Roy Schestowitz External

Since: Jun 26, 2005 Posts: 24199
Posted: Mon Oct 02, 2006 1:27 am Post subject: Re: Where's the "one click exploit" for Linux? Archived from groups: comp>os>linux>advocacy
__/ [ B Gruff ] on Sunday 01 October 2006 23:20 \__
> On Sunday 01 October 2006 19:10 Roy Schestowitz wrote:
>
>> Imagine the cowardly
>> Gates who now retires, having promised in the beginning of 2004 that SPAM
>> would vanish within 48 months.
>
> Nope.
>
> He said "2 years from now", and that was in January 2004.
> If you claim you've had spam after January 2006, one of you is wrong...
>
> http://www.cbsnews.com/stories/2004/01/24/tech/main595595.shtml
Oops. I meant to write 24 months. I was thinking days (24hr) instead of
months.

Peter Köhlmann External

Since: Jun 27, 2005 Posts: 1500
Posted: Mon Oct 02, 2006 8:20 am Post subject: Re: Where's the "one click exploit" for Linux? Archived from groups: per prev. post
Erik Funkenbusch wrote:
> On Sun, 01 Oct 2006 20:48:45 +0200, Richard Rasker wrote:
>
>> Op Sun, 01 Oct 2006 13:09:31 -0500, schreef Erik Funkenbusch:
>>
>>> On Sun, 01 Oct 2006 19:33:12 +0200, Richard Rasker wrote:
>>>
>>>> Op Sun, 01 Oct 2006 18:01:29 +0100, schreef B Gruff:
>>>>
>>>>> On Sunday 01 October 2006 10:46 Richard Rasker wrote:
>>>>>
>>>>>> But I have one request: please show me those one-click exploits for
>>>>>> Linux. I can't seem to find any, except for Windows (where they seem
>>>>>> to be the rule rather than the exception).
>>>>>
>>>>> How about this:-
>>>>>
>>>>> http://www.whitedust.net/speaks/3006/
>>>>
>>>> Well well, that'd be one of the very first. OK then, if this one is for
>>>> real and Linux proves vulnerable, my question is answered - alas :-/
>>>
>>> Which just proves my point. Lack of attack does not equal lack of
>>> vulnerability. You really need to stop with this attitude of thinking
>>> you're immune until proven otherwise.
>>
>> Will you Wintrolls please stop putting words in our mouths! Linux is
>> *not* invulnerable - we all know that. It's just way more secure than
>> Windows.
>
> There is no such thing as "more secure" Either you are secure or you're
> not. Either someone can break into your system or not. There is no "kind
> of".
>
Here we go again. Erik pointing out that "security" is either present or
not. No stuff like 99.9% secure. Or 5% secure. Or 1% secure (as in windows)
Nope, Erik tells us that there aren't any shades of "security"
Tell you what, Erik: You are full of it. You are an imbecile
--
To start your shiny new Pentium IV in Gameboy mode just enter
C:\win

Richard Rasker External

Since: Jul 27, 2005 Posts: 170
Posted: Mon Oct 02, 2006 9:21 am Post subject: Re: Where's the "one click exploit" for Linux? Archived from groups: per prev. post
Op Sun, 01 Oct 2006 20:13:15 -0500, schreef Erik Funkenbusch:
> On Sun, 01 Oct 2006 20:48:45 +0200, Richard Rasker wrote:
>
>>> Which just proves my point. Lack of attack does not equal lack of
>>> vulnerability. You really need to stop with this attitude of thinking
>>> you're immune until proven otherwise.
>>
>> Will you Wintrolls please stop putting words in our mouths! Linux is *not*
>> invulnerable - we all know that. It's just way more secure than Windows.
>
> By the way, I'm not putting words in your mouth. You have given that
> impression by saying "Where's the exploits?". The only way to read that is
> "If we were vulnerable, someone would be exploiting us". ie, you think
> you're invulnerable because you haven't been exploited.
You did it again ... I asked "Where's the _one click_ exploit?" - in other
words: is there an *easy* way to compromise Linux (as there are countless
such ways in Windows).
I don't think I'm invulnerable. I just think I'm far less likely to fall
victim to exploits as we've seen in Windows for years, where normal,
everyday computer/Internet use has become a sort of Russian roulette with
five live rounds in a six-shooter.
I have a nice house in a quiet neighbourhood, with good bolts and locks.
Am I more secure here than someone living in a cardboard box downtown?
Yes, most definitely. Now, do I imply with this that I'm invulnerable to
burglary? I don't think so.
> Otherwise, your comments simply make no sense. Why would you question the
> existence of exploits if you know they're possible? That's like
> questioning why you've never been hit by a truck.
I *know* there are Linux exploits - hell, I translated some 2,500 book
pages about 'em. There just aren't (m)any EASY Linux exploits, at least
none that are effective today. As I mentioned before, a few of them pop up
every year. And some even cause a stir of a kind. But the situation gets
nowhere near as bad and desperate as with Windows - the security
equivalent of living in a cardboard box.
Richard Rasker
--
Linetec Translation and Technology Services
http://www.linetec.nl/

Erik Funkenbusch External

Since: May 27, 2005 Posts: 2362
Posted: Mon Oct 02, 2006 9:21 am Post subject: Re: Where's the "one click exploit" for Linux? Archived from groups: per prev. post
On Mon, 02 Oct 2006 09:21:40 +0200, Richard Rasker wrote:
> Op Sun, 01 Oct 2006 20:13:15 -0500, schreef Erik Funkenbusch:
>
>> On Sun, 01 Oct 2006 20:48:45 +0200, Richard Rasker wrote:
>>
>>>> Which just proves my point. Lack of attack does not equal lack of
>>>> vulnerability. You really need to stop with this attitude of thinking
>>>> you're immune until proven otherwise.
>>>
>>> Will you Wintrolls please stop putting words in our mouths! Linux is *not*
>>> invulnerable - we all know that. It's just way more secure than Windows.
>>
>> By the way, I'm not putting words in your mouth. You have given that
>> impression by saying "Where's the exploits?". The only way to read that is
>> "If we were vulnerable, someone would be exploiting us". ie, you think
>> you're invulnerable because you haven't been exploited.
>
> You did it again ... I asked "Where's the _one click_ exploit?" - in other
> words: is there an *easy* way to compromise Linux (as there are countless
> such ways in Windows).
Just answer me this. Are you, or are you not claiming that Linux is
incapable of being exploited by the same style of exploit used so
successfully on Windows?
Come on, make a statement. Don't mince words.
> I don't think I'm invulnerable. I just think I'm far less likely to fall
> victim to exploits as we've seen in Windows for years, where normal,
> everyday computer/Internet use has become a sort of Russian roulette with
> five live rounds in a six-shooter.
"far less likely". Perhaps, based on what we, and the black hats know
today. "less likely" implies "too difficult" to exploit. What if tomorrow
releases a tool that exploits a previously unknown 0-day vulnerability in
Firefox, along with a previously unknown 0-day local root exploit to gain
root privileges on Linux, and also hijacks a well known and popular web
server to insert malicious code into every site it hosts?
Sound farfetched? That's almost exactly what happened recently, except the
host was a Linux based hosting company, and it was a Windows 0-day exploit.
But who would do that? What's the point? What does a hacker gain by
rooting a few Linux desktop boxes? Not much.
"not as likely" means security through obscurity, period. If it's
"unlikely" then that means there are factors which work against it becoming
a common attack, such as a limited user base, and less maturity in the
exploitation of 0-day vulnerabilities.
> I have a nice house in a quiet neighbourhood, with good bolts and locks.
> Am I more secure here than someone living in a cardboard box downtown?
> Yes, most definitely. Now, do I imply with this that I'm invulnerable to
> burglary? I don't think so.
No, you're no more secure than someone living in a cardboard box downtown.
Nearly all locks can be defeated in seconds with something called a "bump
key"
http://www.engadget.com/2006/08/07/bump-keying-1-keys-open-any-lock/
http://www.engadget.com/2006/08/24/the-lockdown-locked-but-not-secure-part-i/
The person living in the cardboard box downtown, however, KNOWS they're not
secure, unlike the guy out in the suburbs that assumes he is.
>> Otherwise, your comments simply make no sense. Why would you question the
>> existence of exploits if you know they're possible? That's like
>> questioning why you've never been hit by a truck.
>
> I *know* there are Linux exploits - hell, I translated some 2,500 book
> pages about 'em. There just aren't (m)any EASY Linux exploits, at least
> none that are effective today. As I mentioned before, a few of them pop up
> every year. And some even cause a stir of a kind. But the situation gets
> nowhere near as bad and desperate as with Windows - the security
> equivalent of living in a cardboard box.
Look, if you discover that your lock can be broken into within seconds, you
might decide to upgrade it. The lock company might even offer a free
replacement (unlikely) though. You might get 1% of the people to upgrade
their locks in a timely manner, and if your installed base is 100 people,
then you can even go around to everyone and make sure they're all upgraded.
But if your installed base is 1 BILLION people, just the sheer numbers of
unprotected people, even if 99% of them upgraded, would still be huge.

Johan Lindquist External

Since: Mar 25, 2004 Posts: 522
Posted: Mon Oct 02, 2006 10:38 am Post subject: Re: Where's the "one click exploit" for Linux? Archived from groups: per prev. post
So anyway, it was like, 10:22 CEST Oct 02 2006, you know? Oh, and, yeah,
Erik Funkenbusch was all like, "Dude,
> On Mon, 02 Oct 2006 09:21:40 +0200, Richard Rasker wrote:
[snips]
>> I have a nice house in a quiet neighbourhood, with good bolts and
>> locks. Am I more secure here than someone living in a cardboard box
>> downtown? Yes, most definitely. Now, do I imply with this that I'm
>> invulnerable to burglary? I don't think so.
>
> No, you're no more secure than someone living in a cardboard box
> downtown. Nearly all locks can be defeated in seconds with something
> called a "bump key"
So that's "nearly all locks" and /if/ someone has that magical key,
which most people passing by the locked house will not have. On the
other hand, walking right into the cardboard box and picking up
whatever you like would be a temptation some (if not many, in today's
society) people wouldn't be able to resist.
To me, that means the cardboard box is less secure than the locked
house, since the risk of someone walking in and grabbing all the stuff
is higher, and given the choice I would rather live in the house than
the cardboard box.
And yet, you would feel equally insecure, burglary wise, living in
either one? You're certainly a different type of person than most
I've met.
--
Time flies like an arrow, fruit flies like a banana. Perth ---> *
10:30:40 up 16:24, 1 user, load average: 0.00, 0.00, 0.00
Linux 2.6.18 x86_64 GNU/Linux Registered Linux user #261729

Jerry McBride External

Since: Sep 05, 2004 Posts: 533
Posted: Mon Oct 02, 2006 2:36 pm Post subject: Re: Where's the "one click exploit" for Linux? Archived from groups: per prev. post
B Gruff wrote:
> On Sunday 01 October 2006 10:46 Richard Rasker wrote:
>
>> But I have one request: please show me those one-click exploits for
>> Linux. I can't seem to find any, except for Windows (where they seem to
>> be the rule rather than the exception).
>
> How about this:-
>
> http://www.whitedust.net/speaks/3006/
Interesting to note, there's a fix for "it" mentioned in the same article...
--
Jerry McBride

ws External

Since: Jul 26, 2005 Posts: 82
Posted: Mon Oct 02, 2006 3:05 pm Post subject: Re: Where's the "one click exploit" for Linux? Archived from groups: per prev. post
Roy Culley wrote:
> begin risky.vbs
> <pan.2006.10.01.18.48.43.458431 DeleteThis @linetec.nl>,
> Richard Rasker <spamtrap DeleteThis @linetec.nl> writes:
>> Op Sun, 01 Oct 2006 13:09:31 -0500, schreef Erik Funkenbusch:
>>
>>> Which just proves my point. Lack of attack does not equal lack of
>>> vulnerability. You really need to stop with this attitude of
>>> thinking you're immune until proven otherwise.
>> Will you Wintrolls please stop putting words in our mouths! Linux is
>> *not* invulnerable - we all know that. It's just way more secure
>> than Windows.
>
> Funkenbusch is the MS apologist for a reason. He cannot accept any
> deficiency / criticism of MS. If he ain't paid he should be.
>
>> And even if lack of attack were the actual cause, that wouldn't
>> change the fact that one should stay away from Windows if one cares
>> about security.
>
> His pathetic attempt to compare fundamental OS security of Windows to
> Linux is just a joke. Windows is insecure by design. Vista will be
> insecure by design. I use the word design very loosely here.
>
Well, if the security guru at MS is to be trusted, then we should expect
more of the same. I kinda shudder at how MS and thus Vista, still looks
at the whole paradigm of "executability" - to coin a word - of stuff you
receive over the net.
http://blogs.technet.com/steriley/archive/2006/07/21/442870.aspx
"Consider a scenario. Say you receive an attachment in email. When you
save it, it’s written with low integrity because it came from the
Internet—an untrusted source. When you execute the attachment, its
process runs at low integrity because the file object is labeled low;
therefore, your data (labeled medium or high) is protected from
malicious writes by the attachment. It will, however be able to read
your data. MIC implements a form of the Biba model, which ensures
integrity by controlling writes and deletions. Contrast this with the
more well-known Bell-LaPadula model, which describes levels of
confidentiality by controlling reads."
BTW, Jesper - the other security guy - left MS to join Amazon.
Regards,
ws
--
change to leews to mail
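
The write and read rules in the passage quoted in the post above, as an added example that is not part of the original post and is not Microsoft's code: a toy reference monitor in Python that runs the e-mail attachment scenario under an integrity policy (as the quote describes MIC) and under a Bell-LaPadula style confidentiality policy. All names (`Labeled`, `execute`, `attachment_scenario`, the file names) are hypothetical, and deriving the process level as the minimum of the user's level and the file's label is an assumption made for the model.

```python
from dataclasses import dataclass
from enum import IntEnum


class Level(IntEnum):
    LOW = 1      # content that arrived from an untrusted source
    MEDIUM = 2   # ordinary user data
    HIGH = 3


@dataclass(frozen=True)
class Labeled:
    """A subject (process) or object (file) carrying one label."""
    name: str
    level: Level


def save_from_internet(name: str) -> Labeled:
    # The quote: an attachment saved from e-mail is written with low integrity.
    return Labeled(name, Level.LOW)


def execute(file: Labeled, user_level: Level) -> Labeled:
    # Assumption for this model: the new process runs at the lower of the
    # launching user's level and the label on the file it was started from.
    return Labeled(f"proc:{file.name}", min(user_level, file.level))


def integrity_allows(subject: Labeled, op: str, obj: Labeled) -> bool:
    """Integrity policy as the quote describes it: only writes and deletions
    are controlled. Strict Biba additionally forbids reading lower-integrity
    data, which the quoted passage does not claim for MIC."""
    if op in ("write", "delete"):
        return subject.level >= obj.level   # no write-up
    if op == "read":
        return True                         # reads are not restricted
    raise ValueError(f"unknown operation: {op}")


def confidentiality_allows(subject: Labeled, op: str, obj: Labeled) -> bool:
    """Bell-LaPadula with the same labels read as confidentiality levels.
    Deletion is treated as a write, a simplification for this model."""
    if op == "read":
        return subject.level >= obj.level   # no read-up
    if op in ("write", "delete"):
        return subject.level <= obj.level   # no write-down
    raise ValueError(f"unknown operation: {op}")


def attachment_scenario() -> dict:
    """Run the quoted scenario against one MEDIUM-labelled user document."""
    attachment = save_from_internet("attachment.exe")      # constructed name
    proc = execute(attachment, user_level=Level.MEDIUM)
    document = Labeled("user-document.doc", Level.MEDIUM)  # constructed name
    ops = ("read", "write", "delete")
    return {
        "process_level": proc.level.name,
        "integrity": {op: integrity_allows(proc, op, document) for op in ops},
        "confidentiality": {
            op: confidentiality_allows(proc, op, document) for op in ops
        },
    }


if __name__ == "__main__":
    result = attachment_scenario()
    print("process runs at:", result["process_level"])
    for model in ("integrity", "confidentiality"):
        for op, allowed in result[model].items():
            print(f"{model:15s} {op:6s} -> {'allow' if allowed else 'deny'}")
```

Under the integrity policy the low process cannot modify or delete the document but can still read it; under the confidentiality policy the read is the operation that is refused.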

Handover Phist External

Since: May 04, 2005 Posts: 504
Posted: Mon Oct 02, 2006 4:31 pm Post subject: Re: Where's the "one click exploit" for Linux? Archived from groups: per prev. post
Erik Funkenbusch :
> On Sun, 01 Oct 2006 20:48:45 +0200, Richard Rasker wrote:
>
>> Op Sun, 01 Oct 2006 13:09:31 -0500, schreef Erik Funkenbusch:
>>
>>> On Sun, 01 Oct 2006 19:33:12 +0200, Richard Rasker wrote:
>>>
>>>> Op Sun, 01 Oct 2006 18:01:29 +0100, schreef B Gruff:
>>>>
>>>>> On Sunday 01 October 2006 10:46 Richard Rasker wrote:
>>>>>
>>>>>> But I have one request: please show me those one-click exploits for Linux.
>>>>>> I can't seem to find any, except for Windows (where they seem to be the
>>>>>> rule rather than the exception).
>>>>>
>>>>> How about this:-
>>>>>
>>>>> http://www.whitedust.net/speaks/3006/
>>>>
>>>> Well well, that'd be one of the very first. OK then, if this one is for
>>>> real and Linux proves vulnerable, my question is answered - alas :-/
>>>
>>> Which just proves my point. Lack of attack does not equal lack of
>>> vulnerability. You really need to stop with this attitude of thinking
>>> you're immune until proven otherwise.
>>
>> Will you Wintrolls please stop putting words in our mouths! Linux is *not*
>> invulnerable - we all know that. It's just way more secure than Windows.
>
> There is no such thing as "more secure" Either you are secure or you're
> not. Either someone can break into your system or not. There is no "kind
> of".
There are degrees of security. A locked door is more secure than an
unlocked door, one requires a tool like a crowbar to get through. This
argument is faulty. According to it everything is completely unsecure
because there is the possibility that it can be broken into. My server
doesn't allow root logins through SSH, that makes it more secure than a
server that DOES allow root logins through SSH, because most brute force
attacks concentrate on guessing the correct root password.
I don't think you were thinking straight when you wrote the above.
>> And even if lack of attack were the actual cause, that wouldn't change the
>> fact that one should stay away from Windows if one cares about security.
>
> I think you mean "if one cares about being attacked".
No, if one cares about security. Linux is more secure than windows.
--
Linux: The OS people choose without $200,000,000 of persuasion.
-- Mike Coleman
http://www.websterscafe.com

The Ghost In The Machine External

Since: Aug 04, 2005 Posts: 3878
Posted: Mon Oct 02, 2006 8:00 pm Post subject: Re: Where's the "one click exploit" for Linux? Archived from groups: per prev. post
In comp.os.linux.advocacy, Jerry McBride
<mcbrides9 RemoveThis @comcast.net>
wrote
on Mon, 02 Oct 2006 14:36:14 -0400
<lp28v3xc7h.ln2 RemoveThis @supertux.my.domain>:
> B Gruff wrote:
>
>> On Sunday 01 October 2006 10:46 Richard Rasker wrote:
>>
>>> But I have one request: please show me those one-click exploits for
>>> Linux. I can't seem to find any, except for Windows (where they seem to
>>> be the rule rather than the exception).
>>
>> How about this:-
>>
>> http://www.whitedust.net/speaks/3006/
>
> Interesting to note, there's a fix for "it" mentioned in
> the same article...
>
A workaround, not a fix.
--
#191, ewill3 RemoveThis @earthlink.net
Windows. Multi-platform(1), multi-tasking(1), multi-user(1).
(1) if one defines "multi" as "exactly one".

Linonut External

Since: Mar 31, 2006 Posts: 3492
Posted: Tue Oct 03, 2006 6:36 am Post subject: Re: Where's the "one click exploit" for Linux? Archived from groups: per prev. post
After takin' a swig o' grog, Erik Funkenbusch belched out this bit o' wisdom:
> As long as there are vulnerabilities, there is no security.
All right, get into the full lotus position right now and achieve
nirvana.
Another dogmatic whopper by Erik Funkenbusch.
--
Intel: where Quality is job number 0.9998782345!

chrisv External

Since: Nov 02, 2004 Posts: 1648
Posted: Tue Oct 03, 2006 7:56 am Post subject: Re: Where's the "one click exploit" for Linux? Archived from groups: per prev. post
Erik Funkenbusch wrote:
>As long as there are vulnerabilities, there is no security.
Dumbsh*t.

B Gruff External

Since: Jun 17, 2004 Posts: 1639
Posted: Tue Oct 03, 2006 10:49 am Post subject: Re: Where's the "one click exploit" for Linux? Archived from groups: per prev. post
On Monday 02 October 2006 21:00 The Ghost In The Machine wrote:
> In comp.os.linux.advocacy, Jerry McBride
> <mcbrides9.DeleteThis@comcast.net>
> wrote
> on Mon, 02 Oct 2006 14:36:14 -0400
> <lp28v3xc7h.ln2.DeleteThis@supertux.my.domain>:
>> B Gruff wrote:
>>
>>> On Sunday 01 October 2006 10:46 Richard Rasker wrote:
>>>
>>>> But I have one request: please show me those one-click exploits for
>>>> Linux. I can't seem to find any, except for Windows (where they seem to
>>>> be the rule rather than the exception).
>>>
>>> How about this:-
>>>
>>> http://www.whitedust.net/speaks/3006/
>>
>> Interesting to note, there's a fix for "it" mentioned in
>> the same article...
>>
>
> A workaround, not a fix.
It now turns out that it was a hoax anyway (see below)
----------------------------------
On Tuesday 03 October 2006 04:59 arachnid wrote:
> Update: Possible Vulnerability Reported at Toorcon
>
> We got a chance to talk to Mischa Spiegelmock, the Toorcon speaker
> that reported the potential javascript security issue referenced
> earlier. He gave us more code to work with and also made this
> statement and agreed to let me post it here:
>
> The main purpose of our talk was to be humorous.
>
> As part of our talk we mentioned that there was a previously
> known Firefox vulnerability that could result in a stack overflow
> ending up in remote code execution. However, the code we
> presented did not in fact do this, and I personally have not
> gotten it to result in code execution, nor do I know of anyone
> who has.
>
> I have not succeeded in making this code do anything more than
> cause a crash and eat up system resources, and I certainly
> haven't used it to take over anyone else's computer and
> execute arbitrary code.
>
> I do not have 30 undisclosed Firefox vulnerabilities, nor did I
> ever make this claim. I have no undisclosed Firefox
> vulnerabilities. The person who was speaking with me made this
> claim, and I honestly have no idea if he has them or not.
>
> I apologize to everyone involved, and I hope I have made
> everything as clear as possible.

Johan Lindquist External

Since: Mar 25, 2004 Posts: 522
Posted: Tue Oct 03, 2006 1:53 pm Post subject: Re: Where's the "one click exploit" for Linux? Archived from groups: per prev. post
So anyway, it was like, 13:36 CEST Oct 03 2006, you know? Oh, and, yeah,
Linonut was all like, "Dude,
> After takin' a swig o' grog, Erik Funkenbusch belched out this bit o' wisdom:
>> As long as there are vulnerabilities, there is no security.
>
> All right, get into the full lotus position right now and achieve
> nirvana.
>
> Another dogmatic whopper by Erik Funkenbusch.
"There is no security", sounds like a catchphrase from the upcoming
blockbuster "Matrix IV - recracked".
--
Time flies like an arrow, fruit flies like a banana. Perth ---> *
13:51:50 up 1 day, 19:46, 4 users, load average: 0.09, 0.09, 0.02
Linux 2.6.18 x86_64 GNU/Linux Registered Linux user #261729

The Ghost In The Machine External

Since: Aug 04, 2005 Posts: 3878
Posted: Tue Oct 03, 2006 5:00 pm Post subject: Re: Where's the "one click exploit" for Linux? Archived from groups: per prev. post
In comp.os.linux.advocacy, Johan Lindquist
<spam.RemoveThis@smilfinken.net>
wrote
on Tue, 3 Oct 2006 13:53:06 +0200
<2iv9v3-rrl.ln1.RemoveThis@news.smilfinken.net>:
> So anyway, it was like, 13:36 CEST Oct 03 2006, you know? Oh, and, yeah,
> Linonut was all like, "Dude,
>> After takin' a swig o' grog, Erik Funkenbusch belched out this bit o' wisdom:
>
>>> As long as there are vulnerabilities, there is no security.
>>
>> All right, get into the full lotus position right now and achieve
>> nirvana.
>>
>> Another dogmatic whopper by Erik Funkenbusch.
>
> "There is no security", sounds like a catchphrase from the upcoming
> blockbuster "Matrix IV - recracked".
>
Either that, or he's reading the script from "Logan's Run" upside down.
--
#191, ewill3.RemoveThis@earthlink.net
Useless C++ Programming Idea #7878218:
class C { private: virtual void stupid() = 0; };

Richard Rasker External

Since: Jul 27, 2005 Posts: 170
Posted: Tue Oct 03, 2006 9:03 pm Post subject: Re: Where's the "one click exploit" for Linux? Archived from groups: per prev. post
Op Sun, 01 Oct 2006 19:33:12 +0200, schreef Richard Rasker:
> Op Sun, 01 Oct 2006 18:01:29 +0100, schreef B Gruff:
>
>> On Sunday 01 October 2006 10:46 Richard Rasker wrote:
>>
>>> But I have one request: please show me those one-click exploits for Linux.
>>> I can't seem to find any, except for Windows (where they seem to be the
>>> rule rather than the exception).
>>
>> How about this:-
>>
>> http://www.whitedust.net/speaks/3006/
>
> Well well, that'd be one of the very first. OK then, if this one is for
> real and Linux proves vulnerable, my question is answered - alas :-/
OK, it turned out it wasn't for real (ah, the wonderful feeling of always
taking every possibility into account) - it was a hoax.
So, all you Microsoft apologists and Wintrolls, the question still stands
strong: where is the one click exploit for Linux? Well?
Richard Rasker
--
Linetec Translation and Technology Services
http://www.linetec.nl/

Erik Funkenbusch External

Since: May 27, 2005 Posts: 2362
Posted: Tue Oct 03, 2006 9:03 pm Post subject: Re: Where's the "one click exploit" for Linux? Archived from groups: per prev. post
On Tue, 03 Oct 2006 21:03:27 +0200, Richard Rasker wrote:
> Op Sun, 01 Oct 2006 19:33:12 +0200, schreef Richard Rasker:
>
>> Op Sun, 01 Oct 2006 18:01:29 +0100, schreef B Gruff:
>>
>>> On Sunday 01 October 2006 10:46 Richard Rasker wrote:
>>>
>>>> But I have one request: please show me those one-click exploits for Linux.
>>>> I can't seem to find any, except for Windows (where they seem to be the
>>>> rule rather than the exception).
>>>
>>> How about this:-
>>>
>>> http://www.whitedust.net/speaks/3006/
>>
>> Well well, that'd be one of the very first. OK then, if this one is for
>> real and Linux proves vulnerable, my question is answered - alas :-/
>
> OK, it turned out it wasn't for real (ah, the wonderful feeling of always
> taking every possibility into account) - it was a hoax.
It wasn't a hoax. It was a real vulnerability that the Mozilla team has
responded to.
The comments were apparently taken out of context, though. The presenter
said "I have not succeeded in making this code do anything more than cause
a crash and eat up system resources, and I certainly haven't used it to
take over anyone else's computer and execute arbitrary code."
What he's saying is that he hasn't figured out how to make it execute
arbitrary code, not that the vulnerability isn't capable of it.
In other words, it's a DoS exploit, but could be an arbitrary code execution
exploit.
> So, all you Microsoft apologists and Wintrolls, the question still stands
> strong: where is the one click exploit for Linux? Well?
Back to this lame duck argument again, eh?

Linonut External

Since: Mar 31, 2006 Posts: 3492
Posted: Tue Oct 03, 2006 10:11 pm Post subject: Re: Where's the "one click exploit" for Linux? Archived from groups: per prev. post
After takin' a swig o' grog, Erik Funkenbusch belched out this bit o' wisdom:
> It wasn't a hoax. It was a real vulnerability that the Mozilla team has
> responded to.
>
> The comments were apparently taken out of context, though. The presenter
> said "I have not succeeded in making this code do anything more than cause
> a crash and eat up system resources, and I certainly haven't used it to
> take over anyone else's computer and execute arbitrary code."
>
> What he's saying is that he hasn't figured out how to make it execute
> arbitrary code, not that the vulnerability isn't capable of it.
>
> In other words, it's a DoS exploit, but could be an arbitrary code execution
> exploit.
>
>> So, all you Microsoft apologists and Wintrolls, the question still stands
>> strong: where is the one click exploit for Linux? Well?
>
> Back to this lame duck argument again, eh?
(This is the guy whom DFS claims rulez COLA?)
--
I had only one nerve left, and -dang- if you didn't git on it!

Richard Rasker External

Since: Jul 27, 2005 Posts: 170
Posted: Tue Oct 03, 2006 10:28 pm Post subject: Re: Where's the "one click exploit" for Linux? Archived from groups: per prev. post
Op Mon, 02 Oct 2006 03:22:39 -0500, schreef Erik Funkenbusch:
> On Mon, 02 Oct 2006 09:21:40 +0200, Richard Rasker wrote:
>
>> Op Sun, 01 Oct 2006 20:13:15 -0500, schreef Erik Funkenbusch:
>>
>>> On Sun, 01 Oct 2006 20:48:45 +0200, Richard Rasker wrote:
>>>
>>>>> Which just proves my point. Lack of attack does not equal lack of
>>>>> vulnerability. You really need to stop with this attitude of thinking
>>>>> you're immune until proven otherwise.
>>>>
>>>> Will you Wintrolls please stop putting words in our mouths! Linux is *not*
>>>> invulnerable - we all know that. It's just way more secure than Windows.
>>>
>>> By the way, I'm not putting words in your mouth. You have given that
>>> impression by saying "Where's the exploits?". The only way to read that is
>>> "If we were vulnerable, someone would be exploiting us". ie, you think
>>> you're invulnerable because you haven't been exploited.
>>
>> You did it again ... I asked "Where's the _one click_ exploit?" - in other
>> words: is there an *easy* way to compromise Linux (as there are countless
>> such ways in Windows).
>
> Just answer me this. Are you, or are you not claiming that Linux is
> incapable of being exploited by the same style of exploit used so
> successfully on Windows?
Sure, in theory Linux is susceptible to the same type of exploits. But for
all practical intents and purposes, Linux IS secure from these exploits.
> Come on, make a statement. Don't mince words.
I don't mince words. I can't say that Linux is immune - besides, it would
be impossible to prove, even if it were true. But judging from the past,
Linux seems very secure all the same. Exploits that can be called even
remotely successful are few and far between. Every few years, someone
comes up with an exploit for some application or another, but it
invariably fails to spread, the application is fixed within a matter of
hours or days at most, and that's the end of it.
It's a completely different world from the endless stream of critical
remote one-click-exploits that plague Windows.
Still you Winvocates appear to be saying, "Hey, better stay with Windows,
because one day, Linux *may* become just as insecure!", urging people to
choose the guaranteed most insecure option to avoid an option which might
be insecure in the future (and that'll be when hell freezes over, IMHO).
>> I don't think I'm invulnerable. I just think I'm far less likely to fall
>> victim to exploits as we've seen in Windows for years, where normal,
>> everyday computer/Internet use has become a sort of Russian roulette with
>> five live rounds in a six-shooter.
>
> "far less likely". Perhaps, based on what we, and the black hats know
> today. "less likely" implies "too difficult" to exploit. What if tomorrow
> releases a tool that exploits a previously unknown 0-day vulnerability in
> Firefox, along with a previously unknown 0-day local root exploit to gain
> root privileges on Linux, and also hijacks a well known and popular web
> server to insert malicious code into every site it hosts?
>
> Sound farfetched? That's almost exactly what happened recently, except the
> host was a Linux based hosting company, and it was a Windows 0-day exploit.
> But who would do that? What's the point? What does a hacker gain by
> rooting a few Linux desktop boxes? Not much.
>
> "not as likely" means security through obscurity, period. If it's
> "unlikely" then that means there are factors which work against it becoming
> a common attack, such as a limited user base, and less maturity in the
> exploitation of 0-day vulnerabilities.
Erik, this is FUD. Pure, unadulterated, stinking FUD.
You say that Linux having an excellent security track record for years on
end (and still unbroken) doesn't mean anything - as tomorrow, it could be
wiped out by the Mother of all Exploits. It's like trying to scare a kid
with the bogeyman. No-one's ever seen a bogeyman, and most people with
brains in their heads are quite convinced that he doesn't exist - but you
still can't be a 100% sure, so it's better to watch out for him all the
same.
To this very day, Linux is a secure operating system, with no signs that
this'll change on short notice. And to this very day, Windows has proved
itself to be a horribly insecure operating system, also with no signs that
this'll change on short notice.
Now then, if a smart person had to make a choice between these two, and
security was paramount on his wish list, which OS should he choose? And
which OS should he most definitely avoid? (Note: this is not a trick
question.)
>> I have a nice house in a quiet neighbourhood, with good bolts and locks.
>> Am I more secure here than someone living in a cardboard box downtown?
>> Yes, most definitely. Now, do I imply with this that I'm invulnerable to
>> burglary? I don't think so.
>
> No, you're no more secure than someone living in a cardboard box downtown.
> Nearly all locks can be defeated in seconds with something called a "bump
> key"
>
> http://www.engadget.com/2006/08/07/bump-keying-1-keys-open-any-lock/
> http://www.engadget.com/2006/08/24/the-lockdown-locked-but-not-secure-part-i/
> The person living in the cardboard box downtown, however, KNOWS they're not
> secure, unlike the guy out in the suburbs that assumes he is.
The percentage of people getting mugged, robbed, assaulted and molested is
a few orders of magnitude higher among the population of cardboard box
dwellers than among those living in the suburbs.
So, in REAL LIFE, who is more secure? You may cling to your theoretical
security model like the late Imelda Marcos to her last purple pump, but it's
still dead wrong. We're not talking about theoretical possibilities here.
We're talking about things that actually happen. And Bad Things happen
way, way more often to Windows than to Linux. Which makes Linux de facto
a more secure operating system.
>>> Otherwise, your comments simply make no sense. Why would you question the
>>> existence of exploits if you know they're possible? That's like
>>> questioning why you've never been hit by a truck.
>>
>> I *know* there are Linux exploits - hell, I translated some 2,500 book
>> pages about 'em. There just aren't (m)any EASY Linux exploits, at least
>> none that are effective today. As I mentioned before, a few of them pop up
>> every year. And some even cause a stir of a kind. But the situation gets
>> nowhere near as bad and desperate as with Windows - the security
>> equivalent of living in a cardboard box.
>
> Look, if you discover that your lock can be broken into within seconds, you
> might decide to upgrade it. The lock company might even offer a free
> replacement (unlikely) though. You might get 1% of the people to upgrade
> their locks in a timely manner, and if your installed base is 100 people,
> then you can even go around to everyone and make sure they're all upgraded.
> But if your installed base is 1 BILLION people, just the sheer numbers of
> unprotected people, even if 99% of them upgraded, would still be huge.
Even a 100% upgraded and patched and anti-virused Windows system is still
vulnerable for a significant amount of time. Which means it's insecure
beyond responsible use, and should be actively banned.
Richard Rasker
--
Linetec Translation and Technology Services
http://www.linetec.nl/

Erik Funkenbusch External
Since: May 27, 2005 Posts: 2362
Posted: Tue Oct 03, 2006 10:28 pm Post subject: Re: Where's the "one click exploit" for Linux? Archived from groups: per prev. post

On Tue, 03 Oct 2006 22:28:14 +0200, Richard Rasker wrote:
> Op Mon, 02 Oct 2006 03:22:39 -0500, schreef Erik Funkenbusch:
>
>> On Mon, 02 Oct 2006 09:21:40 +0200, Richard Rasker wrote:
>>
>>> Op Sun, 01 Oct 2006 20:13:15 -0500, schreef Erik Funkenbusch:
>>>
>>>> On Sun, 01 Oct 2006 20:48:45 +0200, Richard Rasker wrote:
>>>>
>>>>>> Which just proves my point. Lack of attack does not equal lack of
>>>>>> vulnerability. You really need to stop with this attitude of thinking
>>>>>> you're immune until proven otherwise.
>>>>>
>>>>> Will you Wintrolls please stop putting words in our mouths! Linux is *not*
>>>>> invulnerable - we all know that. It's just way more secure than Windows.
>>>>
>>>> By the way, I'm not putting words in your mouth. You have given that
>>>> impression by saying "Where's the exploits?". The only way to read that is
>>>> "If we were vulnerable, someone would be exploiting us". i.e., you think
>>>> you're invulnerable because you haven't been exploited.
>>>
>>> You did it again ... I asked "Where's the _one click_ exploit?" - in other
>>> words: is there an *easy* way to compromise Linux (as there are countless
>>> such ways in Windows).
>>
>> Just answer me this. Are you, or are you not claiming that Linux is
>> incapable of being exploited by the same style of exploit used so
>> successfully on Windows?
>
> Sure, in theory Linux is susceptible to the same type of exploits. But for
> all practical intents and purposes, Linux IS secure from these exploits.
So that's a yes. You are in fact claiming immunity "in practice"? What
precisely do you mean by "IS secure from"?
>> Come on, make a statement. Don't mince words.
>
> I don't mince words.
Actually, you just did. Rather than answering my explicit question, you
answered something close, but weaselly instead.
> I can't say that Linux is immune - besides, it would
> be impossible to prove, even if it were true.
I didn't ask you to prove it. I asked you if that was your claim.
> But judging from the past, Linux seems very secure all the same.
Yes, because even though all your doors and windows are unlocked, based on
the fact you've never been burglarized, you "seem very secure all the
same".
> Exploits that can be called even
> remotely successful are few and far between. Every few years, someone
> comes up with an exploit for some application or another, but it
> invariably fails to spread, the application is fixed within a matter of
> hours or days at most, and that's the end of it.
Linux's user base is so small that it's possible to get the majority of
users to upgrade as soon as a flaw is discovered. That's one of the
mitigating factors that the "obscurity" defense provides. And, the
majority of those users (or at least administrators) are security
conscious, unlike 99% of the rest of the computer users out there.
> It's a completely different world from the endless stream of critical
> remote one-click-exploits that plague Windows.
For many years, the majority of exploit code was written AFTER the patch
was available, but yet despite having automatic update mechanisms in place,
the majority of users didn't patch. It's only been relatively recently that
0-day exploits have become common.
> Still you Winvocates appear to be saying, "Hey, better stay with Windows,
> because one day, Linux *may* become just as insecure!", urging people to
> choose the guaranteed most insecure option to avoid an option which might
> be insecure in the future (and that'll be when hell freezes over, IMHO).
I'm saying no such thing. I'm saying that yes, your odds of getting
attacked (unless you're running a server) are less on Linux TODAY, but
migrating to a new architecture is a costly process, in both time and
money. What's more, migrating may in fact hurry that "eventually up".
It's like when you're driving in heavy traffic, and you notice the other
lane is moving faster, so you change lanes. Unfortunately, a ton of other
people had the same idea and suddenly the lane you just left is now moving
faster.
>> "not as likely" means security through obscurity, period. If it's
>> "unlikely" then that means there are factors which work against it becoming
>> a common attack, such as a limited user base, and less maturity in the
>> exploitation of 0-day vulnerabilities.
>
> Erik, this is FUD. Pure, unadulterated, stinking FUD.
No, it's common sense.
> You say that Linux having an excellent security track record for years on
> end (and still unbroken) doesn't mean anything
No, I say Linux does *NOT* have an excellent security track record at all.
In fact, the statistics I've seen from Zone-h and the like show that
whenever Linux becomes a target (such as in the server marketplace) it is
almost *ALWAYS* compromised far more often.
You are seriously confusing "probability of being attacked" with
"security". They are not the same thing.
Let's put this another way. In the cryptography world, someone is always
claiming to have come up with a more secure encryption methodology.
However, most cryptographers laugh at this and can usually break whatever
method it is trivially. However, your probability of your messages being
decoded when using this cryptography is far less than using none at all.
Does that make you "more secure"? No. Not at all. You're just as
insecure, you just have less chance of someone targeting you to read your
messages.
> - as tomorrow, it could be
> wiped out by the Mother of all Exploits. It's like trying to scare a kid
> with the bogeyman. No-one's ever seen a bogeyman, and most people with
> brains in their heads are quite convinced that he doesn't exist - but you
> still can't be a 100% sure, so it's better to watch out for him all the
> same.
There are very real boogey men out there on the internet. Your analogy is
flawed.
> To this very day, Linux is a secure operating system, with no signs that
> this'll change on short notice. And to this very day, Windows has proved
> itself to be a horribly insecure operating system, also with no signs that
> this'll change on short notice.
Lol. Your statements really give away how little you really understand
about security. "no signs this'll change on short notice". That's like
saying "There's no sign that we'll be suddenly annihilated by an unseen
asteroid hurtling towards earth".
Hint: If there were signs, it wouldn't be "short notice".
> Even a 100% upgraded and patched and anti-virused Windows system is still
> vulnerable for a significant amount of time. Which means it's insecure
> beyond responsible use, and should be actively banned.
Gee, then why haven't I been compromised in many years? Using your logic,
I must be invulnerable too.

Linonut External
Since: Mar 31, 2006 Posts: 3492
Posted: Tue Oct 03, 2006 10:28 pm Post subject: Re: Where's the "one click exploit" for Linux? Archived from groups: per prev. post

After takin' a swig o' grog, Erik Funkenbusch belched out this bit o' wisdom:
> You are seriously confusing "probability of being attacked" with
> "security". They are not the same thing.
No. You want the expected harm: the sum of (probabilities of attack
weighted by the effect of the attack).
On the desktop, Linux seems ahead of Windows in both parts of the
equation.
Anyway, Erik, you are obviously doomed to get killed by someone, since
there are many ways of getting at you. All someone has to do is find
out where you live, and skulk around with a knife.
It's binary I tell you. You're either a 1 or a 0.
<rolls eyes>
--
Apple executive Peter Hoddie asked Microsoft officials, "'Are you asking us
to kill playback? Are you asking us to knife the baby?'" He said Microsoft
official Christopher Phillips responded, "'Yes, we want you to knife the baby.'
It was very clear."