From: Helge Hafting <helgehaf@idb.hist.no>
To: "M. Edward Borasky" <znmeb@aracnet.com>, linux-kernel@vger.kernel.org
Subject: Re: [OT] New Anti-Terrorism Law makes "hacking" punishable by life in prison
Date: Mon, 01 Oct 2001 10:47:37 +0200
Message-ID: <3BB82DA9.34499802@idb.hist.no>
In-Reply-To: <HBEHIIBBKKNOBLMPKCBBIENPDNAA.znmeb@aracnet.com>
"M. Edward Borasky" wrote:
>
> While I don't want to get involved in a comparison between the loss of some
> 7000 human lives in a terrorist attack on buildings with productivity lost
> due to Code Red and Nimda attacks on the world's businesses, I'd like to
> make two points:
>
> 1. The losses to businesses from just these two virus attacks are
> *significant*, and people are angry about the fact. They're looking for
> someone to blame,
And the one to blame here isn't the virus writer. The ones to blame
are:
1. Whoever decided to install that vulnerable software.
This one isn't popular because it is someone inside the company.
But that's where the problem is. (Or possibly whoever hired
a clueless admin. Even less popular with the administration.)
Someone trusted with important software ought to have the
necessary skills. Nobody lets a clueless guy design
_physical_ security for a bank...
2. Possibly the company making vulnerable software, although nobody
sane should select that kind of software. A bank doesn't use
an array of piggy banks for a vault. This is a question of
marketing - did they create the impression that their software
was safe from trivial attacks?
Of course releasing a virus is bad, but we should still expect
companies to take some measures themselves.
We do expect them to lock doors etc. - Someone who leaves
their office building _unlocked_ & unguarded, money in open drawers
etc. will usually not be able to collect insurance because of
obvious neglect. They'll be laughed at, and nobody will cry
about more punishment for those who walk in and grab some
stuff.
> 2. The Linux community should *not* believe that we are less vulnerable than
> Microsoft! We are less vulnerable *now* only because Linux is not as
> widespread as Windows. Were Linux, say, half of the market, the
> vulnerability would be equal. The difference is strictly the number of
> available hosts for these parasitic codes, not anything inherent in the
> details of Windows or Linux, or in the organizational mechanisms (corporate
> giant vs. "brutal meritocracy", closed source vs. open source, etc.).
Well, I believe Linux _is_ less vulnerable. Not invulnerable of course,
but at least fixes appear a lot faster for Linux. That alone doesn't
usually leave enough of a timespan for a large-scale exploit.
And I see many firewalls that really are a PC router running Linux.
Are there any _serious_ ones running Windows?
> In fact, I suspect that the open source for Linux gives creators of vicious
> attack codes a *slight* advantage, since the vulnerabilities are there for
> anyone to read and exploit before they are found by an alert Linux
> community.
Many people read open source code looking for vulnerabilities. Yeah,
some are exploiters. But more of them are looking to plug the holes,
so this is a _big_ advantage for open source, not a _slight_ advantage
for crackers. A hole only needs plugging _once_ before nobody can use
it.
And the people capable of finding a hole by looking at source will
usually report it - you can get more prestige that way than by
writing an exploit. This boils down to who you want to impress -
a bunch of stupid script kiddies or a bunch of security-minded
experts? Some of the latter might even offer a paying job...
This doesn't work as well for closed source. The bugs are harder to find,
but some are found anyway by disassembly or trial-and-error. (What
happens if I manufacture bad oversized input for this thing...)
What do you do about such a bug? A patch is impossible without
source. Reports seem to go silently ignored. A public report
might get you sued. "You are out to get us & our customers,
and your license forbids hacking on it...." People get bitter,
and get incentives to make viruses. It becomes the only
way of getting serious attention.
This incentive mostly goes away with open source; it is much more fun to
be among the "good guys" who stamp out bugs & get their names
immortalized in changelogs.
Helge Hafting