HP3000-L Archives

December 2009, Week 3

HP3000-L@RAVEN.UTC.EDU

Subject:
From: Paul Raulerson <[log in to unmask]>
Reply To: Paul Raulerson <[log in to unmask]>
Date: Fri, 18 Dec 2009 07:38:54 -0800
Content-Type: text/plain
Parts/Attachments: text/plain (163 lines)
 
On Friday, December 18, 2009, at 02:25AM, "James B. Byrne" <[log in to unmask]> wrote:
>
>On Tue, December 15, 2009 17:37, Paul Raulerson wrote:
>> Just a comment, but I do not think the Windows virus infection is
>> merely a factor of market share.
>
>>
>> I am not saying that market share doesn't play a part, even perhaps
>> a very large part. But it is certainly not the only factor. In my
>> opinion, it also isn't the main driving factor, but that is just my
>> opinion. :)
>>
>
>I never said computer virus development and infection was 'merely' a
>consequence of market share, I said that the reason MS-Windows is
>targeted most frequently is because of market share.
>

I disagree. I think it is targeted most often because it is the platform most
often successfully compromised. 

>The reason that most virus-type software is directed against
>MS-Windows is simply that it is the OS most commonly connected to
>the Internet.  That is a direct result of market share and nothing
>else.  

Again, I disagree. If this were so, then the system most often targeted by hackers would be
z/OS. Well over 90% of the *world's* significant financial transactions run on a machine running z/OS.
That is "market share" no matter which way you look at it.

And indeed, z/OS machines connected to the internet experience just as many hacking attempts as
Windows, Unix, or Linux machines. (Or probably HP3K machines, though I have no data to support that.) 

While market share is certainly a contributing factor, it is the fact that Windows is far more easily compromised
than Linux, or certainly than z/OS, that contributes to the popularity it enjoys among virus/trojan writers and script kiddies. 


>Viruses are not directed against MS just because that is what
>the script kiddies have to play with at home. Rather, modern viruses
>are all about adding slave machines to a zombie net so as to provide
>illicit network services to paying clients.  And it is so much
>easier to create such a net from MS-Windows machines since there are
>so many more hosts out there running it than anything else.
>

It is easier to do from Windows machines, yes, but more because you can
break into them than anything else. Unix computers were once just as open
as Windows machines - back in the mid-1980s.

I will say that with Vista and Windows 7, Windows is starting to grow up. But it sure
took a long time for it to happen!

>If Linux today ran as the OS of 45% of all hosts connected to the
>Internet, instead of its current 4.5%, then I firmly believe that
>Linux would be under the same scale of assault from virus writers as
>MS-Windows.  And, I suspect, given the lack of concern evidenced on
>my distro's mailing list, many sysadmins have no clue what they are
>in for once Linux becomes a focus of criminal exploitation.
>

Those figures are very misleading. Linux/Unix machines perform a very large
percentage of the "heavy lifting" on the internet, serving e-mail, file, web,
and other transport endpoints. These are all the prime targets for hackers,
and all experience heavy attack loads. Windows machines, on the other hand,
are most often compromised in an attempt to gain valuable personal information,
or to be used as zombies to transmit tons of SPAM or other garbage. Or to
coordinate attacks upon more valuable targets - DOS and cracking attempts
in particular.


>There I regularly read of people turning off SELinux because it
>makes administering their systems more difficult.  Others think that
>reassigning the sshd port from 22 to something else suffices to
>protect against brute force login attempts.  I do not know what they
>do to prevent brute force attacks against authentication schemes for
>web based services not to mention those for smtp, imap and pop3. 
>These are all subject to exactly the same techniques as used in ssh
>attacks.  How well will simply moving the service port number work
>there?
>
Actually, it works surprisingly well. The reason, of course, is that
almost every firewall is configured to provide a "stealth" pattern for
port scans. Instead of taking a fraction of a second to scan 65K ports,
it takes hours. So moving a service to an unexpected port dramatically
drops the number of attempts on that port.

Further, services like sshd are almost always backed by rules in hosts.allow 
(or the equivalent for your platform) that refuse connections from unknown
or untrusted locations, and enforce a few seconds of delay. (twist lines in hosts.allow.)
Again, that slows the attackers down. 

There are also ways to handle DOS attacks, though those are mostly
implemented these days by competent ISPs with largish budgets. Your
old-style ISP, sharing T1 service among a batch of dial-up customers, will not have
these capabilities. Mass-market-facing ISPs, like RoadRunner and Suddenlink,
will not provide these capabilities to their "home" customers, but will for their
business customers. (Which is part of the problem, though when confronted,
they just say that their home customers are prohibited from running mail or web
servers anyway... )


>These are supposedly trained, experienced, and technically
>proficient people, not Joe and Jane Average.  If they do not 'get
>it' then what will the average Ubuntu user do to protect themselves,
>and the rest of us, from criminal penetration and misuse of their
>laptops and home computers?
>

Well, for one thing, an Ubuntu computer is inherently more difficult to compromise. 

For another, UNIX-based computers are more difficult to compromise. Macs provide
easy proof of that. No matter what the actual figures, most folks would agree that there are
enough Macs out there to provide a juicy target for virus writers - the more so because most
Mac folks think that their computers are invulnerable to virus infections.

Still, only an infinitesimal number of Macs are ever compromised. Amazing, isn't it?
MacOS configured by default from Apple = BSD Unix = much harder to compromise than Windows.


>I am no fool, nor am I noticeably negligent, and yet recently it
>still took me more than four days of dedicated effort to lock down a
>number of Linux hosts that were under dedicated assault from China. 
>At one point I had hundreds of different IP addresses simultaneously
>attempting to brute force the root password of a single host. What
>rule based system, self modifying or not, can deal with tens of
>thousands of centrally controlled yet separate IPs, each of which
>tries to log on as root just one time every minute or even every hour
>if there are enough of them?
>

That is exactly the situation that firewalls, and stuff like hosts.allow, are set up
to manage.

>That capability is what today's computer viruses provide for their
>masters, thousands of separate IPs and processors from around the
>globe available to direct against the next target.  That is why
>MS-Windows presently is the preferred target, there are so many more
>of them 'on-line' than anything else.  If something displaces
>MS-Windows then that will become the target.  And that is just
>market share.
>

I tend to agree with you, except for the misapprehension that it is
market share driving this.

-Paul


>-- 
>***          E-Mail is NOT a SECURE channel          ***
>James B. Byrne                mailto:[log in to unmask]
>Harte & Lyne Limited          http://www.harte-lyne.ca
>9 Brockley Drive              vox: +1 905 561 1241
>Hamilton, Ontario             fax: +1 905 561 0757
>Canada  L8E 3C3
>
>
>

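The thread's disagreement about distributed brute-force logins (hundreds of IPs each trying root once a minute) is easy to see in logs if you count the right thing. The following is an added example, not code from either poster: it parses constructed sshd "Failed password" lines, shows what a classic per-source counter (the hosts.deny / fail2ban-style rule) sees, and then counts distinct source IPs hitting one account inside a sliding window, which is the signal a low-and-slow distributed attack actually leaves. The log lines, hostnames and addresses are constructed sample data.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample sshd log lines (not from the original thread). Five different
# sources each try root once or twice, roughly a minute apart: low per-IP rate, many IPs.
SAMPLE_LOG = """\
Dec 18 07:30:01 host1 sshd[1011]: Failed password for root from 198.51.100.10 port 40001 ssh2
Dec 18 07:30:02 host1 sshd[1012]: Failed password for root from 198.51.100.11 port 40002 ssh2
Dec 18 07:30:03 host1 sshd[1013]: Failed password for root from 198.51.100.12 port 40003 ssh2
Dec 18 07:31:01 host1 sshd[1014]: Failed password for root from 198.51.100.13 port 40004 ssh2
Dec 18 07:31:02 host1 sshd[1015]: Failed password for root from 198.51.100.14 port 40005 ssh2
Dec 18 07:31:03 host1 sshd[1016]: Failed password for invalid user admin from 203.0.113.7 port 5001 ssh2
Dec 18 07:32:01 host1 sshd[1017]: Failed password for root from 198.51.100.10 port 40006 ssh2
Dec 18 07:32:02 host1 sshd[1018]: Accepted publickey for alice from 192.0.2.5 port 6001 ssh2
"""

FAILED_RE = re.compile(
    r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(\S+) from (\S+) port \d+"
)

def parse_failures(log_text):
    """Return (timestamp, user, source_ip) for every failed-password line."""
    out = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            # Syslog timestamps carry no year; strptime defaults to 1900, which is fine
            # for computing gaps within one log as long as it does not span New Year.
            ts = datetime.strptime(m.group(1), "%b %d %H:%M:%S")
            out.append((ts, m.group(2), m.group(3)))
    return out

def per_ip_counts(failures):
    """Classic per-source counting: what a simple hosts.deny/fail2ban-style rule sees.
    Each source stays below any sane ban threshold when attempts are spread out."""
    return Counter(ip for _, _, ip in failures)

def distributed_sources(failures, user="root", window_seconds=600):
    """Largest number of distinct source IPs that failed against one account within
    any window of window_seconds. This is the many-IPs, one-try-each pattern that
    per-IP thresholds miss; alert on it, or switch that account to key-only auth."""
    events = sorted((ts, ip) for ts, u, ip in failures if u == user)
    best, start = 0, 0
    for end in range(len(events)):
        while (events[end][0] - events[start][0]).total_seconds() > window_seconds:
            start += 1
        best = max(best, len({ip for _, ip in events[start:end + 1]}))
    return best

if __name__ == "__main__":
    fails = parse_failures(SAMPLE_LOG)
    print("busiest single source:", per_ip_counts(fails).most_common(1))
    print("distinct sources against root in 10 min:", distributed_sources(fails))
```

On the sample, no single source exceeds two failures, yet five distinct sources hit root inside one ten-minute window; that second number is the one to threshold.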
* To join/leave the list, search archives, change list settings, *
* etc., please visit http://raven.utc.edu/archives/hp3000-l.html *
