Whenever the Conficker worm comes up here on OSNews (or any other site for that matter) there are always a number of people who point their fingers towards Redmond, stating that it’s their fault Conficker got out. While Microsoft has had some pretty lax responses to security threats in the past, it handled the whole Conficker thing perfectly, releasing a patch even before Conficker existed, and pushing it through Windows Update. In any case, this made me wonder about Linux distributions and security. What if a big security hole pops up in a Linux distribution – who will the Redmond-finger-pointing people hold responsible?
A Linux distribution is made up of various components written by lots of different projects. Those projects, in turn, are comprised of lots of individuals who contribute code in a loose manner. Microsoft Windows is also made up of various different components, written by several different departments (“projects”, if you will) within Microsoft. These projects, in turn, are also comprised of several different people.
If you can blame “Microsoft” for the Conficker worm, then who do you blame when it comes to a Linux distribution?
Say we have a monumental security flaw in X.org that can lead to remote code execution. Almost every distribution packages X.org, but obviously, only a few will actually ship with the hole before it gets discovered. Still, this raises the question: if Microsoft is responsible for Conficker, who are you going to hold responsible for the hypothetical hole here in X.org?
Your Linux distributor, who apparently failed to do proper QA to find the hole? Or will your distributor point to the X.org project? Are they responsible? What if they point to the person who contributed the code, whose name is most likely clearly visible since everything is open?
It really is an interesting question, and in the unlikely scenario that a Conficker-like worm ever made its rounds across Linux machines, I can see a lot of blame being thrown around on mailing lists.
Thoughts?
Always blame Thom Holwerda for GNU/linux problems.
What, it’s finally not Bill’s fault? You impress me Thom. 😉
I see my army of upper-class hookers is doing its job.
You may imagine an evil laugh, now. “Imagine”, because my actual laugh is quite girly.
I was going to say “Silly Thom, Linux is exempt from criticism!”
Can only answer for myself…
Ultimately it is the people behind the software who are responsible for developing the patch.
After that it is the distribution’s responsibility to package the patch and distribute it through appropriate channels (its own package repos).
If then the idiots behind the keyboard (end users) don’t install the updated package, it is their own fault…
I would agree to that.
On the other hand, I would say there is nobody to blame.
Microsoft made clear in their EULAs that it cannot be held liable for any damage which may be done by their software or by their lack of providing security patches.
Open source software also makes the same statement in their various licenses.
Having finally handled a security hole the way it should be handled (proactively) is a great thing for Microsoft. I hope they will continue on this path in the future.
In general, security is a process, so there are minor issues, major issues and occasionally a zero-day exploit will occur.
Whatever happens if such a thing comes to pass will have to determine how we judge the ones who can close the hole.
Ultimately the majority of people seem to be OK with the mediocre level of security Windows XP provided, so I guess they should be rather relaxed if such a thing happens in the Linux world.
On the other hand, there never was a really successful virus/worm written for Linux before, so it would certainly make BIG news if someone could pull it off.
Let’s wait and see if it happens, and when it happens what happens.
I would agree to that.
On the other hand, I would say there is nobody to blame.
Microsoft made clear in their EULAs that it cannot be held liable for any damage which may be done by their software or by their lack of providing security patches.
Open source software also makes the same statement in their various licenses.
That may make them not legally responsible. I would still like to see some major corporation with the fiscal resources, legal resources and cojones to do so try that in a court of law.
But it does not negate their moral or ethical responsibility. Oh wait! We’re talking Microsoft. Never mind, I’ll hush now.
When some SSH hole was found and many exploits appeared, I remember that many servers and client computers were exploited. So I think currently the situation could be similar. Of course distros currently have better update methods, but because of the common lie that “linux is more secure”, not many Linux users really install them all right after they are out, and I think many Linux computers would be affected.
Link, please.
There was a SSH vulnerability discovered, at one point, I believe it was in Debian, whereby a developer had got “over-zealous” and had “cleaned up” some initialisation code in SSH. This turned out to be the wrong thing to do, because it made the keys less random than they should have been. Because there was no actual error of operation, it took a number of years before this was noticed.
Although many servers and client computers did have this error, I know of not one case where a machine was exploited because of it {EDIT and CORRECTION: see below, more serious breaches than this have occurred at other times, and some systems were compromised}. Remember, all that this error did was reduce the randomness of ssh keys … meaning that instead of six thousand years for a brute force attack to crack the key, it would instead take only one thousand … or something like that.
Anyway … as far as responsibility for fixing it goes … every single package on Debian has a responsible maintainer.
http://www.debian.org/doc/debian-policy/ch-binary.html#s3.3
So in the case of the ssh package …
http://packages.debian.org/lenny/openssh-client
… the current package maintainers are:
# Colin Watson
# Matthew Vernon
It is these people who would be responsible for getting a fix for the SSH error(s) for Debian.
Ubuntu and other Debian-based downstream distributions would probably just follow with whatever these people decided would be the fix.
Candidates for fixes to the source code would probably start to arrive from community members within a few hours of a problem such as the ssh error being identified. It would be these two people, for Debian, for the ssh package, who would have the task of evaluating and testing the candidate fixes, and looking for any regressions, and then choosing the best one, and then packaging it as a security update in the repositories.
I’m sure that other distributions would have similar arrangements.
PS: Correcting myself … it would appear that an SSH hole has appeared more than once.
In 2003
http://www.zdnet.com.au/news/security/soa/SSH-security-glitch-expos…
In 2005
http://www.techworld.com/security/news/index.cfm?newsid=3668
… and possibly other times as well. In 2005 there were cases reported of breaches of some systems.
So fair enough. No software is perfect.
The method of response to such situations is still the same, however. Fixes are normally available within a day or so. Sometimes there is a race between the fix being available and an exploit being ready.
Edited 2009-04-15 11:00 UTC
This is not true. It was not an SSH vulnerability but a problem in OpenSSL which therefore *also* influenced OpenSSH. Here is a link: http://www.metasploit.com/users/hdm/tools/debian-openssl/
All the entropy besides the PIDs (and even those are mainly predictable) was thrown out of OpenSSL. To quote an article from “2600” (Volume Twenty-Five, Number Two, Page 52f), that is 1.9 x 10^-32 less keys than before (0.0 thirty-one zeros, 19). To put it in other figures, all the remaining hashes (for one hardware platform) now took 40MB of space instead of 3.7 x 10^32 gigabytes.
But don’t get me wrong, I use UNIX-like operating systems and Debian is by far my favorite Linux distribution, even after this incident.
I don’t know what kind of Distro users you have around your parts. Anyone I know using a distribution is very quick about updating. Average users have automatic updates, more advanced users do it by hand. For me, it’s the first two seconds after my first login of the day just before I go into the graphic desktop.
In the case of SSH, I think you mean the Debian SSH bug which only affected Debian and derivatives like Ubuntu. The bug was not caused by OpenSSH but by a developer who didn’t follow Debian’s patch policy. It was also fixed very quickly when discovered and now all one does is include openssh-blacklist to avoid the weak certificates.
Where exactly are you seeing overwhelming evidence that “linux is more secure” is an outright lie? Granted, I’d say it has a higher potential for security since any computer can be configured to be insecure; it’s just easier with some platforms.
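The two comments above describe the Debian OpenSSL incident (a generator seeded from little more than the PID, so every key it could emit was enumerable) and the openssh-blacklist remedy. As an added example that is not code from any post in this thread, nor from Debian or OpenSSH, here is a small Python audit in that spirit: it fingerprints the keys in an authorized_keys file and flags any that appear on a blacklist of known-weak fingerprints. The blacklist format (comment lines, then the low 80 bits of each weak key's SHA-1 fingerprint as 20 hex digits) and the RSA moduli are assumptions constructed for the example, not the real Debian files or real keys.

```python
"""Audit an authorized_keys file against a blacklist of known-weak SSH keys.

Added example; not from the thread, Debian or OpenSSH. Assumptions:
  * blacklist lines starting with '#' are comments; every other line is the
    low 80 bits (last 20 hex digits) of the key blob's SHA-1 fingerprint;
  * authorized_keys lines are the plain "type base64 comment" form;
  * WEAK_N / GOOD_N are constructed byte patterns, not real RSA moduli.
"""
import base64
import hashlib
import struct


def _ssh_string(data: bytes) -> bytes:
    """RFC 4251 'string': 4-byte big-endian length prefix, then the bytes."""
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(n: int) -> bytes:
    """RFC 4251 'mpint' for n >= 0: minimal big-endian bytes, with a leading
    0x00 added when the top bit is set so the value is not read as negative."""
    return _ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))


def make_rsa_pubkey_line(e: int, n: int, comment: str) -> str:
    """Build an OpenSSH 'ssh-rsa <base64 blob> <comment>' line from e and n."""
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}"


def parse_pubkey_line(line: str) -> tuple[str, bytes]:
    """Return (key type, raw key blob); raise ValueError on malformed input."""
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    keytype, b64 = parts[0], parts[1]
    blob = base64.b64decode(b64, validate=True)  # binascii.Error is a ValueError
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (type_len,) = struct.unpack(">I", blob[:4])
    # The blob embeds its own type string; it must agree with the leading token.
    if blob[4:4 + type_len].decode("ascii") != keytype:
        raise ValueError("embedded key type does not match the type token")
    return keytype, blob


def fingerprint_sha1(blob: bytes) -> str:
    """Hex SHA-1 over the raw key blob (the classic OpenSSH fingerprint input)."""
    return hashlib.sha1(blob).hexdigest()


def blacklist_id(blob: bytes) -> str:
    """Blacklist entry for a key: last 20 hex digits of its SHA-1 (assumed format)."""
    return fingerprint_sha1(blob)[-20:]


def load_blacklist(text: str) -> set[str]:
    """Parse blacklist text into a set of 20-hex-digit entries; reject garbage."""
    entries = set()
    for lineno, raw in enumerate(text.splitlines(), 1):
        entry = raw.strip().lower()
        if not entry or entry.startswith("#"):
            continue
        if len(entry) != 20 or any(c not in "0123456789abcdef" for c in entry):
            raise ValueError(f"blacklist line {lineno}: not 20 hex digits")
        entries.add(entry)
    return entries


def audit_authorized_keys(text: str, blacklist: set[str]) -> list[dict]:
    """Classify every key line as 'weak' (blacklisted), 'ok' or 'unparseable'."""
    report = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        try:
            keytype, blob = parse_pubkey_line(line)
        except ValueError as exc:
            report.append({"line": lineno, "status": "unparseable", "reason": str(exc)})
            continue
        status = "weak" if blacklist_id(blob) in blacklist else "ok"
        report.append({"line": lineno, "status": status, "type": keytype,
                       "fingerprint": fingerprint_sha1(blob)})
    return report


# Constructed placeholders standing in for RSA moduli; they are NOT real keys.
WEAK_N = int("deadbeef" * 8, 16) | 1
GOOD_N = int("cafef00d" * 8, 16) | 1


def demo() -> list[dict]:
    """Audit a constructed authorized_keys: one blacklisted key, one clean, one junk."""
    weak = make_rsa_pubkey_line(65537, WEAK_N, "generated-on-patched-debian")
    fine = make_rsa_pubkey_line(65537, GOOD_N, "generated-elsewhere")
    blacklist = load_blacklist(
        "# constructed blacklist: fingerprints the broken generator could emit\n"
        + blacklist_id(parse_pubkey_line(weak)[1]) + "\n")
    authorized_keys = "\n".join([weak, fine, "ssh-rsa not!valid!base64 junk"])
    return audit_authorized_keys(authorized_keys, blacklist)


if __name__ == "__main__":
    for entry in demo():
        print(entry)
```

Pointing the audit at a real blacklist means loading the distribution's blacklist files instead of the constructed one; the rest of the logic is unchanged.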
Ubuntu’s fault, no doubt.
If you can blame “Microsoft” for the Conficker worm, then who do you blame when it comes to a Linux distribution?
First, here’s why I blame Microsoft:
The vulnerability was in the RPC server service. This is a service that’s completely unneeded for 99% of computers running Windows. Why is it enabled by default? That’s retarded.
If the default was off, then Conficker would barely be a blip on the internet radar, especially since computers that actually use the server service are usually administered by semi-competent admins–not home users that have never installed a security update.
So, what if this were a linux vulnerability?
I don’t know. For a long time now, the default settings for almost any linux distribution is to not have anything listening on the network (except ssh, which they *should* change… enabling ssh if you need it isn’t that hard).
Mandriva installs with the network closed down and a friendly GUI to allow SSH or other common network services. Other distros are different though. Debian Stable installs with the network wide open but it’s expecting more of a server install. Ubuntu has its network defaults though I’m not as familiar with the distro.
Who is to blame for being compromised by an exploit for which a patch was released months before?
The admin. (which is quite often also the primary user in home systems)
Sure, Microsoft had code with an exploit. But they found it (or someone else pointed it out to them using responsible disclosure, hopefully) and they released a patch that was pushed out in updates.
There have been similar problems in the Linux world. Slapper, anyone? Who is responsible for getting hit by a Linux worm that has had a patch released months before?
I stand by my answer. The admin is responsible.
(as for who is responsible for repairing the code, if the bad code is in MySQL, then the MySQL team is responsible to fix it, but that is pretty obvious, eh?)
This is an interesting moral/ethical dilemma. In the case of Conficker, relatively few US and European computers were, in fact, compromised.
Most of the compromised hosts were from Asian, African and South American countries. These also correlate to countries where the numbers of pirated (Their word, not mine) copies are highest.
Easy enough to google for references.
So called pirated copies of Microsoft products are blocked, for right or wrong, from receiving updates.
Linux has no such restrictions. Yes, there are commercial versions of Linux. And yes, only rightfully registered and licensed Linux installations can receive updates from the commercial repositories. But each of these has a corresponding open-to-all free repository. And in fact, security patches are fed to the commercial repositories from the open and free repositories.
I have as a matter of fact, occasionally patched production machines from the “free” repositories because they do get the patches first. Then once the patch hits the “official” repository, I reapply the patch from there. I have only done that with the one or two instances where there were 0 day or near 0 day exploits.
There are two unrelated issues with the Microsoft security paradigm. The one is the aforementioned “only supply security updates to legal users.”
The other is that generally only Microsoft (Maybe) and/or black hat hackers (the bad guys) know about a security vulnerability at first. Sometimes a white hat (Officially sanctioned security expert) or grey hat (Unofficial but none the less benevolent) hacker might find a Microsoft vulnerability.
The white hats are under NDA (Non Disclosure Agreement) about the vulnerability until Microsoft chooses to disclose the vulnerability.
Grey hats may disclose the vulnerability at their own discretion and risk of retribution from Microsoft.
Because of historical legal action against grey hats by Microsoft, they have become fewer and less vocal. (ie. now under NDA and therefore “white hats”)
All of that to say this. We are now in a situation where:
A) Only Microsoft, those good guys who can’t say anything and the bad guys who won’t say anything to anybody that can do anything to prevent an intrusion are the only ones to know about a MS vulnerability at first.
B) All systems are vulnerable to attack via new vulnerabilities until Microsoft:
a) Publicly acknowledges the attack.
b) Gives enough information about it to allow administrators to make interim remediation plans until
c) Provides a patch remediating the vulnerability.
C) Microsoft only allows updates to systems that they deem “Legal”
Now there is Microsoft’s definition of “Legal” in regards to its software. Let’s take this straight from their EULA.
10. NOT FOR RESALE SOFTWARE. Software identified as “Not For Resale” or “NFR,” may not be sold or otherwise transferred for value, or used for any purpose other than demonstration, test or evaluation.
13. SOFTWARE TRANSFER. Internal. You may move the Software to a different Workstation Computer. After the transfer, you must completely remove the Software from the former Workstation Computer. Transfer to Third Party. The initial user of the Software may make a one-time permanent transfer of this EULA and Software to another end user, provided the initial user retains no copies of the Software. This transfer must include all of the Software (including all component parts, the media and printed materials, any upgrades, this EULA, and, if applicable, the Certificate of Authenticity). The transfer may not be an indirect transfer, such as a consignment. Prior to the transfer, the end user receiving the Software must agree to all the EULA terms.
If you bought a used computer on E-Bay with Windows loaded, you may not be a legal user.
1.2 Mandatory Activation. The license rights granted under this EULA are limited to the first thirty (30) days after you first install the Software unless you supply information required to activate your licensed copy in the manner described during the setup sequence of the Software. You can activate the Software through the use of the Internet or telephone; toll charges may apply. You may also need to reactivate the Software if you modify your computer hardware or alter the Software. There are technological measures in this Software that are designed to prevent unlicensed use of the Software. Microsoft will use those measures to confirm you have a legally licensed copy of the Software. If you are not using a licensed copy of the Software, you are not allowed to install the Software or future Software updates.
So many people may not be legal Microsoft users and not even know that they are not legal. They may not be receiving Microsoft security updates.
These issues do not exist with Linux.
Should Microsoft allow security updates to “illegal” users? It is well within MS’s rights not to. But who are the illegal users? Many may not even know they are illegal.
Basically I would also blame the stupid user who allows his system to get infected. In fact he is helping these evil worm creators, so he’s guilty. If they are not able to secure Windows, they should use something like OpenBSD or another secure-by-default system. If they use an insecure and open-by-default system it is 100% their fault – at least if they are at home and play system administrators. If the owner of a computer running a DDoS attack on a system were held guilty for it, people would care about it.
I mean, if I buy a house without a lock that is always open AND I don’t fix it and get robbed, people would laugh, there would be no insurance payout and basically no one would say it is not my fault.
Since computers are more or less optional and some kind of luxury, if compared to things like a home, one should be made responsible.
The other way would be:
Say computers are computers and everyone is allowed to DDoS everyone, create worms, etc. This would also make people think and there would be fewer companies putting sensitive/unsecured data/systems on the net.
IMO both ways would be better than how it is now. Even if I really don’t like MS software and I think security isn’t handled very well at Microsoft, I would not blame them, as long as their systems are not starting DDoSing or spamming.
Oh, to make it clear: on GNU/Linux it’s also the users’/sysadmins’ fault.
Edited 2009-04-15 11:45 UTC
Call me when Conficker for *nix starts to spread.
Who cares who is to blame? The problem is solving the security hole and securing the computers.
No. I don’t see any difference if you blame John or Bob. You aren’t gonna sue the person who’s responsible (at least I think so).
Well, I’d partly blame Nvidia and ATI.
We’re talking about a hypothetical flaw in Xorg, which runs as root. Kernel mode-setting is now a reality which means that X can be run as an extremely limited user account providing the drivers support it.
To my knowledge, most of the open-source graphics drivers have patches available that allow them to run with a limited-user Xorg. Nvidia and ATI drivers don’t support this mode of operation and it’s not possible for us to patch them (they are closed-source).
So, while Xorg and the developers of open-source graphics drivers would be partly to blame for not completely implementing the non-root Xorg, there would also be some blame for Nvidia and ATI as their non-compliance is holding us back from fixing this security issue.
I won’t argue that open drivers would be preferable, but to clarify, the proprietary nvidia driver for xorg (the userspace portion) doesn’t require root permissions, hasn’t for a while. It does everything through /dev/nvidia*. From that POV, the open 3d drivers are just catching up.
It’s the rest of xorg, and the default packaging distros use, that kept xorg running as root for nvidia users. Now that KMS is here, perhaps we’ll start seeing xorg running as non-root by default.
Your open drivers and their non-compliance up until now have been holding us proprietary nvidia users back from fixing this security issue.
But isn’t the answer written in the license? For example, the GPL says:
15. Disclaimer of Warranty.
THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM “AS IS” WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION.
Even Microsoft and the closed source licenses include a “use at your own risk” clause. That’s the difference between being the one who can be blamed and being legally accountable. We can blame Microsoft for a flaw in Windows or Xorg for an issue with X but we can’t take either party to court over it.
Who are these people blaming Microsoft and therefore blamed by you? Would you please give some cites or original links? It seems like an article imagining some stupid users (and hinting they are Linux users) and then claiming that part of (hint: a large part of) Linux users are stupid. What winding reasoning!
If you are a corporation/company then it is your responsibility to ensure your systems are reasonably secure. For most companies this risk/responsibility would be outsourced to a vendor for a fee (Red Hat, Novell, Sun etc.)
For private users, if you’re paying for commercial support then once again it’s the vendor; if you’re not then it’s your own responsibility.
The community is usually responsive enough in and of itself but this still doesn’t change the fact that people must be responsible for their own lives.
100% true!
And if a fool wrote a worm/virus/whatever to exploit this hole on *nix, I will point my finger at him.
…This is the _*real*_ responsible party.
Let’s say you own a car, and there is an oil warning light that goes on – instead of doing something about it you ignore it to the point that it results in the engine seizing up. This oil light had been blinking for months, and the manual in your car stated that if the light goes on you need to take it in to get serviced. When the engine seized up – whose fault is it?
The driver had all the warnings, all the knowledge and the window of opportunity to do something about it – but chose not to. Is it the car company’s fault or the fault of the driver? If there is a fault with the car that results in the oil light going on – there is a recall of those cars but the driver chooses not to take it in, is it the fault of the car company or the driver who refused to take it in to get fixed?
Before people start criticising Microsoft – the fix has been out since 28 October 2008. End users have had over 5 months to install it; the ‘warning light’ has been on for a long time and yet they chose to ignore it. The media in New Zealand on both TV3 and TV1 had segments talking about how you can be safe – and yet we have end users ignoring this.
So could someone please explain to me why Microsoft should be blamed after doing all the right things as far as issuing a security alert, providing a patch, and the media explaining what you as an end user can do to protect yourself?
Edited 2009-04-15 12:53 UTC
Wow, you really like car analogies
My f*&king brother’s fault. Who did that same thing on a long trip, and just ignored the light. The good thing is that he learned his lesson. Now he’s like a self made mechanic or something.
That b*stard. It’s all his fault! Does he have money? Can we sue him?
Hmmm… Even ignoring the fact that the analogy totally falls apart because, in a malware breach of security, there’s an individual actively trying to break the system, this still has issues.
I had a car. I’m reasonably knowledgeable about the inner workings of said car. Did some work on it myself. I was moving out of state, and my friend needed a car, so I gave it to him.
Now, I know he doesn’t know much (anything at all, zero, completely ignorant) about cars, so I get it checked over and maintained before I give it to him.
One thing I didn’t fix was the engine light, coz I know it’s just the OBD being annoying, and you just need to unplug & plug the battery to make it go away.
My friend pointed out that a light was on a year earlier, and I said “eh, no problem”.
So a few months after I gave it to him, the oil light came on, he said “eh, no problem”, and later reported to me that he was driving along the freeway and the car “made some noises, and stopped”.
Now, as much as I wanted to just laugh my #$#, I did feel kind of bad, because I knew he didn’t know anything, and probably should have taken more time to explain how cars work…I tried going over the basic ideas, but failed to emphasize things like “orange light, OK. Red light, BAD”, so I did feel somewhat responsible.
Now I had another friend that had built a classic car from the ground up over a period of two years, and took it out for the first time, and had never put oil in it (just forgot). Now, in that situation, I really wanted to feel bad, but just tried really hard not to laugh, and sound sympathetic.
Finally, note that I gave my friend the car for free. Just like you get Linux for free. So he felt silly and bad for not taking care of a free car. Whereas if he had bought the car, he might have been a little mad if the dealer never explained anything about checkups, etc. And I find that totally reasonable.
Windows = I paid for this so I didn’t have to think, you didn’t give me access to fix anything myself, so you better treat me, the dumb idiot customer, like the dumb idiot customer you made me. And also treat me like you really want to keep me happy, and make sure I can’t screw it up too badly. And make me feel good about myself while you do it. I.e., if I have to think, you have an HCI bug! In other words, if I can’t figure it out, or do something wrong, your interface is broken.
Linux = it’s free, you have the source. If you really had an issue YOU SHOULD HAVE FIXED IT YOURSELF. And you better not complain.
So in other words – your mate pointed out a flaw and instead of taking it off to a professional to get it fixed you decided to ignore it.
Let’s do a parallel: imagine we have a software company who makes an operating system, and an end user notices something strange occurring – he is noticing that the network icon is flashing extremely fast even though he isn’t using the internet or transferring anything over his network. He rings up the software company and notifies them of this strange behaviour – he isn’t exactly knowledgeable about computers but assumes (given past experience) that it doesn’t seem right. The software company chose to ignore what he reported by stating that it is perfectly normal for that to occur.
Months later there is a massive outbreak of a worm taking advantage of their software and they later find out that the end user whom they were speaking to had it. Instead of taking it further and finding out the nature of the problem they chose to ignore it. Ignoring a false positive and claiming that all positives are false ultimately led to something that could have been controlled becoming a major security issue.
All the rest of what you wrote is completely irrelevant.
1) Microsoft is notified of a security flaw.
2) Microsoft issues a bulletin.
3) Microsoft issues a patch.
4) All computers pre-loaded with Windows receive automatic updates.
5) As the event (1 April 2009) comes closer the media ramp up the effort to educate people.
6) The media inform end users to run Windows update and update your virus detector/cleaner.
Please tell me where my analogy was wrong in the previous post. Information was put out there – end users ignored it; how is it Microsoft’s fault?
Edited 2009-04-16 09:31 UTC
Um. Exactly. My friend was the end-user, and I was saying I should have been more informative. Thus, it’s not the end-users fault.
Where do we disagree?
We disagree when you claim in your original analogy that it isn’t the end-user’s fault that he refuses to install updates (the analogy I made with the software company was an attempt to try and get my head around your analogy, which has nothing to do with my original post).
Even if the end user weren’t an expert – the major news stations have been running articles on how to make sure you’re not infected, installing updates, how to get in contact with Microsoft etc; so it wasn’t as though the information was being hidden in the IT media where only a small niche are interested in listening to.
What you seem to be hell bent on doing is attempting to create an argument that all end user problems sit at the feet of Microsoft – ignoring the fact that you as an end user have a responsibility to maintain your computer, just like a car or any other piece of machinery.
A computer isn’t some sort of magical device that mysteriously does something. A computer is a glorified calculator that is controlled by software written by fallible humans, and because of this fallibility one needs to receive updates to correct those problems. If you as the end user choose not to engage in the most basic understanding of running Windows update and getting informed of what could go wrong – why is it Microsoft’s fault?
Edited 2009-04-16 23:10 UTC
Oh, and btw, the engine light was on because of the OBD.
This has nothing to do with oil.
So in your parallel, the end-user DIDN’T have it.
cheers
Oh, and finally what part of “so I get it checked over and maintained before I give it to him.” does not constitute taking it to a professional, like you said?
I gave it to a mechanic, and said “look for anything wrong, and fix it”. Before I gave him the car. After the engine light comes on.
Read before you speak, man.
I like car analogies, just because today they (cars) are almost as easy to hack as any other system that runs on software.
Needless to say, whether the car was free or not, if someone hacks your bluetooth interface and makes your car reboot when you are doing 80 miles per hour on a highway, the car manufacturer would have to pay the damages as you cannot avoid product liability in the car industry.
Edited 2009-04-16 10:47 UTC
Gotta give you that one.
Still, my point was that you couldn’t really blame the end-user (my friend). He just didn’t know any better.
Linux distributions are usually a lot faster with patching than ms as soon as a vulnerability is detected. It’s just a matter of hours – max. 1 day – till the fixes pop up in the update manager.
Remember that MS took quite a long time to fix the issue with their RPC-Servers just that there was no worm exploiting this vulnerability at that time.
Bug reports said; “hey, this is broken and exploitable in 3.0.7 and previous versions. We’ll have 3.0.8 available for free download on Monday”
How it went down; version 3.0.8 available for download by end of day the Friday before the announced Monday release date.
Even Microsoft’s last crisis patch release out of band was two weeks after the bug report was made public and “we’re working on it” announcements went out.
Historically, much faster patch times on more collaborative platforms.
In a similar situation, we’re still waiting on Apple to fix Safari.
Apple did fix the SSH problem within a reasonable time (for them); however, since the fix was handed to them by open source developers, they took too long to apply it. Perhaps, they customised the code for some reason.
I’d say that those Linux users who are merely users (not hardcore users or developers) will likely update quickly and there wouldn’t be a Conficker-style issue hanging over the head of Linux. Those who don’t update quickly are likely on a dialup connection and aren’t much of a threat anyway.
The problems with Apple’s system go deeper than the browser but fixing Safari would be a huge step ahead for them, as will be the promised features in the next OS major version. Let’s not look too closely at the non-existent network issue that was quietly included in later patches after the media frenzy passed.
That’s osX though, which is limited by Apple’s development schedules. The openly available Unix-like platforms will likely continue to make the lifespan of an exploit very short. For computers in general: update, update, update, for the love of baud update. That would have negated Conficker right there and continues to negate threats against Unix-like platforms quickly after discovery.
MS has a bit more involved system for a few reasons. First, there’s a functional test pass of the component and all downstream items to ensure nothing is broken.
At the same time, the security response team reviews the code in the area or any similar code for the same bug.
Then there’s the creation of appropriate bulletins translated into a number of languages for worldwide distribution.
Lastly, the patch is distributed during the normal patching cycle unless it is being actively exploited. This is done to make the testing job easier for IT admins. Of course this rule is broken if there are active exploits in the wild.
Usually the time to patch is not the most important factor since most of the famous attacks (Nimda, Code Red, Slammer, and now Conficker) were not exploited by the original discoverers. They were instead exploited by people reverse-engineering a long-released patch (9-12 months in the case of Slammer).
Vulnerabilities will always slip through the cracks, though we try to catch most of them during development by fuzzing and review (I’ve personally prevented a couple of little NT kernel EoPs). In Vista and later OS releases, this particular exploit is less effective due to better containment of the vulnerable code.
They’d have the most to benefit from such a thing ~~
If the individual program is closely maintained by the upstream developers (OpenOffice), then official bug fixes have to go through them. An unpatched threat becomes their responsibility, since they choose not to accept patches from third parties.
If the individual program works more openly with downstream developers, then it becomes a matter of shorter patch times. The core developers can review the submitted patches and choose or modify the closest fit.
If the bug was introduced downstream by the distribution then the responsibility is that of the distribution maintainer. OpenSSH was not broken but someone with upload rights for Debian decided to fix what they thought was a bug. Debian and any distributions forked from it suddenly had broken OpenSSH. Upstream in OpenBSD, it was not broken nor was it broken in distributions that chose not to use the Debian patch. In this case, someone did not follow the Debian policy or consult the OpenSSH developers who are experts in cryptography and it was fixed quickly when discovered.
If you choose Red Hat, then you watch for their bug reports and patches. For Debian, debian.org/security. For Mandriva, that distro’s bug reports and patches. For Windows XP, that OS’s bug reports. For Win2k, that OS’s bug reports. For Vista, that OS’s bug reports; for OS X, that OS’s bug reports. Is the bug in the kernel or userspace, in an application on top like Word, in a third-party application like Firefox, or in a third-party hardware driver? It’s really no different or more complicated just because there are more brand names involved.
First, it would be near impossible for a virus to target all Linux distributions; they all place their configuration files in different places. Also, Linux code is better written and more secure, if handled the right way. Then there is the fact that it is open source: if the vendor doesn’t patch, someone will, a few hours after the announcement of the virus.
Take for example the very easy virus-writing-for-Linux tutorial that came up a month or so ago, where it could be very easy to write a virus to exploit the .desktop management in desktop environments. Well, the virus was not that easy to execute; you had to make it an executable. And this has already been patched by KDE so it cannot happen, so it came and went so fast it was not even funny for the writer.
I know there are ways to get a virus or a security problem in Linux, but most of the time, if not always, it requires a big moron of a user to make it happen. Quite the contrary on Windows: someone plugs a USB stick into your PC/laptop and there, you are infected.
It does not matter who at xorg or at Debian put the security hole in and who exploits it. guilty != responsible.
The one who is guilty of putting a security hole in software he distributes for free is in no way responsible since you didn’t pay him anything to take any responsibility.
Most of the time you have a support contractor that is responsible for those security holes. That can be Red Hat, Novell or Mandriva. If you pay them to patch your machine and ensure security, and the contract says they are responsible, then they are responsible.
If you downloaded a distro for free and have no support contract then you are responsible for whatever happens to your computer.
If you use Windows, then indeed, Microsoft is responsible for fixing security breaches because you paid for that service.
You can’t have it all. Download it for free and you can’t still blame whoever put buggy code on your computer, because it is you and you alone. They give you the source code for you to fix it when it is broken, so you fix it or you pay someone to do it. The software is not the service. Microsoft does not give the code, but they take responsibility for it.
I have to set Gufw (Uncomplicated Firewall) as a startup program. I really see no reason it shouldn’t be by default. I never take an NVIDIA or kernel update after I enable a non-free video driver. It almost always screws things up.
I’m sure there are hundreds of best practices and tips for a more stable and secure desktop but until someone drops them on the desktop in a document only a handful of Linux users are going to know about them.
This is really the wrong question – which can easily be seen in the responses. When you search for someone to blame – you get into a mindset about how you (or your code) are better and everyone else is lazy, stupid, irresponsible, blah blah blah…
Rather than asking who is to blame, ask what accountabilities each person has in the solution!
Everyone has a responsibility:
– the architect should design inherently secure and maintainable systems
– the coder should learn and practice writing secure code, and his peers should review code with security in mind
– the maintainer should patch security holes quickly
– the build system should automatically run software through the numerous validation systems out there that automatically identify basic security gaps (so our energies can be focused on finding real / difficult issues)
– the packager should ensure the software is installed in a secure fashion
– distributions should ship secure defaults, tools that help keep it secure when being reconfigured, and patch software quickly
– the administrator and support staff should understand security and configure/maintain computers securely
– the end user should ensure they install known software, remove software they don’t use, and keep the system patched / up to date
Most importantly, journalists and other writers like yourself should create constructive conversations by not focusing on “blame” but focusing on “accountability”. It breeds more creative, more considered, and broader thinking solutions… which results in more security.
I know we love car analogies
If some car part manufacturer creates a defective part that eventually ends up in your brand new Honda Civic, who do you blame? You blame Honda… period… full stop.
Whatever the distribution packages is fair game to blame on them. That said, there is a small caveat. Distros also come with package management that allows you to install applications. This becomes a grey area. Then it largely becomes a matter of perception.
Does the user think package X is part of the ‘OS’, or do they think of it as a separate program that is merely allowed to be installed easily by the package management software? As I said, this is perception. Something like X.org is definitely an OS-like component and you would definitely hold the distro responsible. Something like OpenOffice is a bit different.
One of the things distros should do to clear up this liability is to clearly mark packages they ‘support’. Then again this goes back to one of my main complaints of distros. None of them want to take the bold leap and actually make choices. They all want to give you full flexibility, which means most distros end up being the same with all the same packages available. I’d like to see Distro X completely throw out support for Gnome or KDE. Pick one or the other. This reduces your testing and support time. They should make other choices on what they will support. They can provide unsupported links in their repo (clearly marked of course).
I’ll liken this to my experience with PulseAudio on Ubuntu Hardy (since it’s on there now). It wasn’t exactly well supported, but it was there. For such a basic component, I had no idea if I should keep it on, remove it, install this or that… everyone was saying something different. If you’re going to package something as core as the sound system, you’d better fully support it and stand by it.
Just my two cents.
This question is really, really dumb. You make it sound as if Windows and Linux were somehow comparable operating systems. They are not.
Windows is the product of ONE company whose main interest is to hide problems and to push and sell “products”. Security is a side note.
Linux is a kernel, and there are various companies that distribute software together with the kernel. Security, for most of these distributions, is the key element in their strategy. The software and the kernel are OPEN, and everyone can deliver patches. That’s why the state of security is very high among Linux distributions.
Sorry to say this, but if you’re going to call the question dumb, I have no choice but to call you dumb
The question specifically makes a point of using the term “Linux distributions” instead of “Linux”. Probably trying to prevent some nut from saying ‘linux is just a kernel…’
Yes, this is OS news. Most of us know when we talk generally about Linux… we know the difference between a kernel and a distribution. It’s especially ridiculous when someone makes a point to use ‘Linux distribution’.
Do I have to add a repository? Or Is this source code we need to compile and install ourselves? But seriously, most exploits on Linux are by nature less damaging than Windows exploits, because of the design principles of Linux and Unix systems. But if a worm did hit Linux, or even referring to the worms that have hit Windows, I fail to understand why we wouldn’t want to at least attempt to blame the author of the worm, rather than the author of the code that was exploited? Anyway, who’s responsible for the fix in the open source world is the one who steps up to the plate and fixes it, which generally happens pretty quickly. Who’s responsible for the Windows fix has to be Microsoft, because they are the keepers of the closed proprietary code. Only if they were willing to open up their code could someone else share responsibility, and they’re just not going to do that.
So a criminal obtains a gun illegally, then robs a convenience store and shoots the clerk. Obviously we need to blame the gun manufacturer, right? NO!!! The criminal shot the clerk. We need more gun laws, right? NO!!! As I stated, the criminal obtained the gun illegally. If he already broke the law, what good is another law? Suppose the criminal instead busted the clerk’s head with a Craftsman claw hammer? Do we then blame Sears? Again, NO!!! Now, instead let’s say the criminal wrote a worm to steal the clerk’s identity and credit card info on his Windows-based computer. Do we blame Microsoft? NO!!! How about blaming the criminal? But a responsible convenience store owner will train the clerk how to handle robbers, possibly provide the clerk with a gun or a taser, a panic button to set off an alarm, and perhaps even build a panic room in the store. A responsible Windows user will install patches and a firewall, purchase antivirus and antispyware, and refrain from visiting questionable web sites. A responsible Linux user will do much the same. But for goodness’ sake, don’t waste your time trying to lay blame here and there for malware! Blame the criminal who wrote it.
“So a criminal obtains a gun illegally, then robs a convenience store and shoots the clerk. Obviously we need to blame the gun manufacturer, right? NO!!!”
Why not? He advertised his guns heavily. Are guns to be used, yes or no? Is it the state or the gun manufacturer who wants people to own guns? Would anyone with a knife be able to kill 20 people alone, as opposed to a single guy with an UZI?
Of course having access to guns leads to an easier way to kill people. I don’t know how it is in the USA, because the people there always defend that everyone can use a gun to shoot the next enemy on the street (even if it is your neighbour), but here in Europe there were several recent events where people who use guns for their sport did kill other people (most of the time family members, but in one instance a school shooting).
The guy who fired got the weapon from his father. Both were in a gun school training for sport, so he was trained to shoot at targets. In this situation he chose to shoot at other people.
Now you come and say the gun manufacturer has no responsibility? Bullshit. They heavily advertise, so they do share responsibility. Of course they don’t control human beings, and it is not their main fault if people kill other people, but guns are meant to be used against targets: animals, practice targets, or other human beings. You can not excuse this at all.
“The criminal shot the clerk. We need more gun laws, right? NO!!!”
Yes, you do. You need to restrict it heavily. You need a society where these things do not happen. Of course this does not work in the USA, because you guys are controlled heavily by a corporate agenda of making profit wherever you go. So gun laws will forever remain a joke. This is an observation. The US people are bloodthirsty and want it this way. That is why they voted for Bush Jr.
I am still surprised they voted for Obama not long ago. They can’t make up their f–king mind.
“As I stated, the criminal obtained the gun illegally.”
And what difference does this make to someone who obtains a gun legally? The bullet coming out of the gun doesn’t care whether it is legal or not. Someone produced the gun, someone produced the bullet. You try to protect these.
“If he already broke the law, what good is another law?”
What kind of reasoning is this? This way you can use nukes against enemies when they do not comply to your way – because they already “broke” some agreement, or law. It is the agenda of ultimate conflict.
“Suppose the criminal instead busted the clerks head with a Craftsman claw hammer? Do we then blame Sears?”
How many people are killed with a hammer?
How many people are killed with a gun?
If you f–king compare things, then get a clue first before making such stupid remarks.
“Now, instead lets say the criminal wrote a worm to steal the clerk’s identity and credit card info on his Windows based computer. Do we blame Microsoft? NO!!!”
We do. They are a de-facto Monopoly.
Are you a MS troll?
“But a responsible convenience store owner will train the clerk how to handle robbers”
Up to the point where he is f–king shot.
Your comparisons stink.
“A responsible Windows user will install patches, and a firewall, purchase antivirus and antispyware, and refrain from visiting questionable web sites.”
Do you know elderly people who use Windows? I know them for years. They will forever stay noobs.
Now, is it their fault if the underlying software sucks?
“A responsible Linux user will do much the same.”
Linux users are usually more competent, because Linux as a whole is a shit OS and you need to have a few brain cells to work with it. Unlike Windows. You can be an idiot and remain that way, and windows just works. Of course windows will forever suck, but as long as you are happy, and can use it, it does not really matter.
“But for goodness sake, don’t waste your time trying to lay blame here and there for malware! Blame the criminal who wrote it.”
Let’s compare something.
We have a wall. Its height is 200cm.
Then we have another wall. Its height is 200000cm.
Which wall is easier to climb over?
And this is exactly the difference between good software and bad software.
“So a criminal obtains a gun illegally, then robs a convenience store and shoots the clerk. Obviously we need to blame the gun manufacturer, right? NO!!!”
Why not? He advertised his guns heavily.
Yeah, I was totally flabbergasted by the number of gun ads showing during the Super Bowl… Oh wait. There weren’t any.
Well, I am completely astonished by the proliferation of gun ads during prime-time television. Oh wait, there aren’t any.
Well, those radio gun ads have got to go. What? None there either?
Well, still, the proliferation of gun ads in Home and Garden magazine… wait, none there either.
Well, those one or two gun-related magazines that we all know everyone in the US is forced to read, beginning in kindergarten, should limit their ads to feminine hygiene products only. Yeah, that’s the ticket.
“If he already broke the law, what good is another law?”
What kind of reasoning is this? ==> This way you can use nukes against enemies when they do not comply with your way – because they already “broke” some agreement, or law. It is the agenda of ultimate conflict.
I would say “this” is pretty flawed reasoning. Your argument is a total non sequitur to the stated “If he already broke the law, what good is another law?”
GP is saying that since the criminal is already of the mindset of breaking the law, how is creating another law going to hinder him?
Yours is saying, “Well, I don’t like him and he broke the law. So now I am justified in breaking the law also.”
In both cases, the gunman in illegal possession of a gun and the nuke-flinging thug, the hypothetical criminal has decided to break the law anyway. How is yet another law going to change the fact that they have already decided to break the law?
“Suppose the criminal instead busted the clerks head with a Craftsman claw hammer? Do we then blame Sears?”
How many people are killed with a hammer?
How many people are killed with a gun?
If you f–king compare things, then get a clue first before making such stupid remarks.
Pot, meet kettle. See previous argument.
But to answer the question. I would blame the Beatles for suggesting this in “Maxwell’s Silver Hammer”. Laugh, it’s funny.
Now, in the spirit of keeping this post and thread from going totally off topic:
Where Microsoft can conceivably be held accountable is that they withhold security updates from “illegal” copies of Microsoft Windows. There is no such restriction in Linux. There is no such thing as an “illegal” copy of Linux. All Linux distributions allow security updates from their respective upstream repositories to all and sundry.
And that’s all I have to say about that.
Yes, it’s possible that an exploitable security issue will result in a Linux worm at some point. If and when this happens, deciding who to point the finger at should depend on what the facts are. Since at this point there are no facts, it’s wildly premature to ask who we will point the finger at.
And what’s the point anyway? That when it happens to us we can’t blame Redmond? That then all the Windows bashers will get their comeuppance?
shevegen, the problem with European style government is that they assume the general populace is incompetent and unable to make sound decisions on their own. Just because a gun manufacturer advertises a product is no logical reason to place responsibility on them for the way customers use their products. People are not ignorant zombies who can’t control their ability to choose what they buy and how they use it. People are fully able to make decisions on their own, whether they agree with you or not is a different matter.
Besides, gun rights are about keeping power in the hands of the people rather than limiting power to government and law enforcement. After all, a well-armed populace is the best defense against tyranny.
The problem with both of you and now me is you’re discussing gun rights
In any case, you’re both wrong about Europe. Some European countries have very high percentages of gun ownership. I’ll leave it as an exercise to the reader to check out gun ownership rates in Finland and Switzerland.
Gun control is not the issue. Like drugs, guns cannot be controlled. The underground economy and gangs can easily get guns. Heck, making a gun is not that hard. I mean, if the Palestinians can make rockets under the guise of Israel… you think you can prevent people from making guns?
People are the problem. The reason the Swiss can own all the guns they want and not have rampant gun crime is because Swiss people are not crazy violent nuts The problem with American gun crime is not the guns, but the vast numbers of people willing to kill and murder.
*disclaimer… I’m from South Africa… one of the most violent places. Attempts at gun control are futile. Like in the US, the problem is not guns, but the people who so willingly use them.
*another disclaimer… poverty is not the cause of violent crime. Been to india/china/other parts of asia. There is rampant poverty, but don’t worry, you’re pretty safe from nut job violent crime.
Switzerland is a very interesting paradox. It is at the same time, one of the most socialist and one of the most free societies in the world.
Europe is different. There is another culture, a different geography, and a different history. In the Netherlands you can smoke pot but you can’t have a gun like in the US. The place is overcrowded and was a central place in WW2. I see people from the US telling the Europeans what to do and people from Europe telling the Americans what to do. If I were from the Netherlands I would tell you that you should build sea walls in the US. Telling people in other countries what they should do is so pointless and stupid that it makes me laugh.
…but I don’t see any reason why a Conficker or any other epidemic is so impossible in the Linux world. You see, creating such an epidemic is a lot of work, so the author wants something in return. For example, a few hundred thousand zombie boxes waiting for his command. That does not happen easily in the Windows world, and since the Linux user base is MUCH smaller and Linux users are kinda smarter, it is simply not so cost-effective to attack Linux guys.
So it’s time to panic! Hehe (:
I would both agree and disagree. I am not a developer, and certainly can not begin to understand a lot of the underlying code that is involved with such worms. But my understanding has always been that the Windows platform has always been attractive not just because of its popularity, but also because the install base remains the same; program or service x, y, or z will always be named and located in the same place. Someone could write some script for Ubuntu, but it would most often not affect my openSUSE, and vice versa.
You are correct though in that time spent demands reward. In the past few years a lot of the motivation for malicious code has moved beyond the simple kids messing around to a more professional/organized unit. Back in 2003 I remember reading how the mob in New York was moving away from classic crimes to cyber crimes because of both the profit as well as the risk. Where there is money, one will find a way. If Ubuntu ever become massively popular, you would be guaranteed that people would be motivated to attack, but in the end they could only attack just one distro.
In the end though, why don’t we really just lay the blame where it belongs; on those that have chosen to devote their time to causing grief upon others. No collection of 1 and 0’s will ever be 110% secure, just as no alarm system on a house or car can be.
Good question, but not too easy to answer. The problem is that, as long as we are considering proprietary software, we have the well-known corporate paradigm of software development. In this scenario it’s easy (or at least it should be easy) to select the responsible parties, as all the responsibilities and duties are delegated to the proper ones. So it’s obvious: once you have a real or possible security, stability or functionality issue, it’s the responsibility of the solution provider to solve it as fast as possible. We may say such a reaction is somehow contracted. What is that contract? Well, it depends on the solution: if it’s a custom-made system, it will be your contract and specification of requirements; if it’s a mass product, like an operating system, then it’s a license, which has to be bought by the end user. If the solution provider/software developer reacts quickly, it means this is a good brand; you may count on it.

How does it look in the bazaar paradigm we all know from the Free Software community? Of course we, as a community, are responsible for the overall quality of solutions distributed under free licenses. As far as I can imagine, I see this paradigm to be at least at the same level of quality, if not even better, as the proprietary solutions available on the software market.

So, to simply give you my answer: it’s our choice. One will prefer to blame a defined party (proprietary paradigm), the other will prefer to divide the responsibility into N pieces. In both scenarios there is a group of responsible ones and an issue to be solved. I think the most important thing for us, end users, is to have all the issues resolved quickly. To be honest, finally, I’m a die-hard Slackware user and a big Free Software enthusiast, but I see that on many occasions it’s a good idea to buy a license, hire a consultant… I mean, to delegate responsibility to others. Just to build effective solutions.
In some scenarios it’s a good idea to promote Free Software, especially GNU/Linux, but in some others you have a wide choice of proprietary solutions, maybe not cheap, but worth your investment. So the question “who is responsible” is very important during your choice. Sometimes it’s better to pay some money to transfer the responsibility to the other party. It’s like with insurance: your contract with the software developer or a license for a software solution is like an insurance policy. In some other scenarios it’s better to stay responsible for yourself. And as long as we’re talking about divided responsibility, we should remember that once the responsibility is divided, there are no responsible parties (believe me, I grew up in the socialist reality where everything was shared, but no one felt responsible), or we are talking about utopia. For me, the Free Software idea is a kind of utopia, yet the only example of how, on some occasions, we may prove that the utopia can exist and, what is more important, can compete effectively with widely accepted reality. Nice idea, indeed. Worth investing some of our time.
There have been security holes in Linux distributions before. Usually it’s the distribution being blamed. However, the loudest shouting usually comes from Windows users saying: “Linux is not really secure!”, “Hobbyist software”… Most Linux users actually patch the hole and get on with life. That does not mean that people are not held accountable for their actions; if security bugs popped up a lot in one distro only, I’d just switch and so would many others. The other thing is that I don’t really blame Microsoft for their current efforts on security; what I blame them for is creating an environment where people are totally ignorant of security in the first place. That’s why they don’t update… MS software treated security very laxly for many years, and this has reflected on its users and created the situation we currently have. So yes, users are to blame, but MS is also to blame for conditioning their users like this.
J
If its in samba, then the samba team & each distro that ships the vulnerability in their distro. Why is that a difficult question?
I would blame everyone but me of course !
More seriously, finger pointing is easier and fun (while you reinstall your OS).
But I think that we are beginning to reach the critical mass for bloated software in alternate OSes (most of it is mainly the work of Adobe). Apple found a nice way to limit it by restricting their mobile OS platform to minimal customization.
Microsoft is the easy scapegoat, as much as Apple can be.
Linux, and to an extent the free OSes, are more difficult because of the “you can always look in the code” fact.
I don’t know about others, but Debian and Ubuntu use a system where you have a security repository. The people behind it are allowed to upload 0-day fixes (instead of going through the normal process of getting your new package accepted) and touch basically every package in the entire repository.
This system should allow distributions to fix security problems as soon as they can, or at least upload a temporary fix/workaround until the problem is fully solved. They also have mailing lists where announcements are sent, therefore any system administrator who subscribes to them should know about issues and take appropriate steps.
This is a standard duty as an administrator of any platform.
Now, I think pointing a finger here is more complex than with commercial/licensed software, because when you buy a product or license you must be able to expect a certain level of commitment from the seller/producer.
This is the reason why one could argue that if Microsoft does not fix a problem in a reasonable amount of time, it becomes their ‘fault’.
However, you don’t buy or license a product/service from X.org, OpenSSH, Apache or BIND. They explicitly say in their license that it’s free and you are not guaranteed support or error/bug-free software.
How does this translate to distributions selling (Linux) software where these packages are included?
I’m thinking that when you market that product as a ‘perfect webserver’ or a general-purpose server OS, a customer can rightfully expect you, as a commercial entity, to fix security issues in the product they pay for, whether or not the underlying party that builds the software actually fixes it themselves.
When I take the work that you gave away for free and make money off it, any problems with my customers should be my responsibility, not yours.
Besides, I think no distribution that didn’t actively fix problems with their stuff would get much traction (with non-hobby customers) anyway.
The real answer to the question “What if a big security hole pops up in a Linux distribution – who will the Redmond-finger-pointing people hold responsible?” is… Redmond! They will immediately accuse Microsoft of engineering such a worm as part of their anti-Linux campaign.
It’s the real and painfully-obvious answer.
too easy:
You blame the project for letting the bug get into a release.
If a distro fails to get the patches upstream, you blame the distro for that.
If you’re doing your own distro and you’re using an exploited release, you blame yourself.
If you’re running something that also works on Windows and the exploit was discovered on Windows, you blame Microsoft.
Easy.
–The loon
The problem with the question is that the only possible answer is ‘everyone’. People will always finger point. However, I think, while there will always be those who don’t think before they point, majority of the Linux community will refrain. (Perhaps I’m a starry eyed dreamer, but I think I’ve got a point here.)
The reason (most) people point the finger at Microsoft when an exploit like Conficker comes out is the lack of transparency. You said that Microsoft handled the exploit perfectly, and from a certain perspective, you’re right. From a certain perspective. Let’s tip this on its head. What if Microsoft was a Linux distribution?
Every program that went into Windows would have had its code looked at by hundreds or thousands of people. Anyone could look at it and stumble upon these exploits. Would that have stopped Conficker? No clue. But it might have, and that is enough reason to point your finger at Microsoft and say, “It’s your fault!”
Let’s not leave reality too much, however. The ‘many eyes’ theory is flawed. Many people looking at something only makes it statistically more likely they’ll catch a bug. It’s by no means a promise of success. Could there be a Linux Conficker? Yes. I have no doubts. Let’s hope that when it comes out, the Linux community handles it with the same grace as Microsoft has with this particular exploit.
So, to answer your question, people won’t pin the blame in the same way. The Linux community will simply focus on fixing it (and then people will blame their distro for not releasing patches “on time”), and the Linux haters will snuggle their Ballmer/Jobs plushies a little closer after writing on their MSDN blog about how ‘broken’ Linux is.
Since we are being hypothetical … I should mention that there just might be little people on the dark side of the moon made up of dark matter so we can’t see them. They just MIGHT be feeding off us humans until their mothership comes to get them. In the meantime, people that seem like wackos will be abducted (those that are rejected because they don’t taste good are put back on earth) and eaten.
Hey, I figure this is as valid as this article. And since my hypothetical beings are made up of dark matter and invisible to us, you can’t prove that I’m wrong.