ABM Considered Harmful (was: piercing corporate)

bscott at ntisys.com
Wed Feb 18 00:04:53 EST 2004


On Mon, 9 Feb 2004, at 5:17am, invalid at pizzashack.org wrote:
> On Sat, Feb 07, 2004 at 11:11:03PM -0500, bscott at ntisys.com wrote:
>> Case in point: One of your recent messages made reference to VBscript and
>> Windows Scripting Host as "Virus Propagation Languages".  If you want to
>> call them tools for virus propagation, then you must also call Perl,
>> Python, TCL, and the Unix shell tools for virus propagation.  They all
>> have equal potential and usage.
> 
> I find that I again have to disagree strongly.  None of these scripting
> languages, to my knowledge, is built into any user tool which is regularly
> used by hordes of users of Linux/Unix systems, which are themselves
> configured to automatically and even invisibly execute arbitrary code
> embedded in application data.

  The problem you're doubtless referring to is the fact that older versions
of Microsoft Outlook (specifically, Outlook 95 and 97) would automatically
"preview" Office files, and in the process execute any macros embedded in
said file.  This is, obviously, a Monumentally Stupid Design Decision(TM),
of the kind Microsoft is famous for.  (They have fixed this problem since,
FWIW.)

  VBScript and WSH are something else.  They're basically a system scripting
language, just like Perl or Python (and, indeed, you can connect both of
those to WSH).  The luser has to "double click" to open the attachment and
run the script.  That is equally possible under Linux.

> ... most systems still run W98 or even W95...

  Now, in this very forum, I have seen you strongly assert that a
compromised Linux system was the fault of the operator not keeping their
software current.  If it works that way for Linux, why does it not work that
way for Windows?  Sure, Microsoft has a history of really bad security
design in their past, but they are not alone in that, either.  Unix, in the
olden days, had plenty of design flaws.  gets(), anyone?  Some of them still
exist (Sendmail's continued and excessive use of "root" privileges has long
been decried as a Very Bad Thing).

  Now, if you want to argue that you're better off running Linux, because
*nix has been around longer, and most of the mistakes have been made, I
might buy that.  OTOH, we don't seem to be getting any better about buffer
overflows...  :-(

> As I pointed out before, I still agree with this statement and certain
> related sentiments, but you seem to be saying that there's nothing
> inherently better about security on Linux, and I have to say it just ain't
> true.

  Actually, I do believe there *are* things on Linux that make it inherently
more secure than Microsoft products.  (I've even said so, in this forum,
recently.)  More importantly, I believe it is easier and cheaper to operate
a Linux system in a secure fashion than to do the same with a Windoze
system.

  I just don't believe *any* of those advantages come into play when you
look at the current exploit techniques being used against Windoze.  They all
attack (1) hideously insecure system configurations, (2) plainly out-of-date
software, and/or (3) blatant user ignorance.  Linux is equally vulnerable to
all three of those.

  Again, it doesn't matter how good your locking mechanism is, if the
problem is that people don't lock the door in the first place.

  I've explained this, at length, to countless people, and some of them
*still* won't do what is needed to fix things.  Even *after* multiple
compromises.  I find it nothing less than dumbfounding.

  That's the real problem.  Linux can do nothing to fight it.

-- 
Ben Scott <bscott at ntisys.com>
| The opinions expressed in this message are those of the author and do  |
| not represent the views or policy of any other person or organization. |
| All information is provided without warranty of any kind.              |





More information about the gnhlug-discuss mailing list