The"Biggest Target" paradigm and its consequence

Erik Funkenbusch · External Since: May 27, 2005 Posts: 2362

On Sun, 01 Oct 2006 21:39:18 +0200, Peter Köhlmann wrote:

> Just note the next sentence:
> "It just makes it more obscure because the techniques to attack it are less
> mature."
>
> Implying, that when attackers get "more mature" techniques, linux would be
> as easy to attack as windows

I'm not implying it. I'm outright saying it.

Sinister Midget · External Since: Jun 17, 2006 Posts: 746

On 2006-10-01, Peter KÃ¶hlmann <peter.koehlmann.RemoveThis@t-online.de> posted something concerning:
> Sinister Midget wrote:
>
>> On 2006-10-01, Erik Funkenbusch <erik.RemoveThis@despam-funkenbusch.com> posted
>> something concerning:
>>
>>> Yes, Windows is easier to compromise, and by definition hackers will take
>>> the easiest route, but that doesn't make Linux immune.
>>
>> Stop right there. Here and now: show where a linux user in COLA
>> said/says linux is immune from attack.
>>
>> And for every one you can show (that should be right around zero, give
>> or take zero) I can show you 1000 where the opposite was said. many of
>> them TO YOU when you made the same specious strawman claims as you did
>> above.
>>
>
> Just note the next sentence:
> "It just makes it more obscure because the techniques to attack it are less
> mature."
>
> Implying, that when attackers get "more mature" techniques, linux would be
> as easy to attack as windows

A false implication, of course. Attackers go after Windows because they
don't *have* to be more mature. If that was a requirement, they'd give
up.

Unfortunately, as long as MS-Crapware is around there will always be an
easy target.

> Erik "FUDdingmuch" Funkenbusch at his finest

--
C:\WINDOWS\RUN C:\WINDOWS\CRASH C:\ME\FDISK

Erik Funkenbusch · External Since: May 27, 2005 Posts: 2362

On Sun, 01 Oct 2006 22:22:58 GMT, Sinister Midget wrote:

>> Implying, that when attackers get "more mature" techniques, linux would be
>> as easy to attack as windows
>
> A false implication, of course. Attackers go after Windows because they
> don't *have* to be more mature. If that was a requirement, they'd give
> up.

No, the attackers don't have to be mature, but the techniqes do. You know
how many man years has gone into the development of techniques to do remote
compromises? It's not something that happens by itself.

Richard Rasker · External Since: Jul 27, 2005 Posts: 170

Op Sun, 01 Oct 2006 13:19:22 -0500, schreef Erik Funkenbusch:

> On Sun, 01 Oct 2006 18:52:03 +0200, Richard Rasker wrote:
>
>> Op Sun, 01 Oct 2006 11:38:03 -0500, schreef Erik Funkenbusch:
>>
>>> On Sun, 01 Oct 2006 10:32:11 +0200, Richard Rasker wrote:
>>>
>>>>> Ahh... the cutting off one's nose to spite the face argument.
>>>>>
>>>>> How pedestrian.
>>>>
>>>> Don't you think that a smaller market share for Microsoft would be a Good
>>>> Thing? By your own logic, it'd be the only solution to current problems.
>>>
>>> No, it's not "by my own logic". It's better to be a target, with the
>>> largest market share than to be safe in obscurity.
>>>
>>>> Or do you propose we just "learn to live" with these problems ...
>>
>> I guess that's a resounding "yes", then.
>
> No, that's a "the entire industry needs to work on a solution that WORKS".
> The current "solution" only works if you're obscure enough to make it too
> much work to create an exploit.

Utter bullshit. Linux and other OSS isn't anywhere near obscure - it's
more transparent and open to anyone's eyes than Microsoft products will
ever be. And no, it's not obscure either in the sense that hardly anyone
has heard from it, or uses it. It's used on a huge scale in networking
applications, for starters. And if anyone wants to know how an OS is
constructed, Linux is the object of dissemination /par excellence/.

