DNAunion

I just happened to pick up a book I haven’t read for a while and came across this…

Photocrat

*Ahem*

I think you may not know whereof you speak...

For example, do you know of the 'shatter' attack? It's a flaw in the design, there is no fix. If you want to compare it to suid root scripts, please give me a simple script to scan for the windows running under admin, since one can easily be written to check on all suid root scripts.

Now, please explain how something like the signed integer problem in bitmaps would pass even the most novice code reviews? And lest you say it never happens, I remember reading advisories on bugtraq from 'Gobbles' who seems to enjoy grabbing random scripts and auditing them...

And that's not to mention all the people trying to establish a reputation by posting lots of advisories (or who at least seem that way, from my readings).

Now then, Microsoft does seem to be improving, but I can name a number of old, outstanding issues that could have been corrected ages ago... (actually, I will give them credit that they're starting to address some of them of late, but only just recently and I could have told you of them years ago...).

In the mean time, given a coder with a sufficiently malicious inclination, I believe that it would be feasible to destroy a significant percentage of the Windows computers online simply by waiting for an appropriate vulnerability with a pre-written payload and a few canned examples of 'boot strapping' type code (e.g. the code to overflow buffers with and whatnot). I'm not the only nor the first to envision this.

Ponder that for a while.

sakrilege

All of these systems were created before security was an issue. Have there been any systems created just for security? Is it possible to do?

AtheistSalmon

Our mid-sized fish plant cannot afford to pay for crappy expensive M$ software, so we use Linux Red Hat 9.0. A virus that destroys our data or leaks critical records would result in lots of pissed off employees, biologists, and fishermen who depend on our security to deliver their payroll, biological, and harvest records. In regards to Linux Gnu Open Source becoming a monoculture, no because as Linux grows so does the diversity of available software and distros which differ from each other.

Photocrat

Err, the military has certainly had security standards for some time now. However, most of the ones that have ever been met consist of simply offering various types of access controls (I believe that the standards are in the 'red book' from the 'rainbow books' series of government publications). Very few have ever met the top levels (which requires the system to undergo a formal verification). I think that one did, and I know there's a list available via Google, but the specifics escape me just now.

Anyhow, one of the virtues of the Macintosh is that they have very few services running on them, generally (e.g. they're not running all the crap that various default installations of NT or Linux may be), and thus have fewer things to attack, at least by default. They also have some archetectural differences that some make exploits more difficult (IIRC, they use Pascal-type strings instead of C-type strings, which prevents certain issues--there are a number of other differences in the filesystem, as well... but it's been too long since I used macs very much, so I'm sure that much of my knowledge is out of date.)

I should also mention that they generally receive less attention from the security community. They are by no means invulnerable, however, and there are folks who specialize in hacking them. They do have, generally, a reasonably sound design and they aren't overly prone to some of the excesses and legacy issues of other platforms, so they are reasonably secure, provided you don't ignore securing them out of some misguided notion that they're 'invincible' simply because most script kiddies don't know what to do with them.

As for a system designed for security, there are several systems which have undergone higher levels of government testing. I'm sure that google would turn up their names. Still, since most of those systems are either ancient or need to be configured according to the specs published by the NSA, I would tell you that unless you're going to set it up their way, you might want to try Open BSD.

Open BSD has a number of advanced security features, which reduce the scope of potential security issues (e.g. it has stack protection measures which help to mitigate buffer overflow problems, etc.) It also places a lot of emphasis (some have described it as 'downright paranoid') on being secure in the default installation (e.g. the theory being that you would have to misconfigure it yourself). It is often used as a firewall/proxy/etc. and is known to be a favorite of many security professionals, especially for servers that sit at the 'edge' of your network, exposed completely to the rest of the internet, protecting the servers behind it.

If you want more references for various security issues to research further, I suggest you look to sites like securityfocus.com (a security news/exploits portal), incidents.org (almost like a useful version of those terror alerts, but giving info on which worms are going about, what ports are being attacked, what scripts are all the kiddies running against everyone these days, and how it compares to 'normal' levels of activity, etc.), subscribe to bugtraq (a moderated security mailing list), etc.

Corona688

In my experience, Linux installs also come with very small numbers of default services. You can turn them on after you install, but if you didn't enable MySQLD, Samba, Apache, proftpd, sshd, and so forth, then they're not running.

