software vendor.
    Bit Twister, Sep 15, 2005
  4. Imhotep

    Notan Guest

    I'm surprised no one made any Exorcist jokes about this one!

    Notan, Sep 15, 2005
  5. Imhotep

    Imhotep Guest

    Imagine a car company making cars with so many flaws. It would be like tires
    falling off while driving down the highway (twice a month). Yet they get away
    with it. Biggest scam going...

    Imhotep, Sep 15, 2005
  6. Imhotep

    Winged Guest

    Imhotep wrote:
    on the best damn virus magnet software vendor.
    It's called job security. There is no such thing as a completely safe
    computer connected to the net irrespective of OS. All OS's can be
    operated reasonably safely including MS.

    THERE ARE NO SAFE OS's! This includes Linux, HPUX, OSX, VMS, OS2 etc.

    The key is configuring the system to meet the use requirement, mitigate
    risk where possible, and detect inappropriate activity when it occurs,
    and shut down communications immediately, if a breach is detected,
    preferably before a data compromise takes place.

    Windows is 90+% of the global computing market. see:

    It is only natural if one is going to hack into a system generically,
    one would spend their effort where one could optimize their efforts.
    Hacking is not easy. If I expend the effort on a target I will look to
    get the most bang for my time. I will want to exploit the most I can
    for the least amount of effort.

    Secunia lists 3449 known viruses and worms for Linux for example see:
    These are against the LINUX base OS. Linux owns about 2.8% (I am being
    generous here) of the global desktop market share and about 28% of the
    global server share.

    There are 11513 known viruses for Windows XP owning 35% of the global
    desktop market. There are several ways to measure the MS server share
    but in reality there are a number of very different OS's that make up
    the MS server share. So for purposes of this article we will compare
    virus vulnerability against the global desktop share. We could use
    other metrics, but the results will be similar.

    The Global Windows XP desktop market share is 12.7 times higher than the
    LINUX desktop share.

    By comparison of installed base Linux is 3.7 times more likely to be
    compromised by viruses. Do you run an anti-virus tool for LINUX? (I use
    McAfee for Linux) Would you know if you had a compromise?

    OK, let's look at the newly discovered vulnerabilities. MS has a
    disadvantage here due to the variety of services bundled in their
    products. But for this we can just look at the most recent CERT
    bulletin to compare:

    I like Linux, I like WinX. I even like IRIX. One must mitigate threats
    in any OS. But one should be very careful making blanket statements as
    to the safety of any OS. Windows is attacked more; it is the majority,
    by anyone's count of the installed base.

    MS followed the wrong rules for setting up OS's until MS server 2003. I
    believe this was a serious lapse in judgment turning all services on
    instead of requiring an explicit open. MS has taken action to no longer
    open all services by default but require explicit opens.

    But to believe you are safe in any OS is one step from compromise.

    Enough said.

    Winged, Sep 15, 2005
  7. Imhotep

    Imhotep Guest

    Or software sales security...

    Sure nothing is totally safe as nothing is perfect. Sure I can agree with
    that. However, if you are replying to me, why the statement? If you think I
    was singling out MS with my analogy of a car losing its tires weekly, it
    was more a statement about software companies. Sadly, it is not just MS
    that is lacking in the software industry, it is most of the industry....

    Well, there is no absolute, sure.
    Again, sure.
    Well you also need to take into account what your purpose is. Is it to hack
    a financial company's database? If so, it is probably not running MS. It
    is probably Solaris w/Oracle, etc, etc. However, if you are looking to
    propagate an email worm, then you would target exchange....
    OK, I have a problem with that statement. Using the link above, I see the
    very first title "Slackware update for util-linux". Looking into this, it
    appears that this is a slackware utility. In other words, this is not linux
    base OS issue but a Slackware issue.

    Second, you state above "Secunia lists 3449 known viruses and worms for
    Linux..." but this is neither a virus nor worm, this was a security flaw in
    a Slackware utility....

    Article #2 -- Is a legit Linux security flaw (not a virus or Worm)

    Article #3 lists as "SGI Advanced Linux Environment Multiple Updates". Doing
    some research it appears that this is SGI add-on software for linux to run
    on their hardware. Read here:

    Furthermore looking into listings for SGI's A.L.E I see:
    CAN-2005-2360 -- Unknown vulnerability in the LDAP dissector in Ethereal
    0.8.5 through 0.10.11 ..."

    CAN-2005-2361 -- Unknown vulnerability in the (1) AgentX dissector, (2) PER ethereal 0.8.19 through 0.10.11"

    CAN-2005-2362 -- Again ethereal

    CAN-2005-2363 -- Again ethereal

    CAN-2005-2364 -- Again ethereal

    Well, I am going to stop here as I think I proved my point. Let's review. I
    looked at the first three listings (total of 7 issues) and only one was a
    legit Linux core security flaw...

    Again, when reviewing or comparing like this, careful scrutiny is needed for
    the data to be truly revealing (this has been my problem with the "Get the
    facts" campaign). For example, Ethereal (total of 5 of the 7 issues I read)
    should never be listed as a Linux issue. After all, not only is ethereal a
    third party application and has nothing to do with Linux but also, I can
    run Ethereal on Windows also! Maybe Macs too???

    Review your data before making that calculation!
    I too like Linux, FreeBSD and also Macs (Our CEO has one and I have played
    with it some, it is pretty cool I must say)....
    They have had many goofs in judgment. Their patch management has also been
    very troublesome...They have held out on informing their users when they
    should not have...and don't even get me started on their marketing/business
    True. I have always said the worst security is when you hear someone say
    something like "Ah, don't worry about it we have a firewall". Like having
    a firewall was some kind of silver bullet....
    Ah, ok. But review your data. Honestly, I am interested in the results...
    Imhotep, Sep 15, 2005
  8. Imhotep

    Imhotep Guest

    Winged wrote:

    I was wondering something. I reviewed your url (read my other post) and out
    of the first 7 listings (again read my other post) only 1 was legitimately
    a Linux security flaw.

    So, you stated that there were 3449 security flaws in linux and 11513 for
    XP. Now I reviewed the first 7, found only one was a legit Linux security
    problem so that is 1/7. If the trend in the listings is in fact 1 out of 7
    legit Linux security flaws that would make the 3449 really about what 500?
    So, Linux has say what 3% desktop market, so 500 security flaws for 3% is
    about 165...

    Windows (in all fairness I did not review the data, I will leave that up to
    you) 11513 security flaws for 35% of the desktop market so that is

    That translates to you are twice as likely to get infected with XP as

    Again, and to be fair, I do not believe in the formula of # security flaws /
    market share. Rather, I like to look at the mean time to fix a security
    flaw. That says a lot about the company. How serious are they to address
    problems? How quick are they to fix it? Do they inform people right away
    and let them know what to look out for? What is the total amount of
    security problems? For what period of time?


    Imhotep, Sep 15, 2005
