From owner-freebsd-chat Thu Dec 13 5:16: 4 2001
Delivered-To: freebsd-chat@freebsd.org
Received: from gull.prod.itd.earthlink.net (gull.mail.pas.earthlink.net [207.217.120.84]) by hub.freebsd.org (Postfix) with ESMTP id 48CAA37B41C for ; Thu, 13 Dec 2001 05:15:58 -0800 (PST)
Received: from pool0039.cvx21-bradley.dialup.earthlink.net ([209.179.192.39] helo=mindspring.com) by gull.prod.itd.earthlink.net with esmtp (Exim 3.33 #1) id 16EVhs-0001AI-00; Thu, 13 Dec 2001 05:15:25 -0800
Message-ID: <3C18A9F1.2C2978D3@mindspring.com>
Date: Thu, 13 Dec 2001 05:15:29 -0800
From: Terry Lambert
X-Mailer: Mozilla 4.7 [en]C-CCK-MCD {Sony} (Win98; U)
X-Accept-Language: en
MIME-Version: 1.0
To: Anthony Atkielski
Cc: Mike Meyer , Technical Information , FreeBSD Chat
Subject: Re: EzBSD aint for me! Was: A breath of fresh air..
References: <20011211140107.A67653@FreeBSD.org> <0112071641320B.01380@stinky.akitanet.co.uk> <01121010202100.00345@stinky.akitanet.co.uk> <20011211144049.A14693@acidpit.org> <20011211214943.A4489@tisys.org> <15382.29599.349155.309028@guru.mired.org> <20011211230257.A5157@tisys.org> <4.3.2.7.2.20011212181551.015734a8@threespace.com> <15384.11772.363959.693167@guru.mired.org> <003701c18398$07091d30$0a00000a@atkielski.com> <15384.17244.476714.955574@guru.mired.org> <004901c1839d$b273c440$0a00000a@atkielski.com> <3C18693A.D2093A32@mindspring.com> <00a101c183b2$0c496b00$0a00000a@atkielski.com> <3C1876E5.E2FF3B1D@mindspring.com> <00ad01c183d1$22294ca0$0a00000a@atkielski.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-chat@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

Anthony Atkielski wrote:
> Terry writes:
> > You already did, by installing Windows.
>
> This is the sort of hyperbole that reflects very poorly on virtually every
> group using software other than Windows.

You obviously don't read email headers.
This is not hyperbole; I could reflect your entire "counterargument" back to you based on your statements about UNIX.

> > You would be absolutely appalled at the cyber
> > warfare capabilities that are already out there,
> > deployed by crackers, aided and abetted by
> > Windows' poor security.
>
> If the Mac were the leading desktop platform, crackers would be
> concentrating on methods of compromising that system's security instead.
> This has nothing to do with the intrinsic security of an OS, and everything
> to do with the market dominance of an OS. Targeting Windows gives you far
> more potential targets than targeting any other OS.

This is not true. The majority of problems are obvious, and easy to either fix or mitigate. It's trivial, for example, to write a firewall program that hooks in at the WINSOCK level, and prevents active external attacks. Microsoft sells such a program, as a separate add-on, when in reality it would be a much more valuable intrinsic to the OS than, for example, Internet Explorer.

The remainder of the problems are Trojan related; unfortunately, almost every program which uses the HTML rendering component for data from an outbound connection to the net can be manipulated, since there are not stringent controls on the piggybacking of data or commands to the local machine, on top of legitimate traffic, whereby an outbound connection on port 80 can be forced on the software in question. This is true of the MSN, AOL, and Yahoo instant messengers, Real Player, Quicktime, Shockwave Flash, etc., etc.; not to mention email-based transmission of attacks via Outlook, most of which could be corrected by correct parsing of RFC 2141, such that meaning was not assigned to message headers or a MIME part until all the data had been downloaded, rather than attempting to interpret it based on partial data _during_ download.
Any client/server program, where the control stream is not restricted to particular command sequences, is at risk of such exploitation. Add to this the amplification effects of CDNs like Akamai, where a single hacked subscriber server can thereafter distribute worms, "Back Orifice", and other code, and you have a formidable set of aggregate risks.

> In the area of security, it might be wise for UNIX users not to
> point any fingers, as UNIX security is very poor indeed.

Please back up these claims. I'll accept any OpenBSD root compromise you can name as evidence.

> I shudder to think what sorts of problems we would be having if
> UNIX were on every desktop.

Blatant inability to run the most popular viruses? ID-based compartmentalization of exploits to non-privileged user IDs, limiting attack damage significantly?

In truth, heterogeneous environments offer the most safety, where there is no single dominant system, and therefore no single dominant weakness available to exploit. So it is the very "success" of a single platform which endangers us all.

It was very tempting, a few months back, to write code that would use one of the known IIS exploits to install FreeBSD, Apache, Front Page Extensions, and ASP services (under Linux emulation) on any IIS server which had not been patched, and then copy the previous content back onto the system, including a "boot screen" image of whatever was on the console screen at the time of the crack. As obviously inimical as such an idea is, I'm sure that the vast majority of sites so cracked would get their first clue that an attack had taken place when they realized they didn't have to reboot their web server that week.

It would have been an amusing demo at "DefCon"...

-- Terry

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-chat" in the body of the message
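Editor's note, added to this archive page and not part of the message above: the point Terry makes about mail clients, that no meaning should be assigned to a header or a MIME part until the whole message has been downloaded, can be shown in a few lines. The example below is written for this page; it does not describe Outlook's or any other client's internal code. It assumes a POP3/SMTP-style download where the server ends the message with a line holding a single "." and dot-stuffs body lines that begin with "."; the sample message, the chunk size and the render/quarantine policy (BLOCKED_TYPES, BLOCKED_EXTENSIONS) are all constructed for the example.

```python
"""Interpret a downloaded mail message only once it is complete (example code)."""
from email import policy
from email.parser import BytesParser

# POP3 RETR and SMTP DATA both end a message with a line holding a lone "."
TERMINATOR = b"\r\n.\r\n"

# Constructed sample message (not real mail): a text part followed by an
# executable attachment, with one dot-stuffed body line as a POP3 server
# would transmit it. The trailing ".\r\n" is the server's end-of-message line.
SAMPLE_MESSAGE = (
    b"From: alice@example.test\r\n"
    b"To: bob@example.test\r\n"
    b"Subject: quarterly numbers\r\n"
    b"MIME-Version: 1.0\r\n"
    b"Content-Type: multipart/mixed; boundary=\"sep\"\r\n"
    b"\r\n"
    b"--sep\r\n"
    b"Content-Type: text/plain; charset=us-ascii\r\n"
    b"\r\n"
    b"Numbers attached.\r\n"
    b"..this line began with a dot, so the server stuffed a second one\r\n"
    b"--sep\r\n"
    b"Content-Type: application/octet-stream; name=\"numbers.exe\"\r\n"
    b"Content-Disposition: attachment; filename=\"numbers.exe\"\r\n"
    b"Content-Transfer-Encoding: base64\r\n"
    b"\r\n"
    b"TVqQAAMAAAAEAAAA//8AAA==\r\n"
    b"--sep--\r\n"
    b".\r\n"
)

# Hypothetical local policy: which leaf parts may be rendered, which are held.
BLOCKED_TYPES = {"application/octet-stream", "application/x-msdownload"}
BLOCKED_EXTENSIONS = (".exe", ".scr", ".pif", ".bat", ".vbs", ".com")


def unstuff(raw):
    """Undo POP3/SMTP dot-stuffing: a line starting with '..' loses one dot."""
    return b"\r\n".join(
        line[1:] if line.startswith(b"..") else line
        for line in raw.split(b"\r\n")
    )


class MessageReceiver:
    """Accumulates a download and refuses to parse until the terminator arrives."""

    def __init__(self):
        self._buf = bytearray()
        self.message = None

    def feed(self, chunk):
        """Append one network chunk. Returns the parsed message once complete, else None."""
        if self.message is not None:
            raise ValueError("message already complete")
        self._buf += chunk
        end = self._buf.find(TERMINATOR)
        if end < 0:
            return None  # still downloading: no header or part is interpreted yet
        # Everything before the terminator's CRLF is the message; restore the
        # final line ending that the terminator search consumed.
        raw = unstuff(bytes(self._buf[:end]) + b"\r\n")
        self.message = BytesParser(policy=policy.default).parsebytes(raw)
        return self.message


def classify(msg):
    """Decide render/quarantine per leaf part, using only a complete message."""
    verdicts = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        fname = part.get_filename() or ""
        blocked = ctype in BLOCKED_TYPES or fname.lower().endswith(BLOCKED_EXTENSIONS)
        verdicts.append((fname or ctype, "quarantine" if blocked else "render"))
    return verdicts


def receive_in_chunks(data, chunk_size):
    """Simulate a download arriving in chunk_size pieces; None if it never completes."""
    rx = MessageReceiver()
    for offset in range(0, len(data), chunk_size):
        msg = rx.feed(data[offset:offset + chunk_size])
        if msg is not None:
            return classify(msg)
    return None


if __name__ == "__main__":
    print(receive_in_chunks(SAMPLE_MESSAGE, 7))
    print(receive_in_chunks(SAMPLE_MESSAGE[:-3], 7))
```

The receiver makes exactly one decision point: nothing is parsed, classified or handed to a renderer before the terminator has been seen, so a truncated or still-streaming download yields None rather than a verdict on the parts seen so far. The dot-unstuffing is done on the complete buffer for the same reason; a client that unstuffs and interprets line by line has to commit to the meaning of each line before it knows whether the message will even finish.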