Photocrat

True, true. It does depend on the installation options and just how you choose things, though I've seen some novices manage to hose Red Hat installations because they thought they were being a power user (or something?).

The point, of course, is that you have to care for all those services you decide to have running, and some people just don't seem to do that...

That, and I don't mean to make it out as though any computer is somehow invulnerable. You just need to know what all your computer is running, make sure you get your software from a reliable source, not fall for all the stupid scams/viruses trying to load you up with worms/trojans/whatever, etc.

In short, the only way to keep a machine secure is to know what you're doing, in which case you can probably keep out most intruders, and have them logged enough to mitigate their intrusion when you cannot.

ajmilne

Re Charney's comment:

Har har.

Microsoft flatters itself. As usual.

Progress is not an OS that runs half the speed on twice the hardware.

And, more to the point, I really have to say, there's a real irony in the claim, and one I think particularly revealing of Microsoft's way of thinking.

Microsoft through pushing its monoculture has poisoned the well of more than a few once interoperable technologies. And it's precisely this thinking behind it.

Yes, we could implement the standard, stick to the protocol, so *you* can run our browser, and someone else can run another, and the guy on the other end writing the page doesn't have to care which it is. Yes, we could have done the same for our Java VM.

But we won't. Where the margin in that? We want you all running our stuff. That's how we all work together. Not by agreeing on the protocols, and playing well with other OSes and apps. By everyone doing it our way, and running the same thing.

So it's adopt and extend, sabotage, and brinksmanship. TNEF instead of MIME, and never mind that MIME was just fine. And the end result is: if you're not running our stuff, you're a second class citizen on the net.

Not because it has to be that way. But because we're greedy.

It bears repeating:

I strongly doubt that. Here's my quote:

Without Microsoft's intransigence, we'd have had more progress. And without Microsoft's incompetence, we'd have fewer worms.

ajmilne

Should add: I have a B.Sc. in Biology, and worked for a few years in secure VPN, cryptography stuff (and my current clients, when they've got virus issues, they still call me, even though it's not technically on my list of duties, 'cos I can track down where the worm has slithered in in nothing flat, when it's pounding on the inside of the firewall, trying to get out to MS's update service).

So I know a bit of biology. And I know a bit of computer security. And I think the monoculture metaphor is pretty good. And for the record, the idea of biological/epidemiological metaphors applying to viruses, worms, and so on has been around a while. It is rather a natural. Biological organisms are self-propagating. A virus is self-propagating software. Some of the earliest were experiments inspired by biology.

And it's a bit odd MS should take any issue with the metaphor. Because, if anything, it gives them a break.

As in: the reason you get a steady, annoying flow of viruses and worms in the inbox at any very public address (like the wire one of which I am current custodian), and there are a million compromised systems out there dumping it up to the mail servers (to the bewilderment of my Debian box) is not that MS doesn't know what they're doing. It's just that there are so many MS machines around.

In fact, though I do find their software annoying, and I do think they could do better (and I subscribe to the CERT advisories, and have clients who run IIS on Win2K, and am always, it seems, forwarding them the latest warning re IIS) I do have to agree. Probably, if there were another monoculture, it would be the primary target, for the same reason (and yeah, tonight's warning was re OpenSSL, all in the interest of equal time).

But whether the black hats would get as far, with just about *any* of MS's current competition, well, I rather doubt that.

Photocrat

It is difficult to imagine a system which *won't* ever suffer any attacks.

The difference is in how well the risk of attack can be mitigated.

Consider the point that much of the security research (e.g. making new security systems) seems to go on on Open Source software (Open BSD, the NSA's SELinux project, etc.) ...

And yes, we've already had a few worms on *nix, but for the most part, the damage was underwhelming when compared to all the other worm attacks we've suffered (hell, I don't think it even made the mainstream news, or at least not any local channels for me, not that that proves much, even if the newspeople seem to like to run a computer virus story every so often).

But one other point to consider is that even if Linux dominated things, *everyone* can customize their software, which results in a LOT more diversity, and thus it would be a bit more difficult to make worms that worked on larger segments of the computer population... And before you say it, yes, lots of folks do customize their systems, they apply various kernel patches, they use different filesystems, they have different versions of the basic libraries, etc. etc. etc.

The closest windows generally comes to that is that they haven't updated to the next security fix because they haven't run windows update recently (because sometimes these mistakenly roll *back* patches for various issues...), or they're missing the vbrun*.dll the virus needs, or they're still running Windows for Workgroups