LWN: Comments on "Linux hacks hit all-time high (vnunet)"

Linux hacks hit all-time high (vnunet)

scharkalvin — Thu, 19 Jun 2003 12:50:24 +0000

Reminds me of a friend of mine.
He developed the skill of being able to
re-key locks (came in REAL handy at college being
able to gain access to certain locked computer labs.)
He might have ended up in jail, instead he became
a locksmith.

Linux hacks hit all-time high (vnunet)

jeleinweber — Thu, 12 Jun 2003 19:06:07 +0000

If you read the article, what the slipshod journalism was counting
was total number of defaced websites at some (virtual) hosting sites.

This has practically _nothing_ to do with rates of attacks on systems
exposed to the internet.

At the firewall for my small organization, a conservative analysis
shows that at least 85% of the blocked packets are attempts against
Microsoft boxes. And for my parent organization, most of the
recent incidents of compromised hosts are windows-2000 boxes invaded
by password guessing attacks over the SMB and CIFS file sharing ports.

All may not be sweetness and light in the land of Linux security, but
the truth is the opposite of what the article claims: the bulk
of the attacks, the release of new exploits, and the compromise of
hosts all impact Windows a lot more heavily than Unix.

I'm in FIRST, and one of the botnets discussed there from earlier
this year had over 170,000 compromised windows boxes under a single
miscreant's control. Nothing remotely comparable has been seen on
the Unix side.

-- Jim Leinweber, BadgIRT, U. of Wisconsin - Madison

Linux hacks hit all-time high (vnunet)

Baylink — Sun, 08 Jun 2003 02:36:19 +0000

Precisely. On both points.

It's sort of like being proficient (to grab a perfectly-on-point example from MIT) with lockpicks.

Because you can break into locked rooms doesn't make you a criminal -- locksmiths do it all the time. And many MIT vadders in fact *were* licensed as locksmiths -- precisely (AIUI) so that they wouldn't get arrested for "possession of burglary tools".

But yeah, the skillsets are often the same.

That does *not* mean that the press should labels criminals as "hackers" -- you don't do a news story about "locksmith breaks into houses"... unless it's to make the point that it's even worse, since by definition, he should have exercised a higher level of care.

Linux hacks hit all-time high (vnunet)

Baylink — Sun, 08 Jun 2003 02:31:56 +0000

Alas, it's the nature of public opinion that, no, this story *can't* merely be "tossed in the garbage", it must be refuted publicly, at a high enough level that the press will cover the folo because it, too, is news.

Linux hacks hit all-time high (vnunet)

stuart — Fri, 06 Jun 2003 22:52:37 +0000

No, they were made prior to the DMCA. But with new ones, who knows and I suspect the answer is, certainly from Linus, who cares? Just ignore the DMCA as the piece of crap it is.

Oh and don't visit the USA.

Stu.

Linux hacks hit all-time high (vnunet)

Peter — Fri, 06 Jun 2003 18:25:00 +0000

I hope I spelled al that right.

heh.

Anyway, I should probably stop drinking Mountain Dew before breakfast...

What's the problem? To me, Mountain Dew is breakfast.

Linux hacks hit all-time high (vnunet)

tjc — Fri, 06 Jun 2003 17:27:43 +0000

Crackers are hackers, but not all hackers are crackers.

Oh I like that. It's so succinct. As the mathematicians among us would say, being a hacker is a neccessary but not sufficient prerequisite to being a cracker.

I hope I spelled al that right. Anyway, I should probably stop drinking Mountain Dew before breakfast...

GNU/Linux cacks? Which components?

tjc — Fri, 06 Jun 2003 17:03:14 +0000

Most people run a lot more than a kernel. I run GNU/Linux for instance. :-)

I'm running GNU/BSD/X11/Linux myself. :-)

But that's awkward to say, so I just call it Linux...

Linux hacks hit all-time high (vnunet)

mem — Fri, 06 Jun 2003 15:49:15 +0000

Hmm... why is that sad?

And JFYI, you missed the tongue in cheek. No, that's not the reason.

GNU/Linux cacks? Which components?

ber — Fri, 06 Jun 2003 12:56:43 +0000

Are you running Linux because it's a niche OS?

Most people run a lot more than a kernel. I run GNU/Linux for instance. :-)

More seriously: It would help if people understood the modularity of current software. Many attacks will have been made at Free Software components which also run on GNU/Hurd or OpenBSD. Then the choice of distribution for GNU/Linux is another crucial point.

maybe a more valuable target...

beejaybee — Fri, 06 Jun 2003 12:46:25 +0000

Well, you're _partially_ right...

