Open Source and information security mailing list archives
Message-ID: <003101c384c5$8d63af50$0c351c41@basement>
From: mattmurphy at kc.rr.com (Matthew Murphy)
Subject: CyberInsecurity: The cost of Monopoly

"Bruce Ediger" <eballen1@...st.net> wrote:
> On Fri, 26 Sep 2003, Rick Kingslan wrote:
>
> > I'll not argue that the Windows operating systems are the target of the
> > majority of viruses, but that's typically what happens when a system is
> > used by a known large group of people that might not be qualified to run a
> > computer, much less secure it.
>
> Doesn't this just constitute special pleading to use Microsoft's products?
> For example, this theory is totally unfalsifiable - only Microsoft
> products are in such a position.
>
> Oh, wait.  Apache has about 2 times the market share of IIS, and I'm
> still getting Code Red and Nimda hits TWO YEARS after they were released.
>
> By contrast, I only got about 2 days worth of hits from Slapper.
[snip]

And, of course, this theory has complete relevance in the discussion -- oh
wait, Apache runs on dozens of different OSes, and by the time you include
individual distributors' binary packages, you're getting into ~100 different
Apache flavors (a conservative estimate).  IIS runs on OSes which are (under
the hood) quite alike -- Windows NT 4.0, Windows 2000, Windows XP, and
Windows Server 2003.

The reason you only get two hits a day from Slapper is because that worm
targeted a very small portion of Apache's install base (certain versions of
Apache 1.3 + mod_ssl installed + SSLv2 support + certain OpenSSL versions +
certain linux distributions, ...), while the only inhibiting factor to Nimda
was a vulnerable version of IIS.  Similarly, Code Red didn't require any
non-default settings (sadly), all it required was a vulnerable Windows 2000
Gold setup.  In some cases, the exploits used in Slapper are
language-dependent, whereas Code Red and Nimda were not, ...

I could go on all day.  When you see the first Apache exploit that works on
a third or half of vulnerable Apache installs with a single target (an event
I probably will not live to witness), then we can talk about
disproportionate numbers of attacks against systems.  When you get into
discussion about system monoculture, so to speak, you have to assess the
system at every level -- right down to the CPU in many cases.

This is the problem with the theory of system monoculture -- variations at
one level often create a tendency at another level.  For instance, the
reason IIS has remained limited to 30% of servers is because it runs on
fewer (Microsoft) platforms.  However, this makes IIS a more attractive
target in terms of attack success as the OS framework underneath it (which
plays a substantial role in exploitation) is similar.  Had the market
balance been shifted in favor of Apache even further, presumably in favor of
cross-platform portability (thus requiring any number of exploit methods for
one version), the attacker would then have a greater chance of guessing the
correct exploit method, as a greater number of potential victims is
available.  Similarly, had IIS been ported to multiple platforms and become
the majority server, Code Red would have perhaps seen a *decrease* in
infections due to crashing many potential victims.

