Fog Creek Software
Discussion Board




Recent article in the Washington Post

Makes some sense.

"The usual theory has been that Windows gets all the attacks because almost everybody uses it. But millions of people do use Mac OS X and Linux, a sufficiently big market for plenty of legitimate software developers -- so why do the authors of viruses and worms rarely take aim at either system? "

Because you can take candy from a baby or from a biker.  Where do you want to go today?

http://www.washingtonpost.com/ac2/wp-dyn/A34978-2003Aug23?language=printer

Too Late
Monday, August 25, 2003

<g> being an owner of a mac computer that argument appeals strongly.

But I'm not really convinced, someone trying to spread a virus is _not_ equivalent to someone making a living from selling software.

If I wanted to bring the internet crashing to its knees to prove my manhood (or to be able to continue spreading spam) there is absolutely no point in my choosing any operating system to attempt it with other than windows.

If I infect 100% of mac users with my damaging worm, I'm not sure the rest of the world would even notice, whereas if I infect 5-10% of the windows world I'll be causing real problems.

So I am still more convinced by the "it's because more people use it" argument.

An interesting counter argument that does more to convince me than that article did is that MSserver is actually a smaller market/# of users than the OSS equivalent (I believe anyway), but it is _still_ targeted more than anything else.

<shrug>  the why hardly matters anyway I suspect, either way the only solution is going to be to find & plug the security holes before the hackers find them, and starting with windows cannot be a bad thing.

FullNameRequired
Monday, August 25, 2003

I'm going to write a worm today. To get the best bang for my buck, the worm needs:
1) A target with a high probability of finding similar hosts (given an infected host, I want high odds that from there I'll find a similar host)

2) A large absolute number of hosts

3) A diverse distribution of hosts

(2 & 3 reflect the idea that sure, there are 10,000 linux boxes in a beowulf cluster, but once you've infected that, where do you go?)

4) Odds that the box's owner doesn't take adequate safety precautions

5) Odds that the box is close to or on an unprotected connection

Now I want someone to look at that list and tell me that there is any answer except "recent versions of Windows"
Then note I didn't say anything about the vulnerability of the OS.

Philo

Philo
Monday, August 25, 2003

They target Windows for the same reason you posted this -- they're blinded by "ideology".  Some people like to tear down that which is successful because it makes them feel like they're on the same level or superior.

Besides that, the premise of the article is false -- "But nobody with a Mac or a Linux PC has had to lose a moment of sleep over these outbreaks ".  Obviously, Linux has been the target of quite a few attacks -- the ftp.gnu.org incident being the biggest recent example. 

The linked article gets bizarre when the author refers to enabling XP's firewall as a "five-step task" and says the Mac firewall is "much simpler to enable".  Huh?  The XP firewall is one checkbox. 

SomeBody
Monday, August 25, 2003

"Then note I didn't say anything about the vulnerability of the OS."  It kind of goes without saying

You are in denial
Monday, August 25, 2003

The point you leave off, Philo, is that there are obvious vulnerabilities in Windows that aren't closed at the factory, which greatly enhances the effectiveness of any virus. 

To put it another way, if Windows, Mac and Linux split the OS market three ways evenly, the essential, out-of-the-box vulnerabilities (that the author lists) of Windows would still make Windows the target of choice for the majority of virus writers.

Justin Johnson
Monday, August 25, 2003

" is that there are obvious vulnerabilities in Windows that aren't closed at the factory,"

So obvious that it wasn't exploited in the seven years the vulnerability was extant. It only seems to have been attacked four weeks after the vulnerability was announced by Microsoft with the publication of the patch.

Philo

Philo
Monday, August 25, 2003

An issue I haven't seen raised is that the motivation for the vandal who created the worm seems to have been oss zealotry.

That was the gist of his message, and he released it at a time when the oss world is going crazy trying to push its agenda.

So, who is really the villain here? Is it Windows. Or oss zealotry?

