Message-ID: <200402210045.i1L0j1kw026724@mailserver1.hushmail.com>
Date: Fri, 20 Feb 2004 16:45:00 -0800
From: <auto397706@...hmail.com>
To: full-disclosure@...ts.netsys.com
Cc: bugtraq@...urityfocus.com
Subject: Yet Another Instance of mi2g's Incompetence...



Nothing says 'infuriating' better than a publicly published report that is seemingly rife with inaccuracies and conclusions drawn from poor data. As attrition.org so kindly points out with historical evidence, mi2g has a long history of lying and flagrant ineptitude with respect to the general public:

http://www.attrition.org/errata/charlatan/mi2g-history.html

In a report boldly titled "The World's safest [sic] Operating System," mi2g claims that of all attacks to a particular segment (and they seemingly extrapolate this to mean the rest of the computing world at large), Linux was the target of 80% of the overall attacks, Windows 12%, and BSD/OSX a combined 3%. From their website, and I quote, "The study also reveals that Linux has become the most breached online server OS in the government and non-government spheres for the first time, while the number of successful hacker attacks against Microsoft Windows based servers have [sic, again.. hire a grammar checker before you publish reports, people... the article here refers back to "the number," which is singular, and not "servers.." this should be 'has' and not 'have'] fallen consistently for the last ten months."

Excuse me?! This is some of the most flawed logic I have seen in AGES. Read more of what I'm about to comment on here, first:

http://maccentral.macworld.com/news/2004/02/20/osxserver/
and
http://www.mi2g.com/cgi/mi2g/press/190204_2.php

First of all, I question their data mining abilities -- attrition.org
should give you more than enough reason to feel this way as well.  Also
consider that these numbers, as always, only reflect the number of attacks
discovered and reported.  How many Windows boxes out there have been
compromised and are run by clueless admins who don't ever discover they've
been broken into?  Admittedly, there are also lots of Linux boxes, no
doubt, that are broken into and never discovered.  However due to the
ubiquity of Windows, I would venture to guess that there are a lot more
Windows boxes in this state.  I would *highly* suspect their number of
2,005 Windows attacks versus 13,654 for Linux.  Highly.  How about a
source for this, mi2g?

Not factored into the public details are the machine counts. How many deployments of each OS exist and are considered in the study? DK Matai, the man who can't make up his mind what he's doing with his life, let alone actually FINISH something, claims that "Windows administrators deserve some credit for having consistently reduced the proportion of successful online hacker attacks," but I would argue that as well, as that only hinges on the initial flawed conclusion.

Let's consider the biggest, most glaring flaw in here. "mi2g noted that the numbers exclude attacks caused by viruses, worms and Trojan Horses." Excuse me? I find this type of omission absolutely egregious. How can you completely discount a group of problems that comprise, by far, the most impactful of all security issues facing Windows admins today? Or did Mr. Matai and mi2g just not feel like finishing that part of the report? The number would be astronomical, comparatively, no doubt. And how does one appropriately separate attacks by malware from attacks by individuals employing similar techniques? We've all seen worms circulate that were initially vulnerabilities turned script kiddie exploits - does the average Windows admin know how to tell the difference if their AV scanner doesn't pick it up initially?

Excluding these numbers here is not only a flaw, but it is indicative of mi2g's baseless view on security -- in effect, they're saying these things are just not serious enough to be included. This is QUITE a dangerous conclusion to make, because it leads to grossly inaccurate results -- like this "report." Look at the recently discovered Kaitex.E Trojan. It connects back to a computer and allows the originator to execute arbitrary commands. And that wouldn't be included? That's far worse to me than somebody getting 'nobody' access on a chrooted apache server, which if properly set up can't even modify a single file. Or even worse, the recently discovered MyDoom.F, which not only includes a remote access vector similar to Kaitex.E, but also deletes all local files with extensions like .xls, .doc, .mdb, amongst others. It also propagates across shared network drives. ( http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=101038 ) "So what? It's low profile," you say? So it hits only a few hundred or few thousand hosts? Well that's a few thousand machines that have now lost potentially business critical data. Ask their managers which they'd rather have happen.

Now before anybody says a word about the hushmail source of this, I am openly admitting that I am doing this solely because I work at a different security company -- a real one, unlike mi2g -- and I do not want my employer to be associated with derogatory statements against another. Because this is a personal concern of mine, completely unrelated to business. And I will admit to not having seen the actual full report, as I'm not willing to pay over $40 for this drivel. I can't imagine there would be more publicly acceptable data that would strengthen their point inside of it that they would choose to not reveal, or even suggest at.

So to mi2g... why don't you do something useful, and just go back to
selling automotive info or making e-commerce sites.  Stop misleading
the public with bogus reports created from flawed data.  It's this kind
of bullshit that gives the industry a bad name, and makes people question
those who actually do something useful.

Signed,
An Anonymous Info-Sec Geek and Longtime Hobbyist




