RE: [OT] New Anti-Terrorism Law makes "hacking" punishable by life in prison

From: M. Edward Borasky (
Date: Sun Sep 30 2001 - 17:40:27 EST

> -----Original Message-----
> From:
> []On Behalf Of J Sloan
> Sent: Sunday, September 30, 2001 2:42 PM


> OK, the obvious question:
> If apache is 60% of the market and IIS is 25%
> (and I have heard that apache on Linux is about
> 33% of the web server market) how do you see
> that as windows/iis being more popular than the
> linux/apache platform? and yet, windows/iis has
> the lions share of vulnerabilities - your arguments
> lie in tatters....

We need to distinguish between Linux/Apache and other-UNIX/Apache.
Specifically, there's at least Solaris, Tru64 and AIX besides Linux in this
market. It isn't just IIS; the Nimda beast exploited, IIRC, 18 separate
vulnerabilities in the Windows / IIS complex, including shared files.

I've actually heard of cases where *Linux* systems exporting filesystems
with Samba had Nimda code stuffed down their throats! If this code had been
Linux-executable rather than Windows-executable -- if the virus had been
smart enough to know it was dealing with a Samba rather than a Windows share
and had been able to differentiate between Windows executables and Linux
executables -- hmmm ... do you see what I'm getting at??? In other words,
UNIX systems of *all* stripes that export filesystems with Samba need to
track mods to executables just like a virus scanner does on a Windows
system. *That's* what I mean by vigilance.


> I think Unix's long history of multiuser, networked
> operation gives it quite a bit more sophistication in
> areas of security, as opposed to windows, a single
> user system which has in the past few years
> become widely networked.

The security features are there in Windows if the users and sysadmins are
willing to implement them. Windows NT has had C2 available for quite some
time; they couldn't sell to DOD if they didn't. A good MSCE / security
specialist makes a lot of money. It's for the most part laziness on the part
of Windows users that allows malicious code to circulate, not any inherent
weakness in the Microsoft tool set. The technology exists.

> I'm not saying Linux/Unix users should rest on their
> laurels or be lulled into a sense of false security, but
> come on, let's at least be realistic about the very real
> advantages of Unix OSes over PC OSes in this area.

I don't see any such advantage. C2 is C2; crypto is crypto; authentication
is authentication; vigilance is vigilance.

Here, for your amusement, is a snippet of Perl code:

$stuff = `uname`;
if ($stuff =~ /is not recognized as an internal or external command,/ {
        # execute malicious Windows code
else {
        # look at the uname stuff and figure out what OS we're running
        # then execute OS-specific malicious code

Do you see what I'm saying?

M. Edward (Ed) Borasky, Chief Scientist, Borasky Research

Q: How do you tell when a pineapple is ready to eat? A: It picks up its knife and fork.

- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to More majordomo info at Please read the FAQ at

This archive was generated by hypermail 2b29 : Sun Sep 30 2001 - 21:01:15 EST