> Yes, Windows is easier to compromise, and by definition hackers will take
> the easiest route, but that doesn't make Linux immune.

How often must we repeat this: no-one here says that Linux is immune.

> It just makes it more obscure because the techniques to attack it are
> less mature.

Huh? Could you run that by me once again? No, on second thought, don't
bother. You should get your history right before shooting your mouth off.

The techniques used nowadays to attack Windows have for the most part been
*developed* on Linux, because of its open nature. Rootkits and buffer
overflow exploits were available for Linux long before these mechanisms
became the Windows scourge we know today. Windows attacks by then
consisted mainly of simple syscall redirects any highschool kid could
figure out, infecting executables, or even simpler auto-execute VBA-style
virus scripts.
The problem was that Linux didn't prove to be a good breeding ground for
these means of attack. Vulnerabilities were patched almost as soon as they
were discovered, and the permission system made it quite difficult to get
anything malicious to execute on users' systems.

The only "maturity" you can claim here is the packaging of these attack
mechanisms into handy building blocks, ready for use by any idiot.

For all the rest, all attack mechanisms were developed on Unix and Linux
before they found a really juicy target in Windows. FYI: I translated
several books on Linux/Unix hacking and general computer security
principles, so I think I know what I'm talking about.

> Security is one of those funny things. You can talk about being "more"
> secure, but there's no such thing. A vulnerability is a vulnerability,
> and even one makes you just as insecure as anyone else. Security is a
> binary condition, either you are or you aren't.

Phwooaar! Do you have ANY idea how silly you sound? "Security is a binary
condition"? Hahahaha! Well then, I'd better stop working on this
rehabilitation robot project, for which I'm developing security systems to
keep this 2,000 pound metal contraption from hurting people instead of
helping them heal. And I'd better tell project management first thing
in the morning that they just wasted $8,000 on me, as I can't guarantee
the binary "1" condition of total and absolute security.

There's a whole industry making loads of money assessing the chances of
things going wrong, and minimizing these chances where possible. Security
is all about *statistics*. And statistics both predict and show that Linux
is vastly more secure than Windows.
Binary security ... I guess you believe you have a 50% chance of winning
the lottery jackpot too - either you win, or you don't ...

> 10 years ago, talking about exploiting buffer overflows was laughed at.
> It was too difficult for any but the most advanced guru. Then a few
> tools were produced that made the job ridiculously simple, and suddenly
> buffer overflow exploits were everywhere.

The concept of buffer overflow exploits was developed on Linux/Unix. Once
people figured out how to do it, developing the tools was trivial - for
any architecture you care to mention. It just turned out that the Windows
platform was both an easy and (yes, a point for you) attractive target.

Richard Rasker

--
Linetec Translation and Technology Services

http://www.linetec.nl/

Peter KÃ¶hlmann · External Since: Jun 27, 2005 Posts: 1500

Tim Smith wrote:

> In article <t0h5v3-hqp.ln1.RemoveThis@clark.harry.net>,
> Sinister Midget <phydeaux.RemoveThis@manly_mail.net> wrote:
>> Stop right there. Here and now: show where a linux user in COLA
>> said/says linux is immune from attack.
>
> Explicitly, or is implicitly OK?
>

Explicitly only, as you trolls have a tendency to misrepresent what was
written, even if it is very clear
Especially Erik F has made a hobby out of redefining words

Even then you guys will claim that someone really /meant/ "B" when he
clearly wrote "A"
--
Support bacteria -- it's the only culture some people have!

B Gruff · External Since: Jun 17, 2004 Posts: 1639

On Sunday 01 October 2006 23:22 Sinister Midget wrote:

>> Just note the next sentence:
>> "It just makes it more obscure because the techniques to attack it are
>> less mature."
>>
>> Implying, that when attackers get "more mature" techniques, linux would
>> be as easy to attack as windows
>
> A false implication, of course. Attackers go after Windows because they
> don't have to be more mature. If that was a requirement, they'd give
> up.

