Larry Osterman's WebLog

Confessions of an Old Fogey

Somehow I don't think I'm going to see this story on slashdot any time soon :)


Michael Howard sent the following news article to one of our internal DL's this morning.  For some reason, I don't think it's going to hit the front page of Slashdot any time soon:

Serving as the latest reminder of that fact is Antioch University in Yellow Springs, Ohio, which recently disclosed that Social Security numbers and other personal data belonging to more than 60,000 students, former students and employees may have been compromised by multiple intrusions into its main ERP server.

The break-ins were discovered Feb. 13 and involved a Sun Solaris server that had not been patched against a previously disclosed FTP vulnerability, even though a fix was available for the flaw at the time of the breach, university CIO William Marshall said today.

                                                :

"When we went in and did a further investigation, we found that there was an IRC bot installed on the system," Marshall said.

So Antioch's Solaris systems were (a) compromised by an old vulnerability, and (b) being used as botnet clients.  Both are things the Slashdot crowd claims only happen on "Windoze" machines.

At what point do people pull their heads out of the sand and realize that computer security and patching disciplines are an industry-wide issue and not just a single platform issue?  Even after the Pwn2Own contest last month was won by a researcher who exploited a Flash vulnerability, the vast majority of the people commenting on the ZDNet article claimed that the issue was somehow "windows only".  Ubuntu even published a blog post that claimed that they "won" (IMHO they didn't, because Shane has said that the only reason he chose not to attack the Ubuntu machine was that he was more familiar with Windows).  The reality is that nobody "wins" these contests (except maybe the security researcher who gets a shiny new computer at the end).  It's just a matter of time before the machine will get 0wned.

Ignoring stories like this makes people believe that somehow security issues are isolated to a single platform, and that in turn leaves them vulnerable to hackers.  It's far better to acknowledge that the IT industry as a whole has an issue with security and ask how to move forwards.

 

Edit: Ubunto->Ubuntu (oops :))

  • "At what point do people pull their heads out of the sand and realize..."

    Eh, for someone to pull his head out of sand he first needs to have a head. That may prove to be a problem for some people :).

  • Totally agree, and about time somebody said it.

  • Also, don't forget the $ in "Micro$soft".

    I think that most Slashdot readers are reasonable people; it's just that the prepubescent mouth-breathers make the most noise.

  • But it's not just /. -- it's also the non-/.-reading public, the mainstream media, and such.

    I often point out to people that the reason we hear about people taking advantage of Windows vulnerabilities is that the vast majority of people use Windows -- so it's the most sensible target.  If 90% of the world used Linux or Mac systems, most of the attacks would be aimed at Linux, or at Mac systems, and it's guaranteed that they'd find things to exploit there too.

    But when I point that out, everyone seems to glaze over around the word "vulnerabilities".

  • You might want to at least spell "Ubuntu" correctly so there's one fewer thing to pick on.

  • Correction: it's Ubuntu, not Ubunto...

  • Perhaps if you all stopped worrying about what people on Slashdot think and did some actual security work, maybe people wouldn't have the perceptions they do.

    My co-workers who run Windows hate Tuesdays, because it means they most likely have to reboot their system due to security flaws.  As long as that still happens, you still have a problem.  It doesn't matter if "everyone else is doing it too".  You guys have the billions of dollars to throw around, we expect more from you.

  • @vince: If there is anything you should know about programming, it is that there will never be a 100% unexploitable, completely secure piece of software.

    It just isn't possible. Frankly, I've been quite happy with the slightly fewer reboots required for patching Vista.

    -----

    Now, unfortunately, you know everyone is going to turn a blind eye to this... nobody cares about exploits on other systems other than Windows. It just isn't "cool".

    Even at my work I feel like I'm the only one supporting Microsoft anymore, even though 80% of our network is running Windows and authenticates against Active Directory.

  • Well said.

    Secure programming is a difficult task.  The Slashdot crowd seems predisposed to believe programmers are exempted from these difficulties when developing on a Unix/Linux kernel, which is absurd.  It's the mental task that's difficult, not the platform.

    If they wish to argue whether the general user's familiarity with Windows outweighs the security risks due to hackers' preference to target the dominant platform, or whether the fact that Linux/Unix is less frequently attacked by hackers outweighs the platforms' obscurity- fine, that's a valid discussion.

    Unfortunately the Slashdot crowd often falls back on ideological claims about the impenetrable security of Linux/Unix as if the open source development community is exempt from the challenges of secure programming and the choice is between total security and insecurity.  I don't buy their argument that proprietary development is the cause of security bugs.  The mental difficulties of programming are the cause - not whether the development is open or not.  And the relative popularity of the software/platform is the determining factor in the number of hacker attacks, and therefore, the number of security issues found.

  • Barry, I wish I disagreed with you.  And I've got to say that Apple's ad campaigns haven't helped.  

    At least their engineers seem to have figured it out - the most recent security fixes to QuickTime opt into a bunch of the security mitigations we have in Windows - DEP, ASLR and /GS.  It's a sign that they're starting to understand that they're also not immune to security issues.  Now if their marketing people would just figure it out :).

  • I agree that there aren't that many Unix viruses. More common in Unix are hackers that do targeted attacks against particular systems.

  • "a Sun Solaris server that had not been patched against a previously disclosed FTP vulnerability, even though a fix was available for the flaw at the time of the breach"

    So this particular breach wasn't even due to a former flaw in a proprietary system, it was due to administrators neglecting to install an existing patch.

    Open source developers might get patches out 100 times faster than proprietary vendors, but their users can get hacked just as fast when administrators are equally negligent in installing patches.

    By the way around 5 years ago I read about some company getting infected by Slammer because administrators in that company had neglected to install existing patches.  So it doesn't matter whether the source code is open to the world, closed to the world, or available only to that company's self, if the company's system administrators neglect to install their own patches.

  • It's not Linux vs. Windows. Even for most of the /. readers.

    It has always been closed vs. open source products.

    You misinterpret the results from the Pwn2Own contest and Shane's words. Even if the guy had "attacked" Ubuntu - the attack vector was again a buggy closed source application that was not patched on time.

    Cheers

  • Sunny:  Open vs Closed source doesn't matter.  It's been shown time and time again that the number of vulnerabilities in closed source applications is essentially identical to the number of vulnerabilities in open source applications.

    What matters is deploying a security focused development methodology like the SDL (something that the FreeBSD folks absolutely get).  The SDL has been directly responsible for the unquestionable reduction in vulnerabilities in MSFT code.  I don't see any indications that open source vendors other than FreeBSD have applied any sort of security focused development methodology (if so, where are their threat models?).

    And please don't trot out the "many eyes make shallow bugs" line, that particular argument was thoroughly debunked many years ago.

  • Btw, Vince: patching is *hard*.  Essentially you're torn between two poles: Users hate rebooting, so reboots are bad.  On the other hand, users also hate security vulnerabilities, and there is ample evidence that users would go for months at a time without rebooting after the patches were downloaded and ready to be installed on their machines.  It's my understanding that our forensics folks who have looked at customers' machines that got 0wned often found the fix for the vulnerability on the customer's machine just waiting for a reboot.

    The reality is that there is no good strategy.  Every release of Windows, we've gotten better at deploying patches that don't require a reboot, in fact, the same analysis that led to the minwin effort also helps to drive our patching effort; Vista is vastly better than previous OS's.

    The *nix patching mechanism (unlink the old binary, copy in the new binary) is "interesting", but if we adopted that, we'd still have the same problem - you don't actually close the hole in that case, because the vulnerable code is still running on the machine (until all processes on the machine get recycled).

    I don't think anyone "likes" patch tuesday.  But it's better than the alternative - at least patch Tuesday is predictable.
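The point made in the comment above about the *nix mechanism, that replaced binaries keep running until their processes are recycled, can be checked on a Linux host: executable mappings whose backing file was unlinked appear in /proc/<pid>/maps with a " (deleted)" suffix. The following is an added example, not part of the original post or its comments; it assumes the Linux maps format, and the function names and sample maps text are constructed for illustration.

```python
import os
import re

# One /proc/<pid>/maps line: address perms offset dev inode [pathname]
MAPS_RE = re.compile(
    r"^[0-9a-f]+-[0-9a-f]+\s+(?P<perms>\S{4})\s+[0-9a-f]+\s+\S+\s+\d+\s*(?P<path>.*)$"
)
DELETED = " (deleted)"
# Kernel-generated names that also carry "(deleted)" but are not patched files.
PSEUDO_PREFIXES = ("/memfd:", "/SYSV", "/dev/shm/")

# Constructed sample: a daemon whose binary and libc were replaced on disk.
SAMPLE_MAPS = """\
55d0c2a00000-55d0c2a1c000 r-xp 00000000 08:01 393301 /usr/sbin/ftpd (deleted)
55d0c2c1b000-55d0c2c1d000 rw-p 0001b000 08:01 393301 /usr/sbin/ftpd (deleted)
7f3a10000000-7f3a101b5000 r-xp 00000000 08:01 131090 /lib/x86_64-linux-gnu/libc-2.27.so (deleted)
7f3a10400000-7f3a10426000 r-xp 00000000 08:01 131200 /lib/x86_64-linux-gnu/ld-2.27.so
7f3a10800000-7f3a10801000 rwxp 00000000 00:05 1042 /memfd:jit (deleted)
7ffc5a1e0000-7ffc5a201000 rw-p 00000000 00:00 0 [stack]
"""

def stale_mappings(maps_text):
    """Return sorted paths of executable mappings whose file was unlinked."""
    stale = set()
    for line in maps_text.splitlines():
        m = MAPS_RE.match(line.strip())
        if not m:
            continue
        path, perms = m["path"], m["perms"]
        # Only file-backed, executable mappings hold old (unpatched) code.
        if not path.startswith("/") or path.startswith(PSEUDO_PREFIXES):
            continue
        if "x" in perms and path.endswith(DELETED):
            stale.add(path[: -len(DELETED)])
    return sorted(stale)

def scan_proc(proc_root="/proc"):
    """Map pid -> stale paths for every process readable under proc_root."""
    results = {}
    for entry in os.listdir(proc_root) if os.path.isdir(proc_root) else []:
        if not entry.isdigit():
            continue
        try:
            with open(os.path.join(proc_root, entry, "maps")) as fh:
                stale = stale_mappings(fh.read())
        except OSError:  # process exited, or not permitted to read it
            continue
        if stale:
            results[int(entry)] = stale
    return results

if __name__ == "__main__":
    print(stale_mappings(SAMPLE_MAPS))
```

Any process that `scan_proc()` reports after a patch run is still executing the pre-patch code and needs a restart before the fix is in effect; run it as root to see every process.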
