Women in Technology

Hear us Roar



Weblog:   Linux Users: Welcome to the World of Malware
Subject:   Not Quite
Date:   2004-10-28 01:47:18
From:   jwenting
Response to: Not Quite

Completely bogus arguments as usual from the Linux priests :)


The 400 (I think it's closer to 4000, but say 400 major ones (right...)) distributions are in fact a major weakness, as they divide the codebase and make fixing holes (and there are plenty) almost impossible.
You'd have to fix the hole in 400 separate copies of the codebase, something version control was designed to prevent the need for but which Linux groups seem to have abandoned...


And while you might be relatively safe from this type of malware attack (I don't think you are; most of you think you're so safe that you implicitly trust anything coming from someone claiming to be an authority...) you're still wide open to phishing scams, which you by proxy claim to be invulnerable to.


As to waiting for updates to be released, this email claimed to be an update from Red Hat and therefore exactly the stuff you claim to be waiting for :)
Most Windows users will not trust such messages, instead relying on Windows Update (a mechanism still unheard of for many Linux distros).


Showing messages 1 through 9 of 9.

  • Not Quite
    2004-10-29 16:30:13  riplin

    > 400 major ones (right...)) distributions is in fact a major weakness

    No, it is a major strength. For example buffer overflows rely on the overwriting code to be in the exact right place for it to work at all. With Windows all copies of a program are identical, for a particular version.

    For Linux the compilation may have a different CPU target (386, 486, 586, etc.) and different options and different optimizations, which mean that there are 400 different 'right places' to overwrite with a buffer overflow vulnerability, and that does count the variations that may occur if the user has recompiled.

    This means that a particular attack that is targeted at, say, RedHat 8, misses the target on Mandrake, SUSE, and all the other hundreds.

    The buffer overflow (given one exists) may crash the program, but it most likely won't cause execution of malicious code.

    As there is still only one actual source tree the problem may be fixed just once and then each distro, or the user, recompiles. Generally this makes it pointless for the malware writer to even bother trying.

    Think of it as shooting a gun randomly in a zoo. In the Windows zoo any bullet fired randomly will kill anything it hits. In a Linux zoo each bullet has to be tailored to a particular animal, such that a lion bullet won't kill a chimpanzee, though it may knock him off the tree.
  • Not Quite
    2004-10-29 08:10:24  unoengborg

    You get it slightly wrong. Bugs are usually fixed in one codebase, the one that the maintainer of the broken program holds. The role of the distributors is quality assurance. They make sure the fix doesn't break anything in their distro (as it normally shouldn't). So it's more like the bug is fixed in one codebase and tested in 400.

    True, Windows Update is unheard of in the Linux world; instead we have apt-get, yum, and some distribution-dependent update mechanisms that work just as well as Windows Update, with the exception that they update all programs, not just the OS.
    As a further precaution most Linux distros use digital signatures to ensure the validity of the source of the update.
  • Not Quite
    2004-10-28 23:42:03  RichardJC

    ``You'd have to fix the hole in 400 separate copies of the codebase, something version control was designed to prevent the need for but which linux groups seem to have abandoned...''

    It's somewhat better on Linux. Consider the recent flaw in a JPEG rendering library that hit both Microsoft and Linux systems. Because the Linux shared library system works so well, Linux users just update the one copy of the library on their systems. Tools like aptitude, a nice wrapper around apt, make that easy. Aptitude will even automatically remove the library if it is no longer needed. The end result: the library is fixed once; all applications benefit.

    Conversely, on Windows, every application has its own copy or is statically linked to the library. It's a workaround to DLL-Hell. Dot-Net promises a Linux-like fix for it, but is not here enough yet, so Windows users have to get updates for every application on their system that uses the JPEG code.

    Windows Update only benefits Microsoft's own applications. Does it even benefit Office, or is it Windows System only? Whatever - it doesn't help that non-Microsoft photo viewer you got with your camera. Did you remember to update all of the programs on your system that use JPEGs?

    The Linux shared library system was designed as a multi-user system. Unlike Windows, which in the past was always single user to the core, and even now I think would load a separate copy of each application and all its libraries into memory for every instance running, Linux shares library and even application code between running instances.

    That's how applications can be quoted as "10M RAM plus 2M per additional user". The JPEG library need only be on the system in one place, and need only be loaded into RAM once, no matter how many applications or even distinct users are using it.
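One caveat the shared-library model carries, as an added example that is not part of the post above or any poster's code: replacing the single copy of a library on disk does not replace the copy already mapped into running processes. The kernel keeps the old inode alive while it is mapped, and on Linux /proc/PID/maps marks such mappings with a trailing "(deleted)"; those processes keep executing the pre-update code until they are restarted. The POSIX sh function below walks a /proc-style tree and lists every process that still maps a deleted library matching a pattern. The directory parameter is an assumption of this example, present only so the function can be run against a constructed sample tree instead of the live /proc.

```shell
#!/bin/sh
# Added example (not from the original thread): list processes that still map a
# shared library whose file on disk has since been replaced, e.g. by a package
# upgrade. The kernel keeps the old inode alive while it is mapped, and
# /proc/PID/maps marks the pathname with a trailing " (deleted)". Those
# processes keep executing the pre-update code until they are restarted.
#
# stale_libs [proc_root] [pattern]
#   proc_root  a directory laid out like /proc (default /proc); a parameter
#              only so the function can be exercised on a constructed tree
#   pattern    awk regular expression the library path must match
#              (default "[.]so": any shared object)
# Prints one "pid path" line per (process, deleted library) pair.
stale_libs() {
    root="${1:-/proc}"
    pattern="${2:-[.]so}"
    for maps in "$root"/[0-9]*/maps; do
        # unreadable maps (other users' processes, when not root) are skipped
        [ -r "$maps" ] || continue
        pid=$(basename "$(dirname "$maps")")
        # maps columns: address perms offset dev inode pathname; a deleted
        # mapping ends "... /path/to/lib.so (deleted)", so the last field is
        # "(deleted)" and the field before it is the path
        awk -v pid="$pid" -v pat="$pattern" '
            $NF == "(deleted)" && $(NF-1) ~ /^\// && $(NF-1) ~ pat {
                key = pid " " $(NF-1)
                if (!(key in seen)) { seen[key] = 1; print key }
            }' "$maps"
    done
}
```

After an upgrade, run `stale_libs /proc libjpeg` as root (an unprivileged user can only read the maps of its own processes); every pid printed still holds the old library and needs a restart before the fix on disk actually protects it. Debian's needrestart and the yum-utils `needs-restarting` command automate the same check.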
  • Not Quite, jwenting
    2004-10-28 07:50:21  bairdcarr1

    Perhaps you haven't used Linux in a while...

    Windows Update is a very pale comparison to the "mechanism" built into many (most/all) linux distros. Apt, urpmi, up2date ring a bell? Not only for updates, but for upgrading your entire OS and all the software over the internet (at least with Apt, which comes with debian based systems, and is installable on rpm based systems). Very impressive, and very cool. There is just no comparison with Windows. Forget all your commercial and pirated CDs, Linux/Open Source is just plain easier.

    Microsoft only occasionally provides updates to its own software. Windows Update is vital, and at one time I thought it was even cool. But it is only good for MS products, and with the possible exception of SP2, has utterly failed to provide any solution to the desperate onslaught of attacks on their products.

    SP2 is a step in the right direction for home users, but I imagine the benefits to many companies like mine are negligible due to the fact that we have to turn off some of the new features in order to continue using several pieces of software unique to us. All is FAR from perfect in the Windows world, as if it weren't obvious to everyone.

    OSX even has a better update "mechanism" than Windows Update. And OSX is stable, has superior security, and is very easy to use. Being a Linux user, it is still very limiting for me, but at least I enjoy the sound it makes when you turn the computer on.

    I realize I am a Linux zealot, but who is more trustworthy in promoting a product, someone who has a financial stake in the product, or someone who loves it? That love has been earned. There was no one talking to me about Linux when I first started using it. I was on my own. It proved itself by just working, not with cool sounds, pretty pictures, or promotional videos.

    I have been a Windows/Amiga/Mac/Unix/Linux admin for 11 years at the same company. The vast majority of machines run Windows. It was my experiences with Windows that led/drove me to Linux, and I am continually in awe of the power and resources available to me with this one OS.

    I am constantly running to keep up with problems on our Windows workstations. I have only touched our Linux workstations (constantly used, multiple users) once in 2 years, and then only to start a network upgrade of the system. Simply amazing. The same is true with our various Unix/Linux servers. They just continue to work, I almost forget they are there. A few haven't been rebooted in a couple of years or more.

    That is in stark contrast to any Windows workstation/server at work, home, at a friend's home, or at another client's office. Wherever you go, the story is the same. People write articles about "The Linux Hype", but ignore "The Windows Hype". The Windows hype is that Microsoft makes a usable OS that is easy to use, requires less administration, has a lower TCO.

    Let me clear that up for you. If my network were all Linux, I could be the only Admin at my company, sitting at home in my boxers, eating cheetos, connected in via secure shell, working on systems without the users having to leave their chairs or know I am there. Such a peaceful network that would be... sigh...

    Sure, we would save a lot of money and not require the constant workstation upgrades to keep up with the Windows world, etc, etc...

    But then again, most admins like me are just leeches living off all the problems people have with Windows. I wouldn't enjoy all the extra work, job security, etc if we lived in a Linux world. So you see, I am dependent upon Windows sucking.

    --- end of rant
    • Not Quite, jwenting
      2004-10-28 23:01:36  jwenting

      I've used Debian earlier this year and apt works nicely indeed.

      But as to your "Windows Update is a very pale comparison to the "mechanism" built into many (most/all) linux distros", that's simply not true.
      It works at least as well as apt does.

      "Microsoft only occasionally provides updates to its own software."
      Microsoft releases updates every week, more often if needed.
      I'd hardly call that "only occasionally". They just don't issue major press releases when going from version 0.0.3.1.5.2.5.43b3 rc1 to 0.0.3.1.5.2.5.43b3 rc2 like Linux groups are wont to.

      "someone who has a financial stake in the product, or someone who loves it?"
      Neither. That would be someone who has the capability of looking at that product from a distance without emotional or financial attachment.
      Your love for Linux clouds your vision so you don't see the shortcomings of the platform (or as I've seen by many Linux zealots actually call those shortcomings strong points).

      " I wouldn't enjoy all the extra work, job security, etc if we lived in a Linux world."
      You'd have even more work to do as every cracker in the world would use the availability of the source code to find and exploit the holes.
      At the moment you get only a few hardcore ones interested in breaking into juicy corporate LANs and holding them ransom or stealing information, but in your ideal world you'd have to deal with script kiddies using hacking kits written by others, which is exactly what most attacks on Windows platforms are today (attacks which would almost invariably fail if people weren't listening to anti-Microsoft propaganda and failing to keep their machines up to date because they "don't trust Microsoft").
      • Not Quite, jwenting, Continued...
        2004-10-29 21:05:53  bairdcarr1

        Sorry, man, you missed the point again. Windows Update only updates Windows and few other things. Apt (and a few others like it) updates the OS and everything else you have installed. My "Pale by Comparison" remark is more than accurate, as there is nothing even possible of being comparable in the Windows world. Not a criticism, just a point of fact.

        Perhaps my loving Linux comment wasn't quite accurate, however. I am in awe of it. Not meritless, blind adoration as you suppose. I am utterly amazed by the resources that come in even your most basic distro. It's amazing how many Windows applications can be replaced by simple shell scripts.

        If you count machines and time spent working on a particular OS, I am primarily a Windows admin. My disgust with Windows is rooted in fact. Documented by the hour, machine, and problem.

        I'm glad you tried Debian. Not the most polished distro, but for some reason my personal favorite. Maybe you should try SUSE or Mandrake until you get your feet wet. Any Windows admin would feel comfortable with them; they have pretty good GUI admin features from what I have seen.

        Anyway, keep at it, you will eventually see what everyone likes about Linux.
      • Not Quite, jwenting
        2004-10-29 11:01:15  alucinor@mail.com

        "It works at least as well as apt does"

        Except it only updates products from Microsoft.

        -

        "I'd hardly call that "only occasionally". They just don't issue major press releases when going from version 0.0.3.1.5.2.5.43b3 rc1 to 0.0.3.1.5.2.5.43b3 rc2 like Linux groups are wont to."

        "Major Press Releases" = update noted on their sourceforge homepage.

        -

        "Your love for Linux clouds your vision so you don't see the shortcomings of the platform (or as I've seen by many Linux zealots actually call those shortcomings strong points)"

        He said that he loves it for several reasons. And in this case, "love" is likely a synecdoche for "approves of", "endorses", or "strongly recommends".

        -

        "You'd have even more work to do as every cracker in the world would use the availability of the source code to find and exploit the holes."

        The NSA doesn't seem to think so.

        Access to source code actually speeds fixes, not breaks, since the "white hats" in the hacker community greatly outnumber the "black hats" (it's just that the latter get far more publicity).
      • Not Quite, jwenting
        2004-10-29 08:35:19  unoengborg

        But as to your "Windows Update is a very pale comparison to the "mechanism" built into many (most/all) linux distros", that's simply not true.
        It works at least as well as apt does.


        Perhaps it is me that knows too little about Windows, but what I miss in Windows Update is some way to get information about installed files.
        So far I haven't been able to find some place in Windows where you can get information on what program a certain file or DLL belongs to, or a description of what it does or what other programs depend on it. I have also failed to find some way to list all files that are installed with a certain piece of software.
  • Argument from ignorance is frustrating
    2004-10-28 07:37:36  Anonymous_Coward

    A battle of wits and my opponent is unarmed. Oh, well.

    There are not 400[0] copies of the codebase, there is typically one, sometimes 2, rarely 3. That's not how it works. Perhaps your distro has a small collection of favourite patches for large items like the kernel or OpenOffice, perhaps not, but it's all built from and folded into one set of sources.

    We do not claim to be invulnerable to phishing scams. We just claim that installing the kinds of malware which plague MS-Windows is orders of magnitude harder. As in this case. You'd have to have the root password to install the malware, and we generally don't give the users that because, unlike MS-Windows, we don't need to run, for example, accounting programs as Administrator.

    Anyone with the root password is going to know that their updates arrive on the canonical file server and are automatically picked up and installed by their package manager (apt, URPMI, yum, yast, pkg, whatever) provided that the crypto keys match.

    How much else don't you know?
