[huskerlug] Re: Security from A to Z: Open source MYTHS

• From: Jim Worrest <jworrest@xxxxxxxxxxxxxxxx>
• To: huskerlug@xxxxxxxxxxxxx
• Date: Thu, 08 Feb 2007 06:33:42 -0600

        I never use IE :-P , unless it was to check for upgrades for a Window
operating system. The Mozilla programs can have holes, like any other software,
but those holes are much fewer and more quickly plugged than on IE, to be
fair to CNET, they have always recommended FireFox over IE.  ---Jim

GreyGeek wrote:
> You can bet your life that you'll need anti-virus and Trojan software,
> along with a REAL firewall to replace the ICF that Microsoft supplies.  
> If you use IEn and click on any of many web pages you'll get infected. 
> Period.
> 
> I just got an email from ZDNet.  The lead story is that Microsoft's
> anti-virus package in VISTA FAILS to protect VISTA from viruses!
> What new?
> JLK
> 
> Jim Worrest wrote:
>> The article really was complaining about bugs in Firefox, and there have been
>> some found in it.  The article was about open source software, and I'd dare 
>> say
>> that more people have heard and used Firefox than they have Linux.
>>
>> I sometimes think some virus programs are a virus themselves. I removed AVG
>> instead of getting the paid version, and my Windows 98 on that program would 
>> not
>> let any updated or new program access the Internet! :-(  Yes I turned of the
>> firewall and even put in a new one, but that didn't solve the problem.  While
>> one need spyware programs, I don't know if you even need a virus program if
>> don't read email on Windows.  ---Jim
>>
>> GreyGeek wrote:
>>   
>>> " Microsoft, leader of the closed-source world, makes more headlines
>>> than any other software maker when it comes to security. But that's
>>> because the company's products are used by nearly all PC users, not
>>> because Microsoft software has more vulnerabilities."
>>>
>>>
>>> That sentence sums up the purpose of that article... to exonerate
>>> Microsoft of its many security sins, while impeaching Linux and FOSS
>>> projects WITHOUT proof.    Now they are paying Stanford and Symantec to
>>> HUNT for bugs in popular FOSS apps?
>>>
>>> That shouldn't be hard for Symantec.  They can "find" them out of thin air.
>>>
>>> In 2002 I searched their virus database for viable Linux bugs.  I found
>>> 42.   Of those, only six had been found in the wild,  the most recent
>>> being 4 years prior.  The other 36 bugs were found on "2 0r fewer" PCs
>>> and had "low" (read NO) risk.   Now, I wondered how Symantec could find
>>> so many sterile bugs on so few PCs?  For a bug to be caught it has to be
>>> ACTIVE and it has to catch the attention of the victim, who then reports
>>> it to developers or security orgs.     This CAN'T happen 36 times with
>>> JUST "TWO PCs, OR FEWER".  My conclusion was that these bugs were failed
>>> virus projects by Symantec, tying to cook up viral agents to seed their
>>> Linux anti-virus mine, but being used to seed their Linux virus "count".
>>>
>>> A couple years later someone on LT asked about Linux vulnerability and
>>> stated the same myth that C/Net repeated in this "news" article.  I went
>>> back to Symantec to do another search and found they had over 400 Linux
>>> viruses listed!   Wow!  I decided to research them.  However, Symantec
>>> had changed its format for displaying Linux viruses and it now took 
>>> half a dozen drill downs to arrive at the crucial data -- method of
>>> attack, severity of attack, and threat level -- for a single virus.   
>>> This needless increase in complexity was, in my opinion, NO accident.   
>>> I drilled down on about 125 of them,  taking the better part of a day, 
>>> and discovered that ALL of them were actually WINDOWS viruses (*.exe's
>>> or *.jpg's) with the word "Linux" in their names!  This was during that
>>> time when there was a lot of media hysteria about WIndows AND Linux
>>> being susceptible to "cross platform" graphic viruses.    Most of the
