public inbox for linux-kernel@vger.kernel.org
* [OT] New Anti-Terrorism Law makes "hacking" punishable by life in prison
@ 2001-09-24 23:22 Paul G. Allen
  2001-09-24 23:35 ` Alan Cox
                   ` (2 more replies)
  0 siblings, 3 replies; 38+ messages in thread
From: Paul G. Allen @ 2001-09-24 23:22 UTC (permalink / raw)
  To: linux-kernel@vger.kernel.org

"Paul G. Allen" wrote:
> 
> If this passes, everyone working in computer security can be arrested and thrown in prison for life. In addition, people such as Kevin Mitnick can be thrown
> back in prison even though they have already paid for their crime (double jeopardy?).
> 
> http://www.securityfocus.com/news/257
> 
> PGA
> 
> --
> Paul G. Allen
> UNIX Admin II/Programmer
> Akamai Technologies, Inc.
> www.akamai.com
> Work: (858)909-3630
> Cell: (858)395-5043
> 
>         
-- 
Paul G. Allen
UNIX Admin II/Programmer
Akamai Technologies, Inc.
www.akamai.com
Work: (858)909-3630
Cell: (858)395-5043

^ permalink raw reply	[flat|nested] 38+ messages in thread

* Re: [OT] New Anti-Terrorism Law makes "hacking" punishable by life in prison
  2001-09-24 23:22 [OT] New Anti-Terrorism Law makes "hacking" punishable by life in prison Paul G. Allen
@ 2001-09-24 23:35 ` Alan Cox
  2001-09-25  0:34   ` Michael Rothwell
  2001-09-26 11:48   ` Luigi Genoni
  2001-09-24 23:37 ` [OT] New Anti-Terrorism Law makes "hacking" punishable by life in prison Rik van Riel
  2001-09-27 14:18 ` [OT] New Anti-Terrorism Law makes "hacking" punishable by life in prison Pavel Machek
  2 siblings, 2 replies; 38+ messages in thread
From: Alan Cox @ 2001-09-24 23:35 UTC (permalink / raw)
  To: Paul G. Allen; +Cc: linux-kernel@vger.kernel.org

> > If this passes, everyone working in computer security can be arrested and thrown in prison for life. In addition, people such as Kevin Mitnick can be thrown
> > back in prison even though they have already paid for their crime (double jeopardy?).
> > 
> > http://www.securityfocus.com/news/257

Cuba is within small boat distance. I thought it was going to be twenty
years before the direction changed, now I'm not so sure


* Re: [OT] New Anti-Terrorism Law makes "hacking" punishable by life in prison
  2001-09-24 23:22 [OT] New Anti-Terrorism Law makes "hacking" punishable by life in prison Paul G. Allen
  2001-09-24 23:35 ` Alan Cox
@ 2001-09-24 23:37 ` Rik van Riel
  2001-09-25  1:29   ` Jeff V. Merkey
  2001-09-25 11:04   ` [OT] New Anti-Terrorism Law makes "hacking" punishable by life Henning P. Schmiedehausen
  2001-09-27 14:18 ` [OT] New Anti-Terrorism Law makes "hacking" punishable by life in prison Pavel Machek
  2 siblings, 2 replies; 38+ messages in thread
From: Rik van Riel @ 2001-09-24 23:37 UTC (permalink / raw)
  To: Paul G. Allen; +Cc: linux-kernel@vger.kernel.org

On Mon, 24 Sep 2001, Paul G. Allen wrote:

> If this passes, everyone working in computer security can be
> arrested and thrown in prison for life. In addition, people such
> as Kevin Mitnick can be thrown back in prison even though they
> have already paid for their crime (double jeopardy?).
>
> http://www.securityfocus.com/news/257

So, would anybody have a nice piece of real estate in the
free world where Silicon Valley could be evacuated to?

(time to find volunteers to maintain thefreeworld.net?)

cheers,

Rik
--
IA64: a worthy successor to the i860.

		http://www.surriel.com/
http://www.conectiva.com/	http://distro.conectiva.com/



* Re: [OT] New Anti-Terrorism Law makes "hacking" punishable by life in prison
  2001-09-24 23:35 ` Alan Cox
@ 2001-09-25  0:34   ` Michael Rothwell
  2001-09-25  0:40     ` Dan Hollis
  2001-09-26 11:48   ` Luigi Genoni
  1 sibling, 1 reply; 38+ messages in thread
From: Michael Rothwell @ 2001-09-25  0:34 UTC (permalink / raw)
  To: linux-kernel

On 25 Sep 2001 00:35:46 +0100, Alan Cox wrote:

> Cuba is within small boat distance. I thought it was going to be twenty
> years before the direction changed, now I'm not so sure

My economics professor liked to say that the best test of a
socioeconomic system (vs. other systems) was the "Gates Test" -- open
the gates and see which way people run.

It will be interesting to see how the "land of the free" will treat its
own citizens in the next year or so.

Alan, how are things in the U.K. shaping up because of the WTC/Pentagon
events?

I wonder if I could be put in jail next week because of all that stupid
cuecat stuff I was involved in? 






* Re: [OT] New Anti-Terrorism Law makes "hacking" punishable by life in prison
  2001-09-25  0:34   ` Michael Rothwell
@ 2001-09-25  0:40     ` Dan Hollis
  2001-09-27 14:21       ` Pavel Machek
  0 siblings, 1 reply; 38+ messages in thread
From: Dan Hollis @ 2001-09-25  0:40 UTC (permalink / raw)
  To: Michael Rothwell; +Cc: linux-kernel

On 24 Sep 2001, Michael Rothwell wrote:
> I wonder if I could be put in jail next week because of all that stupid
> cuecat stuff I was involved in?

The "WEP crack" fallout will be interesting to watch also.

In theory under the new law anyone whose computer was infected by
Nimda/Code Red could be imprisoned for life -- the new law says nothing
about intent. So basically we would have a few million Microsoft Windows
users serving life sentences...

-Dan

-- 
[-] Omae no subete no kichi wa ore no mono da. [-]



* Re: [OT] New Anti-Terrorism Law makes "hacking" punishable by life in prison
  2001-09-25  1:29   ` Jeff V. Merkey
@ 2001-09-25  0:44     ` Crutcher Dunnavant
  2001-09-25  0:52       ` David S. Miller
  2001-09-25  1:32     ` Rik van Riel
  2001-09-27 14:23     ` Pavel Machek
  2 siblings, 1 reply; 38+ messages in thread
From: Crutcher Dunnavant @ 2001-09-25  0:44 UTC (permalink / raw)
  To: linux-kernel@vger.kernel.org

++ 24/09/01 18:29 -0700 - Jeff V. Merkey:
> On Mon, Sep 24, 2001 at 08:37:11PM -0300, Rik van Riel wrote:
> 
> When people are crashing planes into buildings and killing people
> by the thousands, hacking laws should be tough.  The US has shut off
> internet access from Cyprus and several other places, and I've 
> noticed a fall-off of hacking on my servers -- GOOD!.  

Why? In what way have the recent violent acts differed significantly from
acts which have been ongoing world-wide for, well, always? Is it that
"it doesn't happen here!"? This is an incredibly US-centric world view.

When the world seems to be at peace, it is easy to ask for your rights.
It is when the war comes to you that you really need them, and that they
are hardest to request.

This was a violent crime, committed by men who were willing to die. It
was a failure of physical security, and massive databases will not make
it harder for someone who is willing to sacrifice themselves.

But they will affect the ability of the population to conduct acts of
civil disobedience and rebellion, upon which this and many other
countries are founded.

The war in the world is not new, we are simply used to ignoring it. And
for this, we are widely hated and scorned.

I will not grant the statement that "This sort of thing must be
prevented at all costs". There are some prices I will not pay, and some
that I will immediately distrust anyone who asks me to pay them.

I know that I am not making friends with this post, but my conscience
demands that I respond to your blind acquiescence of rights. I want a
world in which my children can choose their life, even if the cost is
a reduction in 'security'.

Mr. Franklin had much to say on this topic, but he said it better.


And the term is 'cracking'.

-- 
Crutcher        <crutcher@datastacks.com>
GCS d--- s+:>+:- a-- C++++$ UL++++$ L+++$>++++ !E PS+++ PE Y+ PGP+>++++
    R-(+++) !tv(+++) b+(++++) G+ e>++++ h+>++ r* y+>*$


* Re: [OT] New Anti-Terrorism Law makes "hacking" punishable by life in prison
  2001-09-25  0:44     ` Crutcher Dunnavant
@ 2001-09-25  0:52       ` David S. Miller
  0 siblings, 0 replies; 38+ messages in thread
From: David S. Miller @ 2001-09-25  0:52 UTC (permalink / raw)
  To: crutcher; +Cc: linux-kernel


E-fucking-nough people.  Stop this thread now, it is off topic.

There are many places out there where constructive conversations on
this topic can be had, but vger is not one of them.

Please don't make Matti and I add more keyword filters to vger's list
system to prevent this.

Franks a lot,
David S. Miller
davem@redhat.com


* Re: [OT] New Anti-Terrorism Law makes "hacking" punishable by life in prison
  2001-09-24 23:37 ` [OT] New Anti-Terrorism Law makes "hacking" punishable by life in prison Rik van Riel
@ 2001-09-25  1:29   ` Jeff V. Merkey
  2001-09-25  0:44     ` Crutcher Dunnavant
                       ` (2 more replies)
  2001-09-25 11:04   ` [OT] New Anti-Terrorism Law makes "hacking" punishable by life Henning P. Schmiedehausen
  1 sibling, 3 replies; 38+ messages in thread
From: Jeff V. Merkey @ 2001-09-25  1:29 UTC (permalink / raw)
  To: Rik van Riel; +Cc: Paul G. Allen, linux-kernel@vger.kernel.org, jmerkey

On Mon, Sep 24, 2001 at 08:37:11PM -0300, Rik van Riel wrote:

When people are crashing planes into buildings and killing people
by the thousands, hacking laws should be tough.  The US has shut off
internet access from Cyprus and several other places, and I've 
noticed a fall-off of hacking on my servers -- GOOD!.  

Maureen O'Gara at Client Server News is based in NY, and from what she 
describes, the entire city is in a terrible state.  Let anyone in New 
York know who is our friend on this list that the Utah Native American 
Church has sent James Mooney to New York City to conduct ceremonies for 
the victims and their families.   The mayor's office has given us 
permission to conduct our ceremonies there for these people without 
fear of police harassment.

I am sending him enough peyote to trip out half the city.  Anyone in NY 
who needs to find healing who is a member of our linux "Family" is 
welcome at these ceremonies.  These people involved in this terrifying 
ordeal need to sit in a tepee and go somewhere else for a couple of days
with the sacred medicine.  

New York folks who wish to be involved in these ceremonies can call 
212-755-0968 or 212-929-9396 to find out where and when.  We have so far
hosted thousands of the victims in these ceremonies.  All are welcome and 
their families.  The laws in New York allow non-Indians to use peyote 
for religious purposes of any race, unlike Utah.  Tell our brothers we 
open our doors to those in need of spiritual and emotional healing for 
the people of New York.

These ceremonies are **FREE**.  The Utah NAC is picking up the tab.

Do-na-da Go-hv-e

Wa-do

Jeff


> On Mon, 24 Sep 2001, Paul G. Allen wrote:
> 
> > If this passes, everyone working in computer security can be
> > arrested and thrown in prison for life. In addition, people such
> > as Kevin Mitnick can be thrown back in prison even though they
> > have already paid for their crime (double jeopardy?).
> >
> > http://www.securityfocus.com/news/257
> 
> So, would anybody have a nice piece of real estate in the
> free world where silicon valley could be evacuated to ?
> 
> (time to find volunteers to maintain thefreeworld.net ?)
> 
> cheers,
> 
> Rik
> --
> IA64: a worthy successor to the i860.
> 
> 		http://www.surriel.com/
> http://www.conectiva.com/	http://distro.conectiva.com/
> 


* Re: [OT] New Anti-Terrorism Law makes "hacking" punishable by life in prison
  2001-09-25  1:29   ` Jeff V. Merkey
  2001-09-25  0:44     ` Crutcher Dunnavant
@ 2001-09-25  1:32     ` Rik van Riel
  2001-09-27 14:23     ` Pavel Machek
  2 siblings, 0 replies; 38+ messages in thread
From: Rik van Riel @ 2001-09-25  1:32 UTC (permalink / raw)
  To: Jeff V. Merkey; +Cc: Paul G. Allen, linux-kernel@vger.kernel.org, jmerkey

On Mon, 24 Sep 2001, Jeff V. Merkey wrote:

> When people are crashing planes into buildings and killing people
> by the thousands, hacking laws should be tough.

I guess people who believe terrorists will be deterred
by software licenses and laws about computer programs
probably have the politicians they deserve.

cheers,

Rik
-- 
IA64: a worthy successor to i860.

http://www.surriel.com/		http://distro.conectiva.com/

Send all your spam to aardvark@nl.linux.org (spam digging piggy)



* Re: [OT] New Anti-Terrorism Law makes "hacking" punishable by life
  2001-09-24 23:37 ` [OT] New Anti-Terrorism Law makes "hacking" punishable by life in prison Rik van Riel
  2001-09-25  1:29   ` Jeff V. Merkey
@ 2001-09-25 11:04   ` Henning P. Schmiedehausen
  1 sibling, 0 replies; 38+ messages in thread
From: Henning P. Schmiedehausen @ 2001-09-25 11:04 UTC (permalink / raw)
  To: linux-kernel

Rik van Riel <riel@conectiva.com.br> writes:

>On Mon, 24 Sep 2001, Paul G. Allen wrote:

>> If this passes, everyone working in computer security can be
>> arrested and thrown in prison for life. In addition, people such
>> as Kevin Mitnick can be thrown back in prison even though they
>> have already paid for their crime (double jeopardy?).
>>
>> http://www.securityfocus.com/news/257

>So, would anybody have a nice piece of real estate in the
>free world where silicon valley could be evacuated to ?

I can offer you lots of real estate between here and Munich. ;-)

But then again, we have the Bavarian Illuminati in Ingolstadt and the
gnomes of Zuerich. =%-)

	Regards
		Henning


-- 
Dipl.-Inf. (Univ.) Henning P. Schmiedehausen       -- Geschaeftsfuehrer
INTERMETA - Gesellschaft fuer Mehrwertdienste mbH     hps@intermeta.de

Am Schwabachgrund 22  Fon.: 09131 / 50654-0   info@intermeta.de
D-91054 Buckenhof     Fax.: 09131 / 50654-20   


* Re: [OT] New Anti-Terrorism Law makes "hacking" punishable by life in prison
  2001-09-24 23:35 ` Alan Cox
  2001-09-25  0:34   ` Michael Rothwell
@ 2001-09-26 11:48   ` Luigi Genoni
  2001-09-26 12:15     ` [OT] New Anti-Terrorism Law makes "hacking" punishable by lifein prison Eugenio Mastroviti
  1 sibling, 1 reply; 38+ messages in thread
From: Luigi Genoni @ 2001-09-26 11:48 UTC (permalink / raw)
  To: Alan Cox; +Cc: Paul G. Allen, linux-kernel@vger.kernel.org



On Tue, 25 Sep 2001, Alan Cox wrote:

> > > If this passes, everyone working in computer security can be arrested and thrown in prison for life. In addition, people such as Kevin Mitnick can be thrown
> > > back in prison even though they have already paid for their crime (double jeopardy?).
> > >
> > > http://www.securityfocus.com/news/257
>
> Cuba is within small boat distance. I thought it was going to be twenty
> years before the direction changed, now I'm not so sure
> -
I have been told of people covering this distance by swimming; I do not know
if it is true, but a seawolf told me that going from the USA to Cuba should
be the easier direction. :)

I was thinking of Richelieu's principle:
Fare una legge e non farla rispettare significa
autorizzare il contrario.
(sorry, unable to translate it into English; it is something like: if you
make a law and you are not forcing people to respect it, people are
allowed by law to do the contrary).
Do you think Americans are considering this moral aspect?

Luigi




* Re: [OT] New Anti-Terrorism Law makes "hacking" punishable by lifein  prison
  2001-09-26 11:48   ` Luigi Genoni
@ 2001-09-26 12:15     ` Eugenio Mastroviti
  0 siblings, 0 replies; 38+ messages in thread
From: Eugenio Mastroviti @ 2001-09-26 12:15 UTC (permalink / raw)
  To: Luigi Genoni, Hack Central

Luigi Genoni wrote:
> 
> On Tue, 25 Sep 2001, Alan Cox wrote:

> Fare una legge e non farla rispettare significa
> autorizzare il contrario.

Issuing a law and not enforcing it means authorizing its opposite

(I think)

> Do you think Americans are considering this moral aspect?

It's not only moral - it's awfully practical, as we Italians know very
well (speed limits on the highways... ahem...)

Eugenio

-- 
Anxiety, n.:
        The first time you can't do it a second time.
Panic, n.:
        The second time you can't do it the first time.


* Re: [OT] New Anti-Terrorism Law makes "hacking" punishable by life in prison
  2001-09-24 23:22 [OT] New Anti-Terrorism Law makes "hacking" punishable by life in prison Paul G. Allen
  2001-09-24 23:35 ` Alan Cox
  2001-09-24 23:37 ` [OT] New Anti-Terrorism Law makes "hacking" punishable by life in prison Rik van Riel
@ 2001-09-27 14:18 ` Pavel Machek
  2 siblings, 0 replies; 38+ messages in thread
From: Pavel Machek @ 2001-09-27 14:18 UTC (permalink / raw)
  To: Paul G. Allen; +Cc: linux-kernel@vger.kernel.org

Hi!

> > If this passes, everyone working in computer security can be arrested and thrown in prison for life. In addition, people such as Kevin Mitnick can be thrown
> > back in prison even though they have already paid for their crime (double jeopardy?).

Is that a proposed law or did it pass through senate/president?

If it is a real law... I could probably get a few free places in the
anti-nuclear bunker under Prague ;-).
								Pavel
-- 
Philips Velo 1: 1"x4"x8", 300gram, 60, 12MB, 40bogomips, linux, mutt,
details at http://atrey.karlin.mff.cuni.cz/~pavel/velo/index.html.



* Re: [OT] New Anti-Terrorism Law makes "hacking" punishable by life in prison
  2001-09-25  0:40     ` Dan Hollis
@ 2001-09-27 14:21       ` Pavel Machek
  0 siblings, 0 replies; 38+ messages in thread
From: Pavel Machek @ 2001-09-27 14:21 UTC (permalink / raw)
  To: Dan Hollis; +Cc: Michael Rothwell, linux-kernel

Hi!

> > I wonder if I could be put in jail next week because of all that stupid
> > cuecat stuff I was involved in?
> 
> The "WEP crack" fallout will be interesting to watch also.
> 
> In theory under the new law anyone whose computer was infected by
> Nimda/Code Red could be imprisoned for life -- the new law says nothing
> about intent. So basically we would have a few million Microsoft Windows
> users serving life sentences...

It would be fun to try to enforce that. A few million Windows users in jail
-- that sounds bad enough to kill a stupid law.
								Pavel
-- 
Philips Velo 1: 1"x4"x8", 300gram, 60, 12MB, 40bogomips, linux, mutt,
details at http://atrey.karlin.mff.cuni.cz/~pavel/velo/index.html.



* Re: [OT] New Anti-Terrorism Law makes "hacking" punishable by life in prison
  2001-09-25  1:29   ` Jeff V. Merkey
  2001-09-25  0:44     ` Crutcher Dunnavant
  2001-09-25  1:32     ` Rik van Riel
@ 2001-09-27 14:23     ` Pavel Machek
  2001-09-30 21:16       ` M. Edward Borasky
  2 siblings, 1 reply; 38+ messages in thread
From: Pavel Machek @ 2001-09-27 14:23 UTC (permalink / raw)
  To: Jeff V. Merkey
  Cc: Rik van Riel, Paul G. Allen, linux-kernel@vger.kernel.org,
	jmerkey

Hi!

> When people are crashing planes into buildings and killing people
> by the thousands, hacking laws should be tough.  The US has shut off

What do hacking laws have in common with planes crashing?

It was not hackers who crashed the planes, right?
								Pavel
-- 
Philips Velo 1: 1"x4"x8", 300gram, 60, 12MB, 40bogomips, linux, mutt,
details at http://atrey.karlin.mff.cuni.cz/~pavel/velo/index.html.



* RE: [OT] New Anti-Terrorism Law makes "hacking" punishable by life in prison
  2001-09-27 14:23     ` Pavel Machek
@ 2001-09-30 21:16       ` M. Edward Borasky
  2001-09-30 21:41         ` J Sloan
                           ` (6 more replies)
  0 siblings, 7 replies; 38+ messages in thread
From: M. Edward Borasky @ 2001-09-30 21:16 UTC (permalink / raw)
  To: linux-kernel

While I don't want to get involved in a comparison between the loss of some
7000 human lives in a terrorist attack on buildings with productivity lost
due to Code Red and Nimda attacks on the world's businesses, I'd like to
make two points:

1. The losses to businesses from just these two virus attacks are
*significant*, and people are angry about the fact. They're looking for
someone to blame, someone to propose a solution and tools to prevent future
attacks. I personally think stiff fines and long prison sentences for
releasing attack software into the world's business network should have been
instituted a long time ago. Life without parole seems to me quite reasonable
under the circumstances.

2. The Linux community should *not* believe that we are less vulnerable than
Microsoft! We are less vulnerable *now* only because Linux is not as
widespread as Windows. Were Linux, say, half of the market, the
vulnerability would be equal. The difference is strictly the number of
available hosts for these parasitic codes, not anything inherent in the
details of Windows or Linux, or in the organizational mechanisms (corporate
giant vs. "brutal meritocracy", closed source vs. open source, etc.).

In fact, I suspect that the open source for Linux gives creators of vicious
attack codes a *slight* advantage, since the vulnerabilities are there for
anyone to read and exploit before they are found by an alert Linux
community. And if Linux is to succeed in the enterprise, we in the community
owe it to ourselves to *enhance* that alertness -- indeed, to be more
vigilant on security issues -- even if it's at the expense of some of our
more favorite activities, like performance tweaking.
--
M. Edward (Ed) Borasky, Chief Scientist, Borasky Research
http://www.borasky-research.net  http://www.aracnet.com/~znmeb
mailto:znmeb@borasky-research.net  mailto:znmeb@aracnet.com

Q: How do you tell when a pineapple is ready to eat?
A: It picks up its knife and fork.

> -----Original Message-----
> From: linux-kernel-owner@vger.kernel.org
> [mailto:linux-kernel-owner@vger.kernel.org]On Behalf Of Pavel Machek
> Sent: Thursday, September 27, 2001 7:23 AM
> To: Jeff V. Merkey
> Cc: Rik van Riel; Paul G. Allen; linux-kernel@vger.kernel.org;
> jmerkey@utah-nac.org
> Subject: Re: [OT] New Anti-Terrorism Law makes "hacking" punishable by
> life in prison
>
>
> Hi!
>
> > When people are crashing planes into buildings and killing people
> > by the thousands, hacking laws should be tough.  The US has shut off
>
> What do hacking laws have in common with planes crashing?
>
> It was not hackers who crashed the planes, right?
> 								Pavel



* [OT] New Anti-Terrorism Law makes "hacking" punishable by life in prison
  2001-09-30 21:16       ` M. Edward Borasky
@ 2001-09-30 21:41         ` J Sloan
  2001-09-30 22:40           ` M. Edward Borasky
  2001-09-30 22:03         ` Alexander Viro
                           ` (5 subsequent siblings)
  6 siblings, 1 reply; 38+ messages in thread
From: J Sloan @ 2001-09-30 21:41 UTC (permalink / raw)
  To: M. Edward Borasky; +Cc: linux-kernel

"M. Edward Borasky" wrote:

> 2. The Linux community should *not* believe that we are less vulnerable than
> Microsoft! We are less vulnerable *now* only because Linux is not as
> widespread as Windows.

OK, the obvious question:

If Apache is 60% of the market and IIS is 25%
(and I have heard that Apache on Linux is about
33% of the web server market), how do you see
that as Windows/IIS being more popular than the
Linux/Apache platform? And yet Windows/IIS has
the lion's share of vulnerabilities - your arguments
lie in tatters....


> Were Linux, say, half of the market, the
> vulnerability would be equal. The difference is strictly the number of
> available hosts for these parasitic codes, not anything inherent in the
> details of Windows or Linux, or in the organizational mechanisms (corporate
> giant vs. "brutal meritocracy", closed source vs. open source, etc.).

I think Unix's long history of multiuser, networked
operation gives it quite a bit more sophistication in
areas of security, as opposed to windows, a single
user system which has in the past few years
become widely networked.

I'm not saying Linux/Unix users should rest on their
laurels or be lulled into a sense of false security, but
come on, let's at least be realistic about the very real
advantages of Unix OSes over PC OSes in this area.

cu

jjs




* RE: [OT] New Anti-Terrorism Law makes "hacking" punishable by life in prison
  2001-09-30 21:16       ` M. Edward Borasky
  2001-09-30 21:41         ` J Sloan
@ 2001-09-30 22:03         ` Alexander Viro
  2001-09-30 23:24           ` [OT] New Anti-Terrorism Law makes "hacking" punishable by lifein prison D. Stimits
  2001-10-01  9:20           ` [OT] New Anti-Terrorism Law makes "hacking" punishable by life Henning P. Schmiedehausen
  2001-09-30 22:57         ` [OT] New Anti-Terrorism Law makes "hacking" punishable by life in prison John Gluck
                           ` (4 subsequent siblings)
  6 siblings, 2 replies; 38+ messages in thread
From: Alexander Viro @ 2001-09-30 22:03 UTC (permalink / raw)
  To: M. Edward Borasky; +Cc: linux-kernel



On Sun, 30 Sep 2001, M. Edward Borasky wrote:

> 1. The losses to businesses from just these two virus attacks are
> *significant*, and people are angry about the fact. They're looking for
> someone to blame, someone to propose a solution and tools to prevent future
> attacks. I personally think stiff fines and long prison sentences for
> releasing attack software into the world's business network should have been
> instituted a long time ago. Life without parole seems to me quite reasonable
> under the circumstances.

Let's start with conslutants who kept pushing crap into said network.
And continue with those who had bred tons of worthless "certified"
wankers pretending to be sysadmins, driving the wages down and replacing
clued people with illiterate trash.  Getting rid of script kiddies is
nice, but fsckwits who are directly responsible for current situation
should be first against the wall.
 
> 2. The Linux community should *not* believe that we are less vulnerable than
> Microsoft! We are less vulnerable *now* only because Linux is not as
> widespread as Windows. Were Linux, say, half of the market, the
> vulnerability would be equal. The difference is strictly the number of

Like, say, in the case of Apache?  It's _more_ widespread than the target of
Code Red and Nimda.



* RE: [OT] New Anti-Terrorism Law makes "hacking" punishable by life in prison
  2001-09-30 21:41         ` J Sloan
@ 2001-09-30 22:40           ` M. Edward Borasky
  2001-09-30 23:12             ` J Sloan
                               ` (2 more replies)
  0 siblings, 3 replies; 38+ messages in thread
From: M. Edward Borasky @ 2001-09-30 22:40 UTC (permalink / raw)
  To: linux-kernel

> -----Original Message-----
> From: linux-kernel-owner@vger.kernel.org
> [mailto:linux-kernel-owner@vger.kernel.org]On Behalf Of J Sloan
> Sent: Sunday, September 30, 2001 2:42 PM

[snip]

> OK, the obvious question:
>
> If apache is 60% of the market and IIS is 25%
> (and I have heard that apache on Linux is about
> 33% of the web server market) how do you see
> that as windows/iis being more popular than the
> linux/apache platform? and yet, windows/iis has
> the lions share of vulnerabilities - your arguments
> lie in tatters....

We need to distinguish between Linux/Apache and other-UNIX/Apache.
Specifically, there's at least Solaris, Tru64 and AIX besides Linux in this
market. It isn't just IIS; the Nimda beast exploited, IIRC, 18 separate
vulnerabilities in the Windows / IIS complex, including shared files.

I've actually heard of cases where *Linux* systems exporting filesystems
with Samba had Nimda code stuffed down their throats! If this code had been
Linux-executable rather than Windows-executable -- if the virus had been
smart enough to know it was dealing with a Samba rather than a Windows share
and had been able to differentiate between Windows executables and Linux
executables -- hmmm ... do you see what I'm getting at??? In other words,
UNIX systems of *all* stripes that export filesystems with Samba need to
track mods to executables just like a virus scanner does on a Windows
system. *That's* what I mean by vigilance.

[snip]

> I think Unix's long history of multiuser, networked
> operation gives it quite a bit more sophistication in
> areas of security, as opposed to windows, a single
> user system which has in the past few years
> become widely networked.

The security features are there in Windows if the users and sysadmins are
willing to implement them. Windows NT has had C2 available for quite some
time; they couldn't sell to DOD if they didn't. A good MCSE / security
specialist makes a lot of money. It's for the most part laziness on the part
of Windows users that allows malicious code to circulate, not any inherent
weakness in the Microsoft tool set. The technology exists.

> I'm not saying Linux/Unix users should rest on their
> laurels or be lulled into a sense of false security, but
> come on, let's at least be realistic about the very real
> advantages of Unix OSes over PC OSes in this area.

I don't see any such advantage. C2 is C2; crypto is crypto; authentication
is authentication; vigilance is vigilance.

Here, for your amusement, is a snippet of Perl code:

$stuff = `uname`;
# a Windows box with no uname binary answers with cmd.exe's error text
if ($stuff =~ /is not recognized as an internal or external command,/) {
	# execute malicious Windows code
}
else {
	# look at the uname stuff and figure out what OS we're running
	# then execute OS-specific malicious code
}

Do you see what I'm saying?
--
M. Edward (Ed) Borasky, Chief Scientist, Borasky Research
http://www.borasky-research.net  http://www.aracnet.com/~znmeb
mailto:znmeb@borasky-research.net  mailto:znmeb@aracnet.com

Q: How do you tell when a pineapple is ready to eat?
A: It picks up its knife and fork.


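The "track mods to executables" vigilance Borasky asks for above, as an added defender-side example that is not code from the thread: a small Python integrity baseline for executables on a share. It assumes a hypothetical share root and builds a constructed sample directory in a temp folder so it runs offline; the file suffix list and the Unix exec-bit rule are this example's own choices.

```python
"""Integrity baseline for executables on an exported share (added example)."""
import hashlib
import stat
import tempfile
from pathlib import Path
from typing import Dict, List

# Suffixes a Windows client would run; Unix exec bit also counts (example's own choice).
WINDOWS_EXEC_SUFFIXES = {".exe", ".dll", ".com", ".scr", ".bat", ".cmd", ".vbs"}


def is_executable(path: Path) -> bool:
    """True if the file looks executable to either a Windows or a Unix client."""
    if path.suffix.lower() in WINDOWS_EXEC_SUFFIXES:
        return True
    mode = path.stat().st_mode
    return bool(mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH))


def sha256_of(path: Path) -> str:
    """Hash the file in chunks so large binaries do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> Dict[str, str]:
    """Map share-relative path -> sha256 for every regular executable file under root."""
    baseline: Dict[str, str] = {}
    for candidate in sorted(root.rglob("*")):
        # Skip symlinks: a link pointing outside the share must not be hashed as share content.
        if candidate.is_file() and not candidate.is_symlink() and is_executable(candidate):
            baseline[str(candidate.relative_to(root))] = sha256_of(candidate)
    return baseline


def compare(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Report executables that appeared, vanished, or changed since the baseline."""
    added = sorted(name for name in current if name not in baseline)
    removed = sorted(name for name in baseline if name not in current)
    modified = sorted(
        name for name in current if name in baseline and current[name] != baseline[name]
    )
    return {"added": added, "removed": removed, "modified": modified}


def demo() -> Dict[str, List[str]]:
    """Constructed share: take a baseline, simulate a worm writing to it, diff the two."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)  # hypothetical share root
        (root / "tools").mkdir()
        (root / "tools" / "setup.exe").write_bytes(b"MZ original installer")
        (root / "notes.txt").write_text("plain data, not tracked")
        script = root / "backup.sh"
        script.write_text("#!/bin/sh\necho backup\n")
        script.chmod(0o755)  # exec bit makes it tracked even without a Windows suffix
        before = build_baseline(root)

        # Constructed change set: one tracked binary altered, one new binary dropped.
        (root / "tools" / "setup.exe").write_bytes(b"MZ original installer\x00appended")
        (root / "readme.exe").write_bytes(b"MZ dropped file")
        after = build_baseline(root)
        return compare(before, after)


if __name__ == "__main__":
    for kind, names in demo().items():
        print(f"{kind}: {names}")
```

In practice the baseline would be written to storage the share's clients cannot modify and the comparison run on a schedule; any entry in "added" or "modified" that no change ticket explains is the signal worth chasing.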

* Re: [OT] New Anti-Terrorism Law makes "hacking" punishable by life in  prison
  2001-09-30 21:16       ` M. Edward Borasky
  2001-09-30 21:41         ` J Sloan
  2001-09-30 22:03         ` Alexander Viro
@ 2001-09-30 22:57         ` John Gluck
  2001-09-30 23:32           ` D. Stimits
  2001-10-01  8:47         ` Helge Hafting
                           ` (3 subsequent siblings)
  6 siblings, 1 reply; 38+ messages in thread
From: John Gluck @ 2001-09-30 22:57 UTC (permalink / raw)
  To: linux-kernel

Hi

While I can agree with most of your points, the "life without parole" is
extreme.
Yes, I agree that loss of money is significant but it is just money. It's
similar but not the same as someone digging into a bank vault and availing
himself of the contents.
The difference is that in the virus case, the perpetrator does not make money
(unless of course someone pays him).

There is also a marked difference between a script kiddie who may be
irresponsible and malicious, and a terrorist bent on causing destruction and
bringing the world to its knees.
In the same manner that banks have dealt with the problem of robbery by taking
stronger security measures, the computer / communication communities need to
beef up prevention. Excessive punishment will not solve the problem. It is
merely a way of saying "we can't protect ourselves so let's kill the
messengers". Yes, the attacks until now have been messages. They say "you are
vulnerable, fix the vulnerabilities. Instead of being in such a rush to beat
your competition to the market with a crappy product, bring out a good
product".

I have long felt that most of the products on the market are deliberately
released with serious known defects just to bring in revenue. The problem isn't
with the developers, in many cases they would love to do a better product. It
rests with marketers and ultimately stockholders who often make unrealistic
demands for growth and sales.

Once some terrorist organisation hacks into the GPS satellites and uses them to
misguide planes into an assortment of buildings, oil refineries and such, it
will be too late to save those who died. Code Red upsets you, call it a wake up
call. These are just kids. It's not a concerted terrorist attack by fanatics.
In a sense we should perhaps be thanking these kids. They are saying "Hey, you
idiots, wake up. Your systems are incredibly vulnerable. Fix them now before
something really serious happens. Up to now you've only lost money."

As long as kids can screw up your computers and communication network with
relatively simple tools, I submit that the real problem isn't the kids, it's
the crap that's being used to run the networks. Fix the real problem before the
fact and you won't need to scream about the costs of cleanup after the fact.

OK I've repeated myself quite a few times, I hope it sinks in.

John

"M. Edward Borasky" wrote:

> While I don't want to get involved in a comparison between the loss of some
> 7000 human lives in a terrorist attack on buildings with productivity lost
> due to Code Red and Nimda attacks on the world's businesses, I'd like to
> make two points:
>
> 1. The losses to businesses from just these two virus attacks are
> *significant*, and people are angry about the fact. They're looking for
> someone to blame, someone to propose a solution and tools to prevent future
> attacks. I personally think stiff fines and long prison sentences for
> releasing attack software into the world's business network should have been
> instituted a long time ago. Life without parole seems to me quite reasonable
> under the circumstances.
>
> 2. The Linux community should *not* believe that we are less vulnerable than
> Microsoft! We are less vulnerable *now* only because Linux is not as
> widespread as Windows. Were Linux, say, half of the market, the
> vulnerability would be equal. The difference is strictly the number of
> available hosts for these parasitic codes, not anything inherent in the
> details of Windows or Linux, or in the organizational mechanisms (corporate
> giant vs. "brutal meritocracy", closed source vs. open source, etc.).
>
> In fact, I suspect that the open source for Linux gives creators of vicious
> attack codes a *slight* advantage, since the vulnerabilities are there for
> anyone to read and exploit before they are found by an alert Linux
> community. And if Linux is to succeed in the enterprise, we in the community
> owe it to ourselves to *enhance* that alertness -- indeed, to be more
> vigilant on security issues -- even if it's at the expense of some of our
> more favorite activities, like performance tweaking.
> --
> M. Edward (Ed) Borasky, Chief Scientist, Borasky Research
> http://www.borasky-research.net  http://www.aracnet.com/~znmeb
> mailto:znmeb@borasky-research.net  mailto:znmeb@aracnet.com
>
> Q: How do you tell when a pineapple is ready to eat?
> A: It picks up its knife and fork.
>
> > -----Original Message-----
> > From: linux-kernel-owner@vger.kernel.org
> > [mailto:linux-kernel-owner@vger.kernel.org]On Behalf Of Pavel Machek
> > Sent: Thursday, September 27, 2001 7:23 AM
> > To: Jeff V. Merkey
> > Cc: Rik van Riel; Paul G. Allen; linux-kernel@vger.kernel.org;
> > jmerkey@utah-nac.org
> > Subject: Re: [OT] New Anti-Terrorism Law makes "hacking" punishable by
> > life in prison
> >
> >
> > Hi!
> >
> > > When people are crashing planes into buildings and killing people
> > > by the thousands, hacking laws should be tough.  The US has shut off
> >
> > What do hacking laws have in common with planes crashing?
> >
> > It was not hackers who crashed the planes, right?
> >                                                               Pavel
>



* [OT] New Anti-Terrorism Law makes "hacking" punishable by life in prison
  2001-09-30 22:40           ` M. Edward Borasky
@ 2001-09-30 23:12             ` J Sloan
  2001-10-01  1:15             ` Gerhard Mack
  2001-10-01  1:29             ` Jan Harkes
  2 siblings, 0 replies; 38+ messages in thread
From: J Sloan @ 2001-09-30 23:12 UTC (permalink / raw)
  To: M. Edward Borasky; +Cc: linux-kernel

"M. Edward Borasky" wrote:

> We need to distinguish between Linux/Apache and other-UNIX/Apache.
> Specifically, there's at least Solaris, Tru64 and AIX besides Linux in this
> market.

Yes, IIRC total apache = 60%, linux/apache = 33%

> It isn't just IIS; the Nimda beast exploited, IIRC, 18 separate
> vulnerabilities in the Windows / IIS complex, including shared files.

Sure are a lot of vulnerabilities there...

> I've actually heard of cases where *Linux* systems exporting filesystems
> with Samba had Nimda code stuffed down their throats!

Define "stuffed down their throats".

We have samba servers here (Linux, Solaris, HPUX)
and while the windows clients stored infected files on
the samba fileservers, the servers themselves were
totally unaffected.

> If this code had been
> Linux-executable rather than Windows-executable -- if the virus had been
> smart enough to know it was dealing with a Samba rather than a Windows share
> and had been able to differentiate between Windows executables and Linux
> executables --

Yes, the command most likely would fail, since
it would run as the remote samba user, not
root.

> hmmm ... do you see what I'm getting at??? In other words,
> UNIX systems of *all* stripes that export filesystems with Samba need to
> track mods to executables just like a virus scanner does on a Windows
> system. *That's* what I mean by vigilance.

Oh yes, vigilance is indeed due, but please let's
not lump all OSes together and pretend there
are no differences!

> The security features are there in Windows if the users and sysadmins are
> willing to implement them.

Shipped very insecure, and most windows
programs would cease to operate or could
not be installed if the security measures
were implemented.

> Windows NT has had C2 available for quite some
> time; they couldn't sell to DOD if they didn't.

Ah yes, the checklist item - C2, as long as there is
no floppy disk, and no network interface - you install
either of those items, and no more C2 for windows.

The difference is, there are Unix systems that are
both secure, and fully functional.

> I don't see any such advantage.

OK, then.

We are not living in the same world.

cu

jjs


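The point quoted above, that a UNIX host exporting a filesystem with Samba should track modifications to executables the way a virus scanner would on Windows, as an added example that is not code from anyone in this thread. It assumes the share root is a plain directory on the Samba host; the executable heuristics (PE "MZ" header, a short list of Windows extensions, Unix execute bit) and the demo files are constructed.

```python
"""Baseline-and-diff integrity check for executables on an exported share.

Added example, not code from the thread. Assumes the share root is a plain
directory on the Samba host; "executable" means a Windows PE image ("MZ"
header), a common Windows executable extension, or a Unix execute bit.
"""
import hashlib
import os
import stat
import tempfile
from dataclasses import dataclass, field

# Constructed list of extensions to treat as Windows executables.
WIN_EXEC_EXT = {".exe", ".dll", ".scr", ".com"}


def is_executable(path: str) -> bool:
    """Heuristic: exec bit, Windows executable extension, or PE magic."""
    try:
        st = os.stat(path)
    except OSError:
        return False
    if st.st_mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
        return True
    if os.path.splitext(path)[1].lower() in WIN_EXEC_EXT:
        return True
    try:
        with open(path, "rb") as fh:
            return fh.read(2) == b"MZ"
    except OSError:
        return False


def sha256_file(path: str) -> str:
    """Stream the file through SHA-256 so large shares do not load into RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: str) -> dict:
    """Map share-relative path -> (sha256, is_executable) for regular files."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            rel = os.path.relpath(full, root)
            baseline[rel] = (sha256_file(full), is_executable(full))
    return baseline


@dataclass
class Report:
    modified: list = field(default_factory=list)  # (relpath, is_executable)
    added: list = field(default_factory=list)     # (relpath, is_executable)
    removed: list = field(default_factory=list)   # relpath

    @property
    def executable_alerts(self) -> list:
        """Only the changes that touch an executable: the ones worth paging on."""
        return [p for p, exe in self.modified + self.added if exe]


def check_share(root: str, baseline: dict) -> Report:
    """Compare the share's current state against a previously stored baseline."""
    current = build_baseline(root)
    report = Report()
    for rel, (digest, exe) in current.items():
        if rel not in baseline:
            report.added.append((rel, exe))
        elif baseline[rel][0] != digest:
            # Flag if the file is an executable now or was one in the baseline.
            report.modified.append((rel, exe or baseline[rel][1]))
    for rel in baseline:
        if rel not in current:
            report.removed.append(rel)
    return report


def demo() -> Report:
    """Constructed scenario: a Windows client later overwrites a PE file on
    the share, drops a new one, and edits a text document (benign)."""
    root = tempfile.mkdtemp(prefix="share-")
    with open(os.path.join(root, "tool.exe"), "wb") as fh:
        fh.write(b"MZ" + b"\x00" * 62 + b"original image")
    with open(os.path.join(root, "notes.txt"), "wb") as fh:
        fh.write(b"meeting notes")
    baseline = build_baseline(root)
    with open(os.path.join(root, "tool.exe"), "wb") as fh:
        fh.write(b"MZ" + b"\x00" * 62 + b"original image" + b"extra bytes")
    with open(os.path.join(root, "readme.exe"), "wb") as fh:
        fh.write(b"MZ" + b"\x00" * 62 + b"dropped image")
    with open(os.path.join(root, "notes.txt"), "wb") as fh:
        fh.write(b"meeting notes, updated")
    return check_share(root, baseline)


if __name__ == "__main__":
    print("executable alerts:", sorted(demo().executable_alerts))
```

In practice the baseline would be stored off the share (so a client writing to the export cannot alter it) and the check run from cron on the Samba host.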

* Re: [OT] New Anti-Terrorism Law makes "hacking" punishable by lifein  prison
  2001-09-30 22:03         ` Alexander Viro
@ 2001-09-30 23:24           ` D. Stimits
  2001-10-01  0:17             ` Michael Bacarella
  2001-10-01  9:20           ` [OT] New Anti-Terrorism Law makes "hacking" punishable by life Henning P. Schmiedehausen
  1 sibling, 1 reply; 38+ messages in thread
From: D. Stimits @ 2001-09-30 23:24 UTC (permalink / raw)
  Cc: linux-kernel

Alexander Viro wrote:
> 
> On Sun, 30 Sep 2001, M. Edward Borasky wrote:
> 
> > 1. The losses to businesses from just these two virus attacks are
> > *significant*, and people are angry about the fact. They're looking for
> > someone to blame, someone to propose a solution and tools to prevent future
> > attacks. I personally think stiff fines and long prison sentences for
> > releasing attack software into the world's business network should have been
> > instituted a long time ago. Life without parole seems to me quite reasonable
> > under the circumstances.
> 
> Let's start with conslutants who kept pushing crap into said network.
> And continue with those who had bred tons of worthless "certified"
> wankers pretending to be sysadmins, driving the wages down and replacing
> clued people with illiterate trash.  Getting rid of script kiddies is
> nice, but fsckwits who are directly responsible for current situation
> should be first against the wall.

Don't forget the management that is interested in paper skills, rather
than ability to do the job. Unless you can add some things on paper,
like particular certifications, you can't even get an interview.

D. Stimits, stimits@idcomm.com

> 
> > 2. The Linux community should *not* believe that we are less vulnerable than
> > Microsoft! We are less vulnerable *now* only because Linux is not as
> > widespread as Windows. Were Linux, say, half of the market, the
> > vulnerability would be equal. The difference is strictly the number of
> 
> Like, say it, in case of apache?  It's _more_ widespread than target of
> Code Red and Nimda.
> 


* Re: [OT] New Anti-Terrorism Law makes "hacking" punishable by life in  prison
  2001-09-30 22:57         ` [OT] New Anti-Terrorism Law makes "hacking" punishable by life in prison John Gluck
@ 2001-09-30 23:32           ` D. Stimits
  0 siblings, 0 replies; 38+ messages in thread
From: D. Stimits @ 2001-09-30 23:32 UTC (permalink / raw)
  Cc: linux-kernel

John Gluck wrote:
> 
> Hi
> 
> While I can agree with most of your points, the "life without parole" is
> extreme.
> Yes, I agree that loss of money is significant but it is just money. It's
> similar but not the same as someone digging into a bank vault and availing
> himself of the contents.
> The difference is that in the virus case, the perpetrator does not make money (
> unless of course someone pays him).
> 
> There is also a marked difference between a script kiddie who may be
> irresponsible and malicious, and a terrorist bent on causing destruction and
> bringing the world to its knees.
> In the same manner that banks have dealt with the problem of robbery by taking
> stronger security measures, the computer / communication communities need to
> beef up prevention. Excessive punishment will not solve the problem. It is
> merely a way of saying "we can't protect ourselves so let's kill the
> messengers". Yes, the attacks until now have been messages. They say "you are
> vulnerable fix the vulnerabilities. Instead of being in such a rush to beat
> your competition to the market with a crappy product, bring out a good
> product".


Think of it as a test of maturity, whether the government knows the
difference between justice and revenge. The law hasn't passed yet,
that's why it's nice to see it scrutinized now. But it won't do any good
if people act as if it is already law...the fat lady hasn't sung yet.

D. Stimits, stimits@idcomm.com

> 
> I have long felt that most of the products on the market are deliberately
> released with serious known defects just to bring in revenue. The problem isn't
> with the developers, in many cases they would love to do a better product. It
> rests with marketers and ultimately stockholders who often make unrealistic
> demands for growth and sales.
> 
> Once some terrorist organisation hacks into the GPS satellites and uses them to
> misguide planes into an assortment of buildings, oil refineries and such, it
> will be too late to save those who died. Code Red upsets you, call it a wake up
> call. These are just kids. It's not a concerted terrorist attack by fanatics.
> In a sense we should perhaps be thanking these kids. They are saying "Hey, you
> idiots, wake up. Your systems are incredibly vulnerable. Fix them now before
> something really serious happens. Up to now you've only lost money."
> 
> As long as kids can screw up your computers and communication network with
> relatively simple tools, I submit that the real problem isn't the kids, it's
> the crap that's being used to run the networks. Fix the real problem before the
> fact and you won't need to scream about the costs of cleanup after the fact.
> 
> OK I've repeated myself quite a few times, I hope it sinks in.
> 
> John
> 
....


* Re: [OT] New Anti-Terrorism Law makes "hacking" punishable by lifein prison
  2001-09-30 23:24           ` [OT] New Anti-Terrorism Law makes "hacking" punishable by lifein prison D. Stimits
@ 2001-10-01  0:17             ` Michael Bacarella
  2001-10-01  0:33               ` M. Edward Borasky
  2001-10-01  1:26               ` Stefan Smietanowski
  0 siblings, 2 replies; 38+ messages in thread
From: Michael Bacarella @ 2001-10-01  0:17 UTC (permalink / raw)
  To: linux-kernel

On Sun, Sep 30, 2001 at 05:24:00PM -0600, D. Stimits wrote:
> > wankers pretending to be sysadmins, driving the wages down and replacing
> > clued people with illiterate trash.  Getting rid of script kiddies is
> > nice, but fsckwits who are directly responsible for current situation
> > should be first against the wall.
> 
> Don't forget the management that is interested in paper skills, rather
> than ability to do the job. Unless you can add some things on paper,
> like particular certifications, you can't even get an interview.

Quick survey:

How many people here really want to work at a company where
management tosses resumes that don't say MCSE or CCNA or RHCE?

---
Michael Bacarella <mbac@nyct.net>
Technical Staff / System Development,
New York Connect.Net, Ltd.


* RE: [OT] New Anti-Terrorism Law makes "hacking" punishable by lifein prison
  2001-10-01  0:17             ` Michael Bacarella
@ 2001-10-01  0:33               ` M. Edward Borasky
  2001-10-01  1:26               ` Stefan Smietanowski
  1 sibling, 0 replies; 38+ messages in thread
From: M. Edward Borasky @ 2001-10-01  0:33 UTC (permalink / raw)
  To: Michael Bacarella, linux-kernel

I personally do not have a certification and I personally find my career
paths limited as a result. This is something I plan to rectify; it's simply
a matter of time, money and a willingness on my part to do the work. I
suggest that you look at it the same way, rather than knocking the
certification process or employers who require it.

I have chosen a mathematical / scientific / programmer career path rather
than a system / network administration career path, so I will most likely
seek an MSCD or perhaps the Red Hat equivalent if there is one. There are a
great many more *applicants* for jobs than there are jobs, and lack of a
certification or presence of illegal substances in an applicant's urine are
*legal* ways of eliminating some of these applicants, whereas skin color,
gender or age are not. Deal with it; I have.

--
M. Edward (Ed) Borasky, Chief Scientist, Borasky Research
http://www.borasky-research.net  http://www.aracnet.com/~znmeb
mailto:znmeb@borasky-research.net  mailto:znmeb@aracnet.com

Q: How do you tell when a pineapple is ready to eat?
A: It picks up its knife and fork.

> -----Original Message-----
> From: linux-kernel-owner@vger.kernel.org
> [mailto:linux-kernel-owner@vger.kernel.org]On Behalf Of Michael
> Bacarella
> Sent: Sunday, September 30, 2001 5:18 PM
> To: linux-kernel@vger.kernel.org
> Subject: Re: [OT] New Anti-Terrorism Law makes "hacking" punishable by
> lifein prison
>
>
> On Sun, Sep 30, 2001 at 05:24:00PM -0600, D. Stimits wrote:
> > > wankers pretending to be sysadmins, driving the wages down
> and replacing
> > > clued people with illiterate trash.  Getting rid of script kiddies is
> > > nice, but fsckwits who are directly responsible for current situation
> > > should be first against the wall.
> >
> > Don't forget the management that is interested in paper skills, rather
> > than ability to do the job. Unless you can add some things on paper,
> > like particular certifications, you can't even get an interview.
>
> Quick survey:
>
> How many people here really want to work at a company where
> management tosses resumes that don't say MCSE or CCNA or RHCE?
>
> ---
> Michael Bacarella <mbac@nyct.net>
> Technical Staff / System Development,
> New York Connect.Net, Ltd.



* RE: [OT] New Anti-Terrorism Law makes "hacking" punishable by life in prison
  2001-09-30 22:40           ` M. Edward Borasky
  2001-09-30 23:12             ` J Sloan
@ 2001-10-01  1:15             ` Gerhard Mack
  2001-10-01  1:29             ` Jan Harkes
  2 siblings, 0 replies; 38+ messages in thread
From: Gerhard Mack @ 2001-10-01  1:15 UTC (permalink / raw)
  To: M. Edward Borasky; +Cc: linux-kernel

On Sun, 30 Sep 2001, M. Edward Borasky wrote:
> The security features are there in Windows if the users and sysadmins are
> willing to implement them. Windows NT has had C2 available for quite some
> time; they couldn't sell to DOD if they didn't. A good MSCE / security
> specialist makes a lot of money. It's for the most part laziness on the part
> of Windows users that allows malicious code to circulate, not any inherent
> weakness in the Microsoft tool set. The technology exists.

Ok I'll bite .. and only because I'm stuck dealing with W2k on occasion..
Yea, look and drool at the fine-grained access controls MS has .. then go
try getting IIS to run as anything other than administrator..

Access controls are good only when used.  MS security doesn't ever seem to
take possible flaws in daemons into account.

Now add the fun of things mysteriously breaking when hotfixes are applied.
Wonder why admins are afraid to apply them?  I have a W2k Machine that now
crashes twice weekly since the latest updates were applied. That's up from
a crash every 1 or 2 months.

Off hand I'd call that an inherent weakness.

Meanwhile Apache on my boxes either runs as "nobody" or as a user
dedicated to the web server.  Linux may not have the cool access controls
but at least the existing security controls are actually USED.
 
> 
> > I'm not saying Linux/Unix users should rest on their
> > laurels or be lulled into a sense of false security, but
> > come on, let's at least be realistic about the very real
> > advantages of Unix OSes over PC OSes in this area.
> 
> I don't see any such advantage. C2 is C2; crypto is crypto; authentication
> is authentication; vigilance is vigilance.
> 

C2 is only a standard for user permissions and access tracking .. it is
NOT security. Same goes for crypto.. I'm very sick of people telling me
they can't be "hacked" because they have "encryption"

Unix and clones tend to be more secure not because of some whiz bang
buzzword compliant toy but because on the whole its designers have tended
to look at *why* a given hack was done or *why* a given worm spread and
chased the problem instead of patching the current bug and relying on band
aid software that attempts to track a given problem based on its
signature.

I'm honestly surprised more exploits aren't polymorphic for the express
purpose of evading the anti virus programs.

Patches and AV -vs- buffer overflow detecting libraries and compilers, not
to mention the principle of least privilege.

	Gerhard

--
Gerhard Mack

gmack@innerfire.net

<>< As a computer I find your faith in technology amusing.



* Re: [OT] New Anti-Terrorism Law makes "hacking" punishable by lifein prison
  2001-10-01  0:17             ` Michael Bacarella
  2001-10-01  0:33               ` M. Edward Borasky
@ 2001-10-01  1:26               ` Stefan Smietanowski
  1 sibling, 0 replies; 38+ messages in thread
From: Stefan Smietanowski @ 2001-10-01  1:26 UTC (permalink / raw)
  To: Michael Bacarella; +Cc: linux-kernel

Hi.

>>Don't forget the management that is interested in paper skills, rather
>>than ability to do the job. Unless you can add some things on paper,
>>like particular certifications, you can't even get an interview.
>>
> 
> Quick survey:
> 
> How many people here really want to work at a company where
> management tosses resumes that don't say MCSE or CCNA or RHCE?

The outcome of that is really irrelevant IMHO. People have to work to 
make money to live. Agreeing with management of the company you work for 
(not just in this issue) is often not the defining point behind getting 
a job at said company or not.

You can get a job at company A _NOW_ so you can pay your bills etc or 
you can get a job at company B in 6 months making you not be able to pay 
your bills in that time. I'm sure most would get the job at company A 
and in the meanwhile look for company B which may or may not come. These 
are harder economical times than before.

It's the 'I don't agree with company policy on X' that makes it 'us vs 
them' quite often.

The same question can be applied on 'How many want to live in a country 
where the leaders have X, pass law Y or something?'. Same question 
really. The answer often lies in : There's no real way of changing it. 
Sure, go vote and stuff. Change it that way. It makes a difference, 
albeit some would argue the change is minimal.

Now, don't get me wrong, I'm not the anarchist type or anything, I just 
don't see the relevance of said question cause morally most would say 
"of course I don't want to work at said company!" but reality dictates 
that sometimes people have no choice.

// Stefan




* Re: [OT] New Anti-Terrorism Law makes "hacking" punishable by life in prison
  2001-09-30 22:40           ` M. Edward Borasky
  2001-09-30 23:12             ` J Sloan
  2001-10-01  1:15             ` Gerhard Mack
@ 2001-10-01  1:29             ` Jan Harkes
  2 siblings, 0 replies; 38+ messages in thread
From: Jan Harkes @ 2001-10-01  1:29 UTC (permalink / raw)
  To: M. Edward Borasky; +Cc: linux-kernel

On Sun, Sep 30, 2001 at 03:40:27PM -0700, M. Edward Borasky wrote:
> Here, for your amusement, is a snippet of Perl code:
> 
> $stuff = `uname`;
> if ($stuff =~ /is not recognized as an internal or external command,/) {
> 	# execute malicious Windows code
> }
> else {
> 	# look at the uname stuff and figure out what OS we're running
> 	# then execute OS-specific malicious code
> }
> 
> Do you see what I'm saying?

You run untrusted snippets of perl-code as root?

To return to your original argument,

If a company sells me a car that has a rust-proof guarantee under the
conditions that I keep it garaged 24/7 (similar to the Windows NT C2
rating). And when I take it for a spin someone sprays it with a garden
hose. The car falls apart from the rust. Do I have the right to lock
_any guy with a garden hose_ up in prison because they could cause
irreparable damage to cars? Or maybe that car shouldn't have left the
factory in the first place.

Any further discussion can go to /dev/null.

Jan



* Re: [OT] New Anti-Terrorism Law makes "hacking" punishable by life in  prison
  2001-09-30 21:16       ` M. Edward Borasky
                           ` (2 preceding siblings ...)
  2001-09-30 22:57         ` [OT] New Anti-Terrorism Law makes "hacking" punishable by life in prison John Gluck
@ 2001-10-01  8:47         ` Helge Hafting
  2001-10-01 10:41           ` Manfred Bartz
  2001-10-01 11:47           ` [Moving rapidly away from LKM] (Was: Re: [OT] New Anti-Terrorism Law makes "hacking" punishable by life in) Henning P. Schmiedehausen
  2001-10-01  9:28         ` [OT] New Anti-Terrorism Law makes "hacking" punishable by life in prison Bernd Petrovitsch
                           ` (2 subsequent siblings)
  6 siblings, 2 replies; 38+ messages in thread
From: Helge Hafting @ 2001-10-01  8:47 UTC (permalink / raw)
  To: M. Edward Borasky, linux-kernel

"M. Edward Borasky" wrote:
> 
> While I don't want to get involved in a comparison between the loss of some
> 7000 human lives in a terrorist attack on buildings with productivity lost
> due to Code Red and Nimda attacks on the world's businesses, I'd like to
> make two points:
> 
> 1. The losses to businesses from just these two virus attacks are
> *significant*, and people are angry about the fact. They're looking for
> someone to blame, 

And the one to blame here isn't the virus writer.  The ones to blame
are:
1. Whoever decided to install that vulnerable software.
   This one isn't popular because it is someone inside the company. 
   But that's where the problem is.  (Or possibly whoever hired
   a clueless admin.  Even less popular with the administration.)

   Someone trusted with important software ought to have the
   necessary skills.  Nobody lets a clueless guy design
   _physical_ security for a bank...

2. Possibly the company making vulnerable software, although nobody
   sane should select that kind of software.  A bank doesn't use
   an array of piggy banks for a vault.  This is a question of 
   marketing - did they create the impression that their software
   was safe from trivial attacks?

Of course releasing a virus is bad, but we should still expect
companies to take some measures themselves.

We do expect them to lock doors etc. - Someone who leaves
their office building _unlocked_ & unguarded, money in open drawers 
etc.  will usually not be able to collect insurance because of
obvious neglect.  They'll be laughed at, and nobody will cry
about more punishment for those who walk in and grab some
stuff.


> 2. The Linux community should *not* believe that we are less vulnerable than
> Microsoft! We are less vulnerable *now* only because Linux is not as
> widespread as Windows. Were Linux, say, half of the market, the
> vulnerability would be equal. The difference is strictly the number of
> available hosts for these parasitic codes, not anything inherent in the
> details of Windows or Linux, or in the organizational mechanisms (corporate
> giant vs. "brutal meritocracy", closed source vs. open source, etc.).

Well, I believe Linux _is_ less vulnerable.  Not invulnerable of course,
but at least fixes appear a lot faster for linux.  That alone doesn't
usually leave enough timespan for a large-scale exploit.  
And I see many firewalls that are really a PC router running Linux.
Are there any _serious_ ones running windows?


> In fact, I suspect that the open source for Linux gives creators of vicious
> attack codes a *slight* advantage, since the vulnerabilities are there for
> anyone to read and exploit before they are found by an alert Linux
> community. 

Many people read open source code looking for vulnerabilities.  Yeah,
some are exploiters.  But more of them are looking to plug the holes,
so this is a _big_ advantage for open source, not a _slight_ advantage
for crackers.  A hole only needs plugging _once_ before nobody can use
it.

And the people capable of finding a hole by looking at source will
usually report it - you can get more prestige that way than by
writing an exploit.  This boils down to who you want to impress - 
a bunch of stupid script kiddies or a bunch of security-minded
experts?  Some of the latter might even offer a paying job...

This doesn't work as well for closed source.  The bugs are harder to find,
but some are found anyway by disassembly or trial-and-error.  (What
happens if I manufacture bad oversized input for this thing...)

What do you do about such a bug?  A patch is impossible without 
source.  Reports seem to go silently ignored.   A public report
might get you sued.  "You are out to get us & our customers,
and your license forbids hacking on it...."  People get bitter,
and get incentives to make viruses.  It becomes the only
way of getting serious attention.

This incentive mostly goes away with open source; it's much more fun to
be among the "good guys" who stamp out bugs & get their names
immortalized in changelogs.

Helge Hafting


* Re: [OT] New Anti-Terrorism Law makes "hacking" punishable by life
  2001-09-30 22:03         ` Alexander Viro
  2001-09-30 23:24           ` [OT] New Anti-Terrorism Law makes "hacking" punishable by lifein prison D. Stimits
@ 2001-10-01  9:20           ` Henning P. Schmiedehausen
  1 sibling, 0 replies; 38+ messages in thread
From: Henning P. Schmiedehausen @ 2001-10-01  9:20 UTC (permalink / raw)
  To: linux-kernel

Alexander Viro <viro@math.psu.edu> writes:

>Like, say it, in case of apache?  It's _more_ widespread than target of
>Code Red and Nimda.

I still would like to see the IIS/Apache/iPlanet distribution results
if you only consider the top 1% busiest web servers on this planet.

Yes, there are literally millions of "Apache on <whatever>" driven
servers that get maybe one hit per day. Subtract these and _then_ the
figures are interesting.

While the Netcraft survey is something to <censored> off while reading
(we've beaten M$ _once_ again!), in a business context it is largely
irrelevant.

And even wrong. I know of at least one really busy German (sports) web
site which is shown as "driven by Apache on Linux" but in reality it
is about a dozen IIS on NT4/2000 behind a reverse proxy cluster (which
runs on Linux). I helped build the reverse proxy, so I should know. =:-)

	Regards
		Henning

-- 
Dipl.-Inf. (Univ.) Henning P. Schmiedehausen       -- Geschaeftsfuehrer
INTERMETA - Gesellschaft fuer Mehrwertdienste mbH     hps@intermeta.de

Am Schwabachgrund 22  Fon.: 09131 / 50654-0   info@intermeta.de
D-91054 Buckenhof     Fax.: 09131 / 50654-20   


* Re: [OT] New Anti-Terrorism Law makes "hacking" punishable by life in prison
  2001-09-30 21:16       ` M. Edward Borasky
                           ` (3 preceding siblings ...)
  2001-10-01  8:47         ` Helge Hafting
@ 2001-10-01  9:28         ` Bernd Petrovitsch
  2001-10-01 12:00         ` Daniel Phillips
  2001-10-02  9:40         ` Vojtech Pavlik
  6 siblings, 0 replies; 38+ messages in thread
From: Bernd Petrovitsch @ 2001-10-01  9:28 UTC (permalink / raw)
  To: linux-kernel


In message <HBEHIIBBKKNOBLMPKCBBIENPDNAA.znmeb@aracnet.com>, "M. Edward Borasky
" wrote:
>2. The Linux community should *not* believe that we are less vulnerable than
>Microsoft! We are less vulnerable *now* only because Linux is not as

I need not believe - I just see it now.

>widespread as Windows. Were Linux, say, half of the market, the
>vulnerability would be equal. The difference is strictly the number of

Plain simply wrong - Linux has more than 50% in the "Internet 
server market" (even if some companies' propaganda departments do not 
admit this).
Attackers choose the weakest target (this is usually also the largest, 
but not necessarily).

>available hosts for these parasitic codes, not anything inherent in the
>details of Windows or Linux, or in the organizational mechanisms (corporate
>giant vs. "brutal meritocracy", closed source vs. open source, etc.).

It is "the details" that matter in this area.
M$ sells their software with the "everyone can install it, use, etc. 
because it is user-friendly[0], it does exactly what the user needs, 
it does everything automatically, etc." argument (which is plain simply
wrong[1]). 
Therefore lots of people install and run servers on the web without really
knowing what they are doing. Apparently they think that they install 
it and it runs on its own (which is wrong).
The learning curve on a U*ix system with some appropriate server 
software on it is much steeper. So if you get such a system on the web
you are forced to know more about it (and usually at one point 
you get to people who basically force you to think about security or 
other areas).

You could run a "secure" Win*server or workstations on the Net, but this means
that
-) you install all relevant patches immediately (not ASAP - immediately).
-) you disable all kinds of automatic code execution features (which
   means disabling all the nifty features, setting all hosts to 
   "internet zone", disable Active-X and JavaScript[2] completely, etc.).
If you would do this, you could as well run the service on a U*ix 
system because the functional features are the same and you get 
patches much earlier (how long did the teardrop patch for WinNT take?).

>In fact, I suspect that the open source for Linux gives creators of vicious
>attack codes a *slight* advantage, since the vulnerabilities are there for

You should also list the disadvantages, not only one argument, if you 
want to be serious.

>anyone to read and exploit before they are found by an alert Linux
>community. And if Linux is to succeed in the enterprise, we in the community
>owe it to ourselves to *enhance* that alertness -- indeed, to be more
>vigilant on security issues -- even if it's at the expense of some of our
>more favorite activities, like performance tweaking.

Read the usenet and you will see a significant difference.
Until then you are trolling.

[ TOFU-Mail deleted ]

	Bernd

[0] : Does anyone know why there are that many Win* books on the
      shelves if the software is so easy to use ?
[1] : If a server is badly administered the sysadmin of that server is
      also partly guilty (even if he didn't have a clue) - you should 
      also blame them.
[2] : This should actually be disabled on all browsers on the world.
      Actually this should be removed completely.
-- 
Bernd Petrovitsch                              Email : bernd@gams.at
g.a.m.s gmbh                                  Fax : +43 1 205255-900
Prinz-Eugen-Straße 8                    A-1040 Vienna/Austria/Europe
                     LUGA : http://www.luga.at





* Re: [OT] New Anti-Terrorism Law makes "hacking" punishable by life in  prison
  2001-10-01  8:47         ` Helge Hafting
@ 2001-10-01 10:41           ` Manfred Bartz
  2001-10-01 12:27             ` John Jasen
  2001-10-01 11:47           ` [Moving rapidly away from LKM] (Was: Re: [OT] New Anti-Terrorism Law makes "hacking" punishable by life in) Henning P. Schmiedehausen
  1 sibling, 1 reply; 38+ messages in thread
From: Manfred Bartz @ 2001-10-01 10:41 UTC (permalink / raw)
  To: linux-kernel

Helge Hafting <helgehaf@idb.hist.no> writes:

> .. but at least fixes appear a lot faster for linux.  That alone
> don't usually leave enough timespan for a large-scale exploit.

I wouldn't count on time, regardless of the OS.  How about 15 minutes
to infect all vulnerable hosts on the Internet?  See:

        <http://www.cs.berkeley.edu/~nweaver/warhol.html>

-- 
Manfred Bartz


* [Moving rapidly away from LKM] (Was: Re: [OT] New Anti-Terrorism Law makes "hacking" punishable by life in)
  2001-10-01  8:47         ` Helge Hafting
  2001-10-01 10:41           ` Manfred Bartz
@ 2001-10-01 11:47           ` Henning P. Schmiedehausen
  2001-10-01 13:12             ` Helge Hafting
  1 sibling, 1 reply; 38+ messages in thread
From: Henning P. Schmiedehausen @ 2001-10-01 11:47 UTC (permalink / raw)
  To: linux-kernel

Helge Hafting <helgehaf@idb.hist.no> writes:

>And the one to blame here isn't the virus writer.  The ones to blame
>are:
>1. Whoever decided to install that vulnerable software.

"The ones to blame are not the people that build the bombs. The ones
to blame are the people that live in normal houses with normal locks
or even let their doors open instead of living in fortified bunkers
and shoot everyone on sight".

Come on. I may not know what's right, but I know this can't be it.

The blame is on both sides. On the people that write the stuff and the
ones that are not able to install the most basic defenses on their
business critical systems.

>   This one isn't popular because it is someone inside the company. 

I don't think so. I'd say 6 of 10 systems in larger companies are
installed either by the vendor via their own "consulting branch" or by
a "vendor certified partner" or by a hired consulting branch. Most of
the bigger companies have _enough_ to do with just keeping this stuff
running. Or they even hire outside resources to run their stuff.

[...Your argumentation goes downhill from here...]

Fact is: Most companies don't install IIS just because they're
Microsoft slaves. They install it, because another 3rd party
application that depends on yet another application that needs another
piece of software to run is only available on (you may already have
guessed it) WIN32. OLE, Visual Basic and all the heavily glued
together windows stuff. That is what drags people to the WIN32.
And once you're here, you use IIS. Not Apache. Not iPlanet.

Not just the "nice icons to click" that most of the clueless here seem
to think.

Try to set up an Oracle development shop in an "all Solaris, all
Linux" environment. You can't get 99% of the frontends for your
platform? Too bad. Others do and they're working faster than you.

Try that with Intershop. With Cache. Other Borland stuff. SAP R/3. You
get all the backends for Linux. The frontends?

Even Java development is easier with WIN32 (though JBuilder and
NetBeans run quite usable under Linux). But the native SUN JDK runs
faster on Win32 than on their own Sparc platform. Than on Linux. Why?
Because Sun throws all of its engineering efforts into WIN32 and not
into Sparc?

I know all about the "ok, let's use Linux in our back office and WIN32
just on the desktops" mentality. But you might not understand that
companies then have to hire not just one but two people. One to admin
the desktops, one for the back ends. In times when getting a single
clueful individual is hard to do. And budget cuts say "we get _one_
admin. Not two."

So you go for a uniform solution to the problem. Use one platform for
everything. Linux loses in such shops every time.

When companies like IBM, Oracle and SAP spell "commitment to Linux" as
"we port _everything_, not just our servers, to Linux", then Linux gets a
chance here. I don't see this.

And what has all of this to do with Linux kernel? 

	Regards
		Henning




-- 
Dipl.-Inf. (Univ.) Henning P. Schmiedehausen       -- Geschaeftsfuehrer
INTERMETA - Gesellschaft fuer Mehrwertdienste mbH     hps@intermeta.de

Am Schwabachgrund 22  Fon.: 09131 / 50654-0   info@intermeta.de
D-91054 Buckenhof     Fax.: 09131 / 50654-20   


* Re: [OT] New Anti-Terrorism Law makes "hacking" punishable by life in prison
  2001-09-30 21:16       ` M. Edward Borasky
                           ` (4 preceding siblings ...)
  2001-10-01  9:28         ` [OT] New Anti-Terrorism Law makes "hacking" punishable by life in prison Bernd Petrovitsch
@ 2001-10-01 12:00         ` Daniel Phillips
  2001-10-02  9:40         ` Vojtech Pavlik
  6 siblings, 0 replies; 38+ messages in thread
From: Daniel Phillips @ 2001-10-01 12:00 UTC (permalink / raw)
  To: M. Edward Borasky, linux-kernel

On September 30, 2001 11:16 pm, M. Edward Borasky wrote:
> 2. The Linux community should *not* believe that we are less vulnerable than
> Microsoft! We are less vulnerable *now* only because Linux is not as
> widespread as Windows.

I try hard not to feed the trolls or engage in advocacy on this list, but 
this time I can't resist supplying a quote from your mail headers:

    X-MSMail-Priority: Normal
    X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0)
    X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000

I'll give you the benefit of the doubt and assume you're really just a 
half-deprogrammed dual-booter[1] rather than a genuine troll, so consider 
this please:  Linux is less vulnerable to worm attacks because our security 
is an open process in which everybody participates.  End of story.

Note that this does not give us any reason to relax: it's a process, it has 
to continue.

If you must debate this further could you please respond privately.

[1] It's not a reason to be ashamed, many of us have been there

--
Daniel


* Re: [OT] New Anti-Terrorism Law makes "hacking" punishable by life in  prison
  2001-10-01 10:41           ` Manfred Bartz
@ 2001-10-01 12:27             ` John Jasen
  2001-10-01 12:54               ` Ookhoi
  0 siblings, 1 reply; 38+ messages in thread
From: John Jasen @ 2001-10-01 12:27 UTC (permalink / raw)
  Cc: linux-kernel


> Helge Hafting <helgehaf@idb.hist.no> writes:
>
> > .. but at least fixes appear a lot faster for linux.  That alone
> > don't usually leave enough timespan for a large-scale exploit.

Did someone forget the bind and rpc.statd worms of about 6 months ago?

Or, the exploitability of ntp?

--
-- John E. Jasen (jjasen1@umbc.edu)
-- In theory, theory and practise are the same. In practise, they aren't.



* Re: [OT] New Anti-Terrorism Law makes "hacking" punishable by life in  prison
  2001-10-01 12:27             ` John Jasen
@ 2001-10-01 12:54               ` Ookhoi
  0 siblings, 0 replies; 38+ messages in thread
From: Ookhoi @ 2001-10-01 12:54 UTC (permalink / raw)
  To: John Jasen; +Cc: linux-kernel

> > > .. but at least fixes appear a lot faster for linux.  That alone
> > > don't usually leave enough timespan for a large-scale exploit.
> 
> Someone forget bind and rpc.statd worms of about 6 months ago?

With bind, the admin could have patched his bind before the worms came
alive, he could have upgraded to a new major release, he could have run
bind not as root, and he could have run bind chrooted. (for 'he' you can
also read 'she').

This for sure was not the fault of the os.

	Ookhoi


* Re: [Moving rapidly away from LKM] (Was: Re: [OT] New Anti-Terrorism Law  makes "hacking" punishable by life in)
  2001-10-01 11:47           ` [Moving rapidly away from LKM] (Was: Re: [OT] New Anti-Terrorism Law makes "hacking" punishable by life in) Henning P. Schmiedehausen
@ 2001-10-01 13:12             ` Helge Hafting
  0 siblings, 0 replies; 38+ messages in thread
From: Helge Hafting @ 2001-10-01 13:12 UTC (permalink / raw)
  To: hps, linux-kernel

"Henning P. Schmiedehausen" wrote:
> 
> Helge Hafting <helgehaf@idb.hist.no> writes:
> 
> >And the one to blame here isn't the virus writer.  The ones to blame
> >are:
> >1. Whoever decided to install that vulnerable software.
> 
> "The ones to blame are not the people that build the bombs.
Oh, they too.  They too.  My first sentence was wrong, I'm just
trying to say that increasingly harder punishment against
_dead easy_ crime won't work.  And that people actually are
responsible for taking simple precautions.  


> The ones
> to blame are the people that live in normal houses with normal locks
> or even let their doors open instead of living in fortified bunkers
> and shoot everyone on sight".

I am not that extreme.  But if someone leaves their car with the engine
running all day they are stupid and shouldn't be surprised when
it is stolen.
Someone who leaves an unattended company car with the engine running 
deserves to get fired when it is stolen.  This is neglect.

Of course the thief is a criminal too, and the worst one.  But
not taking any precautions is neglecting responsibility.

[...] 
> Fact is: Most companies don't install IIS just because they're
> Microsoft slaves. They install it, because another 3rd party
> application that depends on yet another application that needs another
> piece of software to run is only available on (you may already have
> guessed it) WIN32. OLE, Visual Basic and all the heavily glued
> together windows stuff. That is what drags people to the WIN32.
> And once you're here, you use IIS. Not Apache. Not iPlanet.
> 
You can run your internet server on windows.  Nothing inherently
wrong in that.  But then you'd better put a good firewall in front 
of it.  And you'll run the latest virus checkers.  And you'll
turn _off_ particularly unsafe "features".  Windows servers can
be safe, but many aren't.

Not doing this is like storing your money in a heap on the street.
A thief taking your pile is still a thief but there is less
punishment because he didn't break in or threaten anybody.  

Helge Hafting


* Re: [OT] New Anti-Terrorism Law makes "hacking" punishable by life in prison
  2001-09-30 21:16       ` M. Edward Borasky
                           ` (5 preceding siblings ...)
  2001-10-01 12:00         ` Daniel Phillips
@ 2001-10-02  9:40         ` Vojtech Pavlik
  6 siblings, 0 replies; 38+ messages in thread
From: Vojtech Pavlik @ 2001-10-02  9:40 UTC (permalink / raw)
  To: M. Edward Borasky; +Cc: linux-kernel

On Sun, Sep 30, 2001 at 02:16:40PM -0700, M. Edward Borasky wrote:

> While I don't want to get involved in a comparison between the loss of some
> 7000 human lives in a terrorist attack on buildings with productivity lost
> due to Code Red and Nimda attacks on the world's businesses, I'd like to
> make two points:
> 
> 1. The losses to businesses from just these two virus attacks are
> *significant*, and people are angry about the fact. They're looking for
> someone to blame, someone to propose a solution and tools to prevent future
> attacks. I personally think stiff fines and long prison sentences for
> releasing attack software into the world's business network should have been
> instituted a long time ago. Life without parole seems to me quite reasonable
> under the circumstances.

I think the major mistake behind this law is that it doesn't take into
account that not the whole world is America. Still, virus creators from
other countries won't be scared by this law, and I don't believe it'll
stop American virus writers either - they won't believe they'll ever be
caught.

> 2. The Linux community should *not* believe that we are less vulnerable than
> Microsoft! We are less vulnerable *now* only because Linux is not as
> widespread as Windows. Were Linux, say, half of the market, the
> vulnerability would be equal. The difference is strictly the number of
> available hosts for these parasitic codes, not anything inherent in the
> details of Windows or Linux, or in the organizational mechanisms (corporate
> giant vs. "brutal meritocracy", closed source vs. open source, etc.).
> 

Linux *is* less vulnerable to worm attacks, because of diversity.

There are just a few different versions of IIS, for example, just a few
different binaries floating around. And thus it is easy to choose the
most common one and write a buffer overflow exploit for it.

On the other hand, there are many, many different versions of Apache and
Linux around, and even for same versions the code is compiled with
different options by every Linux maker, which gives you at least a
couple hundreds of different binaries. This won't stop a hacker from
getting into your computer, but it will slow down worm spreading a lot -
it either has to know every different binary out there and be able to
guess which one is running on the system it plans to infect before it
attacks (because otherwise the server can just crash without being
infected, which is counterproductive for the virus), or hope to be able
to attack the most common binary, which will then have a much smaller
impact on the whole 'net.

It's much like biology: When you have genetic diversity, your species
won't become extinct after just one heavy plague - some will survive. If
you're a monoculture, then you're dead.

> In fact, I suspect that the open source for Linux gives creators of vicious
> attack codes a *slight* advantage, since the vulnerabilities are there for
> anyone to read and exploit before they are found by an alert Linux
> community. And if Linux is to succeed in the enterprise, we in the community
> owe it to ourselves to *enhance* that alertness -- indeed, to be more
> vigilant on security issues -- even if it's at the expense of some of our
> more favorite activities, like performance tweaking.

Being alert is always good. :) It just becomes tiring after some time.

-- 
Vojtech Pavlik
SuSE Labs

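Vojtech's diversity argument above and Manfred's Warhol-worm point earlier in the thread both come down to the same spreading model: a random-scanning worm whose exploit is tuned to one build of the exposed service, so that a probe against any other build crashes that service instead of infecting it. The following is an added example, not code posted by anyone in this thread, that works that model through in Python and compares a monoculture with a population of the same size spread over several builds. The host populations, the six "build" labels and the scan rate are constructed numbers chosen for illustration, not measurements of IIS or Apache deployments.

```python
from collections import Counter

# Constructed host populations (not data from the thread): each entry is the
# build of the exposed service a host runs. The monoculture runs one build;
# the diverse population spreads the same number of hosts over six builds.
MONOCULTURE = ["iis-build-A"] * 1000
DIVERSE = (["apache-distroA"] * 300 + ["apache-distroB"] * 250
           + ["apache-distroC"] * 200 + ["apache-distroD"] * 150
           + ["apache-selfbuilt-1"] * 60 + ["apache-selfbuilt-2"] * 40)


def reachable_fraction(hosts):
    """Share of hosts a worm can ever infect when its exploit only works
    against the single most common build and fails on every other one."""
    counts = Counter(hosts)
    return max(counts.values()) / len(hosts)


def simulate_spread(hosts, scans_per_tick=2.0, max_ticks=10_000):
    """Deterministic discrete-time model of a random-scanning worm.

    Every infected host probes scans_per_tick addresses per tick, drawn
    uniformly from the whole population. A probe that lands on a still
    susceptible host of the targeted build infects it; a probe that lands
    on any other build crashes that service without infecting it (the
    "counterproductive" outcome Vojtech describes). Runs until 99% of the
    reachable pool is infected or max_ticks is hit.
    """
    n = len(hosts)
    vulnerable = max(Counter(hosts).values())  # hosts running the targeted build
    infected, crashed = 1.0, 0.0               # start from a single infected host
    tick = 0
    while infected < 0.99 * vulnerable and tick < max_ticks:
        probes = infected * scans_per_tick
        # Probes hitting susceptible hosts of the targeted build infect them.
        new_infections = probes * (vulnerable - infected) / n
        # Probes hitting any other build only crash those services.
        crashed = min(n - vulnerable, crashed + probes * (n - vulnerable) / n)
        infected = min(vulnerable, infected + new_infections)
        tick += 1
    return {
        "ticks": tick,
        "infected": infected,
        "crashed": crashed,
        "infected_share_of_all_hosts": infected / n,
    }


if __name__ == "__main__":
    for name, hosts in (("monoculture", MONOCULTURE), ("diverse", DIVERSE)):
        result = simulate_spread(hosts)
        print(f"{name:12s} reachable={reachable_fraction(hosts):.2f} "
              f"ticks_to_saturation={result['ticks']:3d} "
              f"infected={result['infected']:.0f} crashed={result['crashed']:.0f}")
```

Two things fall out of the model. The ceiling on the outbreak is set purely by the share of the most common build (the monoculture can lose every host, the diverse population at most 30% in this constructed case), and the growth in the early ticks is slower for the diverse population because most probes land on the wrong build, which lengthens the window in which a fix can be rolled out. The crash counter is the cost Vojtech alludes to: a mistargeted worm takes services down without gaining any foothold.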
