lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Message-ID: <4643AE0D.2030503@s0ftpj.org>
Date: Fri, 11 May 2007 01:43:09 +0200
From: KJKHyperion <hackbunny@...tpj.org>
To: full-disclosure <full-disclosure@...ts.grok.org.uk>
Subject: Re: Linux big bang theory....

J. Oquendo wrote:
> KJKHyperion wrote:
>>
>>
>> why, Windows machines of course, I'm an attacker, not a fool! If you 
>> were a terrorist, what would you rather do?
>>
>> Crash the Twin Towers
>> Crash the dollar
>>
>> There is no such thing as an "attacker". All actions, even such an 
>> individual's, are driven by economical considerations.
> With this said, if I were an attacker with economics in mind
> why would I want to target a machine which has X amount of
> vendors sifting through the much of malware and viruses when
> I could spawn off an semi undetectable program and KEEP IT
> THERE without having to wait for the next best thing.

So many misconceptions, so little time.

First of all, I meant economical in not just a monetary sense, but the 
wider sense of balancing conflict in everyone's interest. And well, I 
got the impression you were thinking of outlandish lose-lose (hence 
anti-economical) scenarios where some loose cannon shuts down the whole 
internet, but on second thought I might have been wrong on that account. 
The idea was that, as effective an enemy-killer crashing the dollar 
would be, it would prove counterproductive, damaging irreparably the 
very currency that puts bread on your table and AK-47 on your shoulder. 
So a purely economical evaluation will bring you to choose, instead, the 
option causing the lesser evil (i.e. the virtual death of the airline 
terrorism market).

Second, don't kid yourself, the market of security suites for Windows 
is, at best, an open-air fish marketplace (a terrible stink, a lot of 
yelling and products with an inherently short freshness timespan the 
first similarities that come to mind, but I'm sure the mental picture 
will evoke you many others).

I have written Windows attack software for a living, and there's one 
thing I can write down and undersign in my own blood: Windows cannot be 
secured. Which is very bad news for the whole industry, Windows being 
the system with the highest security/feature richness ratio, or in other 
words the culmination of the state of the art of software engineering as 
we know it. We lack the semantic tools to even express *what* Windows 
does, much less how, much less to tell right from wrong

[The feeble-minded, confronted with this, retreat in the virtualization 
hugbox, forgetting the historic lesson that the Titanic sank because the 
flooding bypassed the (insufficiently fine-grained, at that) waterproof 
compartments by reaching *over* them -- and let's leave it at that, 
before runaway metaphorization makes me say something about how Leonardo 
Di Caprio fits that I will regret]

There is nothing, absolutely nothing you can do to isolate applications, 
or tell malicious from normal behavior. Hell, you can hardly tell apart 
applications from each other. An application is often just an EXE, but 
sometimes it's an EXE and a bunch of DLLs, and sometimes one of the DLLs 
is loaded in all active processes, and sometimes the EXEs are two or 
more, and sometimes a driver is thrown in the mix, and yet sometimes all 
you have is a single DLL, a DLL that, sometimes, must *necessarily* be 
loaded at random times in an arbitrary process (see: IMEs).

Not that it matters at all, since the biggest names in security suites 
fail even the most basic, trivial tests (god is my witness in how often 
I overengineered some protection routine, only to discover that 
expensive security suites that shall go unnamed didn't notice the whole 
trojan in the first place), but it's kind of comforting to know that the 
problem is unsolvable in principle, now isn't it?

So stop shelling out money to the snake oil salesmen or even giving them 
any credit. When humanity's flagship software product is in such a sorry 
state, you know there is nothing a random moron like you can do. Let the 
scientists discover the obvious, let the engineers put it in practice, 
and until then, for the love of god and all that is holy, _just_ _don't_ 
_swallow_.

[Microsoft being Microsoft, the most important software engineering 
proof-of-concept, ever, they have developed will probably become a 
product in ten years from now, if ever, be a huge flop at it and be 
forgotten soon. It's called Singularity, it's an operating system 
99.999% based on .NET, it will make your CPU simpler and faster and your 
software safer, it's sort of like what Inferno would be if it was 
actually meant to be used by human beings, *and* if your irrational 
racist hate of .NET or other kind of short-sightedness makes it seem any 
less than the... singularity that will take the world by storm and 
change it forever I see it as, *then* to me you are dead from the 
inside; <http://research.microsoft.com/os/singularity/> for more 
information]

> And if you think for a second that "Boohoo Linux users are more inclined
 > to be security conscious" then you are the fool here.

Haha, yes they are, according to their self-assessment. As for delusions 
of security consciousness, though, my favorite have to be the MacOSX 
users. They are just completely detached from reality. I have seen 
people I considered computer security gods sit in front of a Mac and 
turn into trusting, carefree idiots on the spot. They download warez 
from Limewire, crack it, share it with their Mac-using buddies, they 
will double-click on random auto-run DMGs without batting an eye, and 
they will know absolutely nothing about the system and still be proud of 
every shining new shareware widget like they made it themselves.

[random hint: MacOSX is not based on UNIX, it's based on Mach which has 
a lot more in common with Windows than any UNIX, ever; the upper layers 
come from NextStep, again not an UNIX by any stretch of imagination; the 
UNIX subsystem has only ever caused security issues and will keep 
causing them, because it's a poorly integrated add-on with almost purely 
advisory vetoing powers]

They use, again very proudly, an alternate "desktop" they download 
Javascript "widgets" to, and a screen saver that shows the latest 
headlines from their "feeds" of choice [alternate keywords: "active 
etc.", "items", "channels"]. They are, in other words, living in 1998, 
plus special effects. I could poison Limewire with backdoored Office 
2004 DMGs and own a planetful of these clueless, poor, trusting 
bastards. They'd be wearing their best shit-eating grin the whole time 
(built-in webcam if you need proof!), and you can hardly beat _that_, 
sheer numbers be damned.

> Of the couple of thousand of brute force bots I see, none are on
> Windows.

Of course, where would we run our millions of phishing bots otherwise?

> Whatever though, to each their own mechanisms of thought.
> If you truly believe its all fine and dandy and things
> won't get progressively worse by giving Linux to
> inexperienced users, you are in for a rude awakening.

You _can_ sleep?

> If you haven't stopped to read the facts that malware, *ware creators
 > are getting more savvy, then you seem to be stuck somewhere in a
 > world of fantasy.

You seem to assume nobody that programs on Windows could possibly get 
"savvy". I assume you are choosing to ignore that Windows hackers have 
completely hijacked the UNIX-born concept of "rootkit", bringing it to 
heights that probably give nosebleeds to most UNIX-heads. Despite this, 
and despite scaremongers the likes of Joanna Rutkowski, there has been 
no technological escalation in attacks because it's unnecessary -hence- 
antieconomical (could also be because kernel-mode rootkits suck? I'm a 
firm believer of user-mode rootkits. Vanaglorious boasters will lead you 
to believe you can do more in kernel mode, but experience soon shows you 
that you can actually do *less*, at a higher cost)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