Free Republic
Browse · Search
News/Activism
Topics · Post Article

To: Scott McCollum
[sigh]

Ok folks, a little truth in advertising.

Slapper does not exploit Linux. Slapper exploits vulnerabilities in OpenSSL. It just so happens that most of the OpenSSL implementations happen to be on Linux because Microsoft does not ship OpenSSL. It also happens to be used by Apache, the web server that ships with most Linux packages. Further, the 14,000 servers infected are a very minor percentage of the total Linux server population.

Also, OpenSSL is still pre-release code. The current version number is 0.9.6. Any sysadmin who builds a web page using essentially a BETA product should know that they risk vulnerabilities because the code has not been fully tested.

The vulnerability exploited by the worm was announced in July and is a classic buffer overflow vulnerability. Further, the solution for this problem (upgrade to 0.9.6e) was published in Aug.

To "cry alarm" and disparage Linux is the same as blaming a car manufacturer who offers a 'Joe's radio and CD player' option for their car, who then finds that Joe's player can cause an electrical fault, who then issues a recall, and then a month later, a bunch of fires happen to their cars that have this radio installed.

My point to all of this is that the problem is not Linux. If a system gets burned, it's because the sysadmin is using beta software and the sysadmin is not keeping that software up to date.

[Full disclosure]
I hold the industry's highest security certification (CISSP) and network certification (CCIE). I also have years of experience building some of the world's most secure networks outside of the military.
20 posted on 09/17/2002 10:36:31 AM PDT by taxcontrol
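The post above puts the fix at OpenSSL 0.9.6e. As an added example (not from the thread), this check parses the output of `openssl version` and compares it against that release. OpenSSL 0.9.x uses a trailing patch letter (0.9.6, 0.9.6a, ... 0.9.6e), so the string is converted to a tuple rather than compared as text; the sample outputs are constructed.

```python
"""Compare an OpenSSL version string against the release the post
names as the fix for the Slapper overflow (0.9.6e).

Added example, not from the original thread.  OpenSSL 0.9.x releases
carry a trailing patch letter, so a plain string comparison would be
wrong ("0.9.6e" > "0.9.7" lexically); parse into a tuple instead.
"""
import re

# Fixed release named in the post above.
FIXED_VERSION = "0.9.6e"

# Leading version token of `openssl version` output,
# e.g. "OpenSSL 0.9.6d 9 May 2002", or a bare "0.9.6e".
_VERSION_RE = re.compile(r"(?:OpenSSL\s+)?(\d+)\.(\d+)\.(\d+)([a-z]?)")


def parse_version(text):
    """Return (major, minor, fix, patch); patch is 0 for no letter,
    1 for 'a', 2 for 'b', ... so tuples order the same way releases do."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError("no OpenSSL version found in %r" % text)
    major, minor, fix, letter = m.groups()
    patch = ord(letter) - ord("a") + 1 if letter else 0
    return (int(major), int(minor), int(fix), patch)


def is_patched(version_output, fixed=FIXED_VERSION):
    """True when the reported version is at or above the fixed release."""
    return parse_version(version_output) >= parse_version(fixed)


if __name__ == "__main__":
    # Constructed sample outputs of `openssl version`, not captured data.
    samples = [
        "OpenSSL 0.9.6 24 Sep 2000",
        "OpenSSL 0.9.6d 9 May 2002",
        "OpenSSL 0.9.6e 30 Jul 2002",
        "OpenSSL 0.9.7 31 Dec 2002",
    ]
    for s in samples:
        status = "at/above fix" if is_patched(s) else "below fix"
        print("%-28s %s" % (s, status))
```

Distribution packages often backport a fix while keeping the upstream version string, so a "below fix" result from this check should be confirmed against the vendor's package changelog or advisory before acting on it.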


To: taxcontrol
Wow TC,
I just read your bio page... pretty neat stuff.

Have you read rdb3's bio? You two sound like you'd make a hot team! Not familiar with where Thornton is...

Our family took a vacation up to Colo. Springs area 3 months ago and had a blast. It had been over 30 years since I'd been to Colorado last.... I don't know why I waited so long.
27 posted on 09/17/2002 10:49:27 AM PDT by ricer1

To: All
[sigh] Ok folks, a little truth in advertising. Slapper does not exploit Linux. Slapper exploits vulnerabilities in OpenSSL. It just so happens that most of the OpenSSL implementations happen to be on Linux because Microsoft does not ship OpenSSL. It also happens to be used by Apache, the web server that ships with most Linux packages.

Every major Linux distribution (Red Hat, Mandrake, SuSE, and Debian) used in enterprise computing ships with either OpenSSL or ApacheSSL to handle their "secure transactions" on the web. All major Linux distributors sell Linux with the Apache or OpenSSL components as an integrated/built-in web server for their customers as a value-added convenience. "Slackware" is apparently the only Linux distribution that doesn't bundle everything together but does offer Apache as part of its "N-Series" networking pack. Slackware Linux is also affected by the "Slapper" virus.

Only Linux servers are infected by Slapper. Only Linux servers are bundled with OpenSSL or ApacheSSL. Apache is available for Windows NT but only Linux servers are affected. Unfortunately the binding thread here is Linux and Linux in this case is the problem.

Linux fans have always criticized anyone for daring to say that components of Linux like Apache or OpenSSL are flawed, making Linux flawed and Linux cannot be held accountable. If anyone says "Microsoft is to blame" because of a Microsoft IIS flaw, how is this different than saying ApacheSSL or OpenSSL makes Linux liable?

Linux defenders will claim that Microsoft is responsible for the IIS code and is accountable for its flaws. Yet everyone should also be made aware that Red Hat Linux bundles OpenSSL and Apache with Red Hat server products and actively contributes to both the OpenSSL and Apache projects.

Bottom line: If you or your organization have Linux servers on the Internet and have not patched the OpenSSL or ApacheSSL modules handling your encrypted Internet traffic, you are in danger of becoming part of a large, intelligent P2P cyberterror network.

33 posted on 09/17/2002 11:06:21 AM PDT by Scott McCollum

To: taxcontrol
Man, you got Cisco on lock. When I was still in Corporate America, I shied away from Cisco training. Don't know why. Just did.

But that can be changed, right? ;^)

81 posted on 09/17/2002 1:09:24 PM PDT by rdb3

To: taxcontrol
I don't know about you... but Linux emails me every week with security advice, patches and exploitation information... along with any files I need to install.

Seems simple to me... look and see what is accessing me without permissions (some folks don't set permissions), install the patches... make the changes... and usually I don't even have to reboot.

It's pretty damned nice... no hassles, no surprises and no cost attached to buying a "new and improved" upgrade to fix the bugs...

I DO have to read the updates, understand the coding a little and actually adjust the settings myself... I guess that is considered a weakness to the "mouse only" sysop folks.
135 posted on 09/17/2002 9:46:16 PM PDT by Robert_Paulson2