Bigfoot Number 2
Monday, August 25, 2003

"So, who is really the villain here? Is it Windows. Or oss zealotry?"

LOL,

I *love* it.
Let's blame OSS for the security flaws in windows.

It's beautiful.

zealotry of any kind is nearly always a bad thing.

<g> but then so is turning on every possible service by default and then acting surprised when people without integrity write code to take advantage of those open services.

FullNameRequired
Monday, August 25, 2003

There are few servers less secure than say a Red Hat installation using all the defaults.  In fact it takes considerable work to make a Linux box secure, once it is secure it's less likely to be vulnerable than an MS box where nothing has been done.

But for out of the box security an MS 2000 Server and probably a 2003 server is going to be safer.

Simon Lucy
Monday, August 25, 2003

Another major point is the press. Compare the press coverage on Slapper vs. Slammer. Any Windows exploit is "big news", where even major non-windows exploits do not even register on the radar screen.

Just me (Sir to you)
Monday, August 25, 2003

Just Me (Sir), is it, perhaps, because no Linux / Unix / MacOS / BeOS / ZX Spectrum worm recently caused millions of dollars (some say billions) of damages to the economy at large? You know, that economy thing that people like the media to report on?

Last time that did happen, the internet went down, and it _did_ get lots of coverage in all media. That was some 15 years ago, and the internet wasn't as important to everyday life as it is now, so I don't think it's surprising that it didn't get comparable coverage to what it would have gotten today.

Most of the public internet (mail, DNS, web sites, etc) runs on Unix and variants. If something happened to it, the media WOULD notice and WOULD publish. The fact that for several years now, all major outbreaks that all internet and computer users feel are Windows exclusive, indicates that this _isn't_ a coincidence.

The fact that Windows desktops are the most popular attack target does not mean that they are not the easiest as well. IIS is, and always has been, much less popular than Apache yet it somehow got much more attention from the worm writers and script kiddies. Because it was easier.

Ori Berger
Monday, August 25, 2003

Ori,

IIS's vulnerability does not make Apache secure. Although Slapper was SSL, not Apache, I'd still say it was pretty big.
anyways.

  2003-07-24:  Apache HTTP Server Multiple Vulnerabilities
  2003-07-24:  Apache Web Server Type-Map Recursive Loop Denial Of Service Vulnerability
  2003-07-22:  Apache Web Server FTP Proxy IPV6 Denial Of Service Vulnerability
  2003-07-22:  Apache Web Server Prefork MPM Denial Of Service Vulnerability
  2003-07-22:  Apache Web Server SSLCipherSuite Weak CipherSuite Renegotiation Weakness
  2003-07-16:  Apache APR_PSPrintf Memory Corruption Vulnerability
  2003-07-16:  Apache Basic Authentication Module Valid User Login Denial Of Service Vulnerability
  2003-06-04:  Apache AB.C Web Benchmarking Buffer Overflow Vulnerability
  2003-06-04:  Apache AB.C Web Benchmarking Read_Connection() Buffer Overflow Vulnerability
  2003-06-04:  Apache Web Server Scoreboard Memory Segment Overwriting SIGUSR1 Sending Vulnerability
  2003-06-04:  Apache Server Side Include Cross Site Scripting Vulnerability
  2003-05-28:  Apache Web Server OS2 Filestat Denial Of Service Vulnerability
  2003-05-13:  Mod_SSL Wildcard DNS Cross Site Scripting Vulnerability
  2003-05-06:  OpenSSL SSLv2 Malformed Client Key Remote Buffer Overflow Vulnerability
  2003-04-30:  Apache Web Server File Descriptor Leakage Vulnerability
  2003-04-30:  Apache Web Server Linefeed Memory Allocation Denial Of Service Vulnerability
  2003-03-06:  Apache 2 WebDAV CGI POST Request Information Disclosure Vulnerability
  2003-02-25:  Apache Web Server MIME Boundary Information Disclosure Vulnerability
  2003-02-25:  Apache Web Server ETag Header Information Disclosure Weakness
  2003-01-22:  Apache Web Server Default Script Mapping Bypass Vulnerability
  2003-01-22:  Apache Web Server MS-DOS Device Name Denial Of Service Vulnerability
  2003-01-22:  Apache Web Server MS-DOS Device Name Arbitrary Code Execution Vulnerability
  2003-01-22:  Apache Web Server Illegal Character HTTP Request File Disclosure Vulnerability

