[LUAU] Its time to simply ban Windoze machines from the Internet

Tim Newsham newsham at lava.net
Thu Oct 19 09:58:29 PDT 2006


It's apparent that this is quickly becoming religious.  It is not my 
intention to start a religious OS battle...  Linux is great.  I use it all 
the time.  FreeBSD is great.  I use it all the time....

> Please.   Windows is *full* of holes, and by default, it essentially runs as 
> "root" (or the Windows equivalent).

As I stated earlier, most malware doesn't rely on software vulnerability. 
It doesn't matter if there are holes when malware isn't using holes to 
install itself (in essence the human behind the computer *is* the 
vulnerability).  It is true that most windows users are effectively 
running as "root" and this gives malware some benefit (but remember, 
malware can operate perfectly fine in a non-root role), but in fairness, a 
large majority of linux users also run as "root" (albeit a smaller fraction 
than in the windows world).

The "root" argument isn't very compelling.  There is a long history of 
privilege escalation attacks on all operating systems and a large number 
are being found regularly on ALL platforms, including windows, linux, *BSD 
and OS X.  The step from local user to local administrator is a much 
smaller hop than from external attacker to local user.  If I was a malware 
author, though, I wouldn't even bother.  You can get the job done just 
fine from a non-administrator account.


> I've had linux machines on the wide-open net for years with nary an issue 
> (save a RedHat machine in 1999 or so that got rooted when it was sitting in 
> my home at the end of a T1 line.)

That's funny, in that same time period (I believe 2001) a study showed 
that on average it took a few minutes for a fresh redhat 7 box to be 
"owned" when it was put on the network.  If anyone is interested I can 
hunt down the study (it was part of the honeynet project).  Linux security 
has come a long way since (they weren't even configuring packet filtering 
in the default installs and were, by default, running a lot of unneeded 
services) but so has the security of Windows.

> Go ahead, put your XP machine up on a raw, unfiltered IP connection.  See how 
> long it lasts.

Unfiltered as in not behind a firewall?  People do it all the time.  I do 
it occasionally (though not regularly).  XP comes with its own packet 
filter installed and configured since XP SP2.  In its normal configuration 
there are no externally accessible ports.  So unless an attacker is 
hitting a vulnerability in the TCP/IP stack itself or in a service that 
the user explicitly added to his system, there's no remote server 
exposure.  It's the client stuff you have to worry about since firewalls
don't protect connections that you initiate.

> jim

PS: re: Julian's message -- I'll buy the argument that a faster
patching cycle for Mozilla would be less advantageous for attackers.
It still wouldn't prevent malware, but it would reduce the effective
window of attacks that rely on a vulnerability.

Tim Newsham
http://www.thenewsh.com/~newsham/
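The post above argues that a default-deny inbound host firewall removes remote server exposure but does nothing for connections the user initiates. As an added illustration, not code from the original message or from any firewall product, here is a toy Python model of that stateful behaviour; the addresses, ports and flow tracking are constructed sample values and a simplification of a real packet filter.

```python
# Added example: a minimal model of a stateful host firewall that
# default-denies unsolicited inbound traffic, allows outbound traffic,
# and lets replies to host-initiated flows back in. Addresses and
# ports below are constructed sample values.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    direction: str  # "in" = arriving at the host, "out" = leaving the host


class StatefulHostFirewall:
    """Default-deny inbound; remember flows the host starts so replies pass."""

    def __init__(self, host_ip, listening_ports=()):
        self.host_ip = host_ip
        self.listening = set(listening_ports)  # services the user explicitly exposed
        self.flows = set()                     # (peer, peer_port, host, host_port)

    def filter(self, pkt):
        if pkt.direction == "out":
            # Outbound is allowed, and the flow is recorded so the reply is accepted.
            self.flows.add((pkt.dst, pkt.dport, pkt.src, pkt.sport))
            return "allow"
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key in self.flows:
            return "allow"   # reply to a connection the host itself opened
        if pkt.dport in self.listening:
            return "allow"   # a service the user deliberately added
        return "drop"        # unsolicited inbound: no remote server exposure


def scenario():
    """Run the three cases the discussion distinguishes and return the verdicts."""
    fw = StatefulHostFirewall("192.0.2.10")
    results = {}
    # 1. Unsolicited inbound connection attempt to the workstation: dropped.
    results["unsolicited_inbound"] = fw.filter(Packet("198.51.100.7", 40000, "192.0.2.10", 445, "in"))
    # 2. The user browses out; whatever the server sends back is let in.
    fw.filter(Packet("192.0.2.10", 51000, "203.0.113.5", 80, "out"))
    results["reply_to_own_connection"] = fw.filter(Packet("203.0.113.5", 80, "192.0.2.10", 51000, "in"))
    # 3. A service the user explicitly exposed is reachable from outside.
    fw_with_service = StatefulHostFirewall("192.0.2.10", listening_ports=(3389,))
    results["explicit_service"] = fw_with_service.filter(Packet("198.51.100.7", 40001, "192.0.2.10", 3389, "in"))
    return results
```

Case 2 is the point of the thread: the filter cannot tell a benign reply from a malicious one, so client-side software and the user's choices, not open ports, are where the exposure lies.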
