shirish शिरीष <shirisha...@gmail.com> writes:

> while it was primarily targeted towards Windows machines, maybe we
> could tailor a response which shows how Debian is more secure and
> possibilities of such infections are low/non-existent.
I don't believe such a statement would be factually correct, so no, we shouldn't make it.

This ransomware used a government-developed exploit that was patched by Microsoft a month before the malware was released (only because someone did the right thing and gave them a private heads-up), and gets a toehold via phishing. There is absolutely nothing about Debian that would prevent exactly the same thing from happening to us; the reason why it doesn't is quite simply because Debian is much less widely used than Windows, and in particular has less penetration into markets that run obsolete operating systems on "cannot patch" systems using older and very insecure protocols. Which is extremely common in the health care industry.

This is not a case where Microsoft did something clearly wrong, or even differently than we would have done, or where free software would have helped significantly. (Maybe if the whole SMB stack were free software this bug would have been discovered sooner, but quite possibly not; the free software world certainly has many security bugs that have gone undiscovered for ten years or more.)

I'm extremely proud of Debian's security team, and we're often quickest to patch among major Linux distributions. Our security team does amazing work. But nothing a distribution or OS vendor can do can help with unpatched systems, or against government-funded adversaries that hoard unreleased zero-day vulnerabilities and exploit tools. Those are very hard problems, and we should not mistake our lack of *incidents* from having a smaller and differently-focused user base for a lack of *vulnerability*. The entire computer industry is vulnerable to attacks like this, and Debian is absolutely not an exception.

-- 
Russ Allbery (r...@debian.org)              <http://www.eyrie.org/~eagle/>