[huskerlug] Re: Security from A to Z: Open source MYTHS

  • From: GreyGeek <jkreps@xxxxxxxxxx>
  • To: huskerlug@xxxxxxxxxxxxx
  • Date: Wed, 07 Feb 2007 15:25:55 -0600

You can bet your life that you'll need anti-virus and Trojan software,
along with a REAL firewall to replace the ICF that Microsoft supplies.  
If you use IEn and click on any of many web pages you'll get infected. 
Period.

I just got an email from ZDNet.  The lead story is that Microsoft's
anti-virus package in VISTA FAILS to protect VISTA from viruses!
What's new?
JLK

Jim Worrest wrote:
> The article really was complaining about bugs in Firefox, and there have been
> some found in it.  The article was about open source software, and I'd dare
> say that more people have heard and used Firefox than they have Linux.
>
> I sometimes think some virus programs are a virus themselves. I removed AVG
> instead of getting the paid version, and my Windows 98 on that program would
> not let any updated or new program access the Internet! :-(  Yes I turned off
> the firewall and even put in a new one, but that didn't solve the problem.
> While one needs spyware programs, I don't know if you even need a virus
> program if you don't read email on Windows.  ---Jim
>
> GreyGeek wrote:
>   
>> " Microsoft, leader of the closed-source world, makes more headlines
>> than any other software maker when it comes to security. But that's
>> because the company's products are used by nearly all PC users, not
>> because Microsoft software has more vulnerabilities."
>>
>>
>> That sentence sums up the purpose of that article... to exonerate
>> Microsoft of its many security sins, while impeaching Linux and FOSS
>> projects WITHOUT proof.    Now they are paying Stanford and Symantec to
>> HUNT for bugs in popular FOSS apps?
>>
>> That shouldn't be hard for Symantec.  They can "find" them out of thin air.
>>
>> In 2002 I searched their virus database for viable Linux bugs.  I found
>> 42.   Of those, only six had been found in the wild,  the most recent
>> being 4 years prior.  The other 36 bugs were found on "2 or fewer" PCs
>> and had "low" (read NO) risk.   Now, I wondered how Symantec could find
>> so many sterile bugs on so few PCs?  For a bug to be caught it has to be
>> ACTIVE and it has to catch the attention of the victim, who then reports
>> it to developers or security orgs.     This CAN'T happen 36 times with
>> JUST "TWO PCs, OR FEWER".  My conclusion was that these bugs were failed
>> virus projects by Symantec, trying to cook up viral agents to seed their
>> Linux anti-virus mine, but being used to seed their Linux virus "count".
>>
>> A couple years later someone on LT asked about Linux vulnerability and
>> stated the same myth that C/Net repeated in this "news" article.  I went
>> back to Symantec to do another search and found they had over 400 Linux
>> viruses listed!   Wow!  I decided to research them.  However, Symantec
>> had changed its format for displaying Linux viruses and it now took 
>> half a dozen drill downs to arrive at the crucial data -- method of
>> attack, severity of attack, and threat level -- for a single virus.   
>> This needless increase in complexity was, in my opinion, NO accident.   
>> I drilled down on about 125 of them,  taking the better part of a day, 
>> and discovered that ALL of them were actually WINDOWS viruses (*.exe's
>> or *.jpg's) with the word "Linux" in their names!  This was during that
>> time when there was a lot of media hysteria about Windows AND Linux
>> being susceptible to "cross platform" graphic viruses.    Most of the
>> articles at that time mentioned Windows but primarily fanned anti-Linux
>> flames.   The "proof" was a URL link to Symantec's Linux virus list. 
>> Most readers are gullible or lazy and would do only a cursory
>> examination before concluding that a "10 fold increase" sure indicates
>> that Linux is no safer than Windows -- the conclusions these articles
>> wish the reader to assume.   Time has proven the "threat" to be a hoax
>> as far as Linux is concerned and, for the most part, Windows too.   If I
>> were still doing homicide investigations I'd "follow the money" and see
>> where these Submarine Stories (a.k.a Paul Graham) came from..... IF I
>> had any doubts.
>>
>> The other thing you have to look at are the body counts.    Where are
>> they??  
>>
>>  FOSS runs about 70% of the Internet, while Windows only runs 28%, yet
>> the VAST MAJORITY (99.99999%) of viral agents are launched from Windows
>> servers and desktops.    IF Linux were as vulnerable as Windows then
>> simple logic would dictate that 20% of all body counts would be
>> compromised Linux boxes.   While the last active Linux bug, Slapper,
>> infected 15,000 computers world wide in 2003, CodeRed was infecting
>> MILLIONS at the same time.  Since Slapper the Windows body count has
>> continued to pile up in LARGE NUMBERS, at great expense to Windows users
>> and their personal data, but rarely do we read about even a single Linux
>> box getting infected.... only these kind of scare stories.  Just a few
>> weeks ago TJMax and Marshals,  on the same network, reported that their
>> W2K servers were hacked into and 250,000 CC numbers and passwords were
>> stolen.  This break-in actually took place in October of last year.  The
>> crackers gained access because the IT boss at TJMax emailed a Word
>> document to a supplier.   Microsoft buries identifying and personal info
>> into Word and Excel documents and it appears that this document
>> contained the server passwords.  The email was "acquired" because the
>> supplier's Windows boxes had been compromised.  By the way, this info
>> was published on C/Net at the time, but two days later, when someone
>> challenged me on these facts, I discovered the URL had been taken down. 
>> The Internet Archive had no record of it.    A google search will show
>> some URL's referring to that original article but that's all.
>>
>> I'm glad the Dept of Homeland Security is paying to find FOSS bugs, but
>> I suspect it is really an anti-Linux ploy, especially since Symantec has
>> a vested interest in "finding" Linux bugs.   Still, it's better than
>> paying to find proprietary bug$.
>> JLK
>>
>> Jim Worrest wrote:
>>     
>>>     This can be of interest to Linux users, but to others as well.  ---Jim
>>>
>>>
>>> <http://news.com.com/Security+from+A+to+Z+Open+source/2100-7355_3-6138647.html>
>>>
>>>
>>>   
>>>       
>>     
>
> ----
> Husker Linux Users Group mailing list
> To unsubscribe, send a message to huskerlug-request@xxxxxxxxxxxxx
> with a subject of UNSUBSCRIBE
>
>
>   

-- 
=========
GreyGeek
=========
Remember, a consumer is a customer with no choice.
DRM 'manages access' in the same way that jail 'manages freedom.' 

