On Fri, 6 Jul 2001, Rich C wrote:
> OK, nit noted: I should have said "stock" Windows 9x machines are not
> capable of this.

  "stock" Win9X machines are not capable of propagating email viruses, either.
They need to be compromised first.  My point was that it is trivially easy to
compromise a Win9X machine.  Once the system is compromised, the attacker can
do anything he or she wants.

> Win 2k DOES have a raw sockets API.

  I'm confused.  I thought Steve Gibson was up in arms because WinXP included
a raw sockets API for the first time.  Is he wrong, or am I?

> If it were truly trivial, I would think it would be done more.

  You're not a malicious hacker.  Neither am I.  I do not know what might
motivate such a person; all I can do is suppose.  I can only guess that right
now, such people (I use the term advisedly) find it more fun to go after
unsecured Linux systems, because the tools are already present.

> The point is that this capability will be present BY DEFAULT on Windows XP
> machines.

  Any computer capable of performing useful tasks on a network (by default or
otherwise) is capable of performing malicious tasks.  Getting upset over one
specific instance is silly.

  Steve Gibson actually comes close when he talks about accountability and
awareness:  What needs to be done is people need to be made aware of the
security issues inherent in any public network, they need to be made aware
that *everyone* needs to worry, and they need to be held accountable for doing
so.

> If someone INTENTIONALLY installs a raw sockets capability ...

  How many people "intentionally" install a virus?

> This doesn't stop trojans from being developed or deployed for Windows
> machines.  This doesn't stop vulnerabilities from being found in email
> programs to allow these programs to spread.

  Which is it?  Either the lack of a tool hinders attack, or it does not.  On
one hand, you are saying the addition of a raw sockets API will make attacks
more common.  On the other, you are saying the lack of tools doesn't stop
trojans from being developed.  You can't have it both ways.

> Linux systems are not the best systems for DDOS attacks because there is
> not a high enough population of them yet.

  DDoS attacks do not need packet spoofing to succeed.  Indeed, spoofed
packets make a DDoS attack easier to detect.  The reason DDoS attacks are so
hard to stop is that all the zombies are nominally legitimate machines sending
nominally legitimate requests.

  A more traditional packet-flood DoS from a single host benefits from
spoofing the source address, since the victim cannot as easily trace the
packets to their source.

> Further, there is not a high enough population of machines owned by the
> ignorant.

  This I disagree with.  Linux has become easy enough to install and configure
that "even an idiot can do it".  A significant fraction of total Linux systems
were stock Red Hat systems that got nailed by Ramen, Lion, and friends.  All
of those compromises could have been stopped if people simply kept their
updates current.

> As Linux use increases, malicious hackers will be the downfall of Linux,
> IF we don't get our collective act together with regard to security.

  I think you can replace "Linux" with "network" and still have a true
statement there.  I personally believe the apathy about security is the
biggest threat facing information systems today.

> Unless we can demonstrate that open source improves security, no one will
> use it.

  You cannot demonstrate the security of an open source cardboard box.
Unless people start taking security *as a whole* seriously, the security of
Linux is a moot point.

>> Anti-virus protection is a multi-million dollar market segment. Millions
>> and millions of dollars spent every year just because Microsoft can't
>> design a secure OS.
>
> It's not that they can't, it's that they don't hold it as a priority.

  Fair enough.  Unable or unwilling; the end result is the same.

>> Outlook-enabled email viruses can and still do bring corporate email
>> systems to their knees in minutes, and clog outside systems for hours or
>> days.
>>
>> What has changed?
>
> With XP, and Linux too for that matter (as with all OSes that can spoof
> source IPs) the compromised systems won't be detectable.

  Excuse me?  If the system is compromised, the attacker can do anything he
wants to subvert your system.  Given the mess your average \WINDOWS\SYSTEM\
directory is, I hardly think one file more or less will be noticed.  Assuming
you can even see it in the first place.

> My point was that a dedicated firewall will have fewer vulnerabilities
> than even a properly secured multi-purpose OS, Linux included.

  This is not necessarily true.  If you strip a general-purpose OS like Linux
down to nothing but the kernel, you can secure it as well as any embedded
firewall box.  The embedded box runs software, too.  That software can be
compromised, just like any other software.  It happens often enough.

  The real increased risk comes when you start running additional services on
the firewall.  Running services on the same system as the firewall means a
service vulnerability leading to root compromise can further open your network
to attack.  A separate service host means the attacker is limited to what he
can do through the service host.  If the service host is in a DMZ, that might
be very little.

> And such a dedicated firewall makes it easier to "plug all the holes."

  "Easier" is the key point.  Embedded firewalls mainly lower administration
costs; they don't necessarily increase overall security.

-- 
Ben Scott <[EMAIL PROTECTED]>
| The opinions expressed in this message are those of the author and do not |
| necessarily represent the views or policy of any other person, entity or  |
| organization.  All information is provided without warranty of any kind.  |
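The message above argues that spoofed packets are easier to detect than traffic from zombies that are "nominally legitimate machines sending nominally legitimate requests". The standard defensive mechanism behind that claim is source-address validation at a network border (ingress/egress filtering, as described in RFC 2827 / BCP 38): an outbound packet whose source is not one of the site's own addresses, or an inbound packet that claims to come from the site's own prefix, cannot be legitimate and can be dropped and logged. The following is an added illustration, not code from the thread or its authors; the site prefix `192.0.2.0/24`, the packet records and the function names are constructed for the example.

```python
import ipaddress

# Assumed site prefix for the example (a documentation range, not a real site).
SITE_NET = ipaddress.ip_network("192.0.2.0/24")

# Constructed packet records as a border device would see them:
# (direction relative to the site, source address, destination address).
SAMPLE_PACKETS = [
    ("out", "192.0.2.10", "198.51.100.5"),    # normal outbound traffic
    ("out", "192.0.2.11", "198.51.100.5"),
    ("out", "10.1.1.1", "198.51.100.5"),      # source is not ours: spoofed
    ("out", "203.0.113.77", "198.51.100.5"),  # source is not ours: spoofed
    ("in", "203.0.113.9", "192.0.2.10"),      # normal inbound traffic
    ("in", "192.0.2.250", "192.0.2.10"),      # outside packet claiming our prefix
]


def check_packet(direction, src, site_net=SITE_NET):
    """Return None if the packet passes, or a string naming the rule it violates.

    Egress rule: packets leaving the site must carry a source address inside
    the site prefix.  Ingress rule: packets arriving from outside must not
    claim a source address inside the site prefix.  Either violation means the
    source field was forged, which is exactly what makes such floods traceable
    and filterable, unlike requests from compromised but correctly addressed
    hosts.
    """
    inside = ipaddress.ip_address(src) in site_net
    if direction == "out" and not inside:
        return "egress: source address not in site prefix"
    if direction == "in" and inside:
        return "ingress: outside packet claims site prefix"
    return None


def filter_packets(packets, site_net=SITE_NET):
    """Split packets into those that pass and those dropped (with the reason)."""
    passed, dropped = [], []
    for direction, src, dst in packets:
        reason = check_packet(direction, src, site_net)
        if reason is None:
            passed.append((direction, src, dst))
        else:
            dropped.append((direction, src, dst, reason))
    return passed, dropped


if __name__ == "__main__":
    ok, bad = filter_packets(SAMPLE_PACKETS)
    for record in bad:
        print("DROP", record)
    print(f"{len(ok)} passed, {len(bad)} dropped")
```

Note what this filter cannot do: a flood of genuine requests from compromised hosts using their real addresses passes every rule here, which is the point the message makes about why DDoS from zombies is hard to stop at the victim.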

