[LINK] Security: from a different direction
cas at taz.net.au
Tue Dec 14 19:25:44 EST 2004
On Tue, Dec 14, 2004 at 05:56:11PM +1100, rchirgwin at ozemail.com.au wrote:
> >1. even "protected" machines can be brought down by a DDoS attack
> >from unprotected machines. or be unable to reach a site because that
> >site (or one of the routers in the path) is under DDoS attack.
> OK. Amendment: someone else's infection doesn't change MY security
> status. It changes my accessibility status.
it's more than just DDoS that you're (potentially) vulnerable to.
you're still ignoring worms/viruses/attacks that you don't know about yet.
just because you're pretty sure you're safe against all currently known ones
doesn't mean you're safe against some as-yet-uninvented attack. you might be
safe, or you might not be. you don't know, and you have no way of knowing.
there might not be much, if anything, you can do about them - except to avoid
believing "i'm secure now, so i'll be secure in the future".
> > 2. there is no such thing as a "protected machine". there is only a
> > machine that is protected against the security holes you currently
> > know about.
> That's equally true of all OSs.
theoretically, yes. practically, no.
or, to put it another way: all operating systems are equal, but some are more
equal than others :)
> I would only plead that in 17 years of owning computers, I have not
> suffered a virus attack.
neither have i. but there's always a first time (and much more likely for you
than for me. i don't run windows so it's extremely unlikely. i've probably
got better odds of winning a lottery).
you're running an OS that is particularly vulnerable to viruses, and which lets
them do anything to change or control the system. it's pretty much only a
matter of time. no matter how careful you are, eventually you will be tired or
not paying attention or whatever and make a mistake. or there'll be a
brand-new exploit technique which you're not protected against.
or you may not even know you're running something that is vulnerable. one of
the reasons the SQL worm was so wide-spread was because all the security
advisories said "affects MS SQL". most of them didn't (for a while) mention
the fact that many end-user applications also included the MS SQL engine, so
many application users were running vulnerable MS SQL without even knowing it.
if they even saw the advisory, they thought "i'm not running MS SQL, so i'm
> >unless the virus checks for and disables ZoneAlarm or reconfigures
> >it for wide-open access. many already check for and disable common
> >anti-virus programs. if there aren't any that also disable personal
> >firewall software yet, then it's only a matter of time.
> But you have to fail the IQ test to activate the virus. Here, I'm not
> talking about Joe Sixpack, who regularly fails the test.
some viruses don't need the IQ test, they can execute without any action
required on the part of the user. ok, yes, choosing to run outlook or IE is
failing the IQ test all by itself, but those two aren't the only vulnerable
applications that can be made to auto-execute code. there's any number of
them, including MS SQL and IIS to name two that have been (and still are)
even mozilla and firefox and thunderbird etc aren't perfect. all software has
bugs. they are bound to have security holes that haven't been discovered yet.
that will be a much bigger deal on windows than it will be on *nix because of
the lack of privilege separation on windows. compromise someone's browser or
mail client on windows and you have complete control of the system. compromise
the same on *nix and the worst you can do is delete that user's files.
> I'm saying that if I can secure Windows, then "it can be done".
for small values of "done".
craig sanders <cas at taz.net.au> (part time cyborg)