Larry Osterman's WebLog

Confessions of an Old Fogey

Somehow I don't think I'm going to see this story on slashdot any time soon :)

Michael Howard sent the following news article to one of our internal DL's this morning.  For some reason, I don't think it's going to hit the front page of Slashdot any time soon:

Serving as the latest reminder of that fact is Antioch University in Yellow Springs, Ohio, which recently disclosed that Social Security numbers and other personal data belonging to more than 60,000 students, former students and employees may have been compromised by multiple intrusions into its main ERP server.

The break-ins were discovered Feb. 13 and involved a Sun Solaris server that had not been patched against a previously disclosed FTP vulnerability, even though a fix was available for the flaw at the time of the breach, university CIO William Marshall said today.

                                                :

"When we went in and did a further investigation, we found that there was an IRC bot installed on the system," Marshall said.

So Antioch's Solaris systems were (a) compromised through an old, already-patched vulnerability, and (b) being used as botnet clients.  Both of which the slashdot crowd claims only happen on "Windoze" machines.

At what point do people pull their heads out of the sand and realize that computer security and patching discipline are an industry-wide issue and not a single-platform issue?  Even after the Pwn2Own contest last month was won by a researcher who exploited a Flash vulnerability, the vast majority of the people commenting on the ZDNet article claimed that the issue was somehow "Windows only".  Ubuntu even published a blog post claiming that they "won" (IMHO they didn't, because Shane has said that the only reason he chose not to attack the Ubuntu machine was that he was more familiar with Windows).  The reality is that nobody "wins" these contests (except maybe the security researcher who gets a shiny new computer at the end).  It's just a matter of time before the machine gets 0wned.

Ignoring stories like this makes people believe that security issues are somehow isolated to a single platform, and that in turn leaves them vulnerable to hackers.  It's far better to acknowledge that the IT industry as a whole has a problem with security and ask how to move forward.

 

Edit: Ubunto->Ubuntu (oops :))

  • That's why a "root kit" isn't called a "BUILTIN\ADMINISTRATOR kit" :)

  • "My co-workers who run Windows hate Tuesdays"

    Funny... On my Ubuntu system at home, it downloads new patches every second day (on average). Once a month is a blessing!

  • Isn't it also about scale? If there's a problem in Windows it affects gazillions of people and businesses. If there's a Linux/OSX/Solaris/Whatever problem it doesn't affect as many people or businesses.

    Thus Linux/OSX/Solaris/Whatever currently have Immunity from Bad Press. As their popularity increases, any exploits etc. will have a bigger effect, thus damaging their perceived "goodness".

    Therefore... what? Microsoft had better get their security in order, because if they don't, they will lose market share, possibly even if they're perceived to be "equally secure".

    Oh hang on, that's exactly what they're doing. Someone made a smart decision a few years ago.

    [I am not a fan of "Your computer was rebooted because of an important update." If it reopened the 26 applications I had running I'd be a little happier].

  • "It's my understanding that our forensics folks who have looked at customers machines that got 0wned often found the fix for the vulnerability on the customers machine just waiting for a reboot."

    "The *nix patching mechanism (unlink the old binary, copy in the new binary) is "interesting", but if we adopted that, we'd still have the same problem - you don't actually close the hole in that case, because the vulnerable code is still running on the machine (until all processes on the machine get recycled)."

    What about showing the user a list of tasks that the user will have to close down and restart in order to avoid the need for a reboot?  (A list of tasks such as the applications list in Task Manager, or a list of processes if they don't have visible windows.)

    'That's why a "root kit" isn't called a "BUILTIN\ADMINISTRATOR kit" :)'

    Yeah, it needs to be a NT_AUTHORITY\TRUSTED_INSTALLER kit  ^_^
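    The problem quoted above from Larry (the file on disk is fixed but the old code is still mapped and running) is observable on a *nix box after an unlink-and-copy update. The following is an added example, not code from the post or from Larry: it parses /proc/<pid>/maps and lists executable, file-backed mappings whose backing file has been unlinked, which Linux marks "(deleted)". The sample maps lines are constructed for illustration; the library path and inode numbers in them are made up.

```python
"""Find processes that still execute code from files replaced on disk.

Added example (not from the post or Larry's reply). On Linux, the
unlink-and-copy patch style leaves the old inode alive in every process
that still maps it, and /proc/<pid>/maps marks such mappings "(deleted)".
The sample maps lines below are constructed for illustration.
"""
import os
import re

# address range, perms, offset, device, inode, optional path
MAPS_LINE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+(?P<perms>\S{4})\s+"
    r"\S+\s+\S+\s+(?P<inode>\d+)\s*(?P<path>.*)$"
)
DELETED = " (deleted)"

# Constructed sample: one library replaced under a running process, one
# intact binary, one anonymous mapping, and one memfd (also shows
# "(deleted)" but never was a file on disk).
SAMPLE_MAPS = """\
7f3a1c200000-7f3a1c3b0000 r-xp 00000000 08:01 131 /usr/lib/x86_64-linux-gnu/libssl.so.1.1 (deleted)
7f3a1c3b0000-7f3a1c3c0000 r--p 001b0000 08:01 131 /usr/lib/x86_64-linux-gnu/libssl.so.1.1 (deleted)
7f3a1c400000-7f3a1c500000 r-xp 00000000 08:01 4242 /usr/sbin/vsftpd
7f3a1c600000-7f3a1c601000 rw-p 00000000 00:00 0
7f3a1c700000-7f3a1c710000 r-xp 00000000 00:05 99 /memfd:jit (deleted)
"""


def stale_executable_mappings(lines):
    """Paths of executable, file-backed mappings whose backing file was unlinked."""
    stale = set()
    for line in lines:
        m = MAPS_LINE.match(line.strip())
        if not m:
            continue
        path = m.group("path")
        if "x" not in m.group("perms"):
            continue                      # data pages do not run old code
        if m.group("inode") == "0" or not path.startswith("/"):
            continue                      # anonymous, [vdso], [stack], ...
        if path.startswith("/memfd:"):
            continue                      # never existed on disk
        if path.endswith(DELETED):
            stale.add(path[: -len(DELETED)])
    return sorted(stale)


def scan_running_processes(proc="/proc"):
    """Map pid -> stale executable paths for every readable process on this host."""
    results = {}
    try:
        pids = [p for p in os.listdir(proc) if p.isdigit()]
    except OSError:
        return results                    # not Linux, or /proc unavailable
    for pid in pids:
        try:
            with open(os.path.join(proc, pid, "maps")) as f:
                stale = stale_executable_mappings(f)
        except OSError:
            continue                      # process exited, or not ours to read
        if stale:
            results[int(pid)] = stale
    return results


if __name__ == "__main__":
    print("sample:", stale_executable_mappings(SAMPLE_MAPS.splitlines()))
    for pid, paths in sorted(scan_running_processes().items()):
        print(pid, *paths)
```

    Run as root after a library update, an empty result is the only evidence that the hole is actually closed; any pid listed is still executing the pre-patch code and has to be restarted (or the box rebooted), which is exactly the point Larry makes about the Windows side.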

  • Is it only me who turns his Windows machine on when he's going to use it, and back off when he's done with it? I don't mind rebooting for a patch or fix.

    Maybe people should be using client OS machine (ie XP, Vista) for server work? Rebooting a client Windows machine shouldn't be too much of a problem for anyone.

  • Actually, I've personally seen an improperly configured (they turned off SELinux AND the firewall... wtf......) Fedora server turned into a private RO (an online game) server...

    No matter what OS you use, if the administrator(s) aren't worth their salt, being owned is only a matter of time...

  • Erik: While programmers are NOT exempted from these difficulties when developing on a Unix/Linux kernel, the "safety net" on *nix systems when something goes wrong used to be better than on the Win9X versions. Unless something serious happens at kernel level, you're not able to bring down the whole system with a single badly written user mode program.

    This has been greatly improved in WinXP and improved more in Vista, but I'm afraid that those ******* are unable to see the present and the future, just like those ******* who still claim you have to compile the packages one by one yourself in order to run a Linux system... better just ignore them.

  • SteveG: Vista actually has an API to deal with the 26 apps that were open, it's called the restart manager - if an app crashes that's registered with the restart manager, it will restart it (and it'll restart after a patch reboot, I believe).

    Norman, for many patches the list of things that need to be restarted is every process on the system.  This is especially true for system components.  But the system is getting better at analyzing what needs to be restarted - that's a part of the reason Vista has fewer reboots.

    Drak, it's just you :).  

    To be fair: I'm just as annoyed at the mandatory patch reboots as everyone who's commented.  I wish that they didn't happen (because they DO kill productivity).  I just deal with them as a once-a-month necessary evil.  And I recognise that Vista's patches have typically involved fewer reboots than previous OSes.  But it's not perfect.

  • Exactly which CVE was purportedly exploited?

    In my quick review I could only find CVE-2003-1075 which is a DoS - not ownership!

    Perhaps the dudes running this uni are the risk?  FCS who runs an ftp daemon on a high security/privacy system - period!

  • After an update, when I get the "Your system needs to be rebooted" message, I open the Services administrator tool and stop the "Automatic Update" service.

    The messages go away.  Next time I restart my computer the Automatic Update service starts up again and everything's back to how it was without the reboot your computer message popping up every 5 minutes.

  • This is a great argument for IBM's AIX, which (IIRC) can apply updates and even install an entirely new kernel without any downtime.

  • Slashdot crowd = People who speak loudly but know little.

  • What about hot patchability? I read about it on another msdn blog and thought Microsoft would use that so that it was possible to patch things without a reboot. Then again maybe there's some limit on it.

    This post, http://blogs.msdn.com/freik/archive/2006/03/07/x64-Hotpatchability.aspx, seems to say that only 30% of the x86 kernel is hot patchable.

    But from what he says it sounds like a function is hot patchable if it starts with a two byte instruction (which can be overwritten with jmp $-6) and has six bytes of padding afterwards (which can be overwritten with jmp NewFunc). But it seems like you could make the compiler guarantee that. So you build the kernel with the new compiler and then send it out as an update, which would require a reboot. But after that, no more reboots.
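    The two-write sequence described in the comment above (a long jmp into the padding, then the 2-byte entry instruction overwritten with a short jmp back to it) can be worked through at the byte level. The following is an added example, not code from the post, the comment, or the linked MSDN article. The layout it assumes is a simplification chosen to make the offset arithmetic concrete and is not the exact Windows convention: a 6-byte free region immediately before each function, a 2-byte `mov edi, edi` at the entry, a 5-byte `E9 rel32` in the pad and a 2-byte `EB rel8` at the entry. The toy image, function offsets and placeholder bodies are constructed.

```python
"""Byte-level model of the two-write hot-patch sequence described in the comment.

Added example, not from the post or the linked MSDN article. The layout is
an assumption chosen to make the arithmetic concrete, not the exact
Windows convention:
  * PAD bytes of free space (int3 or nop) immediately BEFORE each function,
  * a 2-byte first instruction at the entry, modelled as `mov edi, edi` (8B FF),
  * step 1 writes a 5-byte near jmp (E9 rel32) into the pad; no thread
    executes the pad yet, so that write need not be atomic,
  * step 2 replaces the entry instruction with a 2-byte short jmp (EB rel8)
    back into the pad in one aligned 2-byte store, which is why the first
    instruction has to be exactly 2 bytes.
A tiny stepper then follows the jumps to confirm control lands on the new function.
"""
import struct

PAD = 6
ENTRY = b"\x8b\xff"            # mov edi, edi: a 2-byte no-op
FREE = (0xCC, 0x90)            # int3 / nop bytes allowed in the pad


def near_jmp(at, target):
    """E9 rel32, with rel32 measured from the end of this 5-byte instruction."""
    return b"\xe9" + struct.pack("<i", target - (at + 5))


def short_jmp(at, target):
    """EB rel8, with rel8 measured from the end of this 2-byte instruction."""
    rel = target - (at + 2)
    if not -128 <= rel <= 127:
        raise ValueError("short jmp cannot reach %#x from %#x" % (target, at))
    return b"\xeb" + struct.pack("<b", rel)


def is_hotpatchable(image, func):
    """The entry must be the 2-byte instruction and the pad must still be free."""
    return (func >= PAD
            and bytes(image[func:func + 2]) == ENTRY
            and all(b in FREE for b in image[func - PAD:func]))


def hotpatch(image, func, new_func):
    """Return a copy of image with control entering func redirected to new_func."""
    img = bytearray(image)
    if not is_hotpatchable(img, func):
        raise ValueError("function at %#x is not hot-patchable" % func)
    pad = func - PAD
    img[pad:pad + 5] = near_jmp(pad, new_func)   # step 1: nobody runs the pad yet
    img[func:func + 2] = short_jmp(func, pad)    # step 2: the single atomic write
    return bytes(img)


def follow_jumps(image, ip, limit=8):
    """Follow E9/EB jumps starting at ip; return the first address that is not a jump."""
    for _ in range(limit):
        op = image[ip]
        if op == 0xE9:
            ip = ip + 5 + struct.unpack("<i", image[ip + 1:ip + 5])[0]
        elif op == 0xEB:
            ip = ip + 2 + struct.unpack("<b", image[ip + 1:ip + 2])[0]
        else:
            return ip
    raise RuntimeError("jump chain too long")


OLD_FUNC, NEW_FUNC = 16, 40     # constructed offsets inside a 64-byte toy image


def build_image():
    """A toy code image: two hot-patchable functions surrounded by int3 padding."""
    img = bytearray(b"\xcc" * 64)
    for func in (OLD_FUNC, NEW_FUNC):
        img[func:func + 2] = ENTRY
        img[func + 2:func + 4] = b"\x33\xc0"    # xor eax, eax (placeholder body)
        img[func + 4] = 0xC3                    # ret
    return bytes(img)


if __name__ == "__main__":
    image = build_image()
    patched = hotpatch(image, OLD_FUNC, NEW_FUNC)
    print("before: entry %#x runs code at %#x" % (OLD_FUNC, follow_jumps(image, OLD_FUNC)))
    print("after:  entry %#x runs code at %#x" % (OLD_FUNC, follow_jumps(patched, OLD_FUNC)))
```

    The ordering is the whole trick: the pad is written first while it is still unreachable, and the only store that a running thread can race against is the 2-byte one at the entry, which the CPU performs atomically. Once a function's pad has been consumed it is no longer hot-patchable by this scheme, which is one reason a replacement function needs a pad of its own.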

  • Steve Yegge reminds us in this talk that it takes a full generation to change your branding:

    http://blip.tv/file/319044/

    My generation of computer experts (I'm in my mid-20's) formed its opinions of Microsoft based on Windows 95 and 98.  We have helped many friends and family members clean up virus and adware infested computers and we learned to measure uptime in hours, not days or months.  We tried Linux and FreeBSD and we didn't have stability or security problems.  These experiences have left lasting impressions and it will take a lot of time and counter-examples to change our minds.  These kinds of sour grapes posts only go to reinforce our impression that Microsoft employees are defensive and insecure about it (no pun intended).

  • @Norman: The only problem I see with showing the user about programs that need to be restarted: what if it's a core part of the OS? It's not like you can just stop and start the kernel... though I'd hate to see the logic that tries to identify who's running what.

    @SteveG & Larry: The problem with the restart manager is that the program needs to register for it and support it in the first place, and people programming for that seem to be quite few. I have yet to actually see a program support it.

    @Drak: I don't shutdown and startup every day, but I do put my machine into hibernation and turn everything else off while I'm off of work. I try to do what little I can to save energy.