Ah - now *that's* an interesting take!
I'm quite used to the argument that linux routers protect Windows, but now
*you* imply that we all owe a debt to Microsoft and its users...... through
being so insecure/daft, they sacrifice themselves on our behalf, just like
the zinc on galvanised steel:-)

Sinister Midget · External Since: Jun 17, 2006 Posts: 746

On 2006-10-01, B Gruff <bbgruff.TakeThisOut@yahoo.co.uk> posted something concerning:
> On Sunday 01 October 2006 23:22 Sinister Midget wrote:
>
>>> Just note the next sentence:
>>> "It just makes it more obscure because the techniques to attack it are
>>> less mature."
>>>
>>> Implying, that when attackers get "more mature" techniques, linux would
>>> be as easy to attack as windows
>>
>> A false implication, of course. Attackers go after Windows because they
>> don't have to be more mature. If that was a requirement, they'd give
>> up.
>
> Ah - now *that's* an interesting take!
> I'm quite used to the argument that linux routers protect Windows, but now
> *you* imply that we all owe a debt to Microsoft and its users...... through
> being so insecure/daft, they sacrifice themselves on our behalf, just like
> the zinc on galvanised steel:-)

Not quite what I meant. I meant that the total number of exploits is
directly proportional to the number of installed Windows boxes. Nearly
any other target requires both too much effort and enough skill to pull
it off. So, while others aren't totally impervious, they're never going
to be attractive targets.

If MS wanted to do us any favors, they'd pull Windows and send out
linux CDs along with an apology for the damage they've done. I
wouldn't even care if they kept all of the moeny they've acquired
through snakeoil sales as long as they stopped selling it.

As proof that they aren't trying to do anyone any favors, they're about
to (like, within the next 10 years, give or take) release another
malware magnet on the world that will only increase the pain for all of
us.

Anyway, if attackers had to have some maturity in their attacks, most
would start their own phishing sites instead of resending the same
malware that's been around for 10 years.

--
Bustoy: Innovative Microsoft peer-to-peer software.

Roy Culley · External Since: Aug 14, 2004 Posts: 647

begin risky.vbs
<4oaua7Fdka89U1.RemoveThis@individual.net>,
B Gruff <bbgruff.RemoveThis@yahoo.co.uk> writes:
> On Sunday 01 October 2006 23:22 Sinister Midget wrote:
>
>>> Just note the next sentence:
>>> "It just makes it more obscure because the techniques to attack it
>>> are less mature."
>>>
>>> Implying, that when attackers get "more mature" techniques, linux
>>> would be as easy to attack as windows
>>
>> A false implication, of course. Attackers go after Windows because
>> they don't have to be more mature. If that was a requirement,
>> they'd give up.
>
> Ah - now *that's* an interesting take!
> I'm quite used to the argument that linux routers protect Windows,
> but now *you* imply that we all owe a debt to Microsoft and its
> users...... through being so insecure/daft, they sacrifice
> themselves on our behalf, just like the zinc on galvanised steel:-)

If only. MS are the cause of the Internet being flooded by spam and
DDOS attacks.

Personally I would welcome the script kiddies / crackers going after
Linux, Solaris, HP-UX, AIX, ...

They won't because they know it is all but futile. If they did then
the bugs would get fixed. The Morris worm woke the world up to
Internet attacks. The world, bar MS, learned from this.

Of course, Erik still says the Morris worm was spread by email. His
FUD never ends but we are all much wiser to it now. Poor Erik.

