Awesome Debian Power
# dh-make-perl --cpan Acme::Buffy --build --install
A lot of Linux desktop users seem to be under the impression that they are safer from exploits simply because they are running Linux. They seem to believe that software written for Linux is just going to be better. The fact of the matter is that most programmers are still human, and programmers as a whole couldn’t care less about security.
The question I see is not “Are there existing exploits for Evolution’s bugs?”. The answer to that is “Of course!”. The question I see is “Are those exploits being used and are they causing damage?”. As you said, “there have been exploits for Elm and Pine”. Here is the breakdown as I see it:
Thus:
Consider that Eudora has exploitable bugs, but it remains a safer choice than Outlook because it isn’t as popular. Outlook’s popularity (driven, in part, by the popularity of Exchange) means that most virus writers will use it.
Of course, we’d like to think that Linux is immune to this kind of thing (immune to exploits, that is; a lot of us wish it weren’t immune to popularity), but there are still bugs that can be exploited. Even on UNIX/Linux, a lot of programmers don’t care about security. Now consider:
Thus:
Hey, if the Emacs/Gnus combination were really popular, there would be exploits for it. It ain’t popular, though, so I’m quite safe from anyone who hopes to gain notoriety from writing a virus.
Don’t think for a second that you are safer simply because you are running a UNIX-like OS. There are plenty of exploitable bugs and plenty of exploits. You can make yourself safer by choosing less popular combinations of software (e.g. using Debian instead of RedHat), but Linux, in and of itself, does not mean you are immune to the whims of the virus-writers. Sendmail used to be effectively the only MTA out there, and in 1988 the Morris worm, which spread in part through sendmail’s debug mode, showed the consequences of that monoculture.
The reality is that security is an unimportant part of most projects. This is a “worse is better” world and the most popular software is written by programmers with a “worse is better” mindset. They’ve got some code they want to hack or a job that’s been given to them. Nine times out of ten, their focus is not security. It’d be nice if we were all as obsessed with security as D.J. Bernstein, but, c’mon, we’ve got real work to do here.
A consulting firm did a security audit on the company I work for. Of course, we had to have a way to manage our new security policies once the audit was done. (That is, we would have to have a way to manage the policies if we had them, which we don’t, but that’s another story.) So, they sold us software that they valued at around $50,000 to do this. A nice little web-based utility, written in Tomcat/Apache with an Oracle backend and running on Solaris.
Now, since I try to be security conscious, I reduced the Solaris install to the core OS. In fact, this is one of the things they recommend: reducing the software on a machine to only what is needed.
I mentioned this to the consultant they sent to help with installation and he was shocked.
“Don’t do that!” he said.
“It works, doesn’t it?” I replied.
“I guess, but we don’t test it that way.”
The irony should be obvious: the hardening the consultants themselves recommend is the one configuration their own product has never been tested in.
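“Reduce the box to what is needed” only stays true if someone can check it, after the install and again after every patch run. The script below is an added example, not code from the original post or from the consultants’ product: it audits a host’s installed packages against an allowlist of what the application needs and reports drift in both directions. The package names, the allowlist and the inventory are constructed for the example (the SUNW-style names are hypothetical); on a real host the inventory would come from `pkginfo` on Solaris or `dpkg-query -W -f='${Package}\n'` on Debian, with the name column adjusted to match.

```shell
#!/bin/sh
# Added example (not from the original post): audit a host's installed packages
# against an allowlist of what the application actually needs, so that
# "reduce to the core OS" becomes something you can verify and re-verify.
set -eu
export LC_ALL=C   # stable sort order for the comparisons below

# Constructed allowlist: hypothetical package names, one per line.
ALLOWED='SUNWcsr
SUNWcsu
SUNWcsl
SUNWj3rt
ORCLdb
APACHhttpd
TOMCAT'

# Constructed inventory: package name first, description after. On a real host
# this would come from `pkginfo` (Solaris) or `dpkg-query -W -f='${Package}\n'`
# (Debian), with the name column adjusted to match.
INVENTORY='SUNWcsr    Core Solaris, (Root)
SUNWcsu    Core Solaris, (Usr)
SUNWcsl    Core Solaris Libraries
SUNWj3rt   JDK runtime
SUNWtftp   Trivial FTP server
SUNWrcmds  BSD r-commands (rsh, rlogin, rcp)
ORCLdb     Oracle database
APACHhttpd Apache HTTP server
TOMCAT     Tomcat servlet container
SUNWxwin   X Window System'

# extra_packages ALLOWED INVENTORY
# Prints installed packages that are not on the allowlist: attack surface
# the application does not need.
extra_packages() {
    printf '%s\n' "$2" | awk -v allowed="$1" '
        BEGIN { n = split(allowed, a, "\n"); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        NF && !($1 in ok) { print $1 }' | sort -u
}

# missing_packages ALLOWED INVENTORY
# Prints allowlisted packages that are not installed: the consultant's worry,
# that stripping the box removed something the product depends on.
missing_packages() {
    printf '%s\n' "$1" | awk -v inventory="$2" '
        BEGIN {
            n = split(inventory, lines, "\n")
            for (i = 1; i <= n; i++) if (split(lines[i], f, " ")) have[f[1]] = 1
        }
        NF && !($1 in have) { print $1 }' | sort -u
}

# audit ALLOWED INVENTORY
# Reports both directions; succeeds only when the host matches the allowlist exactly.
audit() {
    audit_extra=$(extra_packages "$1" "$2")
    audit_missing=$(missing_packages "$1" "$2")
    if [ -n "$audit_extra" ]; then
        printf 'installed but not allowlisted (remove):\n%s\n' "$audit_extra"
    fi
    if [ -n "$audit_missing" ]; then
        printf 'allowlisted but not installed (install, or drop from the list):\n%s\n' "$audit_missing"
    fi
    [ -z "$audit_extra" ] && [ -z "$audit_missing" ]
}

# Usage: exit status tells a cron job or a build pipeline whether the host drifted.
audit "$ALLOWED" "$INVENTORY" || echo 'host does not match allowlist'
```

The allowlist is the artifact worth negotiating with a vendor: once “we don’t test it that way” is answered with a concrete list of packages the product was actually tested against, the minimal install and the supported configuration become the same thing.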
I can never get anything done. So, instead of sleeping, I wrote about the revelation I had regarding REST, did (not)Echo in Perl, and released my trackback for Emacs implementation.
If none of that geeky goodness interests you, check out Eve Andersson’s New Orleans pictures. She’s an interesting person in her own right, too (“I didn’t know what to do with the small bread wafer that I was given, so I put it in my purse.”). By the way, she hates to sleep, too.
My day job is at a company that builds oil rigs in the Gulf of Mexico. This most recent storm must have been a lot of fun — at least according to the pictures. Keep in mind that this was “just” a tropical storm. They told all non-essential people to leave downtown the day the storm hit shore. A little wind and rain is all I saw. Looks like it was much worse out in the gulf.
We’re supposed to get another one of these in about a week or so.
So, even though I’ve been following the formation of the new Echo movement, I’ve not really been posting much or hacking much. Probably this has to do with my current mental state, but also because I now have a new laptop. Last week, I bought a new P4 2.2GHz with 640MB of RAM. It makes a nice DVD player.
Seriously, because it is new (the only new system I’ve bought), it needs newer drivers, so I’ve been tracking down Linux support for some of the hardware. In the process, I’ve compiled the latest kernel and found some of the migration pitfalls. It may appear that I enjoy that kind of thing, but appearances can be deceiving.
Oh, yeah… I’m running Debian unstable on this sucker and loving the beautiful Gnome2 desktop and MozillaFirebird browser. Very nice.
you shouldn’t report security vulnerabilities by exploiting them on a mass scale, if you’re a professional.
What Mark did was a demonstration of an exploit, not an actual exploit. He gave us a vivid example of exactly what could happen without actually doing anything harmful.
People publish demonstrations because software vendors have historically ignored private warnings. A demonstration makes it clear to the vendor and the users what the flaw enables. The users see the flaw and pressure the vendor to fix the software.
Without the demonstration, there is no pressure from the users, and the software is rarely fixed.
Even the “white hats” in the security industry recognise this simple principle. They’ve tried several times to come up with a solution that would allow the vendors to save face and users to have their software fixed, but every effort has failed. It seems that the vendors can’t help themselves.
William F. Buckley: We do need to have a much better explanation than any we have had. Going to war to abort Husseinism is justified. But we are nevertheless entitled to know: How was intelligence information, presented as conclusive, so apparently illusory?
Finally got around to putting more pictures online. Ginger, Basil, Violet, Bike Riding, Birds, and more.
Yesterday, my mother sent me a copy of her will — who gets what. It was then that I realized that she might be feeling just a little scared about her trip to Indonesia to see the Indonesian half of my brother’s wedding. She’s on her way to the airport now.