
Re: Anyone else notice that Swen is slowing down?

on Wed, Oct 01, 2003 at 07:43:51PM -0400, Dan Anderson (dan@mathjunkies.com) wrote:
> > Please share this knowledge.  What executables are you aware of
> > affecting non-Microsoft systems which are in general circulation and
> > which auto-execute on receipt by arbitrary systems in stock
> > configuration?
> > 
> Although I would agree that most flavors of *nix are much less prone to
> exploits then Windoze, I would like to point out that security loopholes
> for Linux programs do exist and anyone stupid enough to leave a
> configuration as is out of the box could have a problem.

Few if any of these are self-propagating.  Code Red is one of the few
widely spread exploits in recent memory affecting GNU/Linux systems, and
it was specific to Apache.

While I agree that there is a _theoretical_ vulnerability of 'Nix
systems to self-propagating worms à la Microsoft, the current
vulnerability is nil, and the likely future vulnerability is very, very,
very low.

The reasons are well summarized in the recently released CyberInsecurity
white paper:

    Tight integration, whether of applications with operating systems or
    just applications with each other, violates the core teaching of
    software engineering, namely that loosely-coupled interfaces make
    maintenance easier and life-cycle costs lower.  Academic and
    commercial studies supporting this principle are numerous and
    long-standing.  Microsoft well knows this; Microsoft was an early
    and aggressive promoter of modular programming practices within its
    own development efforts.  What it does, however, is to expressly
    curtail modular programming and loose-coupling in the interfaces it
    offers to others.  For whatever reason, Microsoft has put aside its
    otherwise good practices wherever doing so makes individual modules
    hard to replace.  This explains the rancor over Prof. Ed Felten's
    Internet Explorer removal gadget just as it explains Microsoft's
    recent decision to embed the IE browser so far into their operating
    system that they are dropping support for IE on the Macintosh
    platform.  Integration of this sort is about lock-ins through
    integration too tight to easily reverse buttressed by network
    effects that effectively discourage even trying to resist.

    "CyberInsecurity:  The Cost of Monopoly", Dan Geer, Rebecca Bace,
    Peter Gutmann, et al., p 13.

> That said, when they announced the OpenSSH exploits (or was it OpenSSL)
> I never heard of anything coming of it.  Perhaps because the *nix
> community is generally smart enough to subscribe to security
> announcement lists and never get hit. 

Both OpenSSH and OpenSSL have had vulnerabilities in the past year.

There are several factors at play.

  - Atomicity of updates for GNU/Linux systems.  It's possible to
    install/update just the single vulnerable system, contrasted with
    the competition, which ties updates into "service pack" bundles, and
    even confounds its more disaggregated updates.

  - Modular systems.  Neither OpenSSH nor OpenSSL are required systems
    for a GNU/Linux box.  Standalone desktops need have neither.
    OpenSSH can be installed without services enabled.  This reduces the
    scope of vulnerable systems, and makes exploit propagation a slower
  - Licensing uniformity. It's _very_ seldom that an update changes
    licensing terms (Python and Perl come to mind), and less often that
    the changes have significance to the end user.  Distributions such
    as Debian with its DFSG and Red Hat with its less formalized, but
    still significant, focus on free software solutions, assure users
    that terms will continue to be OSI or DFSG compliant.  Of course,
    the GNU GPL does more than that.

  - Live updates.  Distros such as Debian allow for package or even
    major updates to occur without requiring a system boot (or even
    dropping to single-user).  This makes update-application windows
    broader -- there are few situations in which it's not feasible to
    update a GNU/Linux system.  Legacy MS Windows, by contrast, almost
    always needs one or more reboots.

  - Secure / sane by default.  While this isn't true in all cases, it's
    becoming more so over time.  'Nix systems are designed for a hostile
    environment, and are getting more so all the time.  Recent RH builds
    offer very few external services.

All of these contribute to a security profile for 'Nix systems that far
exceeds that of Microsoft.  While raw counts of exploits might produce
comparable or even higher numbers of vulnerabilities (after all, Debian
now comprises over 13,500 packages, more than there are *files* in a
stock Microsoft rollout), the total effective vulnerability is still

> Although the GNU site was hacked a couple months ago so I guess
> nobody's immune.

Via a local root exploit.  In other words:  a user with access
privileges hacked the system.  Insider jobs will always be a leading
cause of system compromise, particularly targeted compromises as in the
case of the GNU Project.


Karsten M. Self <kmself@ix.netcom.com>        http://kmself.home.netcom.com/
 What Part of "Gestalt" don't you understand?
   What doesn't kill you makes you stranger.
     -- Karsten M. Self, misreading as usual, San Marcos Pass Rd., 1988