--
Is god willing to prevent evil but not able? Then he is not omnipotent.
Is he able but not willing? Then he is malevolent. Is he both able and
willing? Then whence cometh evil? Is he neither able nor willing? Then
why call him god? - Epicurus (341-270 BCE)

Roy Culley · External Since: Aug 14, 2004 Posts: 647

begin risky.vbs
<pan.2006.10.01.20.36.26.593484.RemoveThis@linetec.nl>,
Richard Rasker <spamtrap.RemoveThis@linetec.nl> writes:
>
> [snip]

Excellent post Richard. I eagerly await Erik's reply. Doubt he will as
he's made such a fool of himself yet again already.

--
Is god willing to prevent evil but not able? Then he is not omnipotent.
Is he able but not willing? Then he is malevolent. Is he both able and
willing? Then whence cometh evil? Is he neither able nor willing? Then
why call him god? - Epicurus (341-270 BCE)

Linonut · External Since: Mar 31, 2006 Posts: 3492

After takin' a swig o' grog, Erik Funkenbusch belched out this bit o' wisdom:

> And, I doubt highly that Linux, in all it's 10's of thousands of beta apps,
> maintained and patched by 400 different distro maintainers, that there are
> fewer potential vulnerabilities lying in wait.
>
>> Second, there are various levels of access, and this adds to the
>> difficulty of exploiting a path into the depth one desires.
>
> Levels of access are largely irrelevant, since vulnerabilities can be
> blended to take advantage of different levels.

Nonetheless, it is not a binary situation.

--
Don't flip the Bozo Bit.

Peter Köhlmann · External Since: Jun 27, 2005 Posts: 795

Erik Funkenbusch wrote:

> On Sun, 01 Oct 2006 21:39:18 +0200, Peter Köhlmann wrote:
>
>> Just note the next sentence:
>> "It just makes it more obscure because the techniques to attack it are
>> less mature."
>>
>> Implying, that when attackers get "more mature" techniques, linux would
>> be as easy to attack as windows
>
> I'm not implying it. I'm outright saying it.

Yes. Because you are an idiot
--
Microsoft: The company that made email dangerous
And web browsing. And viewing pictures. And...

The Ghost In The Machine · External Since: Aug 04, 2005 Posts: 3878

In comp.os.linux.advocacy, Richard Rasker
<spamtrap.RemoveThis@linetec.nl>
wrote
on Sun, 01 Oct 2006 10:32:11 +0200
<pan.2006.10.01.08.32.10.871368.RemoveThis@linetec.nl>:
> Op Sat, 30 Sep 2006 13:05:16 -0500, schreef Erik Funkenbusch:
>
>> On Sat, 30 Sep 2006 19:30:21 +0200, Richard Rasker wrote:
>>
>>> Apart from the fact that these people appear somewhat detached from
>>> reality, I found that they're actually digging their own grave.
>>> It's quite simple, really:
>>
>> ...
>>
>>> Microsoft's market share must be cut down drastically, by forced
>>> government measures if need be.
>>
>> Ahh... the cutting off one's nose to spite the face argument.
>>
>> How pedestrian.
>
> Don't you think that a smaller market share for Microsoft
> would be a Good Thing?

Not for Microsoft. (Not that we should base all decisions
on what's good for Microsoft. It didn't work for GM, either.)

> By your own logic, it'd be the only solution to current problems.

There are other solutions. One of the simpler ones would
be to force everyone to install Linux then (re?)install
Microsoft in a Vmware share. Assuming this works
sufficiently well, it would give people access to all of
their software in a protected environment.

Microsoft might also contemplate *selling* their systems this
way, with a Linux kernel enclosing a virtual Windows system.

>
> Or do you propose we just "learn to live" with these problems - and ever
> increasing ones, at that, as Microsoft wrestles, buys, undercuts and
> bribes its way into new markets?

Whatever takes the least amount of energy and money. Smile

If Microsoft were willing they might propose Microsoft
Windows Linuxia, which would be a modified Linux kernel
with Win32 on top. No X; Win32 or WinFX would talk
directly to the framebuffer.

Or something like that.

>
> Richard Rasker
>

--
#191, ewill3.RemoveThis@earthlink.net
Useless C++ Programming Idea #992398129:
unsigned u; if(u < 0) ...