"And the main failure of a system that lets intruders in, regardless of the general systems security degree, will always be lazy administrators refusing to protect their sys with the latest (or at least moderately recent) versions or patches."

There are two bigger problems than this:

a) lazy sysadmins failing to turn off services which are not essential. If a service is disabled (or better still uninstalled) you don't have to keep it patched, nevertheless you will never be vulnerable through this service.

b) OS/applications installers and/or lazy or incompetent sysadmins who set up configuration files in a way which allows them to be modified without root privelege. A system running with insecure configurations can be penetrated even though the service software is kept fully up to date, so vulnerabilities in the software are never exposed.

Linux hacks hit all-time high (vnunet)

jdthood — Fri, 06 Jun 2003 10:58:36 +0000

Crackers are hackers, but not all hackers are crackers.

So while it is not wholly wrong to use the less specific term,
it does tend to give hackers in general a bad name. And it
can mislead: when I saw the title of this article I thought
it was going to say merely that the number of participants
in Linux development had reached some interesting figure.

P.S. Are all crackers hackers? The term 'script kiddie'
seems to have been invented to describe crackers who aren't
hackers.

maybe a more valuable target...

Corvus — Fri, 06 Jun 2003 10:24:45 +0000

(Regardless of the credibility of those "statistics")

I'd say, windows boxes are not anymore worth cracking, compared to a linux
box, when you look at what can be done with the system when someone
aquired privileges.

And the main failure of a system that lets intruders in, regardless of the general
systems security degree, will always be lazy administrators refusing to protect
their sys with the latest (or at least moderately recent) versions or patches.

So if you were going to crack a system, you wont be going for those stupid
dayfly systems of deficient systems with inadequate capabilitys to do "stuff",
would you?

No, you would go for real systems.
-Systems you would be in control of what is going on, where just a list of
active processes dont require download and install of extra stuff.
-Systems you could work with like it would be your very own.
-Systems you can be sure wont be rebooted any second, doe to some internal
segfault in a kernel lib that hasnt anything to do with your cracking attempt at
all.

Am I right?

Corvus Corax

Linux hacks hit all-time high (vnunet)

hensema — Fri, 06 Jun 2003 10:21:55 +0000

Are you running Linux because it's a niche OS? That's sad.

Linux hacks hit all-time high (vnunet)

mem — Fri, 06 Jun 2003 07:33:54 +0000

Start looking for another niche operating system which hasn't been spoiled by tons of users unwilling to read documentation or *gasp* think before typing^Wclicking?

Linux hacks hit all-time high (vnunet)

rjamestaylor — Fri, 06 Jun 2003 06:01:56 +0000

Random though, since a lot of device drivers in the kernel were writen by reverse-engineering the devices, would that mean that the linux kernel could be considered a violation of the DMCA? perhaps you just nailed SCO's legal strategy theory.

Linux hacks hit all-time high (vnunet)

maotig — Fri, 06 Jun 2003 05:58:24 +0000

Worst yet, write a program that allows you to use something you have already bought on a system of your choosing.

Err even better, just put a link on your website.

Random though, since a lot of device drivers in the kernel were writen by reverse-engineering the devices, would that mean that the linux kernel could be considered a violation of the DMCA?

Linux hacks hit all-time high (vnunet)

jzb — Fri, 06 Jun 2003 05:02:22 +0000

It's hard to work in a good 10-minutes car chase scene with some guy who writes device drivers...

With John Ashcroft in office? All they have to do is try to write something that might violate the DMCA...

Linux hacks hit all-time high (vnunet)

tjc — Fri, 06 Jun 2003 03:32:58 +0000

I wonder why people continue to confuse between hackers and crackers?

Two seperate communities have claimed the title. A lot of the people who we call "crackers" call themselves "hackers." Besides, some guy breaking into a government computer system and wrecking havoc makes for a more interesting movie plot than some guy writing device drivers. It's hard to work in a good 10-minutes car chase scene with some guy who writes device drivers...

Linux hacks hit all-time high (vnunet)

lyda — Fri, 06 Jun 2003 01:39:18 +0000

look, here's a new worm for windows. it's hit 115 countries. if it just infects 200 computers per country it's more than 19k infections.

oh, and look, it targets financial institutions.

people pay for this stuff?

Linux hacks hit all-time high (vnunet)

parimi — Fri, 06 Jun 2003 01:26:11 +0000

I wonder why people continue to confuse between hackers and crackers? "Linux hacks" would mean smarter way of doing things with a linux box. Hackers have always been good to the community as opposed to crackers who do serious damage to the network/boxen they compromise.

