From: ggilliss at netpublishing.com (Gregory A. Gilliss)
Subject: [inbox] Re: CyberInsecurity: The cost of Monopoly

It's late and I am going to bed. However before I do I have to address
this fallacious logic:

On or about 2003.09.29 00:36:42 +0000, Kristian Hermansen (khermansen@...technology.com) said:

> The reason that MOST people look to exploit software/OS's is so that they
> can gain priviledges [sic] on the system.

Well, BITD hackers looked to exploit software to gain elevated privileges
because computing power cost imaginary or real money. Today I would
postulate that a lot of the vulnerabilities are exploited because of 
other reasons, including but not limited to gaining root privileges.

The US government would have you believe that people exploit vulnerabilities
in order to tumble our fragile democracy, but it's late and I have no time
for that s**t...

Next!

> Windows machines make up 90-95% of the systems on the internet [sic], so
> people who discover an exploit for this widely used OS are likely to find
> a vulnerable machine which is easily exploitable and has the resources
> they want.

This is a law of averages argument, and it makes no sense!

Law of averages is in their favor, yes. However law of averages does not 
rebut the fact that most Windows operating systems are insecure. The 
insecurity is inherent in the code itself, in the way that the code
performs its logic (or fails to do so), and in the configuration of the
software. The exploit, by its very existence, is proof of this. 

The statement "Windows is everywhere, so someone who finds a hole in
Windows is likely to find a machine to exploit" has nothing to say about 
the hole that is found, nor about the motivation for seeking out either
the vulnerability or the method to exploit it.

Next!

> Unix/Linux systems are very powerful, and although they don't make up
> a large portion of the net, they are widely used as servers, which typically
> have vast resourses[sic] available by an exploiter.

Actually, Windows servers are just as "powerful" as UNIX servers, insofar
as "powerful" is defined by --- what? MIPS? Concurrent processes? Concurrent
users? At the hardware level, UNIX machines have the same resources as a
Windows machine. Resources depend on what's running as well as what the
hardware is.

Linux on a P2 versus W2K on an Athlon - gimme the W2K box!
Solaris on a pie pan (yuk) versus BSD on a Xeon - move over Solaris!

Next!

> Novell, on the other hand, are [sic] rare to run into.  How many people
> on this list have ever owned a Novell box?

See above - law of averages and capacity of the system do not dictate or
determine the security of a system. We already did this.

Next!

> This is partly the reason for the lack of security patches.

Another reason, presumably, is that the software isn't broken.

Next!

> If there are so few boxes on the net with relatively little use, why do
> we need Netware exploits? 

To get into them and 0wn them, of course :)

Next!

> If Netware were as popular as Windows, I'm sure a whole mess of bugs would
> be found.  Anyways, that's just like my opinion...man....(the dude)

So basically I hear you arguing that discovery of bugs/exploits is in
direct proportion to the popularity of an OS? Nah, not buying it...

UNIX has been around (in various incarnations) since 1969. Windows (unless
you want to count OS/2 as some bastardized pre-release version) didn't show
up until the late 1980s. Linux was birthed around 1991.  Netware ... well,
I don't really know when the first version of Netware shipped. The earliest
copyright on my old Netware 4 manuals is 1993, so I'll guess 1993.

Anyway, here's your homework assignment. Pick any single year in which all
four operating systems were available. Pick a variant of UNIX (not including
Linux, which started off hardly resembling UNIX but which kind of evolved
into a System V/BSD hybrid over time), a variant of Windows, a release of
Linux, and Netware. Catalog the number of local and remote exploits for 
those systems during one single calendar year.  See what you get. I assert 
that what you will find will *not* correlate with the number of installed
site licenses or any other quantitative measure. Linux may, but the others
almost certainly will not. And be glad that I am not dragging MVS or VMS
into this discussion :)

Now, I confess that this does not necessarily measure the popularity of
the OS. In fact, it completely ignores it, which is my point :) All this
exercise does is track vulnerabilities by operating system, which gives
you --- what? A quantitative measure of the security of the OS? No, I doubt
it. What it gives you is the number of exploits found that year. No idea
of how devastating they were, no idea of what motivated people to find them.
Because, frankly, there's no way to track that.  Given any OS, there exists
a finite number of vulnerabilities that will compromise the security of
that OS. How many of those are actually found and exploited? No f**king 
idea, but likely a subset of the whole.

When Aleph One and Mudge came out with buffer overflows, EVERYONE started
looking for them. Same with printf string vulnerabilities. People looked
on whatever operating system they had access to, or on whichever one they
thought most likely to bear fruit. Or whichever OS they were most
comfortable or most familiar with. Heck, I bet people tried to bust into 
OS/2 boxes <LOL>.

I sincerely doubt that the popularity of the OS had much to do with it. 
Availability, maybe. Popularity? Nope.

Night all =;^)

G

-- 
Gregory A. Gilliss, CISSP                             Telephone: 1 650 872 2420
Computer Engineering                                   E-mail: greg@...liss.com
Computer Security                                                ICQ: 123710561
Software Development                          WWW: http://www.gilliss.com/greg/
PGP Key fingerprint 2F 0B 70 AE 5F 8E 71 7A 2D 86 52 BA B7 83 D9 B4 14 0E 8C A3