Mark Kent · External Since: Feb 09, 2005 Posts: 5545

begin oe_protect.scr
Roy Culley <rgc RemoveThis @nodomain.none> espoused:
> begin risky.vbs
> <4oaua7Fdka89U1 RemoveThis @individual.net>,
> B Gruff <bbgruff RemoveThis @yahoo.co.uk> writes:
>> On Sunday 01 October 2006 23:22 Sinister Midget wrote:
>>
>>>> Just note the next sentence:
>>>> "It just makes it more obscure because the techniques to attack it
>>>> are less mature."
>>>>
>>>> Implying, that when attackers get "more mature" techniques, linux
>>>> would be as easy to attack as windows
>>>
>>> A false implication, of course. Attackers go after Windows because
>>> they don't have to be more mature. If that was a requirement,
>>> they'd give up.
>>
>> Ah - now *that's* an interesting take!
>> I'm quite used to the argument that linux routers protect Windows,
>> but now *you* imply that we all owe a debt to Microsoft and its
>> users...... through being so insecure/daft, they sacrifice
>> themselves on our behalf, just like the zinc on galvanised steel:-)
>
> If only. MS are the cause of the Internet being flooded by spam and
> DDOS attacks.
>
> Personally I would welcome the script kiddies / crackers going after
> Linux, Solaris, HP-UX, AIX, ...
>
> They won't because they know it is all but futile. If they did then
> the bugs would get fixed. The Morris worm woke the world up to
> Internet attacks. The world, bar MS, learned from this.

I still get regular attempts on my ssh port, but guessing combinations
of user names and passwords is not easy...

>
> Of course, Erik still says the Morris worm was spread by email. His
> FUD never ends but we are all much wiser to it now. Poor Erik.
>

--
| Mark Kent -- mark at ellandroad dot demon dot co dot uk |
In order to get a loan you must first prove you don't need it.

Jesse F. Hughes · External Since: Nov 04, 2004 Posts: 301

Erik Funkenbusch <erik.TakeThisOut@despam-funkenbusch.com> writes:

> Security is one of those funny things. You can talk about being
> "more" secure, but there's no such thing. A vulnerability is a
> vulnerability, and even one makes you just as insecure as anyone
> else. Security is a binary condition, either you are or you aren't.

Right. So why bother with passwords? Or firewalls? After all, there
are plenty of known security issues on Windows, so you're just wasting
your time.

--
"Eventually the truth will come out, and you know what I'll do then?
Probably go to the beach. I'll also hang out in some bars. Yup, I'll
definitely hang out in some bars, preferably near a beach."
-- JSH on the rewards of winning a mathematical revolution

chrisv · External Since: Nov 02, 2004 Posts: 1649

Erik Funkenbusch wrote:

>You can talk about being "more"
>secure, but there's no such thing. A vulnerability is a vulnerability, and
>even one makes you just as insecure as anyone else. Security is a binary
>condition, either you are or you aren't.

Dumbsh*t.

High Plains Thumper · External Since: Mar 06, 2005 Posts: 716

Peter KÃ¶hlmann wrote:
> Erik Funkenbusch wrote:
>> Peter KÃ¶hlmann wrote:
>>
>>> Just note the next sentence:
>>> "It just makes it more obscure because the techniques to
>>> attack it are less mature."
>>>
>>> Implying, that when attackers get "more mature"
>>> techniques, linux would be as easy to attack as windows
>>
>> I'm not implying it. I'm outright saying it.
>
> Yes. Because you are an idiot

http://news.netcraft.com/archives/2006/09/overallc.gif

Yep, even though market share for Apache is 62% and Microsoft is
31% (September 2006), attacks are up. Yah, right ....

This chart says it all:

http://www.networkworld.com/graphics/2002/1118inf1.gif

One 4-CPU Intel server with RedHat Linux replaces 40 to
50 single-processor Windows E-mail, Web file and print
servers.