but so what? All I wanted to point out is that the media (for whatever reason) seems quite trigger happy regarding any MS vulnerability/exploit, but is very hush hush about any other platform. Part of this is undeniably because of the "militias" surrounding platforms like OSS and Apple, while another part is certainly the public recognition of the MS brand as opposed to the others.

Just me (Sir to you)
Monday, August 25, 2003

I never claimed Apache is secure.

You listed 20 or so vulnerabilities, all discovered in the last 8 months. How much have you personally suffered from them? Ok, now go to your co workers / family / anyone you can find, and ask them how much these vulnerabilities affected them.

That's why the media doesn't talk about it.

Most of the vulnerabilities you listed are of the DoS type. Very serious, but cannot be used for propagation. Symantec lists the Slapper worm you mentioned earlier with "over 3500 infected hosts" after two or three weeks in the wild. Slammer had infected a hundred times more machines within minutes.

That's why the media doesn't talk about slapper, but does talk about slammer.

Not conspiracy, no militias, not nearly as much brand recognition. Measurable damage, with which everyone is familiar.

Ori Berger
Monday, August 25, 2003

D'oh! Meant to say "brand recognition plays a part, but doesn't explain enough".

Ori Berger
Monday, August 25, 2003

"There are few servers less secure than say a Red Hat installation using all the defaults."

Redhat also has a firewall that is ON by default. 

"but so what? All I wanted to point out is that the media (for whatever reason) seems quite trigger happy regarding any MS vulnerability/exploit, but is very hush hush about any other platform."

Probably for two reasons:  Most people have Windows so the security story relates well.  Secondly, after you see a bridge collapse for the thousandth time, it is natural to question the builders (MS).

Mike
Monday, August 25, 2003

Mike, your first reason is what I tried to convey with "brand recognition". Your second reason is valid, but the analogy is flawed. Our instinct is that bridges seldom collapse. For software the truth is everything is collapsing all the time, but some of those other brand X bridges lie in far out counties where there aren't too many journalists living, and where the occasional critical journalist wandering in is chased out by a hail of bullets the moment he dips a quill in the inkwell.

Just me (Sir to you)
Monday, August 25, 2003

Ori,

in all fairness, here is the same list for IIS.

  2003-07-22:  Microsoft Multiple IIS 6.0 Web Admin Vulnerabilities
  2003-06-03:  Microsoft IIS WebDAV PROPFIND and SEARCH Method Denial of Service Vulnerability
  2003-05-30:  Microsoft IIS SSINC.DLL Server Side Includes Buffer Overflow Vulnerability
  2003-05-28:  Microsoft IIS ASP Header Denial Of Service Vulnerability
  2003-05-28:  Microsoft IIS Redirection Error Page Cross-Site Scripting Vulnerability
  2003-05-28:  Microsoft Internet Information Service Multiple Vulnerabilities
  2003-05-13:  Multiple Vendor Invalid X.509 Certificate Chain Vulnerability
  2003-05-07:  Microsoft IIS WebDAV Denial Of Service Vulnerability
  2003-05-03:  Microsoft IIS User Existence Disclosure Vulnerability
  2003-02-10:  Multiple Vendor HTTP CONNECT TCP Tunnel Vulnerability
  2003-02-07:  Microsoft IIS False Logging Weakness
  2003-02-06:  Microsoft IIS Malformed HTTP Get Request Denial Of Service Vulnerability

Just me (Sir to you)
Monday, August 25, 2003

Arguing that Microsoft is more secure is a fool's task.  You'll be taken seriously as soon as Sisyphus gets that boulder to stay on the top of the hill.

