-
Linux vs MS Security
Now and then I encounter a Microsoftie who claims Linux
is as vulnerable as Windows because there are a comparable
number of security patches released. Not being a security
guru I don't have the facts to rebut. So here are my
questions.
1 (SPAM) What percentage of SPAM is transmitted by compromised
Linux systems compared to Microsoft?
2 How does Linux compare with Windows for spyware vulnerability?
3 How many Linux worms/virii in the last ten years??
--
Chuck Forsberg [email]caf@omen.com[/email] [url]www.omen.com[/url] 503-614-0430
Developer of Industrial ZMODEM(Tm) for Embedded Applications
Omen Technology Inc "The High Reliability Software"
10255 NW Old Cornelius Pass Portland OR 97231 FAX 629-0665
-
Re: Linux vs MS Security
Chuck Forsberg WA7KGX N2469R wrote:
[color=blue]
> Now and then I encounter a Microsoftie who claims Linux
> is as vulnerable as Windows because there are a comparable
> number of security patches released. Not being a security[/color]
If you go by the number, yes, maybe even more. However, what does this
number tell you? Not much. Nothing in fact, because the number isn't set off
against another measure. For example LOC. Or what the numbers are about.
[color=blue]
> 1 (SPAM) What percentage of SPAM is transmitted by compromised
> Linux systems compared to Microsoft?[/color]
A badly configured Linux box is just as dangerous in that respect as a
Windows box. In fact I can remember a client having trouble with Exchange
being configured as an open relay by default out of the box. Go figure. I
think however that the number of Linux boxen turned into a spamspew by
means of a trojan is far lower.
[color=blue]
> 2 How does Linux compare with Windows for spyware vulnerability?[/color]
What spyware? There are ways to do keyboard logging, but everybody uses ssh
nowadays and is behind a firewall. Even if one has a Linux box.
[color=blue]
> 3 How many Linux worms/virii in the last ten years??[/color]
There are numbers about that. I think the total number of virii for
UNIX/Linux lies around 300. That said, infections generally tend to be
contained because of the more rigorous security in UNIX.
--
Ruurd
..o.
...o
ooo
-
Re: Linux vs MS Security
On Thu, 25 Aug 2005 10:39:23 -0700, Chuck Forsberg WA7KGX N2469R wrote:
[color=blue]
> Now and then I encounter a Microsoftie who claims Linux is as vulnerable
> as Windows because there are a comparable number of security patches
> released.[/color]
(Assuming this isn't a troll to start yet another pissing contest)
Security patches being released is a good thing... if they actually fix
the security problem and don't create new ones. The number of patches
released is no measure of the security of the OS... the response to
security issues from the developer is.
Linux patches usually fix the issue at hand and don't usually introduce
new issues.
Many of the Microsoft patches throughout the years have either not fixed
the issue at hand or created new and sometimes worse issues.
Microsoft has actually benefited from being compared to Linux on a
security front. There was a time when MS's policy about some of its
security issues was "It will be fixed in the next OS release"... RedButton
comes to mind.
Though I still don't trust any MS box being connected directly to the
internet without something in between it and the rest of the world, it is
safe to say that MS has vastly improved its response to security issues
since the NT 4.0 days... whether they have been successful at making their
OS reasonably secure is a matter of opinion.
[color=blue]
> Not being a security guru I don't have the facts to rebut. So here are
> my questions.
>
> 1 (SPAM) What percentage of SPAM is transmitted by compromised Linux
> systems compared to Microsoft?[/color]
< .5% (high estimate) - the only way I can imagine a Linux box being
zombied to be a spam server is if the admin manually downloads and
installs a compromised piece of software. You will not have your Linux box
taken over by browsing a web page as you can in Windows.
[color=blue]
> 2 How does Linux compare with Windows for spyware vulnerability?[/color]
It's extremely difficult to install and run a program on a secure *nix
system. See answer to #1.
[color=blue]
> 3 How many Linux worms/virii in the last ten years??[/color]
Don't know... But most viruses and worms are written by people who aren't
very good programmers... so, naturally, they tend to write them for the
easiest systems to compromise. There hasn't been a TCP/IP specific worm
written since the early '80s.
I've never had a compromised *nix system... and, truthfully, I've had very
few compromised Windows systems, but I'm very security conscious and
usually use the *nix systems to protect the Windows systems.
The biggest issue with security lies with the operator, not the OS.
--
"Blessed is he who expects nothing, for he shall never be disappointed."
Benjamin Franklin (I didn't know he was a Buddhist)
-
Re: Linux vs MS Security
Chuck Forsberg WA7KGX N2469R wrote:[color=blue]
> Now and then I encounter a Microsoftie who claims Linux
> is as vulnerable as Windows <snip>[/color]
[url]http://www.techweb.com/wire/security/54201306[/url]
"Not surprisingly, Windows XP SP1 sans third-party firewall had the
poorest showing. In some instances, someone had taken complete control
of the machine in as little as 30 seconds."
--
Let's not complicate our relationship
by trying to communicate with each other.
-
Re: Linux vs MS Security
On Thu, 25 Aug 2005 10:39:23 -0700, Chuck Forsberg WA7KGX N2469R wrote:[color=blue]
> Now and then I encounter a Microsoftie who claims Linux
> is as vulnerable as Windows because there are a comparable
> number of security patches released.[/color]
No, having to wait for the second Tuesday of the month makes Windows
more vulnerable.
Heh,heh look here to see what it takes to tighten XP.
[url]http://www.blackviper.com/WinXP/servicecfg.htm[/url]
Is there any chance of the casual user knowing what to disable or set
manual?
Guessing linux has more security patches released. Micro$oft does not
show all patches released. Keeps the comparison looking good for them.
Micro$oft used to get razzed about number of patches released and was
not too long after that they changed to once a month releases.
Reason given was that commercial customers could not keep up testing
and rolling out patches.
People are looking for linux exploits and updates usually ready within a
week and available for download.
You get to wait for second Tuesday of the month for M$.
Something to look at here
[url]http://www.eeye.com/html/research/upcoming/[/url]
[color=blue]
> Not being a security guru I don't have the facts to rebut. So here
> are my questions.[/color]
[color=blue]
> 1 (SPAM) What percentage of SPAM is transmitted by compromised
> Linux systems compared to Microsoft?[/color]
No way to tell unless you want to run code against ip addresses found
at [url]http://www.spamcop.net/[/url] to guess OS.
I would bet greater than 90% because malware downloads a smtp server
and starts spewing email messages.
[color=blue]
> 2 How does Linux compare with Windows for spyware vulnerability?[/color]
Majority of spyware will not install/run on linux.
[color=blue]
> 3 How many Linux worms/virii in the last ten years??[/color]
Not enough for the Antivirus Vendors to make a living with. :)
Grand total unix and linux is less than 300.
-
Re: Linux vs MS Security
[Ivan Marsh][color=blue][color=green]
>> 1 (SPAM) What percentage of SPAM is transmitted by compromised Linux
>> systems compared to Microsoft?[/color][/color]
[color=blue]
> < .5% (high estimate) - the only way I can imagine a Linux box being
> zombied to be a spam server is if the admin manually downloads and
> installs a compromised piece of software.[/color]
Well. A linux box not being maintained or upgraded, or badly
installed in the first place, is very likely to get compromised. I
know there exist boxes that have been connected to the net for years
and years without any maintenance or upgrades being performed -
sysadmins eventually throwing up a firewall to hide the problem.
For one thing it is not so many years ago when most of the mail server
software by default was set up as open relays. It was also common to
have linux distributions where lots and lots of servers were set up by
default. It used to be normal to let servers run as root. Security
flaws have always existed, notoriously buffer-overflows. Thus, having
a linux box with servers running on Internet without patching up the
software every now and then is a quite risky affair, if a skilled
person gains root access to the box and starts installing back doors,
trojans, etc, then it will be extremely difficult to "clean up" the
system. Of course, this applies to windows as well.
[color=blue]
> You will not have your Linux box
> taken over by browsing a web page as you can in Windows.[/color]
Of course, a regular linux user would not run his browser as "root",
thus the box won't be taken over no matter how many holes there are in
the browser. Some Microsofties I'm regularly discussing security
with, would claim that the same applies to windows. When people are
running all their applications as "System Administrator" on their
windows boxes, it is (according to said Microsofties) due to
ignorance; everybody should learn a bit about computing before using
or owning a computer. Well, I tend to disagree, surfing the web
should be reasonably safe for anyone, and it should be possible for
Microsoft to deliver a virtually maintenance-free product, or
eventually, for dealers to do support/maintenance for dummies.
That being said, of course I feel miles safer running Mozilla than
MSIE, both because I expect Mozilla to be safer and because it is less
targeted.
--
This signature has been virus scanned, and is probably safe to read
Tobias Brox, 69°42'N, 18°57'E
-
Re: Linux vs MS Security
Chuck Forsberg WA7KGX N2469R <caf@omen.com> wrote:[color=blue]
> Now and then I encounter a Microsoftie who claims Linux
> is as vulnerable as Windows because there are a comparable
> number of security patches released.[/color]
As has been said by others, this is a silly way to measure security.
The "closed source" and "open source"-community have two quite
different philosophies when it comes to security, and it is quite hard
to say that one is better than the other.
In the "open source"-community, everything is transparent. The bad
thing about this is, of course, that anyone can find the weak spots,
and eventually exploit them. The good thing is that the weak spots
get found and fixed. Quite often the security faults get announced
first, and fixed later - quite often the delay between the security
alert and the fix is small, often a proposed patch is applied with the
announcement, though it may take some time until the fix is official
and part of the linux distributions.
In the "closed source"-community, the code is secret. The good thing
about it is that the weak spots quite often are unknown, and thus not
exploited. The bad thing is, of course, that one can never know how
many weak spots there are, and eventually how many people have inside
information about those weak spots. Now I've heard two quite
different views on how good Microsoft is on patching up their security
holes, so I'd be pleased if anyone could fill me out on this:
- The Microsofties I'm regularly discussing security with, claim
that never (or almost never, or, at least not as they know) has a
security hole been publicly known _before_ an official patch for the
security hole was out.
- The other story I've heard is that Microsoft is very slow on making
patches, and that known security holes can stay open for as much as a
month unpatched.
--
This signature has been virus scanned, and is probably safe to read
Tobias Brox, 69°42'N, 18°57'E
-
Re: Linux vs MS Security
On Thu, 25 Aug 2005 21:12:20 +0000 (UTC), Tobias Brox wrote:[color=blue]
>
> In the "closed source"-community, the code is secret.[/color]
But then again it is impressive that with M$ closed source how many
exploits are found.
[color=blue]
> The good thing about it is that the weak spots quite often are
> unknown, and thus not exploited. The bad thing is, of course, that
> one can never know how many weak spots there are, and eventually how
> many people have inside information about those weak spots.[/color]
Quite right. The black hats used to brag about the exploits. Now that
the criminals are into it, they keep the exploits to themselves.
Now that they are starting to avoid honeypots, it is getting harder
to find out about the malware.
[color=blue]
> Now I've heard two quite
> different views on how good Microsoft is on patching up their security
> holes, so I'd be pleased if anyone could fill me out on this:[/color]
Saw remarks from M$ execs where they did not bother with exploits
until found in the wild.
[color=blue]
> - The other story I've heard is that Microsoft is very slow on making
> patches, and that known security holes can stay open for as much as a
> month unpatched.[/color]
[url]http://www.eeye.com/html/research/upcoming/[/url]
-
Re: Linux vs MS Security
Chuck Forsberg WA7KGX N2469R <caf@omen.com> wrote:[color=blue]
> Now and then I encounter a Microsoftie who claims Linux
> is as vulnerable as Windows because there are a comparable
> number of security patches released.[/color]
This sounds like a fairly content-free OS-advocacy discussion. Are you
_sure_ you want to have one?
I.e., if you stop to think for just a moment, you'll realise multiple
reasons why the relative _number_ of security patches (a) cannot be
determined and (b) would be irrelevant to the question at hand, anyway:
1. Linux distributions differ drastically, from one to the next, as to
the number and scope of codebases (applications, daemons, etc.)
furnished with the base OS. E.g., there are over 17,000 packages (per
supported architecture) in Debian's stable branch. (_However_, basically
all Linux distributions offer a considerably greater number and scope
of codebases than do Microsoft's extremely spartan MS-Windows releases.
This is the biggest single "apples and oranges" portion of the problem,
though there are others.)
2. Distributions not only differ greatly about number and scope of
packages, but also typically offer considerable latitude about whether
to install the kitchen sink, almost nothing, or anything in-between.
Not all software is likely to get installed -- or run, if it is
installed. However, security patches get released for all contents,
both often-used and almost-never-used.
For the preceding two reasons alone -- and there are others -- if there
were (hypothetically) a "comparable" number of patches released for
Debian-stable's 17,000 packages and for MS-Windows XP's bare OS +
Wordpad + MSIE + MS Outlook Express, wouldn't that seem (on just numbers)
to be an extremely damning indictment of _MS-Windows_?
3. However, not all "security patches" are created equal. First, some
are reactive and others are anticipatory. (Guess the tendencies of
Linux and MS-Windows security patches in that area: You'll probably
guess right.) Some are against theoretical attacks that may or may not
ever be made real. Some are to guard against remote privilege
escalation and system compromise, some are for local-only privilege
escalation, some are for remote denial of service, some are for
local-only denial of service. Those are of radically differing
importance. E.g., one "hole" in Apache 1.3.x, some years back,
theoretically allowed a remote attacker to bump off Apache listening
processes, a few at a time -- and that's it. Apache 1.3's a
fork-and-exec daemon: You kill a few, it spawns off a bunch more. Big
deal.
Not all vulnerabilities are credible or serious. Not all exploits are
credible or serious.
Some remote attacks are much more likely to give you root/Administrator
privilege. (Guess which platform generally has a much greater problem
with remote-root attacks?)
Patches that aren't anticipatory, by definition, involve a "window" of
delay between the time the vulnerability is discovered to (1) the time
an exploit is discovered and deployed, and (2) the time a patch becomes
available and known. Guess which platform generally has a problem with
the patches that fix serious problems arriving in public much later than
the exploit code did?
Not all patches are non-problematic. Linux systems tend to have modular
functionality for, in particular, security-sensitive code: You can
upgrade or patch one part without adversely affecting another part.
MS-Windows systems, by contrast, have an ongoing problem in that area:
Sites delay deploying service packs and hotfixes because they break too
many other things, while fixing others.
[color=blue]
> 1 (SPAM) What percentage of SPAM is transmitted by compromised
> Linux systems compared to Microsoft?[/color]
I'm not sure how you'd even determine that.
[color=blue]
> 2 How does Linux compare with Windows for spyware vulnerability?[/color]
Spyware is essentially unknown on Linux to my knowledge. Certainly,
there is nothing at present remotely like the forest of such things that
beset MS-Windows XP systems of recent vintage. The only thing I can
think of, historically, that might qualify is certain releases a long
time ago of Real Networks's RealPlayer, which were said to have code in
them, put there by the publisher, to spy on the media-browsing
activities of users and report back. (I'm not sure that code was
present in the Linux version.)
What is in common among MS-Windows spyware packages is that it is
spy-on-the-user code installed accidentally by the user along with some
software package the user deliberately installs because he believes he wants
it (the latter). That is, in a way, an artifact of the way MS-Windows
users operate: installing and running software from any-old-where, with
a notable lack of caution. This tends not to happen on Linux because
they rely more heavily on monitored distribution chains, because Linux
users already have much of the software they need, and because Linux Web
browsers deliberately lack some dangerous install-from-remote functions,
notably ActiveX.
[color=blue]
> 3 How many Linux worms/virii in the last ten years??[/color]
Here's a survey. Note the information about vulnerability windows,
and the fact that the packages in question are in general relevant only
to machines run in server roles, deliberately exposed as such to public
networks:
[url]http://linuxmafia.com/~rick/faq/index.php?page=virus#virus5[/url]
--
Cheers, "Due to circumstances beyond our control, we regret to
Rick Moen inform you that circumstances are beyond our control."
[email]rick@linuxmafia.com[/email] --Paul Benoit
-
Re: Linux vs MS Security
Tobias Brox wrote:
[color=blue]
> The "closed source" and "open source"-community have two quite
> different philosophies when it comes to security, and it is quite hard
> to say that one is better than the other.[/color]
Okay, then simply compare the relative amount of internet servers
compromised.
A hint: Microsoft wins that race every time.
[color=blue]
> In the "open source"-community, everything is transparent. The bad
> thing about this is, of course, that anyone can find the weak spots,
> and eventually exploit them.[/color]
They'd have to be fairly competent programmers to find them in the first
place - better than the creators of said software, anyway.
The offhand comment that "anyone can find the weak spots" is too
hilarious to take seriously.
[color=blue]
> In the "closed source"-community, the code is secret. The good thing
> about it is that the weak spots quite often are unknown, and thus not
> exploited.[/color]
Yeah, right - so where do the roughly 10 exploits a month come from that
are publicly revealed ? Psychics ?
If what you say holds (and it still may) that means there are so much
boogs and holes in M$ software it would put a Swiss cheese to shame.
[color=blue]
> - The Microsofties I'm regularly discussing security with, claim
> that never (or almost never, or, at least not as they know) has a
> security hole been publicly known _before_ an official patch for the
> security hole was out.[/color]
Actually, it's the other way around - other people have to tell M$ every
time that there are huge gaping holes before they will even deign to
look at it - M$'s official stance is "if people don't complain, we aint
spendin' money on it".
[color=blue]
> - The other story I've heard is that Microsoft is very slow on making
> patches, and that known security holes can stay open for as much as a
> month unpatched.[/color]
The average leans towards the 3+ months, actually.
-
Re: Linux vs MS Security
Jeroen Geilman <news@adaptr.nl> wrote:[color=blue]
> Tobias Brox wrote:[/color]
[color=blue][color=green]
>> - The other story I've heard is that Microsoft is very slow on making
>> patches, and that known security holes can stay open for as much as a
>> month unpatched.[/color]
>
> The average leans towards the 3+ months, actually.[/color]
My favourite anecdote about that is the F00F bug. See:
"F00F Bug" on [url]http://linuxmafia.com/kb/Hardware/[/url]
It was a grave bug in Pentium / PPro processors, discovered in 1997,
that Intel managed to talk its way out of fixing by some subtle
misdirection that somehow convinced people that the CPU defect was OS
vendors' problem.
(Any affected CPU would immediately lock up if induced to load and run
the instruction "F0 0F C7 C8" by anything at all, with any authority.)
Regardless, after the bug was publicised on 1997-11-10, the BSDi people
were first to produce a fix, using information they received from Intel
under NDA -- in something like 2-3 days. The Linux kernel coders,
working _without_ NDA information, were able to do likewise within, if
memory serves, about one day more.
Microsoft? They got around to hotfixing some but not all of their
then-supported OS releases about six months later.
--
Cheers, "Due to circumstances beyond our control, we regret to
Rick Moen inform you that circumstances are beyond our control."
[email]rick@linuxmafia.com[/email] --Paul Benoit
-
Re: Linux vs MS Security
Rick Moen wrote:
[color=blue]
> My favourite anecdote about that is the F00F bug. See:
> "F00F Bug" on [url]http://linuxmafia.com/kb/Hardware/[/url]
>
> It was a grave bug in Pentium / PPro processors, discovered in 1997,
> that Intel managed to talk its way out of fixing by some subtle
> misdirection that somehow convinced people that the CPU defect was OS
> vendors' problem.
>
> (Any affected CPU would immediately lock up if induced to load and run
> the instruction "F0 0F C7 C8" by anything at all, with any authority.)[/color]
I always wondered about that one - I know any non-ancient Linux kernel
shows it checking for the f00f bug on boot, but I thought it was limited
to the original Pentiums ? (P54C)
Or is this not the same as the math rounding error ?
Perhaps that one was in the original chip...
Anyway, just goes to show.
-
Re: Linux vs MS Security
Jeroen Geilman <news@adaptr.nl> wrote:
[F00F bug:]
[color=blue]
> I always wondered about that one - I know any non-ancient Linux kernel
> shows it checking for the f00f bug on boot, but I thought it was limited
> to the original Pentiums ? (P54C)
> Or is this not the same as the math rounding error ?[/color]
A lot of people get those confused. No, this was not the same as the
infamous FDIV (floating point) error that was such a scandal. Part of
what was so remarkable was that it was a great deal _worse_, and yet
Intel managed to palm off the problem onto OS vendors, to fix it with
software countermeasures.
The latter did eventually work well for end-customers, with (as I said)
the time-to-fix depending greatly on which OS it was.
-
Re: Linux vs MS Security
In the Usenet newsgroup comp.os.linux, in article
<440e$432800b9$c690c3ba$12436@TSOFT.COM>, Rick Moen wrote:
[color=blue]
>It was a grave bug in Pentium / PPro processors, discovered in 1997,
>that Intel managed to talk its way out of fixing by some subtle
>misdirection that somehow convinced people that the CPU defect was OS
>vendors' problem.[/color]
----------------------------------------
] Path: excalibur.flash.net!nntp.flash.net!sunqbc.risq.qc.ca
!cpk-news-hub1.bbnplanet.com!news.bbnplanet.com!cs.utexas.edu
!geraldo.cc.utexas.edu!not-for-mail
] From: [email]noname@noname.com[/email]
] Newsgroups: comp.os.linux.advocacy
] Subject: This code will lock up any P5 machine, even usermode Linux!
(F0 0F C7 C8)
] Date: Thu, 06 Nov 1997 21:57:33 -0800
] Organization: The University of Texas at Austin, Austin, Texas
] Lines: 7
] Message-ID: <3462ADCD.135B@noname.com>
] NNTP-Posting-Host: dial-102-5.ots.utexas.edu
] Mime-Version: 1.0
] Content-Type: text/plain; charset=us-ascii
] Content-Transfer-Encoding: 7bit
] X-Mailer: Mozilla 3.0 (Win95; I)
]
] Hi,
]
] Check this out. If you execute F0 0F C7 C8 on a P5 it will lock the
] machine up. This is true for any operating system including usermode
] Linux. It's pretty cool. Basically, the opcodes are an invalid form
] of cmpxchg8b eax with a lock prefix. Has anyone seen this before? The
] problem doesn't show itself for the Pentium Pro or Pentium 2.
----------------------------------------
I don't think anyone ever identified the discoverer. There was some talk
that whoever it was worked for Cyrix and was reverse engineering the chip.
Others claimed that it was more likely a computer science student at the
University of Texas at Austin. I imagine if Intel were serious, they could
have filed a complaint and the police would have had a look at the dialin
logs - never heard a word about that.
[color=blue]
>Regardless, after the bug was publicised on 1997-11-10,[/color]
Are you sure of the date? The original posting (above) was late on the
sixth, and the next few days were like someone stomped on a fire ant nest.
[color=blue]
>the BSDi people were first to produce a fix, using information they
>received from Intel under NDA -- in something like 2-3 days.[/color]
google groups has a thread in comp.unix.bsd.freebsd.misc dated Tue, 11
Nov 1997 16:38:48 -0700 announcing the BSDi fix. It was withdrawn on the
12th apparently because it was released in violation of the NDA, and there
was a lot of bickering in that group over the Linux fix.
[color=blue]
>The Linux kernel coders, working _without_ NDA information, were able to
>do likewise within, if memory serves, about one day more.[/color]
-------------------------------------------
]From: [email]torvalds@transmeta.com[/email] (Linus Torvalds)
]Newsgroups: comp.os.linux.misc,comp.os.linux.hardware
]Subject: Pentium bug workaround, please test!
]Date: 12 Nov 1997 19:27:02 GMT
]Organization: Transmeta Corporation, Santa Clara, CA
]Lines: 20
]Message-ID: <64cvu6$b3f$1@palladium.transmeta.com>
]NNTP-Posting-Host: penguin.transmeta.com
]
]I just made 2.1.63 available on the normal ftp site (ftp.kernel.org,
]directory pub/linux/kernel/v2.1). The most exciting change is probably
]the preliminary patch by Ingo Molnar that should work around the by now
]well-known Pentium lock-up bug. Many thanks to Ingo who put together
]the patch from various snippets of information floating around.
[...]
]Please give it a good testing, especially the Pentium bug workaround.
]Throw all the tests you have at it, to see that it really works. We'll
]be doing a 2.0.x patch for that too, but it's probably not going to
]appear for a few days, so in the meantime testing this fix on 2.1.x
]would be a GoodThing(tm)...
]
] Linus
-------------------------------------------
and
-------------------------------------------
]From: [email]set-usenet-879492588@reality.samiam.org[/email] (Sam Trenholme)
]Newsgroups: comp.os.linux.development.system,comp.os.linux.advocacy,
comp.os.linux.misc
]Subject: F00F bug *fixed* in 2.0.x kernels
]Date: 14 Nov 1997 07:27:58 GMT
]Organization: Linux reality.samiam.org 2.0.30 #2 Mon Sep 15 1997 i686 unknown
]Lines: 41
]Message-ID: <64guhu$p7k@news9.noc.netcom.net>
]NNTP-Posting-Host: reality.samiam.org
]X-NETCOM-Date: Fri Nov 14 1:27:58 AM CST 1997
]
]Linux 2.0.x users:
]
]The Linux developers have, again, done the impossible. Within seven days
]of the serious FOOF bug in the Pentium being discovered, the kernel
]developers have not only figured out a software fix for the problem, but
]have patches for *both* the 2.1.63 and the 2.0.31 kernels which make
]Linux immune to the F00F bug.
]
]The patch for the F00F bug successfully works on the latest pre-2.0.32
]version. As I type these words on my Pentium Linux laptop, the sequence
]F0 0F C7 C8 is being run over and over again in an infinite loop.
-------------------------------------------
[color=blue]
>Microsoft? They got around to hotfixing some but not all of their
>then-supported OS releases about six months later.[/color]
Did they ever fix it at all? I know Novell didn't. My understanding was
that they claimed there was no need to fix it, as no compiler would
produce that machine code. Obviously wrong, as anyone who has ever coded
ANYTHING knows (how do they think it was discovered in the first place,
magic?), but that was their story at the time.
Old guy
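
The byte pattern discussed in this post, as an added example that is not part of the original thread: a C scanner that tells the locked register-operand form of CMPXCHG8B (F0 0F C7 C8 through CF) apart from the legal memory-operand form, for checking a binary blob before it reaches an unpatched P5-class system. The function names and the sample buffer are constructed for illustration, and this is a linear byte match, not a disassembler, so hits inside data are possible.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef enum {
    F00F_NONE = 0,        /* no CMPXCHG8B encoding at this offset */
    F00F_VALID_MEM,       /* 0F C7 /1 with a memory operand: legal instruction */
    F00F_INVALID_REG,     /* register operand, no LOCK: invalid operand form */
    F00F_LOCKED_INVALID   /* LOCK prefix + register operand: the pattern from the post */
} f00f_class;

/* Legacy x86 prefixes that may precede the 0F C7 opcode bytes. */
static int is_legacy_prefix(uint8_t b)
{
    switch (b) {
    case 0xF0: case 0xF2: case 0xF3:             /* LOCK, REPNE, REP */
    case 0x2E: case 0x36: case 0x3E: case 0x26:  /* CS, SS, DS, ES overrides */
    case 0x64: case 0x65:                        /* FS, GS overrides */
    case 0x66: case 0x67:                        /* operand-size, address-size */
        return 1;
    default:
        return 0;
    }
}

/* Classify the bytes starting at buf[off]. On a match, *insn_len receives the
 * number of bytes from off through the ModRM byte (SIB/displacement bytes of
 * a memory form are not counted). */
f00f_class f00f_classify(const uint8_t *buf, size_t len, size_t off, size_t *insn_len)
{
    size_t i = off;
    int locked = 0;

    if (off >= len)
        return F00F_NONE;
    /* An x86 instruction is at most 15 bytes, so bound the prefix run. */
    while (i < len && i - off < 12 && is_legacy_prefix(buf[i])) {
        if (buf[i] == 0xF0)
            locked = 1;
        i++;
    }
    /* Need both opcode bytes and the ModRM byte. */
    if (len - i < 3 || buf[i] != 0x0F || buf[i + 1] != 0xC7)
        return F00F_NONE;

    uint8_t modrm = buf[i + 2];
    if (((modrm >> 3) & 7) != 1)      /* reg field /1 selects CMPXCHG8B */
        return F00F_NONE;
    if (insn_len)
        *insn_len = i + 3 - off;
    if ((modrm >> 6) != 3)            /* mod != 11b: memory operand, legal */
        return F00F_VALID_MEM;
    return locked ? F00F_LOCKED_INVALID : F00F_INVALID_REG;
}

/* Count locked register-form encodings in a buffer; *first_hit gets the
 * offset of the first one (start of its prefix run). */
size_t f00f_scan(const uint8_t *buf, size_t len, size_t *first_hit)
{
    size_t hits = 0, off = 0;

    while (off < len) {
        size_t n = 1;
        if (f00f_classify(buf, len, off, &n) == F00F_LOCKED_INVALID) {
            if (hits == 0 && first_hit)
                *first_hit = off;
            hits++;
            off += n;                 /* skip past the matched bytes */
        } else {
            off++;
        }
    }
    return hits;
}

/* Constructed sample: a legal locked memory form, an unlocked register form,
 * and the four bytes quoted in the post. */
static const uint8_t SAMPLE[] = {
    0x90,                             /* nop */
    0xF0, 0x0F, 0xC7, 0x08,           /* lock cmpxchg8b [eax]: legal */
    0x0F, 0xC7, 0xC8,                 /* register operand, no LOCK */
    0x90,
    0xF0, 0x0F, 0xC7, 0xC8,           /* the sequence from the post */
    0xC3                              /* ret */
};

int main(void)
{
    size_t first = 0;
    size_t hits = f00f_scan(SAMPLE, sizeof SAMPLE, &first);
    printf("locked register-form CMPXCHG8B: %zu hit(s), first at offset %zu\n",
           hits, first);
    return 0;
}
```
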
-
Re: Linux vs MS Security
Moe Trin <ibuprofin@painkiller.example.tld> wrote:
[F00F bug:]
[color=blue][color=green]
>>Regardless, after the bug was publicised on 1997-11-10,[/color]
>
> Are you sure of the date? The original posting (above) was late on the
> sixth, and the next few days were like someone stomped on a fire ant nest.[/color]
No, I was actually up during the middle of the night after donating
blood and then crashing for several hours, really had no business
attempting to be coherent on Usenet at that time, and only partially
succeeded. Ordinarily, I'd have properly re-found the date stamp on the
original newsgroup posting before saying that, but I was just too tired.
(That's a poor excuse, I know. I knew I was likely to get it slightly
wrong, but was exhausted and momentarily didn't care. My lazy
guesstimate about the number of months until Microsoft's NT patch was
off, too -- but in the ballpark.)
[Microsoft:]
[color=blue]
> Did they ever fix it at all?[/color]
Now that you mention it.... Hmm, I notice that their earlier
[url]http://premium.microsoft.com/support/kb/articles/q163/8/52.asp[/url] page that
they posted in 1998 doesn't exist, any more. Ah, here:
[url]http://support.microsoft.com/kb/163852/EN-US/[/url]
I found that by googling for Intel's mind-numbing moniker for the
problem, "Invalid Operand with Locked CMPXCHG8B Instruction". Page
claims that NT 3.51 got some sort of hotfix, but they don't actually
name or link that hotfix. NT 4.0 got a fix as part of SP 4.0. Win95
_never_ got any sort of fix, it seems -- just as I was saying in '98.
It's a bit frightening to think that I might personally have been -- for
a while -- the best-informed commentator on this problem other than
Robert Collins (who wasn't saying much). And I was a rank amateur. ;->
[color=blue]
> I know Novell didn't. My understanding was that they claimed there
> was no need to fix it, as no compiler would produce that machine code.
> Obviously wrong, as anyone who has ever coded ANYTHING knows (how do
> they think it was discovered in the first place, magic?), but that was
> their story at the time.[/color]
Yes, that was quite bogus. Here's the actual vendor statement, from
Intel's informational page:
"Novell's network operating system NetWare/IntranetWare is not
affected by the invalid instruction erratum found in the Pentium
processor. NetWare/IntranetWare requires proper authentication to run
NLM's [sic] and applications on the server. Due to this secure
access, NetWare/IntranetWare is not susceptible to NLM's [sic] or
applications that would use the invalid opcode. For further
information, please contact Novell at 1-801-861-5533 or www.novell.com."
Tom Oldroyd
Senior Marketing Manager
Novell Inc.
--
Cheers, "Due to circumstances beyond our control, we regret to
Rick Moen inform you that circumstances are beyond our control."
[email]rick@linuxmafia.com[/email] --Paul Benoit
-
Re: Linux vs MS Security
Rick Moen wrote:
....
[color=blue][color=green]
>>1 (SPAM) What percentage of SPAM is transmitted by compromised
>>Linux systems compared to Microsoft?[/color]
>
> I'm not sure how you'd even determine that.[/color]
Trace the chain back to the originating IP? I suspect that the majority, if
not all, of spam from compromised systems comes from Windows systems.
....
[color=blue][color=green]
>>3 How many Linux worms/virii in the last ten years??[/color][/color]
A Linux virus is much less likely due to the hostile nature of the OS (to
such programs) - most breaches are normally not by an automatic virus, but
by a remote user-initiated script once they've found a service with a hole.
With respect to the running of viruses, here's someone's attempts at running
(and benchmarking) some viruses [for Windows] (via wine on Linux), enjoy:
[url]http://os.newsforge.com/article.pl?sid=05/01/25/1430222&from=rss[/url]
-
Re: Linux vs MS Security
Robert Newson <ReapNewsB@bullet3.fsnet.oc.ku> wrote:
[color=blue][color=green][color=darkred]
>>>1 (SPAM) What percentage of SPAM is transmitted by compromised
>>>Linux systems compared to Microsoft?[/color]
>>
>> I'm not sure how you'd even determine that.[/color]
>
> Trace the chain back to the originating IP?[/color]
In theory, yes. Hope you have a funding grant for that. ;->
[color=blue]
> I suspect that the majority, if not all, of spam from compromised
> systems comes from Windows systems.[/color]
Yes, seems likely. I was just trying to stick to what I knew for sure.
[color=blue][color=green][color=darkred]
>>>3 How many Linux worms/virii in the last ten years??[/color][/color]
>
> A Linux virus is much less likely due to the hostile nature of the OS (to
> such programs) - most breaches are normally not by an automatic virus, but
> by a remote user-initiated script once they've found a service with a hole.[/color]
Part of the point of my long-standing Linux virus "rants" (essays) on
the Web was that, as a novice Linux admin, you have a lot bigger worries
than malware -- and that Linux malware as a general category is a
trivial aftereffect of much more basic and severe underlying
administrative deficiencies, which logically should get your attention,
instead.
[color=blue]
> With respect to the running of viruses, here's someone's attempts at running
> (and benchmarking) some viruses [for Windows] (via wine on Linux), enjoy:
>
> [url]http://os.newsforge.com/article.pl?sid=05/01/25/1430222&from=rss[/url][/color]
Yes. In as much as Matt Moen (the author) and I appear to be part of
the far-flung extended Moen clan, and since we've both written about
Linux viruses, we made a point of having dinner together during the
recent LinuxWorld in San Francisco. He's a nice guy (and I wrote him
fanmail when his article first appeared).
--
Cheers, "Due to circumstances beyond our control, we regret to
Rick Moen inform you that circumstances are beyond our control."
[email]rick@linuxmafia.com[/email] --Paul Benoit
-
Re: Linux vs MS Security
In the Usenet newsgroup comp.os.linux, in article
<44a5b$4328dda6$c690c3ba$27741@TSOFT.COM>, Rick Moen wrote:
[color=blue][color=green]
>>[Microsoft:][/color]
>[color=green]
>> Did they ever fix it at all?[/color]
>
>Now that you mention it.... Hmm, I notice that their earlier
>[url]http://premium.microsoft.com/support/kb/articles/q163/8/52.asp[/url] page that
>they posted in 1998 doesn't exist, any more.[/color]
Well, it was a few years ago ;-) Besides, who is trying to run XP
on a puny little Pentium 266? (My firewall is a 386SX-16, and I have several
486 and early Pentiums running as servers.)
[color=blue]
>Page claims that NT 3.51 got some sort of hotfix, but they don't actually
>name or link that hotfix. NT 4.0 got a fix as part of SP 4.0. Win95
>_never_ got any sort of fix, it seems -- just as I was saying in '98.[/color]
That's ridiculous. Of course, there are so many other ways to screw up
a windoze box, maybe they were thinking of priorities (yeah, right).
[color=blue][color=green]
>> I know Novell didn't. My understanding was that they claimed there
>> was no need to fix it, as no compiler would produce that machine code.[/color][/color]
[color=blue]
>Yes, that was quite bogus. Here's the actual vendor statement, from
>Intel's informational page:
>
> "Novell's network operating system NetWare/IntranetWare is not
> affected by the invalid instruction erratum found in the Pentium
> processor.[/color]
That is false, but
[color=blue]
> NetWare/IntranetWare requires proper authentication to run
> NLM's [sic] and applications on the server. Due to this secure
> access, NetWare/IntranetWare is not susceptible to NLM's [sic] or
> applications that would use the invalid opcode.[/color]
That part is sorta true. You can't run user-land crap on a Novell server,
and all of the CNE/CNA that I know wouldn't let a luser within ten paces
of the server. Netware replaces DOS as the O/S, with completely different
libraries, and so on. DOS was only used to boot the server, and could be
(and usually was) removed from memory once the server started. There was
a 'removedos' command to do so, freeing up memory for cache. Additionally,
the creation of NLMs and applications that run on the server is quite
limited (compared to DOS/Win or *nix), such that you _usually_ know where
the binary came from and is thus much less likely to be bent. It's a form
of 'security by obscurity' (nobody writes code for "that" old P.O.S), but
it works to a limited extent. It certainly wasn't impossible to create a
malicious binary - it was just a lot harder to get it installed in a place
where it would be run. Screwing up the workstations was easy, because
they ran DOS/Windoze with a networking shim added. Any luser could run a
virus and wedge the workstation, but that had no effect on the server.
Old guy
-
Re: Linux vs MS Security
Chuck Forsberg WA7KGX N2469R wrote:[color=blue]
> Now and then I encounter a Microsoftie who claims Linux
> is as vulnerable as Windows because there are a comparable
> number of security patches released. Not being a security
> guru I don't have the facts to rebut. So here are my
> questions.
>
> 1 (SPAM) What percentage of SPAM is transmitted by compromised
> Linux systems compared to Microsoft?
>
> 2 How does Linux compare with Windows for spyware vulnerability?
>
> 3 How many Linux worms/virii in the last ten years??
>[/color]
I was one of the first to deploy a Linux box (Slackware 1.?) with a
cable modem, and left it running for 7 years untouched. It had 3.3MB of
attempts in the auth.log; not one got in, in 7 YEARS.
That was when Linux first came out, kernel 1.3x I think. Been a long time ago.
#include <xenophed@charter.net>
#DIFINE M$ = "sucks"