>>> articles at that time mentioned Windows but primarily fanned anti-Linux
>>> flames.   The "proof" was a URL link to Symantec's Linux virus list. 
>>> Most readers are gullible or lazy and would do only a cursory
>>> examination before concluding that a "10 fold increase" sure indicates
>>> tha Linux is no safer than WIndows -- the conclusions these articles
>>> wish the reader to assume.   Time has proven the "threat" to be a hoax
>>> as far as Linux is concerned and, for the most part, Windows too.   If I
>>> were still doing homicide investigations I'd "follow the money" and see
>>> where these Submarine Stories (a.k.a Paul Graham) came from..... IF I
>>> had any doubts.
>>>
>>> The other thing you have to look at are the body counts.    Where are
>>> they??  
>>>
>>>  FOSS runs about 70% of the Internet, while Windows only runs 28%, yet
>>> the VAST MAJORITY (99.99999%) of viral agents are launched from Windows
>>> servers and desktops.    IF Linux were as vulnerable as Windows then
>>> simple logic would dictate that 20% of all body counts would be
>>> compromised Linux boxes.   While the last active Linux bug, Slapper,
>>> infected 15,000 computers world wide in 2003, CodeRed was infecting
>>> MILLIONS at the same time.  Since Slapper the Windows body count has
>>> continued to pile up in LARGE NUMBERS, at great expense to Windows users
>>> and their personal data, but rarely do we read about even a single Linux
>>> box getting infected.... only these kind of scare stories.  Just a few
>>> weeks ago TJMax and Marshals,  on the same network, reported that their
>>> W2K servers were hacked into and 250,000 CC numbers and passwords were
>>> stolen.  This break-in actually took place in October of last year.  The
>>> crackers gained access because the IT boss at TJMax emailed a Word
>>> document to a supplier.   Microsoft buries identifying and personal info
>>> into Word and Excel documents and it appears that this document
>>> contained the server passwords.  The email was "acquired" because the
>>> supplier's Windows boxes had been compromised.  By, the way, this info
>>> was published on C/Net at the time, but two days later, when someone
>>> challenged me on these facts, I discovered the URL had been taken down. 
>>> The Internet Archive had no record of it.    A google search will show
>>> some URL's referring to that original article but that's all.
>>>
>>> I'm glad the Dept of Homeland Security is paying to find FOSS bugs, but
>>> I suspect it is really an anit-Linux ploy, especially since Symantec has
>>> a vest interest in "finding" Linux bugs.   Still, it's better than
>>> paying to find proprietary bug$.
>>> JLK
>>>
>>> Jim Worrest wrote:
>>>     
>>>>    This can be of interest to Linux users, but to others as well.  ---Jim
>>>>
>>>>
>>>> <http://news.com.com/Security+from+A+to+Z+Open+source/2100-7355_3-6138647.html>
>>>>
>>>>
>>>>   
>>>>       
>>>     
>> ----
>> Husker Linux Users Group mailing list
>> To unsubscribe, send a message to huskerlug-request@xxxxxxxxxxxxx
>> with a subject of UNSUBSCRIBE
>>
>>
>>   
> 

----
Husker Linux Users Group mailing list
To unsubscribe, send a message to huskerlug-request@xxxxxxxxxxxxx
with a subject of UNSUBSCRIBE

• References:
  • [huskerlug] Security from A to Z: Open source | CNET News.com
    • From: Jim Worrest
  • [huskerlug] Re: Security from A to Z: Open source MYTHS
    • From: GreyGeek
  • [huskerlug] Re: Security from A to Z: Open source MYTHS
    • From: Jim Worrest
  • [huskerlug] Re: Security from A to Z: Open source MYTHS
    • From: GreyGeek

Other related posts:

• » [huskerlug] Re: Security from A to Z: Open source MYTHS
• » [huskerlug] Re: Security from A to Z: Open source MYTHS
• » [huskerlug] Re: Security from A to Z: Open source MYTHS
• » [huskerlug] Re: Security from A to Z: Open source MYTHS

1. Home
2. huskerlug
3. Archive
4. 02-2007

---

• » Previous by Date
• » Next by Date
• » Related Posts
• » View list details
• » Manage your subscription

---