Don't suffer fools
Monday, August 25, 2003

"The linked article gets bizarre when the author refers to enabling XP's firewall as a "five-step task" and says the Mac firewall is "much simpler to enable".  Huh?  The XP firewall is one checkbox."

But how many clicks does it take to get to the check box?  (Serious question, I have no idea.)

Jim Rankin
Monday, August 25, 2003

According to Windows XP Help (first hit searching for "firewall")

<<
1. Open Network Connections

[ To open Network Connections, click Start, point to Settings, click Control Panel, and then double-click Network Connections. ]

2. Click the Dial-up, LAN or High-Speed Internet connection that you want to protect, and then, under Network Tasks, click Change settings of this connection.

3. On the Advanced tab, under Internet Connection Firewall, select one of the following:

To enable Internet Connection Firewall (ICF), select the Protect my computer and network by limiting or preventing access to this computer from the Internet check box.

To disable Internet Connection Firewall, clear the Protect my computer and network by limiting or preventing access to this computer from the Internet check box.
>>

Devil's Advocate
Monday, August 25, 2003

The XP firewall only blocks incoming traffic. You could be infected by a malicious web page or an infected file or a floppy or whatever and you would have no way of realizing that your computer was sending info out.

The free version of Zone Alarm is easy to configure, and works a dream.

Stephen Jones
Monday, August 25, 2003

>> But how many clicks does it take to get to the check box? <<

Devil's Advocate provided accurate info from XP help but it's also worth noting that step 1 in the instructions is a hyperlink that directly opens Network Connections making it a little easier on the user who looks in Help. 

According to instructions I found doing a google search, to enable the Mac OS X firewall, you must:

1. From the Finder, select: Apple Menu > System Preferences.
2. Click on the Show All icon to ensure all preferences are visible.
3. Click on the Sharing icon.
4. Click on the Firewall Tab.
5. Click on the Start button.

They sound like fairly similar tasks to me.  I don't see how Apple's can be described as "much simpler". 

Also, XP's firewall is enabled by default assuming the network connection is created through the wizard and that the user doesn't change the default "Connect to the Internet" connection type to "Connect to the network at my workplace" or "Set up an advanced connection". 

SomeBody
Monday, August 25, 2003

I dare say most of these virus writers have a thing against Microsoft. Microsoft could have the Mac OS market share and would still get pummeled because they - the virus writers - target them specifically. Just look at the Lovsan virus; it attacked windowsupdate and had a message telling Bill Gates to "fix his software".

I think this sums up most virus writers pretty well.

Mickey Petersen
Monday, August 25, 2003

cf muggers and bashers attacking people on the street, it's quite clear who the villain is.

Bigfoot number 2
Tuesday, August 26, 2003

I think the Washington Post's article and this discussion are somewhat too academic.

As a PC user, I don't care *why* I get the virus: "Oh, my OS is popular, so it's OK that I get a virus?" No, it's not!
What I care about is that I *get* or *don't get* the virus!

If I can avoid loss of work and valuable time by using Mac or Linux instead of Windows, I'll do so.

A recent survey showed that Linux and Windows are comparably easy to use - neither is rocket science.
( http://www.comon.dk/index.php?page=news:show,id=14747 in Danish)

So, if some day Linux becomes the most popular OS, and therefore the most popular virus/worm target, I'll consider using Windows or Mac instead. Until then, please feel free to discuss your excuses for being virus targets.

Martin A. Boegelund
Tuesday, August 26, 2003

Agreed Martin.

Many winbigots contend that Windows is just as secure as anything else, it is only our large market share that makes us vulnerable.  It has nothing to do with Universal pnp, gaping holes in network services, executable email, unneeded services running, etc.  Nope. Couldn't be any of those.  Gotta be market share and admins not patching.  Yeah, that's the ticket.

Grok
Tuesday, August 26, 2003
