Computer virus creates peer-to-peer terror network.

www.WorldTribune.com ^ | Copyright 2002 | Scott McCollum

[Scott McCollum]

"The 13,800+ Linux servers infected by the Slapper worm have created a huge, intelligent P2P network that according to Symantec virus analysts can efficiently redirect network traffic, data and even router information from targeted networks back to the compromised Linux servers."

[AdA$tra]

[AdA$tra]

[AaronAnderson]

M$ set up the brass ring when they used illegal anti-competitive tactics to manipulate the market and create a monopoly. If they have the only OS on the market, then it damn sure better be beyond reproach and better than the competition they illegally hindered in all respects.

Red Hat may have donated code and money, but why should they be any more responsible than the person who runs openSSL who has free access to the code and can modify it themselves? At least one has a chance to fix perceived problems rather than reading their EULA that says if something goes wrong with OUR product, YOUR screwed.

You alluded to the windoze exploit where user error was to blame, yet you neglected to mention that all the distributions you enumerated have their firewalls configured to block the ssh and ssl ports and the user has to manually configure those services and open up the ports.

No one has argued that any program is guaranteed to be secured as that is an impossible claim to back up. Obviously when configuring internet services the utmost care and maintenance is necessary. I feel that the former is in a seperate category from casual web browsing and email interaction that seem to form the basis of most M$ exploits.

[AdA$tra]

[Knitebane]

If you put two targets up on a rifle range. Label one Linux and the other Microsoft. Then you point ALL the guns at the target labeled Microsoft. Then apply the logic that Microsoft makes the least secure OS because it has more holes in it.

This type of allegation has been debunked in other threads.

Microsoft has more serious flaws than other operating systems, even when taking into account the difference in the installed base.

Since Apache is more widely used than IIS, this particular worm should be a quick demonstration of this.

[AdA$tra]

[AdA$tra]

This type of allegation has been debunked in other threads.

NOT!

[AdA$tra]

[rdb3]

You do graphic work?

[AdA$tra]

Yeah, bur I am a bit rusty. Tonight I was trying to dust off a few basic skills. Lightwave 3D and making fast logos.

[AdA$tra]

These all look poorly lit on my glass monitor. They looked much brighter on my laptop. Let me know if you ever want a quick and dirty graphic. I can (could at one time) make about any object.

[John Lenin]

I have had a number of alerts recently on my firewall with the perp trying to use a unix login.

[Robert_Paulson2]

some folks think open ssl IS linux... or perhaps they have something to gain by asserting this misconception.

Anybody who does not monitor exploitive access and use of their own system... is likely a person, used to another op system... who is unaware that they can program as much security into their system as they need. I imagine that some of them don't even know they have installed multiple servers on their machines... and must then configure them for security appropriate to their needs....

They often don't even read the manual that comes with the software.

For some folks the idea of having to actually think and then input code on their own, is a bit confusing... but to those who know how (not me of course) it is a real blessing...

the bad thing is folks have to assess and configure security needs periodically...

and the good thing is folks CAN reassess and configure security needs periodically. Oh well.

[AdA$tra]

SU#

There....I am in

[Robert_Paulson2]

I don't know about you... but linux emails me every week with security advice, patches and exploitation information... along with any files I need to install.

Seems simple to me... look and see what is accessing me without permissions (some folks don't set permissions), install the patches... make the changes... and usually I don't even have to reboot.

It's pretty damned nice... no hassles, no surprises and no cost attached to buying a "new and improved" upgrade to fix the bugs...

I DO have to read the updates, understand the coding a little and actually adjust the settings myself... I guess that is considered a weakness to the "mouse only" sysop folks.

[Dominic Harr]

Now this looks like an interesting way to make everyone in the room hate me for wasting bandwidth:

from Security Focus Online

---

Number of OS Vulnerabilities by Year
OS	1997	1998	1999	2000	2001
AIX	21	38	10	15	6
BSD/OS	7	5	4	1	3
BeOS	0	0	0	5	1
Caldera	4	3	14	28	27
Connectiva	0	0	0	0	0
Debian	3	2	31	55	28
FreeBSD	5	2	17	36	17
HP-UX	9	5	11	26	16
IRIX	28	15	9	14	7
MacOS	0	1	5	1	4
MacOS X Server	0	0	1	0	0
Mandrake	0	0	2	46	36
NetBSD	2	4	10	20	9
Netware	1	0	4	3	1
OpenBSD	1	2	4	17	14
RedHat	6	10	47	95	54
SCO Unix	3	3	10	2	21
Slackware	4	8	11	11	10
Solaris	24	33	34	22	33
SuSE	0	1	23	31	21
TurboLinux	0	0	2	20	2
Unixware	2	3	14	4	9
Windows 3.1x/95/98	3	1	46	40	14
Windows NT/2000	10	8	78	97	42

Top Vulnerable Packages 2001
Packages	# Vulns
MandrakeSoft Linux Mandrake 7.2	33
RedHat Linux 7.0	28
MandrakeSoft Linux Mandrake 7.1	27
Debian Linux 2.2	26
Sun Solaris 8.0	24
Sun Solaris 7.0	24
Microsoft Windows 2000	24
MandrakeSoft Linux Mandrake 7.0	22
SCO Open Server 5.0.6	21
RedHat Linux 6.2 i386	20
MandrakeSoft Linux Mandrake 6.1	20
MandrakeSoft Linux Mandrake 6.0	20
Wirex Immunix OS 7.0-Beta	19
Sun Solaris 2.6	19
RedHat Linux 6.2 sparc	18
RedHat Linux 6.2 alpha	18
Debian Linux 2.2 sparc	18
Debian Linux 2.2 arm	18
Debian Linux 2.2 alpha	18
Debian Linux 2.2 68k	18