--ravi

oops -- Originally from the Register

rjamestaylor — Fri, 06 Jun 2003 01:23:59 +0000

silly me...posting without sleep...

The post I referred to specifically points to the originating source, an article by John Leyden at The Register

Linux hacks hit all-time high (vnunet)

lyda — Fri, 06 Jun 2003 01:18:46 +0000

19k breakins in a month?

wow, even if that's true isn't that the rate for windows email worms per hour?

mi2g -- Remember 1999? Remember DK Matai?

rjamestaylor — Fri, 06 Jun 2003 01:17:37 +0000

Remember the stupid y2k predictions in 1999? The worst, perhaps, came from DK Matai, founder of mi2g. I knew the name rang a bell. Via Google, I found a posting which refreshed my memory. Here's an excerpt:

The chief charge against mi2g is its regular predictions of withering
cyber-assaults which, critics say, rarely seem to materialise.

For example, Forno draws our attention to a "spooky November 11"
briefing by mi2g which talks about the need for
"counter-attack-forces" to deal with the threats of "digital
terrorism" in the "5th dimension defence shield" against "digital mass
attacks" and notes that it's "not a question of if, but when" such
attacks will occur.

"Coining neat buzzwords in the cybersecurity realm makes for
interesting reading, but does little to offer real solutions to the
security challenges faced today," Forno writes, arguing that the
material only "serves to fan the flames of public misperception".

"Even more disturbing is the report's feeble attempt to capitalise on
the public's visceral fear of real terrorism by trying to relate the
'insider threat' of disgruntled employees to the al-Qaeda members
responsible for the September 11 attacks," he adds.

According to mi2g, in November 2002 there have been 57,977 'overt
digital attacks' to date, and that such 'overt' attacks will cost $7.3
billion worldwide for 2002. Forno scoffs at these figures, pointing
out the difficulty of estimating losses resulting from cyber-attacks.

"One wonders how much mathematical masturbation takes place when
analysing and generating these numbers," he writes.

He also questions mi2g's credentials and experience in the security
industry, arguing that most of its staff appear to be without
"significant operational IT security experience". mi2g denies this and
states that it employs experienced risk managers.

mi2g started off in the mid-1989s as an e-business enabler focused on
operating portal sites (such as Carlounge.Com and Lawlounge.Com)
before repositioning itself as a security integrator consultant
specialising in providing "be-spoke security architectures" and
security intelligence.

It burst into the IT security scene with a highly controversial, and
colourful prediction, in late 1999 that a Y2K virus would cause
widespread loses by moving corporate clocks forward. Anti-virus firms
dismissed the alert and the subsequent non-appearance of any
significant Y2K-related problems cast further doubts on mi2g's initial
warnings, which are often the main exhibit in the case against the
company.

Indeed this alert can still be found on mi2g's Web site along with its
many reports of hacking assaults, which are frequently successful in
generating high-profile media coverage. To declare an interest, I
should state here that I have reported on a small number of mi2g
events and announcements. The company has good contacts in the city
and in government, and is one of the few which can regularly attract
IT directors from blue chip City financial firms to its events.

Read the whole post for mi2g's answer.

Linux hacks hit all-time high (vnunet)

zepe — Fri, 06 Jun 2003 00:29:18 +0000

did a google search of Mi2g and microsoft and the first link contains this.

'The issue may come down to which vulnerabilities get counted and which don't.

In a statement, Mi2g said that the company is in touch with Microsoft at a senior level and that the two companies are working together to deal with the issue of vulnerability counting.'

no wonder all of a sudden and out of the blue the number of vulerabilities exploded for linux. this story can put tossed in the garbage.

Linux hacks hit all-time high (vnunet)

Baylink — Thu, 05 Jun 2003 23:29:18 +0000

Wonderful!

No, *really*.

Do those two lines sound like an Apple ad anyone remembers? I'm glad to hear
this: it means we've gone mainstream, folks. I think our plans for World Domination
are just about complete.

What do we do next?

Linux hacks hit all-time high (vnunet)

LinuxLobbyist — Thu, 05 Jun 2003 23:18:33 +0000

It surprises me to see a both lwn and linuxtoday point to this with nary a comment on mi2g's shoddy history of 'security analysis'. I thought the name sounded eerily familiar. I simple google search on mi2g turns a lot stuff that brings back memories of sensationalism and lack of real security experience (at least according to some in the security field).