Linux wins 40:1.

--
HPT

High Plains Thumper · External Since: Mar 06, 2005 Posts: 716

Erik Funkenbusch wrote:
> Sinister Midget wrote:
>
>>> Implying, that when attackers get "more mature"
>>> techniques, linux would be as easy to attack as windows
>>
>> A false implication, of course. Attackers go after Windows
>> because they don't *have* to be more mature. If that was a
>> requirement, they'd give up.
>
> No, the attackers don't have to be mature, but the
> techniqes do. You know how many man years has gone into
> the development of techniques to do remote compromises?
> It's not something that happens by itself.

Here is something that didn't happen by itself:

http://news.netcraft.com/archives/2006/09/overallc.gif

Apache market share at 62% and Windows at 31% (Sep 2006).
Yep, the technique boys are at it again.

And here something else that didn't happen by itself:

http://www.networkworld.com/graphics/2002/1118inf1.gif

Linux rocks, 40:1!

--
HPT

Peter KÃ¶hlmann · External Since: Jun 27, 2005 Posts: 1500

chrisv wrote:

> Erik Funkenbusch wrote:
>
>>You can talk about being "more"
>>secure, but there's no such thing. A vulnerability is a vulnerability,
>>and
>>even one makes you just as insecure as anyone else. Security is a binary
>>condition, either you are or you aren't.
>
> Dumbsh*t.

No. They have taken that lunatic "Erik F" from the asylum, as the other one
is on a reprogramming course at the "One Redmont Way"
That would be the one who will explain us what those words really mean later
--
What happens if a big asteroid hits Earth? Judging from realistic
simulations involving a sledge hammer and a common laboratory frog,
we can assume it will be pretty bad. --- Dave Barry

Erik Funkenbusch · External Since: May 27, 2005 Posts: 2362

On Tue, 3 Oct 2006 09:21:39 +0000 (UTC), High Plains Thumper wrote:

> http://news.netcraft.com/archives/2006/09/overallc.gif
>
> Yep, even though market share for Apache is 62% and Microsoft is
> 31% (September 2006), attacks are up. Yah, right ....
>
> This chart says it all:
>
> http://www.networkworld.com/graphics/2002/1118inf1.gif
>
> One 4-CPU Intel server with RedHat Linux replaces 40 to
> 50 single-processor Windows E-mail, Web file and print
> servers.
>
> Linux wins 40:1.

What kind of logic is that?

First, you are comparign single processor boxes to a quad processor box, so
you would have to divide that number by 4 which would be 10:1.

Second, we don't know how old those Windows boxes are. The new core could
easily perform 10x as fast the core in one of the windows boxes, meaning
it's now effectively the same horsepower. 1:1

Let me give you and example. I recently installed Windows 2003 Server on a
new Quad Core (2 Dual core processors) Dell PowerEdge 2950. The install
took a total of 14 minutes from "press any key to boot from CD..." prompt
to login screen. I was simply astounded by how fast these new Dual Core
Xeon chips are (Xeon 5150). On an older PowerEdge the install took almost
45 minutes.

So, yeah, great apples to oranges comparison there.

Erik Funkenbusch · External Since: May 27, 2005 Posts: 2362

On Tue, 3 Oct 2006 10:36:54 +0000 (UTC), High Plains Thumper wrote:

> Here is something that didn't happen by itself:
>
> http://news.netcraft.com/archives/2006/09/overallc.gif
>
> Apache market share at 62% and Windows at 31% (Sep 2006).
> Yep, the technique boys are at it again.

Stop making that same stupid mistake. That's not "Market Share". "Market
Share" is how many physical servers Apache or IIS is installed on. The
netcraft survey counts hostnames, not servers.

According to the last Netcraft survey where they published physical server
counts, Microsoft accounted for > 50% of the physical servers.

That's Market Share.