Top Vulnerable Packages 2000
Packages	# Vulns
Microsoft Windows NT 4.0	71
RedHat Linux 6.2 i386	65
RedHat Linux 6.2 sparc	53
RedHat Linux 6.2 alpha	53
Microsoft Windows 2000	52
Debian Linux 2.2	48
RedHat Linux 6.1 i386	47
Microsoft Windows 98	40
RedHat Linux 6.1 sparc	39
RedHat Linux 6.1 alpha	39
MandrakeSoft Linux Mandrake 7.0	37
Microsoft Windows 95	35
RedHat Linux 6.0 i386	33
Microsoft IIS 4.0	29
Microsoft BackOffice 4.5	29
Microsoft BackOffice 4.0	29
RedHat Linux 7.0	28
MandrakeSoft Linux Mandrake 7.1	26
RedHat Linux 6.0 alpha	25
Conectiva Linux 5.1	25

Top Vulnerable Packages 1999
Packages	# Vulns
Microsoft Windows NT 4.0	75
Microsoft Windows 98	44
Microsoft Windows 95	40
Microsoft Windows NT 4.0SP3	33
Microsoft Windows NT 4.0SP1	32
Microsoft Windows NT 4.0SP2	31
Microsoft Windows NT 4.0SP4	30
Microsoft Internet Explorer 5.0 for Windows 98	29
Microsoft Internet Explorer 5.0 for Windows NT 4.0	28
Microsoft Internet Explorer 5.0 for Windows 95	28
Microsoft BackOffice 4.0	28
Microsoft BackOffice 4.5	27
Sun Solaris 7.0	26
Microsoft IIS 4.0	25
Microsoft Windows NT 4.0SP5	23
RedHat Linux 5.2 i386	22
Sun Solaris 7.0_x86	21
Sun Solaris 2.6_x86	21
Sun Solaris 2.6	21
RedHat Linux 6.0 i386	21

Top Vulnerable Packages 1998
Packages	# Vulns
IBM AIX 4.3	36
IBM AIX 4.2.1	29
IBM AIX 4.2	29
Sun Solaris 2.6	28
Sun Solaris 2.6_x86	25
IBM AIX 4.1	25
IBM AIX 4.1.5	24
IBM AIX 4.1.4	24
IBM AIX 4.1.3	24
IBM AIX 4.1.2	24
IBM AIX 4.1.1	24
Sun Solaris 2.5.1_x86	23
Sun Solaris 2.5.1	23
Sun Solaris 2.5_x86	22
Sun Solaris 2.5	21
Sun Solaris 2.4	18
Sun Solaris 2.4_x86	17
Sun Solaris 2.3	13
Sun Solaris 2.5.1_ppc	10
SGI IRIX 6.4	10

Top Vulnerable Packages 1997
Packages	# Vulns
SGI IRIX 6.2	25
Sun Solaris 2.5.1	23
Sun Solaris 2.5	23
SGI IRIX 5.3	23
Sun Solaris 2.5_x86	22
Sun Solaris 2.5.1_x86	22
Sun Solaris 2.4	22
Sun Solaris 2.4_x86	21
SGI IRIX 6.3	20
IBM AIX 4.1	19
Sun Solaris 2.3	18
SGI IRIX 6.1	18
IBM AIX 4.2	17
SGI IRIX 5.2	15
SGI IRIX 6.4	14
IBM AIX 4.1.5	14
IBM AIX 4.1.4	14
IBM AIX 4.1.3	14
IBM AIX 4.1.1	14
Sun Solaris 2.5.1_ppc	13

---

Several things should be taken into consideration when interpreting these numbers:

• These numbers are dated; the collection and calculation of data stopped in early August 2001 due to a site migration issue. We are currently working on this issue and should have it resolved in the near future.

• There is a distinct difference in the way that vulnerabilities are counted for Microsoft Windows and other operating systems. For instance, applications for Linux and BSD are often grouped in as subcomponents with the operating systems that they are shipped with. For Windows, applications and subcomponents such as Explorer often have their own packages that are considered vulnerable or not vulnerable outside of Windows and therefore may not be included in the count. This may skew numbers.

• This is a simple raw count of the vulnerabilities in our database that are associated directly with an operating system. The factors mentioned above were not taken into consideration when generating these graphs.

The numbers presented below should not be considered a metric by which an accurate comparison of the vulnerability of one operating system versus another can be made.

---

[general_re]

Now this looks like an interesting way to make everyone in the room hate me for wasting bandwidth:

Nah, that's boring. And it's highly compressible text, so it's not even wasting much bandwidth. Try again with some pictures of Anna Kournikova or something ;)

[Dominic Harr]

Try again with some pictures of Anna Kournikova or something ;)

:-D

I thought that post might be generate some entertaining responses for later reading . . . not as entertaining as Anna, of course.

Especially now that she's winning! Who knew she could actually play tennis?

[general_re]

She plays tennis?

:^)

[Dominic Harr]

She plays tennis?

In between photo shoots, actually she does!

Those numbers could start a pretty interesting holy war, eh? I know the numbers aren't the whole story, but they are interesting none the less.

I'm not much of a mac guy, haven't used one since my Apple IIe, but those mac numbers are pretty amazing.