You're burying your head in the sand and denying that vulnerabilities exist when you have no idea how things are tested. You seem to have no idea what kind of scrutiny XOrg receives, but you're willing to compare finding bugs there to finding WMD in Iraq. The difference of course, is that WMD are created intentionally while bugs crop up on their own by accident. Take these two in the X Font Server, for instance: http://labs.idefense.com/intelligence/vulnerabilities/display.php?i....
The first bug mentioned is an honest mistake. Integer overflows are hard to spot and the only real way to eliminate them is rigorous use of a checked integer library like SafeInt for buffer sizing with static code analysis to make sure you didn't miss any places.
The second bug may be a real design mistake. Letting people remotely swap an arbitrary number of bytes on the heap is not a good idea.
I was making that insinuation about X EoP attacks with this recent bug in mind. I also suspect that X doesn't get nearly as much scrutiny from *nix security researchers as Apache or Samba. And XOrg is in a serious state of flux right now, so new vulnerabilities can arise as the code is refactored and extended.
My point is that your arrogance about Linux security is unjustified. Sure, bugs get fixed quickly after they are reported, but how long do those fixes take to get to the corporate desktop? Also, how long can a zero-day attack last in the Linux world? Microsoft has nothing to celebrate here because their track record was piss-poor before 2003. Things changed there at that time and now they're pretty paranoid about security. How paranoid is the Linux crowd? They're certainly not like Theo's gang at OpenBSD.
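An added illustration of the checked-integer buffer sizing the comment above recommends; this is not code from the thread or from the X Font Server. It puts a naive `count * elem_size` computation beside a wrap-checked one, and `copy_records` is a hypothetical request handler that rejects a request whose size would wrap instead of allocating a too-small buffer.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Naive sizing: count * elem_size silently wraps modulo SIZE_MAX + 1,
 * so a large count can produce a tiny allocation that a later copy
 * overruns. Kept only to show the failure mode; do not use. */
size_t naive_buf_size(size_t count, size_t elem_size)
{
    return count * elem_size;
}

/* Checked sizing: returns true and sets *out only when count * elem_size
 * fits in size_t. This is the portable equivalent of what a checked
 * integer library (SafeInt, or __builtin_mul_overflow) does for you. */
bool checked_buf_size(size_t count, size_t elem_size, size_t *out)
{
    if (elem_size != 0 && count > SIZE_MAX / elem_size)
        return false;                 /* product would wrap */
    *out = count * elem_size;
    return true;
}

/* Hypothetical record-copy handler: sizes the buffer through the checked
 * path and refuses the request rather than allocating a wrapped size. */
unsigned char *copy_records(const unsigned char *src, size_t count, size_t elem_size)
{
    size_t bytes;
    if (!checked_buf_size(count, elem_size, &bytes))
        return NULL;                  /* malformed request: reject it */
    unsigned char *dst = malloc(bytes ? bytes : 1);
    if (dst == NULL)
        return NULL;
    memcpy(dst, src, bytes);
    return dst;
}

/* Demonstrates the wrap: a constructed count whose product with 4 exceeds
 * SIZE_MAX, so the naive size comes out smaller than count itself. */
bool naive_wraps(void)
{
    size_t count = (SIZE_MAX / 4) + 1; /* constructed: count * 4 == SIZE_MAX + 1 */
    return naive_buf_size(count, 4) < count;
}
```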
First, I can't be arrogant, since I haven't actually made claims about Linux security. So that would make you ignorant, I guess.
Second, you try to argue that Linux can be attacked because of an unexploited vulnerability in XFS... how is *that* related to the current discussion? Are you talking about home PCs or servers? Why focus on Linux? Solaris, the BSDs and other Unix systems might also use XFS. Are these systems insecure as well, from your point of view? OpenBSD *also* uses XFS as part of X, does that make it insecure by your definition?
Again, you show dishonesty by claiming that I somehow think that Linux has no security problems ever (when I believe nothing of the sort). Linux, like all OSes, has security issues, and software that runs on Linux also sometimes has issues. That has *nothing* to do with the current discussion, which is whether or not phishing botnets are made mostly of Linux boxes, as the eBay guy insinuated, or if this is yet another PR job to convey the false notion that Windows is more secure than Linux.
I'd use SELinux, though that is irrelevant. You want to protect your outer periphery, i.e. servers facing the Internet. What you use on desktop software is not really relevant.
Source, please.
Yeah, and Iraq had WMDs, right? That's textbook FUD: you don't know that there are vulnerabilities in X, but you insinuate that there are, without any proof whatsoever.
And that warrants your bias against Linux? What about just telling the truth, even if some kernel devs are hotheads? If an arrogant, obnoxious person screams "2+2=4", does the fact that they are dislikable mean that 2+2 no longer equals 4?
It's not "triumphalism" to defend Linux when it is *constantly* attacked by Microsoft. You want a less shrill environment? Put pressure on MS to stop the OS cold war, and to truly embrace coexistence and interoperability. Then you'll be true to your nickname.