John E. Perry wrote:
> Joachim Schrod wrote:
>> ...
>> Let me propose another hilarious 5-step process:
>> 1. Read the LWN.net security page.
> OK, so I did.
>> 2. Detect how many exploits are based on data files, and not
>> on executables. just last week: ...
> Not a single exploit listed. Many vulnerabilities, almost all qualified
> as "user-assisted" or "local".

I wrote that they are local. That's what step 4 was for. User
assisted is not relevant here, when these are exploits that are
triggered by looking at images, or videos, or ads on web pages (the
flash plugin exploit), or PDF files that are fetched from the
Internet. Please note that exploits exist for most of these
vulnerabilities, as described in the CVEs. Also, please note that
exploits for similar vulnerabilities in the Windows world are
actively used. Black hats don't attack Linux desktops on a large
scale because they try to create large botnets with leveraged
(distributed) C&C control, and there are not enough Linux desktops
out there to make them a worthwhile target.
If Linux systems are really attacked, it is currently for specific
targeting. But that's a matter of interest on the black hat's side,
not a matter of missing vulnerabilities with existing exploits in
deployed systems. When we do security and penetration tests at our
customers, we can take over Linux boxes with 90% confidentiality.
In 50% of the cases, something as simple as running metasploit is
sufficient.
But, as you can read from the other answers to my post, these
results are obviously dreamed by me and my customers pay for
nothing, because "every linux/unix/*ix box on the planet is not
owned by hackers and spammers while so many possible exploits
exist", as Ken Jennings put it so succinctly. No, no, no. "Every
... is not owned" -- guys, now I've got it: There are *NO* owned
Linux boxes out there, none at all. You read it here, so it's true.
I should close down the part of my company that's testing and
securing linux/unix systems for my customers; it's not necessary.
Well, by public acclamation, I seem to be wrong, and rest my case.
Joachim
--
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Joachim Schrod Email: [EMAIL PROTECTED]
Roedermark, Germany