Linked by Thom Holwerda on Wed 15th Apr 2009 09:54 UTC
Bugs & Viruses Whenever the Conficker worm comes up here on OSNews (or any other site for that matter) there are always a number of people who point their fingers towards Redmond, stating that it's their fault Conficker got out. While Microsoft has had some pretty lax responses to security threats in the past, it handled the whole Conficker thing perfectly, releasing a patch even before Conficker existed, and pushing it through Windows Update. In any case, this made me wonder about Linux distributions and security. What if a big security hole pops up in a Linux distribution - who will the Redmond-finger-pointing people hold responsible?
Thread beginning with comment 358634
Who is to blame for being compromised?
by markjensen on Wed 15th Apr 2009 11:19 UTC

Who is to blame for being compromised by an exploit for which a patch was released months before?

The admin (which is quite often also the primary user on home systems).

Sure, Microsoft had code with an exploit. But they found it (or someone else pointed it out to them using responsible disclosure, hopefully) and they released a patch that was pushed out in updates.

There have been similar problems in the Linux world. Slapper, anyone? Who is responsible for getting hit by a Linux worm that has had a patch released months before?

I stand by my answer. The admin is responsible.

(As for who is responsible for repairing the code: if the bad code is in MySQL, then the MySQL team is responsible for fixing it, but that is pretty obvious, eh?) ;)

Reply Score: 10

k1773r37f

This is an interesting moral/ethical dilemma. In the case of Conficker, relatively few US and European computers were, in fact, compromised.

Most of the compromised hosts were from Asian, African and South American countries. These also correlate to countries where the numbers of pirated (their word, not mine) copies are highest.

Easy enough to google for references.

So-called pirated copies of Microsoft products are blocked, for right or wrong, from receiving updates.

Linux has no such restrictions. Yes, there are commercial versions of Linux. And yes, only rightfully registered and licensed Linux installations can receive updates from the commercial repositories. But each of these has a corresponding open-to-all free repository. And in fact, security patches are fed to the commercial repositories from the open and free repositories.

I have, as a matter of fact, occasionally patched production machines from the "free" repositories because they do get the patches first. Then once the patch hits the "official" repository, I reapply the patch from there. I have only done that in the one or two instances where there were 0-day or near 0-day exploits.

There are two unrelated issues with the Microsoft security paradigm. The one is the aforementioned "only supply security updates to legal users."

The other is that generally only Microsoft (maybe) and/or black hat hackers (the bad guys) know about a security vulnerability at first. Sometimes a white hat (officially sanctioned security expert) or grey hat (unofficial but nonetheless benevolent) hacker might find a Microsoft vulnerability.

The white hats are under NDA (Non Disclosure Agreement) about the vulnerability until Microsoft chooses to disclose the vulnerability.

Grey hats may disclose the vulnerability at their own discretion and risk of retribution from Microsoft.

Because of historical legal action against grey hats by Microsoft, they have become fewer and less vocal (i.e. now under NDA and therefore "white hats").

All of that is to say this. We are now in a situation where:

A) Only Microsoft, those good guys who can't say anything, and the bad guys who won't say anything to anybody that can do anything to prevent an intrusion are the only ones to know about an MS vulnerability at first.

B) All systems are vulnerable to attack via new vulnerabilities until Microsoft:
a) Publicly acknowledges the attack.
b) Gives enough information about it to allow administrators to make interim remediation plans until
c) Provides a patch remediating the vulnerability.

C) Microsoft only allows updates to systems that they deem "legal".

Now there is Microsoft's definition of "legal" in regards to its software. Let's take this straight from their EULA.

10. NOT FOR RESALE SOFTWARE. Software identified as "Not For Resale" or "NFR," may not be sold or otherwise transferred for value, or used for any purpose other than demonstration, test or evaluation.

13. SOFTWARE TRANSFER. Internal. You may move the Software to a different Workstation Computer. After the transfer, you must completely remove the Software from the former Workstation Computer. Transfer to Third Party. The initial user of the Software may make a one-time permanent transfer of this EULA and Software to another end user, provided the initial user retains no copies of the Software. This transfer must include all of the Software (including all component parts, the media and printed materials, any upgrades, this EULA, and, if applicable, the Certificate of Authenticity). The transfer may not be an indirect transfer, such as a consignment. Prior to the transfer, the end user receiving the Software must agree to all the EULA terms.

If you bought a used computer on eBay with Windows loaded, you may not be a legal user.

1.2 Mandatory Activation. The license rights granted under this EULA are limited to the first thirty (30) days after you first install the Software unless you supply information required to activate your licensed copy in the manner described during the setup sequence of the Software. You can activate the Software through the use of the Internet or telephone; toll charges may apply. You may also need to reactivate the Software if you modify your computer hardware or alter the Software. There are technological measures in this Software that are designed to prevent unlicensed use of the Software. Microsoft will use those measures to confirm you have a legally licensed copy of the Software. If you are not using a licensed copy of the Software, you are not allowed to install the Software or future Software updates.

So many people may not be legal Microsoft users and not even know that they are not legal. They may not be receiving Microsoft security updates.

These issues do not exist with Linux.

Should Microsoft allow security updates to "illegal" users? It is well within MS's rights not to. But who are the illegal users? Many may not even know they are illegal.

Reply Parent Score: 1