
SANS Report Says Organizations Focusing On the Wrong Security Threats

timothy posted about 5 years ago | from the here's-mud-in-yer-eye dept.

Security 98

yahoi writes "Companies around the world are leaving themselves wide open to Web- and client-side attacks, according to a new report released today by the SANS Institute that includes real attack data gathered from multiple sources. SANS found that most organizations are focusing their patching efforts and vulnerability scanning on the operating system, but they're missing the boat: 60 percent of the total number of attacks occur on Web applications, and many attacks are aimed at third-party applications such as Microsoft Office, and Adobe Flash and other tools. Exacerbating the problem, they're taking twice as long to patch Microsoft Office and other applications than to patch their operating systems."


98 comments


Rob Malda's penis is tiny! (-1, Offtopic)

Anonymous Coward | about 5 years ago | (#29428365)

His penis is so tiny that his wife has to jack him off with a pair of tweezers. When he cums it can't even fill a thimble.

first (-1, Offtopic)

Anonymous Coward | about 5 years ago | (#29428379)

first

Most type of exploit is 'other' (3, Funny)

symbolset (646467) | about 5 years ago | (#29428397)

Chart [sans.org] (jpg) shows 92% 'other'.

Re:Most type of exploit is 'other' (1, Informative)

Anonymous Coward | about 5 years ago | (#29428549)

Unless I am reading that wrong, the 92% is the other blue item: MS08-067 (buffer overflow).
Other is only 2%.

Though they really should have used colors that contrasted better than light and dark blue.

Re:Most type of exploit is 'other' (1, Insightful)

ShieldW0lf (601553) | about 5 years ago | (#29428553)

I find it hard to trust the credibility of the report, after a statement like this:

SANS' Ullrich says patching third-party applications isn't easy. "Third-party applications can be tough. There's no good system" for patching them, he says. The key is inventorying third-party Web applications, which the report shows are a major attack vector, Ullrich says.

It's called apt. It's already widely deployed in Debian and Ubuntu, and has been for a long time. The problem is solved.

Re:Most type of exploit is 'other' (1)

Disgruntled Goats (1635745) | about 5 years ago | (#29428591)

It's called apt. It's already widely deployed in Debian and Ubuntu, and has been for a long time. The problem is solved.

Did you forget to read the top of the figure where it says "Microsoft OS" and not "Linux"?

Re:Most type of exploit is 'other' (2, Interesting)

Knuckles (8964) | about 5 years ago | (#29428721)

Yeah, and if they were honest and serious that's where they would have said, "third-party applications can be tough. There are very good systems for patching them, like Debian's APT, but sadly most vendors of proprietary software have made practically no progress in this area in two decades".

Re:Most type of exploit is 'other' (2, Interesting)

Artifakt (700173) | about 5 years ago | (#29430085)

The claim that there is no good system is just the sort of claim that gets quoted out of context, and when it happens, supposedly expert technical people will be the ones making the mistakes.

Think of it like politics. Someone writes a story specifically about the Democratic party in Ohio. Five paragraphs in, they say "There are no particularly distinguished front runners for the upcoming election." What happens when that gets quoted by itself - is there much chance at all that someone will put (for the 2012 Ohio governor's race) after the quote? It seems far more likely that someone will claim the original author said there were no distinguished candidates for the whole Democratic party this time around, or misapply it to the presidential election, or maybe someone with different biases will apply it to both major parties nationwide.

Authors, when they are trying to be fact-focused, fair, and rational, frequently go over their manuscripts looking for likely quotes that won't look right if quoted out of context, and insert internal context (in this case it would be something such as 'there's no good system in Windows for patching them'). It's often a mistake to rely on context from outside the immediate quote to keep things clear.

Editors often take these modifications back out for brevity, but I've known several professional editors who had to deal with the results (i.e. a libel suit over something that wasn't libelous in full context) and have started encouraging such additional context instead.

So you're right - the problem hasn't been solved for Microsoft products. And the parent poster is right - the article is easy to misquote, and that hurts its overall credibility.

Re:Most type of exploit is 'other' (1)

Runaway1956 (1322357) | about 5 years ago | (#29430323)

I also forgot to read all the disclaimers that tell me that no one is responsible for anything.

Re:Most type of exploit is 'other' (2, Informative)

ShieldW0lf (601553) | about 5 years ago | (#29430407)

Did you forget to read the top of the figure where it says "Microsoft OS" and not "Linux"?

No, I didn't forget to read it. It wasn't there. "Microsoft OS", "Windows", these were not mentioned in the article nor in the report. Things that were mentioned were things like Flash, Acrobat Reader and Microsoft Office. I get my updates to Flash and Acrobat through apt, so I think it's pretty relevant. My office suite is also updated via apt, although it wasn't made by Microsoft.

Re:Most type of exploit is 'other' (1)

ColdWetDog (752185) | about 5 years ago | (#29428693)

Windows has apt? Cool. I never knew.

Protip - we're talking about business computers. Business Computers == WindowsXP (to a first approximation).

Re:Most type of exploit is 'other' (1)

leromarinvit (1462031) | about 5 years ago | (#29429365)

Windows has apt? Cool. I never knew.

Actually, it does [sourceforge.net]. Unfortunately, the repository seems to be wildly out of date; e.g. Firefox is only at 2.0.0.11, OOo at 2.3.

Re:Most type of exploit is 'other' (2, Interesting)

HangingChad (677530) | about 5 years ago | (#29429613)

Business Computers == WindowsXP

I guess we're one of the approximations. ;) Our office is more Ubuntu than Windows and people, astonishing to the Windows faithful, don't have any trouble getting their work done.

Almost any office could replace many, if not most, of their desktops with Ubuntu with very little difficulty. The level of effort increases to another level if you want to try replacing all of them.

Imagine having APT for a large percentage of your desktops. A couple keystrokes to run a script and they're all up to date. Sweet.

Re:Most type of exploit is 'other' (1)

ShieldW0lf (601553) | about 5 years ago | (#29482783)

Windows has apt? Cool. I never knew.

Protip - we're talking about business computers. Business Computers == WindowsXP (to a first approximation).


Pro tip - Business Computers = Tools that solve problems to make money

I've been solving problems and making money using open source tools for years. If your tools don't work, then maybe people should be giving their money to me instead of you.

Re:Most type of exploit is 'other' (1)

Penguinisto (415985) | about 5 years ago | (#29428715)

...for some odd reason I can't get APT to compile on Windows Server 2003 or 2008. Help? :)

Re:Most type of exploit is 'other' (0)

Anonymous Coward | about 5 years ago | (#29428921)

"Third-party applications can be tough. There's no good system" for patching them, he says.

It's called apt. It's already widely deployed in Debian and Ubuntu, and has been for a long time. The problem is solved.

In this case, a system needs to be compatible in order to be useful. It needs to be useful in order to be good. Apt is no good for what the SANS report is talking about, because it's not compatible with the systems SANS is talking about patching. If Apt was ported, and software vendors got on board, it could be exactly what's needed. But it's not there yet.

Re:Most type of exploit is 'other' (1)

postbigbang (761081) | about 5 years ago | (#29429599)

It's ok to use apt and derivatives for control, even if it's not perfect, and it isn't.

The domain that's vulnerable is Windows. As shown apt isn't very useful there, as few vendors participate in a delivery structure that keeps things up to date.

Altiris/Symantec do a respectable job-- when the patches are available, across multiple platforms. There are others.

All of those, however, are dependent on the patches being available.

All of that need is incumbent on the need to patch, meaning poor quality software from a vulnerabilities standpoint. In other words, the apps, while delivering superficially good results, are poorly written, poorly tested, and poorly quality-verified/reviewed-- then too slowly patched, if at all. That's the core of the problem: crappy coders turning out crummy work.

Re:Most type of exploit is 'other' (1)

drsmithy (35869) | about 5 years ago | (#29429253)

It's called apt. It's already widely deployed in Debian and Ubuntu, and has been for a long time. The problem is solved.

What proportion of third party vendors distribute their software using apt ?

Re:Most type of exploit is 'other' (1)

Bert64 (520050) | about 5 years ago | (#29429757)

As with operating systems, it tends to be the commercial vendors who don't produce and distribute packages in the standard way, instead preferring to use their own nonstandard installer which doesn't integrate with the existing mechanisms for keeping things up to date.
I would consider lack of integration with the standard update system to be a big black mark against something when evaluating it relative to possible other options.

Incidentally, Nokia use apt on their maemo platform, which includes the new N900 phone too.

Additional repositories (1)

DrYak (748999) | about 5 years ago | (#29438831)

It's called apt. It's already widely deployed in Debian and Ubuntu, and has been for a long time. The problem is solved.

And for completeness:

  • on openSUSE it's "zypper".
  • on some embedded Linux distros it's "ipkg" and its derivatives (like opkg).

What proportion of third party vendors distribute their software using apt ?

There is :

  • a great deal of 3rd party open source producers who provide repositories for their software. Not only binaries, not only packages, but full repositories which can be added to apt/zypper/whatever and get automatically updated
  • there's also a great deal of additional external repositories - such as for example "PPA [launchpad.net]" for Ubuntu, Debian multimedia [debian-multimedia.org], openSUSE's repositories [opensuse.org], and Packman [links2linux.org] (which is multi-platform, but mostly concentrates on multimedia packages which can't be legally distributed with openSUSE)
  • whenever possible people try to package 3rd party commercial applications in these repositories - you can find closed source drivers, Flash, Acrobat, Microsoft's fonts. The only limit is whether the author authorises re-packing and re-distribution. Even then, sometimes packagers manage to get around such limitations by making packages which are actually updating scripts (MS fonts work that way)

So, in short, a great deal of software in addition to what came on your CD can already get updated today.

Not only that, but to make the whole experience more user friendly, some like openSUSE have developed a method [opensuse.org] where a single link on a web page can be processed by the package manager and, once given the necessary privilege, with 1 webpage click, you get automatically the correct repository added and the necessary packages selected.

Meanwhile, with Microsoft you get 1 central system (Windows Update) which is used for the OS and maybe for a couple of other Microsoft products (MS-Office, Visual Studio) as long as the user selects the appropriate service (Microsoft Update). Then you have a couple of other programs which implement their own incompatible update tracking (Firefox), some of which are really cumbersome (Acrobat). Virtually everything else is left to rot.

From the "No Duh" department... (4, Funny)

spinkham (56603) | about 5 years ago | (#29428401)

Wait, let me get this straight... Attackers are going after the things that aren't getting fixed as quickly? Who would have guessed!

The problem is in job responsibility (4, Insightful)

suso (153703) | about 5 years ago | (#29428603)

As a long time sysadmin and also as a programmer, I know that sysadmins generally try to draw their line of responsibilities or at least what they will take care of just below the "user installed software" level. I do have general knowledge of some of these applications and know which ones have vulnerabilities, but I usually ask that the programmer or user of the software maintain it. Although they seldom do and then ask for help when something gets hacked.

Perhaps the responsibility for these apps should be in the hands of the sysadmin as well, but the number of apps you have to maintain as you go up to that level increases exponentially. Plus, since they are usually not part of the OS, your OS company is not going to provide you with an easy way to maintain them, so you either need an application administrator or you need to train the programmer/user. Companies probably don't see the point.

Re:The problem is in job responsibility (5, Informative)

PlusFiveTroll (754249) | about 5 years ago | (#29428709)

For commonly used applications that make the CSV lists I find the Personal Software Inspector an excellent tool.

http://secunia.com/vulnerability_scanning/personal/ [secunia.com]

Amazing how many userland applications out there have some kind of exploit against them : /

Re:The problem is in job responsibility (1)

suso (153703) | about 5 years ago | (#29428903)

I was thinking of server side stuff, but that may be a good client side program.

Actually, something like that for web applications would be nice. There probably is already something, just hard to find among the barrage of apps out there.

Re:The problem is in job responsibility (2, Informative)

spinkham (56603) | about 5 years ago | (#29429511)

Cassandra [purdue.edu] is probably the best resource for that, you can build a profile of the software you use, and it will alert you when a vulnerability is fixed in that software.

Secunia of course offers commercial tools, but I've never used them, so not sure how useful they are.
http://secunia.com/advisories/business_solutions/ [secunia.com]

Also, vulnerability management/discovery software like NeXpose or Nessus also can find many similar problems, especially if you give them access credentials.

Re:The problem is in job responsibility (1)

spinkham (56603) | about 5 years ago | (#29429567)

Of course, none of the above finds publicly unknown bugs such as you'd have in custom apps, that's a whole different suite of tools/professionals..

Re: About PSI (0)

Anonymous Coward | about 5 years ago | (#29438965)

Can this company be trusted? This tool finds the most commonly used programs and versions to prioritize for hackers..

Re:The problem is in job responsibility (1)

andymadigan (792996) | about 5 years ago | (#29430285)

Plus, you eventually end up with a system where all applications have to be approved by the BOFH. Then, when a developer/techie who knows what he's doing needs to use a new tool to solve a problem it ends up in a 6-month queue for "approval".

Re:The problem is in job responsibility (2, Interesting)

dkf (304284) | about 5 years ago | (#29431109)

Plus, you eventually end up with a system where all applications have to be approved by the BOFH. Then, when a developer/techie who knows what he's doing needs to use a new tool to solve a problem it ends up in a 6-month queue for "approval".

What actually happens is that the user complains to Heap Big Boss (board-level or equivalent) and they instruct the poor BOFH to approve their pet project immediately or find another job. It's a really bad idea to be the person who says "no" to another person doing their job, especially if they have the ear of higher up (and most users will only deliberately use a new app if it is something dictated from on high; the rest of the time they'll cling to old stuff far more than a BOFH would).

Re:From the "No Duh" department... (0)

Anonymous Coward | about 5 years ago | (#29428907)

Almost as amazing: That the report was written based on REAL data from MULTIPLE sources. It sure makes my "no data from a single source" security report shameful!

We are just lucky I guess (2, Informative)

2names (531755) | about 5 years ago | (#29428477)

My place of employment is lucky to have our "patch management" guy. He is absolutely fanatical about keeping up-to-date on patches for OS and apps, anti-virus updates, and anti-malware updates. I make sure that I tell upper management about him every chance I get so he continues to be properly compensated. He would be difficult to replace. In fact, I doubt I would find another person with his level of dedication, which is kind of sad.

Re:We are just lucky I guess (2, Funny)

localman57 (1340533) | about 5 years ago | (#29428519)

Well, kudos to you (er, him!) for keeping everyone's computers up to date!

Re:We are just lucky I guess (-1, Flamebait)

Anonymous Coward | about 5 years ago | (#29428521)

WTF??? Kissing ass on slashdot are we?

Re:We are just lucky I guess (2, Funny)

Inda (580031) | about 5 years ago | (#29428761)

The cheque's in the post mate. Cheers.

Re:We are just lucky I guess (1, Funny)

Anonymous Coward | about 5 years ago | (#29428773)

awwww... someone has a man crush.

Re:We are just lucky I guess (4, Funny)

2names (531755) | about 5 years ago | (#29428879)

No, no, nooooo. I just appreciate him for his - uh - skills in the patch managem...dammit. If any of you douchers says "bromance" I'm kicking your ass. Now I'm off to the Monster Truck rally.

Re:We are just lucky I guess (0)

Anonymous Coward | about 5 years ago | (#29441623)

sexist of you to assume the OP is a male!

Re:We are just lucky I guess (1)

blhack (921171) | about 5 years ago | (#29429549)

That's awesome, man. Good on him for doing his job, and good on you for making sure that management knows it.

I think that, all too often, people who don't work in tech don't understand how much work there can be in tech.

Re:We are just lucky I guess (1)

Bert64 (520050) | about 5 years ago | (#29429837)

I run a network of Linux machines (debian/ubuntu/gentoo) and find it very easy to keep everything up to date: every midnight our mirror server pulls down the latest package lists for the 3 distros, every 3am every box pulls the latest package list from our mirror server (and we log any boxes that fail to do so), then at 8am every box is polled by nagios to see if it requires any updates and an email alert is sent... By the time I get to work at 9am, there may or may not be a list of systems and packages which need updating.

99% of the packages we use are present in their respective distro repositories, for the very small handful which aren't, we maintain them locally on our mirror server.
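An added example of the 8am "does this box need updates?" poll described above; it is not the poster's own tooling. It assumes the host can be queried with `apt-get -s upgrade` (simulation mode, nothing is installed) and maps the result to a Nagios exit status; the sample output embedded at the bottom is constructed so the parser can be exercised offline.

```python
"""Nagios-style check for pending apt updates (added example, not the poster's)."""
import re
import subprocess

# Standard Nagios plugin exit codes.
OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3

# apt-get -s emits one "Inst <pkg> [<old>] (<new> <origin> [<arch>])" line
# per package it would upgrade, followed by "Conf" lines for configuration.
INST_RE = re.compile(r"^Inst (\S+) \[([^\]]*)\] \((\S+) (.*)\)$")


def parse_pending(sim_output):
    """Return (package, old_version, new_version, origin) for each Inst line."""
    pending = []
    for line in sim_output.splitlines():
        m = INST_RE.match(line.rstrip())
        if m:
            pending.append(m.groups())
    return pending


def classify(pending):
    """Map pending upgrades to an (exit_code, message) pair.

    Packages whose origin mentions a security suite go CRITICAL, anything
    else pending is WARNING, and an empty list is OK.
    """
    if not pending:
        return OK, "OK: no pending updates"
    security = [p[0] for p in pending if "security" in p[3].lower()]
    if security:
        return CRITICAL, "CRITICAL: %d security update(s) pending: %s" % (
            len(security), " ".join(security))
    return WARNING, "WARNING: %d update(s) pending: %s" % (
        len(pending), " ".join(p[0] for p in pending))


def check_host():
    """Run the simulation on this host; UNKNOWN if apt-get cannot be run."""
    try:
        out = subprocess.run(
            ["apt-get", "-s", "upgrade"], capture_output=True, text=True,
            env={"LANG": "C", "PATH": "/usr/sbin:/usr/bin:/sbin:/bin"},
            check=True).stdout
    except (OSError, subprocess.CalledProcessError) as exc:
        return UNKNOWN, "UNKNOWN: apt-get -s upgrade failed (%s)" % exc
    return classify(parse_pending(out))


# Constructed sample of what `apt-get -s upgrade` prints; package versions
# and suite names are made up for the demo, not taken from a real host.
SAMPLE = """\
Reading package lists...
Building dependency tree...
The following packages will be upgraded:
  flashplugin-nonfree libssl1.0.0 openoffice.org-core
3 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Inst libssl1.0.0 [1.0.0-1] (1.0.0-1+sec1 Example-Security:6.0/stable [amd64])
Inst flashplugin-nonfree [1:2.8.3] (1:2.8.4 Example:6.0/stable [amd64])
Inst openoffice.org-core [1:3.2.1-1] (1:3.2.1-2 Example:6.0/stable [amd64])
Conf libssl1.0.0 (1.0.0-1+sec1 Example-Security:6.0/stable [amd64])
"""

if __name__ == "__main__":
    import sys
    code, message = classify(parse_pending(SAMPLE))
    print(message)
    sys.exit(code)
```

Swap `classify(parse_pending(SAMPLE))` for `check_host()` in the main block to run it against a real apt host.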

Re:We are just lucky I guess (1)

ToasterMonkey (467067) | about 5 years ago | (#29430927)

every box pulls the latest package list from our mirror server (and we log any boxes that fail to do so), then at 8am every box is polled by nagios to see if it requires any updates and an email alert is sent...

That is nice and all, but gathering the latest updates is the easiest part. There are tools for every major OS to do that, often many different tools. The difficult part, and the reason many companies have difficulty keeping up with patch releases, is the logistics involved with applying updates - the testing (you _will_ be bit eventually, this pays off), keeping them consistent, rebooting them, restarting apps, outage notifications, failover preparations, etc. There are always gotchas in a large environment. Systems without boot blocks/grub installed to both root mirror halves and missing the *good* disk for years, SAN volumes long gone still in vfstab, dsk/rdsk columns mismatching, hardware that just wants to die, and so on. There is nothing special about Linux in that regard unless you're one of those people who thinks it's safe to disable kernel updates and never reboot after shredding dozens of in use shared libraries, frameworks, runtimes, etc. I'll just presume you're more sensible than that, maybe you're fortunate enough to work in an environment where you can turn things off without providing a detailed plan to two levels of upper management :\ I envy you.

Re:We are just lucky I guess (1)

Hurricane78 (562437) | about 5 years ago | (#29432773)

Umm... nothing against the guy, but I can literally replace him by a very small shell script:

eix-sync && emerge -auDNtv world && revdep-rebuild && emerge -atv --depclean
(Yes, there's a tool to run that in parallel on at least a couple dozen computers... from one system.)

Re:We are just lucky I guess (1)

Nyder (754090) | about 5 years ago | (#29432899)

No, all you need to do is find someone who hates fixing compromised computers (or has OCD for updated software).

God, I hate fixing peeps software problems, so I try to make sure everyone has updated software and crap on the computers i work on.

rather spend 5 mins or so installing software than 5+ hours fixing the crap.

OpenBSD vs Linux (5, Insightful)

chill (34294) | about 5 years ago | (#29428525)

I had this discussion -- and yes, it was civil -- on deadly.org a while ago. Pointing out that web servers were like the circus coming to town. Setting up Linux was like using strong wooden poles to hold the tent, and using OpenBSD was like using steel poles.

Neither really mattered because people who wanted to cause trouble would simply be slitting the fabric (the apps) or cutting the ropes. Thus, a lot of the nit picky little stuff that OpenBSD fanboys focus on vs Linux doesn't really matter. The issue isn't Linux or OpenBSD or Windows, it is now mostly .ASP, .PHP and other homebrew web code where people didn't sanitize input, do bounds checking, etc.

Re:OpenBSD vs Linux (1)

Penguinisto (415985) | about 5 years ago | (#29428769)

Sort of... but you have to remember - at least when PHP gets popped (is there really any other culprit these days?), the OS is still untouched (if you built the box right, anyway). When ASP code gets popped, you stand a good chance of losing the entire server to the penetration (though not a perfect chance, depending on setup).

In your analogy, it's like the tent poles of the "windows" tent are made of cardboard tubes... they might hold up due to the imbalance of newly torn cloth, or they might not.

Re:OpenBSD vs Linux (2, Insightful)

ToasterMonkey (467067) | about 5 years ago | (#29428951)

when PHP gets popped (is there really any other culprit these days?), the OS is still untouched

So what?

Today, the PHP service that got popped was running on the... PHP server. Is the OS important when someone snarfs up your web app and all data it had access to?
Are you keeping unnecessary sensitive data on your PHP server? I hope not, but sure.. MAYBE it would be protected if your OS was secure.

In your analogy, it's like the tent poles of the "windows" tent are made of cardboard tubes... they might hold up due to the imbalance of newly torn cloth, or they might not.

You're completely missing the point. If someone tears through your tent, it's game over, circus down. Nobody gives a damn about tearing your poles down, they have better ones at home.

Re:OpenBSD vs Linux (2, Informative)

Penguinisto (415985) | about 5 years ago | (#29429125)

Is the OS important when someone snarfs up your web app and all data it had access to?

Depends on how long you want to spend in doing recovery. If I have incremental copies (in addition to normal backup/DR actions) and a live copy of the DB transaction logs sitting on the local box outside of the chroot jail (and thus remain untouchable)? It is a lot easier and faster to disable the offending script (or apply the needed patch), copy over the last known good data, and be up and running - with a very short downtime.

If the OS is untrusted, you get to rebuild the entire - which means you get to reach for disk backup or VM clone (if you're lucky) or tapes (if you're not), or you're basically screwed (if you're stupid).

Corner cases naturally will change all of this, but that's the basic premise.

/P

You're still missing the point (1)

TheLink (130905) | about 5 years ago | (#29434809)

You're still missing the point totally.

Good luck telling your customers that "Who cares about your identity theft problem? Who cares that someone stole stuff from your account? It's not a big problem since we don't have to rebuild the O/S, so we don't have to wait hours to get it back up."

Uh huh.

The loss of the O/S hardly matters. The DATA does.

1) There are ZILLIONS of copies of the O/S out there, and many of them are the latest and greatest versions. There aren't zillions of copies of your data, and the few copies there may not be the latest and greatest.
2) Your data backups could be full of already corrupted data and you don't know when the corruption started because the webapp is full of holes.
3) Restoring from backups does NOTHING when the problem is secret/confidential/sensitive information has been leaked.

The rebuild time for an O/S is not a problem, so many ways of dealing with it if necessary.

Understood, but there's a larger picture. (1)

Penguinisto (415985) | about 5 years ago | (#29447293)

Yes, the data is highest in importance, etc. However, the data does not an entire server make, and getting that data back up and spinning ASAP is even more important.

Yes, the site getting popped for any reason still sucks. However, there's still the question as to how big of a crater gets left behind, to use an abstraction.

Pull the zoom back a bit and look at the larger picture. If the data gets corrupted, most-to-almost-all of it (depending on how you built things) can be restored and recovered. If you built the server right initially, you probably won't even lose anything really valuable (e.g. customer data) to those who penetrate the thing.

However, from this pulled-back view, the question still remains - how bad did it get?

  • If it's just in the chroot jail, then the person penetrating got no further, and you have a little cleaning up to do w/ very little downtime.
  • If the OS is compromised, then odds are good that the entire box needs to be flushed.
  • Worse still, if we're talking more than one box and the OS gets compromised, then you'd better start sniffing the rest of your DMZ (or worse) for signs of penetration.

I don't know about you, but I would much prefer to clean up after a pipe bomb blast than to clean up after a thermonuclear detonation.

Re:Understood, but there's a larger picture. (1)

TheLink (130905) | about 5 years ago | (#29451807)

Just like the SANS report says, you're focusing on the wrong security threats.

What if the data is corrupted but you don't know when? It could be stuff just doesn't add up.

You can find SQL injection and web app security flaws really easily. Why bother trying to break a server at the O/S level, especially when it's behind a firewall and there are easier ways in?

Who cares about chroot jails, when you can already get to the data. I have managed to get bank and other webapps to do stuff they shouldn't allow, and believe me, the O/S and chroot jails do NOTHING against that sort of stuff. They enforce at a totally different layer. The O/S knows nothing about cheques, bank accounts, money etc. The O/S cares about process isolation, memory protection, file access controls, that sort of thing.

Why should a hacker break out of a chroot jail, if the hacker can already transfer money from one account to another using an exploit in the webapp? You think a bank will care that the O/Ses are fine when it finds out that millions of dollars have been siphoned off to Nigeria?

The webapps already have the keys to the "bank safes". They need it to do stuff they were written for.

Once the money is gone (transferred and/or withdrawn as cash), you can go restore from backups all you want, but the Central Bank isn't going to let you recreate the stolen money - they want to hold a strict monopoly on money creation ;).

If you're an online casino and players find an exploit in your gambling app, it doesn't matter if the gambling app is stuck in a jail and can't rm -rf your filesystem.

O/S being blown away is petty stuff. Go run a snapshot/virtual machine restore script or something.

I guess if you're running facebook or twitter, data corruption doesn't really matter that much. Oh boohoo, 1374 listed friends instead of 1389. Go readd them again. But even then, I bet few really care about screwing up the facebook/twitter O/Ses, they're more interested in the "app level" stuff.

Those that aren't interested would just DDoS the sites.

Re:OpenBSD vs Linux (2, Informative)

greenbird (859670) | about 5 years ago | (#29430741)

Today, the PHP service that got popped was running on the... PHP server. Is the OS important when someone snarfs up your web app and all data it had access to?

Yes, it's very important. To extend your analogy a little, with Microsoft all the goodies are sitting on open tables inside the big tent so a tear in the big tent generally allows complete access to all the goodies. With linux there are locked covered cubicles inside the tent that you can keep the goodies in. If the goodies are kept in the cubicles, as they should be, it's much harder to get at them even after you tear through the outside tent. With OpenBSD there are steel cubicles for the goodies.

Re:OpenBSD vs Linux (0)

Anonymous Coward | about 5 years ago | (#29434889)

You really don't "get it" do you. No one is interested in hacking the OS whether it is windows, linux or OpenBSD. The point is they are hacking your app and pulling what they need out of the app, no one gives a shit if your OS is safe or every other app on your box was smugly secure. You have lost your data, you have had everything that was important compromised and the OS was completely unaware. Even the worst OS (windows) is many times more secure than most of the best apps out there and those apps are where the valuable content is.

Re:OpenBSD vs Linux (1)

TheLink (130905) | about 5 years ago | (#29434895)

But SQL injection goes all the way to the goodies whether it's Linux, OpenBSD or Windows.

Typically the webapp has keys to those locked steel cubicles where the data is stored. Since the webapp needs to read and change the data.

So whether it's OpenBSD or Linux or Windows it doesn't matter for the problem at hand.

In my experience it does matter a bit whether it's PHP with its "mysql_definitely_real_escape_string_this_time_no_really", or something less crap (since PHP does make it easy to do the wrong thing and hard to do the right thing).

But what matters more is whether the programmers are writing secure web apps.
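An added example (not any poster's code) of the point made in this post and in the earlier one about chroot jails: every query below runs over the same database connection, so nothing at the OS or jail layer tells the abused query from the honest one; only how the app builds its SQL differs. It uses an in-memory sqlite3 table with constructed owners, account ids and balances, and contrasts string concatenation, quote escaping, and bound parameters.

```python
"""Application-layer SQL injection versus OS-level isolation (added example)."""
import sqlite3


def make_bank():
    """Create the constructed accounts table the 'web app' holds the keys to."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (owner TEXT, acct TEXT, balance INTEGER)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?, ?)", [
        ("alice", "A-100", 500),
        ("bob", "B-200", 1200),
        ("carol", "C-300", 75),
    ])
    return conn


def balances_concat(conn, owner):
    """Vulnerable: user input is spliced into the SQL text."""
    sql = "SELECT acct, balance FROM accounts WHERE owner = '" + owner + "'"
    return conn.execute(sql).fetchall()


def balances_param(conn, owner):
    """Safe: the value is bound by the driver and never parsed as SQL."""
    sql = "SELECT acct, balance FROM accounts WHERE owner = ?"
    return conn.execute(sql, (owner,)).fetchall()


def naive_escape(value):
    """The 'escape everything' style the poster mocks: doubles quotes only."""
    return value.replace("'", "''")


def over_minimum_escaped(conn, minimum):
    """Still vulnerable: escaping quotes does nothing in a numeric context."""
    sql = "SELECT acct, balance FROM accounts WHERE balance > " + naive_escape(minimum)
    return conn.execute(sql).fetchall()


def over_minimum_param(conn, minimum):
    """Safe: validate the type first, then bind it; bad input raises ValueError."""
    threshold = int(minimum)
    sql = "SELECT acct, balance FROM accounts WHERE balance > ?"
    return conn.execute(sql, (threshold,)).fetchall()


# Constructed inputs: one honest value and two that change the query's meaning.
HONEST_OWNER = "alice"
TAMPERED_OWNER = "alice' OR '1'='1"
TAMPERED_MINIMUM = "1000 OR 1=1"

if __name__ == "__main__":
    bank = make_bank()
    print("concat, tampered:", balances_concat(bank, TAMPERED_OWNER))         # all 3 rows
    print("param, tampered: ", balances_param(bank, TAMPERED_OWNER))          # []
    print("escaped numeric: ", over_minimum_escaped(bank, TAMPERED_MINIMUM))  # all 3 rows
    print("param numeric:   ", over_minimum_param(bank, "1000"))              # bob only
```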

Re:OpenBSD vs Linux (2, Interesting)

bloodhawk (813939) | about 5 years ago | (#29434923)

As a hacker, I am going to walk into your PHP cubicle and snarf up all your customer data to sell for identity fraud. But don't worry, you can tell all your customers your OS was safe and the hacker was not able to break out of the sandbox to get access to your other apps. I am sure they will feel so much better about having their details sold on the black market after hearing that wonderful news.

Re:OpenBSD vs Linux (2, Interesting)

jafiwam (310805) | about 5 years ago | (#29429617)

The security model of PHP in Windows is still pretty bad.

The default install of PHP can let a user put files in a web site that can compromise or infect the operating system.

Plus, a lot of third-party add-ons for PHP want you to add "read/execute" to CMD.exe and put it in the PATH to the PHP services to piggyback their apps into working. Which is, well, stupid.

Maybe on Linux PHP is no harm to the OS, but on MS boxes that is not a safe assumption to make.

Re:OpenBSD vs Linux (1)

dkf (304284) | about 5 years ago | (#29430785)

Maybe on Linux PHP is no harm to the OS, but on MS boxes that is not a safe assumption to make.

PHP is a problem, but if you're properly paranoid you can avoid most of the problems. Removing from your production webserver all things like wget that can download a rootkit is a good start. You also don't want to have compilers on those systems. It also helps if you crucify any web developer who puts an "email a friend" form up. (Careful firewalling can help detect when such idiots have been about; you don't have to wait for your server to appear in one of the spam blacklists...)

Re:OpenBSD vs Linux (2, Interesting)

javaman235 (461502) | about 5 years ago | (#29429021)

That's a really great post. It reminds me that any OS which grants its users the freedom for their apps to do what they like also grants the freedom for some app running on it to do bad things, whether it affects the OS or not. It will always be like that.

The only solutions I can think of are to 1) create programming languages that result in really secure code through lots of input restraints etc. 2) create a lot of transparency to see what's going on. And even those don't do enough: A language with too much checking will be slow (Java has a much better security name in this department than C for instance) and while seeing if my machine is sending mystery emails out to my friends would be good, what kind of transparency lets me "see" a buffer overflow caused by a Flash movie writing arbitrary code???

Re:OpenBSD vs Linux (1)

dkf (304284) | about 5 years ago | (#29430913)

A language with too much checking will be slow (Java has a much better security name in this department than C for instance)

The best way to do this is to have all the requirements and guarantees written in the code, right down to the low-level, and then to have a compiler that can remove explicit checks once it proves that they're not necessary. This is the sort of idea behind a language like Eiffel. (And the cost of checking at runtime for buffer overflow and other things like that is actually not that high. A lot of the time, you can compensate by building/using a proper high-quality buffer management lib rather than rolling your own hack each time round. "Do It Right, Once" is an excellent rule to follow.)

and while seeing if my machine is sending mystery emails out to my friends would be good, what kind of transparency lets me "see" a buffer overflow caused by a Flash movie writing arbitrary code???

Oh god! I just thought of using tubgirl as the visualization of that... Now to get that image out of my mind; where's the brain-bleach?

Analogy (1)

rockNme2349 (1414329) | about 5 years ago | (#29429243)

Uhhh, I don't really get it. Can you put that in the form of a car analogy?

Re:OpenBSD vs Linux (1)

caluml (551744) | about 5 years ago | (#29430793)

Setting up Linux was like using strong wooden poles to hold the tent, and using OpenBSD was like using steel poles.

Linux + GRSec [grsecurity.org] + RBAC + PIE + SSP + etc etc = much much tougher.

Re:OpenBSD vs Linux (1)

Hurricane78 (562437) | about 5 years ago | (#29432561)

Well, that's what rights management is for. Why do you allow them to do that? Because it's hard to set up SELinux, and simply deal with the non-allowance of so much stuff?

I understand that. But unfortunately, it's no real excuse. :/

I think there can be a ton of money made with an automation/optimization of setting up and maintaining such rights.

Re:OpenBSD vs Linux (1)

TheRaven64 (641858) | about 5 years ago | (#29439923)

I had this discussion -- and yes, it was civil -- on deadly.org a while ago. Pointing out that web servers were like the circus coming to town. Setting up Linux was like using strong wooden poles to hold the tent, and using OpenBSD was like using steel poles.

On OpenBSD, for years, the default Apache install has run:

  1. As an unprivileged user.
  2. In a chroot jail.
  3. With no ability to write to any of the files in this jail.
  4. With stack canaries, W^X protection, and address-space randomization.

A lot of these have now been back-ported to the mainline of Apache. I think Apache on Linux now tends to use SELinux so it should be comparable (ignoring the recent few SELinux vulnerabilities), but a few years ago Apache on OpenBSD was a lot more secure than Apache on any other platform.

Re:OpenBSD vs Linux (1)

chill (34294) | about 5 years ago | (#29440243)

And my point was that in a real-world situation, this is mostly meaningless.

1. How does this protect from someone compromising Apache to read the .php files on my server without them being parsed; extracting database login information; and pillaging my database?

2. How does this protect from someone compromising Apache to read all the files in a shared web host?

The whole "prevent them from getting root" mentality is like operating with blinders on. Great! They didn't get root or compromise the core OS. How does that help us explain to our clients how the database was sucked dry?

If I have a web front-end to a database that 1,000 users interface to, I don't have 1,000 database logins with 1,000 views. Code on the web server usually handles the actual authentication, meaning the Apache process is going to be able to get a LOT of places in the database.

All that is like saying "we have fire-hardened the bicycle chain and used a super-strong alloy so NOTHING can break the chain" when the lock is made of paper mache. The whole "weakest link" bit, etc.

Re:OpenBSD vs Linux (1)

TheRaven64 (641858) | about 5 years ago | (#29441089)

The database has its own access control. Compromising Apache on Linux and getting root access meant that you could just read the filesystem and get (or modify) the contents of the database. Compromising Apache on OpenBSD meant that you then had an entry point for attacking the database. This concept is called 'defence in depth'. The database should regard the web application as a barely-trusted client. It should not, for example, be allowed to read password information; it should provide passwords to the DB, which will then check them via a stored procedure.

If I have a web front-end to a database that 1,000 users interface to, I don't have 1,000 database logins with 1,000 views. Code on the web server usually handles the actual authentication, meaning the Apache process is going to be able to get a LOT of places in the database.

Then you are an idiot. If your database is designed to trust the web server, then your database is as secure as your web server. If you're intentionally going to bypass the protection that your OS gives you, then any OS will be insecure.

All that is like saying "we have fire-hardened the bicycle chain and used a super-strong alloy so NOTHING can break the chain" when the lock is made of paper mache. The whole "weakest link" bit, etc.

No, it's like saying "we have fire-hardened the bicycle chain and used a super-strong alloy so NOTHING can break the chain" and then you deciding to just loop the chain around the handlebars and not connect it to anything else.
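The stored-procedure arrangement described above, sketched as an added example (not code from the thread; it assumes PostgreSQL with the pgcrypto extension, and the role, table and function names are made up): the web application's database role gets no privileges on the password table at all and can only call SECURITY DEFINER functions that check or change a password server-side.

```sql
-- Added example, not code from the thread. Assumes PostgreSQL with the
-- pgcrypto extension; the role, table and function names are made up.
-- Goal: the web application's DB role (webapp) holds no privileges on the
-- password table, so a compromised Apache/PHP process can ask "does this
-- password match?" but cannot dump or rewrite the hashes.
-- Run this script as the administrative role that will own the objects.

CREATE EXTENSION IF NOT EXISTS pgcrypto;

-- Role the web application connects as. Placeholder password; set a real one.
CREATE ROLE webapp LOGIN PASSWORD 'placeholder-change-me';

-- Table owned by the administrative role running this script, not by webapp.
CREATE TABLE app_user (
    id            serial PRIMARY KEY,
    username      text   UNIQUE NOT NULL,
    password_hash text   NOT NULL            -- bcrypt hash produced by crypt()
);

-- Nobody but the owner can touch the table directly; webapp gets no GRANT here.
REVOKE ALL ON app_user FROM PUBLIC;

-- The check runs with the function owner's privileges (SECURITY DEFINER), so it
-- can read app_user even though its caller cannot. The pinned search_path stops
-- a caller from shadowing crypt() with a function of its own.
CREATE OR REPLACE FUNCTION check_login(p_username text, p_password text)
RETURNS boolean
LANGUAGE sql
SECURITY DEFINER
SET search_path = public
AS $$
    SELECT EXISTS (
        SELECT 1
        FROM app_user
        WHERE username = p_username
          AND password_hash = crypt(p_password, password_hash)
    );
$$;

-- Password changes also stay inside the database and require the old password,
-- so even with webapp's credentials an attacker cannot reset arbitrary accounts.
CREATE OR REPLACE FUNCTION change_password(p_username text,
                                           p_old_password text,
                                           p_new_password text)
RETURNS boolean
LANGUAGE sql
SECURITY DEFINER
SET search_path = public
AS $$
    WITH changed AS (
        UPDATE app_user
        SET password_hash = crypt(p_new_password, gen_salt('bf', 12))
        WHERE username = p_username
          AND password_hash = crypt(p_old_password, password_hash)
        RETURNING 1
    )
    SELECT EXISTS (SELECT 1 FROM changed);
$$;

-- Functions are executable by PUBLIC by default; restrict them to webapp.
REVOKE ALL ON FUNCTION check_login(text, text) FROM PUBLIC;
REVOKE ALL ON FUNCTION change_password(text, text, text) FROM PUBLIC;
GRANT EXECUTE ON FUNCTION check_login(text, text) TO webapp;
GRANT EXECUTE ON FUNCTION change_password(text, text, text) TO webapp;

-- Constructed sample account; hashing happens server-side, never in the web tier.
INSERT INTO app_user (username, password_hash)
VALUES ('alice', crypt('correct horse battery staple', gen_salt('bf', 12)));

-- What the web tier (or whoever has stolen its credentials) can actually do:
SET ROLE webapp;
SELECT * FROM app_user;           -- fails: webapp has no privileges on app_user
SELECT check_login('alice', 'wrong guess');                  -- yes/no answer only
SELECT check_login('alice', 'correct horse battery staple'); -- yes/no answer only
SELECT change_password('alice', 'wrong guess', 'new-secret'); -- refused, old password wrong
RESET ROLE;
```

If the web tier is compromised, the attacker can still brute-force guesses through check_login, so rate limiting and logging of failed calls belong in the database or a proxy in front of it, not in the PHP code alone.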


Can only apply the patches you get (2, Interesting)

petes_PoV (912422) | about 5 years ago | (#29428539)

SANS found that most organizations are focusing their patching efforts and vulnerability scanning on the operating system, but they're missing the boat

They make it sound as if it's the fault of the client companies. In fact, they probably apply all the security patches they get from their suppliers. If most of them come from the O/S vendors and relatively few come from the application vendors, you can hardly blame their clients.

Maybe SANS should, instead, be asking why application vendors are so tardy about providing fixes for the vulnerabilities that SANS seem to think are the most exploited? Of course, the answer would be that the baddies focus their efforts on the weakest link, which is why more attacks target the (weak) applications than the better supported operating systems.

Re:Can only apply the patches you get (1)

0racle (667029) | about 5 years ago | (#29428853)

They did also mention vulnerability scanning in addition to the patching when saying companies were focusing in the wrong place. This means a company can say "We scanned that box with X app and found no X OS holes" when in all reality they are running vulnerable versions of Y and Z apps and the company's scan didn't pick that up because it was focusing on OS vulnerabilities.

There are also many companies that, while being diligent about patching their OSes, are not so quick to apply application patches when they are released.

Re:Can only apply the patches you get (3, Interesting)

compro01 (777531) | about 5 years ago | (#29429039)

I don't think the problem is lack of application patches being provided, but the lack of them being delivered well.

The problem as I see it is there is no good method of application patch delivery on Windows (and Mac for that matter). On Linux and BSD, you have package managers built into the distro that handle everything from the repositories (either the distro repositories or the application's repositories). On Windows, there is no such thing (yes, there are package managers available, but they are not included stock and aren't widely used) and every application has to handle things itself, either by checking on startup or adding yet another background process taking up resources, both of which are decidedly non-optimal solutions.

In the former, with infrequently used apps (Stuff like Adobe Reader comes to mind), you're going to have infrequent (and thus large) updates, which would result in something like "What? A 15MB update? I don't have time for that, I need to read this PDF." with the obvious consequences or the file being opened before the update option is presented, with the same result.

Re:Can only apply the patches you get (1)

totally bogus dude (1040246) | about 5 years ago | (#29437431)

It's even worse than that, because in most environments users don't have administrator rights and therefore cannot install application updates themselves. But as you say, there's also no good, widespread way of delivering patches for third-party applications without user involvement.

Sometimes it seems like the easiest way is just to reimage every PC every week/day.

apt and friends aren't perfect, especially when dealing with large applications. On the other hand, reinstalling the entire app does mean you don't need to keep its install files around for patches. <grumble> It seems like these days Windows has at least 3 copies of every damned application buried somewhere under \Windows\... </grumble>


pointing fingers (1)

orev (71566) | about 5 years ago | (#29428627)

Usually the "lowly" task of patching is sloughed off onto the sysadmins, while the developers in their hubris think there's nothing wrong with anything they wrote. OS/app patches are easily obtained and applied because many people use them. In house apps take a lot more resources to analyze and patch, and add the previously-mentioned hubris and you have a situation where resources will never be spent patching the in-house apps, because it's not their problem anyway.

Attention! Do not mod down!! +5 INFORMATIVE (-1, Offtopic)

Anonymous Coward | about 5 years ago | (#29428639)

I submit David Hasselhoff is the AntiChrist

And I have the proof

How can one explain the phenomenal global success of one of this country's least talented individuals? There are only three ways.

        * Mr. Hasselhoff actually is talented, but this goes unnoticed in his own country.

        * Mr. Hasselhoff has sold his soul to Satan in return for global success.

        * David Hasselhoff is the AntiChrist.

            I vote for the latter -- and perhaps, after seeing the facts involved, the rest of the world will agree.

The Facts First, the obvious. Add a little beard and a couple of horns -- David Hasselhoff looks like the Devil, doesn't he? And the letters in his name can be rearranged to spell
fad of devil's hash.

What does this mean? Well, Baywatch is David's fad. David is the devil. The Hash is what makes Knight Rider popular in Amsterdam.

(I was actually hoping to make the letters in his name spell out he is of the devil, which would be possible if his middle name was "Ethesis," which it might be. I'm sure his publicist would hide such a middle name if it were true.)

Second -- and most importantly -- David Hasselhoff and his television series were foretold in the Bible. Biblical scholars worldwide may quibble over interpretations, but they all agree on this. For a few telling examples let's skip to the end of the Bible. If any book of the Bible will tell us who the AntiChrist is, it's the Revelation of Saint John, which basically describes the AntiChrist and the Armageddon He causes. I'll just give you the verse, and the current theological interpretation of that verse.

Who is the Beast?

Rev 13:1 And I stood upon the sand of the sea, and saw a beast rise up out of the sea, having seven heads and ten horns The Beast, of course, is David Hasselhoff. The Heads are His separate television incarnations. Young and the Restless, Revenge of the Cheerleaders, Knight Rider, Terror at London Bridge, Ring of the Musketeers, Baywatch and Baywatch Nights.
The ten horns represent His musical releases: Crazy For You, David, David Hasselhoff, Do You Love Me?, Du, Everybody Sunshine, I Believe, Looking For Freedom, Night Lover and Night Rockers.
Not only does Mitch The Lifeguard literally "rise out of the sea" on Baywatch, but David's musical career has mostly occurred in Europe, a metaphoric rise to fame from across the sea.
Rev 13:3 And I saw one of his heads as it were wounded to death; and his deadly wound was healed: and all the world wondered after the beast. Of course, this is a reference to his third head: Knight of the Phoenix, the first episode of Knight Rider. In this episode, "Michael Long, a policeman, is shot and left for dead. The shot is deflected by a plate in his head, but ruins his face. He is saved and his face reconstructed. He is reluctant, but agrees to use K.I.T.T. to help the Foundation for Law and Government fight criminals who are 'beyond the reach of the law'. " Knight Rider has been shown in 82 countries.
Rev 13:5 And there was given unto him a mouth speaking great things and blasphemies; and power was given unto him to continue forty and two months. The following blasphemies are actual quotes from David Hasselhoff -- I read these while he was 42 years old.

"I'm good-looking, and I make a lot of money."

"There are many dying children out there whose last wish is to meet me."

"I'm six foot four, an all-American guy, and handsome and talented as well!"

"Before long, I'll have my own channel -- I'll be like Barney."

"(Baywatch) is responsible for a lot of world peace." which the Hoff said at the Bollywood Oscars. Don't believe me? Read the original article!

And here's a blasphemy that came from David's recent (Feb 2004) visit to the Berlin Wall museum. I couldn't have made something this great up by myself. He was upset that the museum didn't spend more time devoted to his personal role in the fall of Communism. You can read more about it here, if you don't believe me.

The Second Beast: Television

Rev 13:11-13And I beheld another beast coming up out of the earth; and he had two horns like a lamb, and he spake as a dragon.
And he exerciseth all the power of the first beast before him, and causeth the earth and them which dwell therein to worship the first beast, whose deadly wound was healed.
And he doeth great wonders, so that he maketh fire come down from heaven on the earth in the sight of men,

        The Second Beast, with it's dual antennae, is obviously the Television -- merely a pawn in Hasselhoff's underworldly regime. His stereo speaker (the dragon's voice) spews forth the blasphemy of Baywatch until He has caused all people of the earth to worship and watch Baywatch and Baywatch Nights. How well has he done? Baywatch is now seen by about one billion viewers in 140 countries -- the most watched series ever.

You probably never knew this, but the entire historical purpose of television has been to attract a worldwide audience for the eventual syndication of Baywatch. And how does it accomplish this global distribution? Via satellite - from heaven to the Earth.

Rev 13:15 And he had power to give life unto the image of the beast, that the image of the beast should both speak, and cause that as many as would not worship the image of the beast should be killed. How does television work? By giving life unto Hasselhoff's image. I'm pretty sure the second part hasn't happened yet.

Lifeguards: Denizens of the Underworld

These biblical revelations will show that the lifeguards on Baywatch are foretold as servants of the Devil. (Need I say who that is again?)

Rev 20:11And I saw a great white throne, and him that sat on it, from whose face the earth and the heaven fled away; and there was found no place for them

Rev 20:13And the sea gave up the dead which were in it; and death and hell delivered up the dead which were in them...

        Doesn't this sound like an exact description of what the lifeguards on Baywatch do? They sit on their big white wooden throne, and watch out over the sea -- waiting for a dying person to get cast up.
Rev 9:6 And in those days shall men seek to find death, and shall not find it; and shall desire to die, and death shall flee from them.

        One word: CPR

Rev 10:2 And he had in his hand a little book open: and he set his right foot upon the sea, and his left foot on the earth, Sounds like a lifeguard, eh? Standing on the beach reading a paperback?

Rev 17:3-5 ...and I saw a woman sit upon a scarlet coloured beast, full of names of blasphemy, having seven heads and ten horns. And the woman was arrayed in purple and scarlet colour, and decked with gold and precious stones and pearls, having a golden cup in her hand full of abominations and filthiness of her fornication: And upon her forehead was a name written, MYSTERY, BABYLON THE GREAT, THE MOTHER OF HARLOTS AND ABOMINATIONS OF THE EARTH.

    and if that wasn't enough, try
Ezekiel 23:17 And the Babylonians came to her into the bed of love, and they defiled her with their whoredom, and she was polluted with them, and her mind was alienated from them.

        The fabled "Whore of Babylon." Well, people have been calling Hollywood "Babylon" since long before I was making web pages. And of all the women in Hollywood, whose wedding night video is the most popular? Hmmm.... Did someone say "Barb Wire?"

Rev 18:11 And the merchants of the earth shall weep and mourn over her; for no man buyeth their merchandise any more Do you know any merchants who invested heavily in the acting career of this "whore of Babylon?" I've seen that "VIP" show of hers, and I'd be weeping if I had spent money on the merchandising rights.

Rev. 18:21 ... a mighty angel took up a stone like a great millstone, and cast it into the sea,...

        Speaking of lifeguards chucking rocks at innocent people, listen to this excerpt from a recent lawsuit against his Hasselness: "while Plaintiff was in the audience of the Rosie O'Donnell Show, Defendandt DAVID HASSELHOFF came on stage and threw a stack of cards depicting himself into the audience, striking Plaintiff in the eye. . . [he] should have known that throwing cards into an audience could cause injury to the audience."

Rev 18:14 And the fruits that thy soul lusted after are departed from thee, and all things which were dainty and goodly are departed from thee, and thou shalt find them no more at all. He stands to lose money in this lawsuit -- or maybe even all those dainty and goodly things he bought.

The Number of the Beast

The Bible shows us another way to prove a person is the AntiChrist, namely through numerology. Rev 13:18 says: "Let him that hath understanding count the number of the beast: for it is the number of a man; and his number is Six hundred threescore and six."

That's a bit cryptic, to be sure. One score is twenty, so threescore is 60, the number of the beast is 666.

Now, the way biblical scholars and numerologists usually convert the names of men into their numbers is through a simple numerical code. Let's assign the 26 letters of the alphabet the numbers 1 through 26. It looks like this:

a 1 i 9 q 17 y 25

b 2 j 10 r 18 z 26

c 3 k 11 s 19

d 4 l 12 t 20

e 5 m 13 u 21

f 6 n 14 v 22

g 7 o 15 w 23

h 8 p 16 x 24

Now, we take the letters from Mr. Hasselhoff's name, assign numbers to them, and calculate his number.

D A V I D H A S S E L H O F F

4 1 22 9 4 8 1 19 19 5 12 8 15 6 6

Now, since thirteen is such a fitting number for evil, let's multiply the first 13 numbers together. The total (65,874,124,800) is approximately 6.6 billion. Tack on the remaining 6's from the end of his name, and you've got yourself the mark of the beast.

Another tactic you could use would be to add the letters in "David" (I think you should get 40) and the letters in Hasselhoff (99) and then multiply them together. 40 x 99 = 3960. Now, 3960 is 660 x 6. And of course, 660 plus 6 is -- again -- the mark of the beast.

Not enough proof for you? Well, let's see what else the winning combination of the Bible and numerology has in store for David...

As he explains it in his interview, David Hasselhoff first decided to act at the age of 7 when he saw a local production of Rumplestiltskin. His acting debut was in Peter Pan. Knight Rider ended its run in 1986, when Hasselhoff was 32. Baywatch debuted in 1989, when Hasselhoff was 35. His first televised role was as Snapper Foster on the Young and the Restless at the age of 19. If we look at the 37th chapter of the 19th book of the Bible (Psalms) -- at verses 32 and 35, we notice an interesting phenomenon. Take a look:

32. The wicked watcheth the righteous, and seeketh to slay him.

35. I have seen the wicked in great power, and spreading himself like a green bay tree.

Viewers of Baywatch may have thought they were watching the good leader Mitch Buchannon -- whose main job as head lifeguard is to watch over the righteous babes at the beach, and save them. According to the Bible, he is really trying to slay them. But can we be sure that the show in question is actually Baywatch? Well, count the number of letters in Rumplestiltskin and Peter Pan. 15 and 8, right? Now look at those Bible verses again. Find the 15th word of verse 35 -- and the 8th word from the end of verse 32. Put them together.

35. I have seen the wicked in great power, and spreading himself like a green bay tree.
32. The wicked watcheth the righteous, and seeketh to slay him.

Security through head in sand (1)

ArhcAngel (247594) | about 5 years ago | (#29428661)

Most companies I have worked for will overly lock down one area of security (ex. overly tight settings on web browsing) and completely ignore all other forms of security (ex. employee ability to install unlicensed SW on local PC). I can't say I've ever seen any of them install a patch for MS Office unless I did it myself on an individual machine. I'm sure the cost of manpower hours far outweighs the risk in most CFOs' minds (CIOs probably look at it differently but don't get the final say). I've also noticed it has a lot to do with the CIO's particular bent. Some feel a good "offense" is best while others are always taking the "defensive" posture.

Re:Security through head in sand (1)

Bert64 (520050) | about 5 years ago | (#29431071)

Patching MS Office is a pain; installing updates can actually break document compatibility with unpatched versions... Also, unless you install something like WSUS, you can't patch them easily.
Third party apps are another big problem, because there is no standard centralised way to patch them at all that doesn't cost a lot of money.

These are just some of the hidden costs of running Windows that are often overlooked and cause problems as a result (by contrast, Linux typically has such functionality out of the box).

Re:Security through head in sand (1)

Flere Imsaho (786612) | about 5 years ago | (#29432241)

WSUS does Office patching, not an issue.

What's a lot harder is patching Adobe products and the like. We're currently investigating Shavlik NetChk Pro for patching apps:

http://www.shavlik.com/netchk-protect.aspx [shavlik.com]

Insecurity Experts (3, Insightful)

sexconker (1179573) | about 5 years ago | (#29428673)

Always telling you what you're doing wrong, never telling you how to do it right.

How do you serve up the content and services end-users expect without the security risks?
Simple answer: You can't.

Unless you're writing your own operating system and rolling your own PDF viewers and office suite and publishing your own flash-like plug-in that no one will ever want to install, you'll end up running around like a chicken with its head cut off every once in a while because of fucking Adobe, fucking Bill, fucking Linus 20 years ago, fucking Java, etc.

You can extend this to hardware too if you want.
You never really know what that network card is doing, do you?

But at the end of the day, we have to get shit done. "Safety first" in construction is a farce. Getting the job done is first. Getting the job done right and on time is second. Safety's third. Maybe.
The same goes for security in the computer world. We cover the biggest holes and keep our ears open. But our primary goal is making shit available to the end-user.

I'm going to get shit from nerds claiming that I HAVE to be 100% secure. Fuck them. I HAVE to get the job done. My being 98% secure isn't very far from their being 99.99% secure.

Patching all the usual suspects (Adobe, Java, Office, the OS) certainly falls in the "should be done regularly and diligently" category. But as stated above, I understand why it doesn't always happen (and it's not just due to incompetence).
A report saying what people are doing wrong isn't helpful. A report saying "these fuckers are always problematic - here's a practical solution" would be much more useful.

Re:Insecurity Experts (3, Insightful)

Bert64 (520050) | about 5 years ago | (#29431327)

The problem is that while there are solutions, they often won't be considered for various reasons...

There are patch management systems for Windows, but they are often extremely expensive and typically complex to manage.

There is the option of moving to Linux, where on any modern distro it's easy to keep all your applications up to date with patches, but people are either locked in to Windows applications, afraid to try something new or simply have no knowledge of Linux.

I would say that the benefits are a lot more than the 1.9% you mention, and if done correctly it actually requires *less* work... I keep a small network of Linux boxes fully up to date and spend very little time doing so, while other people managing a similar sized Windows network tend to lag behind badly (especially on third party apps). I have the package manager update its package list daily, and alert me if there's any needed updates.
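The daily "refresh the package list and alert me" routine the comment above describes, written out as an added example (this is not the poster's own script, nor anything from the SANS report). It assumes a Debian/Ubuntu host where `apt list --upgradable` prints one `name/suite version arch [upgradable from: old]` line per pending update; the sample output embedded below is constructed so the script runs offline, and the suite suffix `-security` is used to separate security fixes from ordinary updates.

```shell
#!/bin/sh
# Added example, not from the thread: nightly check that reports pending
# package updates and flags those coming from the distribution's security
# pocket. SAMPLE_APT_OUTPUT is constructed; on a live Debian/Ubuntu box
# replace it with the output of `apt list --upgradable 2>/dev/null`.

# Constructed sample in the format `apt list --upgradable` prints.
SAMPLE_APT_OUTPUT='Listing... Done
openssl/focal-security 1.1.1f-1ubuntu2.20 amd64 [upgradable from: 1.1.1f-1ubuntu2.19]
libssl1.1/focal-security 1.1.1f-1ubuntu2.20 amd64 [upgradable from: 1.1.1f-1ubuntu2.19]
firefox/focal-updates 120.0+build2-0ubuntu0.20.04.1 amd64 [upgradable from: 119.0+build2-0ubuntu0.20.04.1]
vim/focal-updates 2:8.1.2269-1ubuntu5.21 amd64 [upgradable from: 2:8.1.2269-1ubuntu5.20]'

# count_upgradable OUTPUT: number of packages with a pending update.
# The "Listing... Done" header has no "/" and is therefore not counted.
count_upgradable() {
    printf '%s\n' "$1" | { grep -c '^[^ ]*/[^ ]* .* \[upgradable from:' || true; }
}

# count_security OUTPUT: pending updates whose suite ends in "-security".
# Field 1 is the package name, field 2 the suite (split on "/" and " ").
count_security() {
    printf '%s\n' "$1" | awk -F'[/ ]' '$2 ~ /-security$/ {n++} END {print n+0}'
}

# security_names OUTPUT: space-separated names of the security updates.
security_names() {
    printf '%s\n' "$1" | awk -F'[/ ]' '$2 ~ /-security$/ {printf "%s%s", (n++ ? " " : ""), $1}'
}

# report OUTPUT: the one-line summary a cron job would mail to the admin.
# Returns 1 when security updates are pending so cron or a monitoring
# check can treat it as a failure, 0 otherwise.
report() {
    total=$(count_upgradable "$1")
    sec=$(count_security "$1")
    if [ "$sec" -gt 0 ]; then
        printf 'ALERT: %s pending updates, %s from security pocket: %s\n' \
            "$total" "$sec" "$(security_names "$1")"
        return 1
    fi
    printf 'OK: %s pending updates, none from security pocket\n' "$total"
    return 0
}

# Live use from a daily cron entry (commented out so the example runs offline):
# apt-get update -qq && report "$(apt list --upgradable 2>/dev/null)"
report "$SAMPLE_APT_OUTPUT" || true
```

Run from cron with mail delivery for root, the ALERT line arrives only when something from the security pocket is waiting; the non-zero exit status is what lets a monitoring system pick it up without parsing the text.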

Re:Insecurity Experts (1)

TheRaven64 (641858) | about 5 years ago | (#29439973)

People keep talking about Linux and apt as if there is no Windows equivalent. I've not used Windows for about five years, but I know that a Windows Domain Controller can push out MSI installers to all workstations in a domain, containing updates to any software that the administrator packages. Before this, there was Novell Zen, which did the same thing. You just need to roll up the patches on one machine and they will be pushed automatically to the whole network.

IE6 (4, Funny)

godztempus (1081497) | about 5 years ago | (#29428743)

Seriously, big corporate needs to get off their asses and upgrade their internal web apps to run on IE7 or IE8 at least.

Re:IE6 (0)

Anonymous Coward | about 5 years ago | (#29428973)

We're working on it

Re:IE6 (1)

Hurricane78 (562437) | about 5 years ago | (#29432327)

Ha. I programmed mine for Mozilla (Seamonkey) and Firefox. "IE? Sorry, no can do. Technically not possible. Or will cost four times the time and money. How are you going to justify that? By not wanting to take five minutes to install Firefox? You can be sure that I will show the boss those costs that your laziness caused. Oh boy will you be fired. ^^"

Mod parent SERIOUS (not funny) (0)

Anonymous Coward | about 5 years ago | (#29432963)

It's not funny. Corporate apps running ONLY on IE6 because they were developed by a bunch of barely-literate Indians who only tested on IE6 are the reason "web side attacks" are a threat. Eliminating the use of IE6 would massively reduce the attack surface of an organization EVEN IF the org continued to use IE for some insane reason.

Firefox (0)

Anonymous Coward | about 5 years ago | (#29441297)

I hope that you are trying to be funny.
Laugh all you like, but a lot of applications for corporate intranets do specifically, and in some cases only, cater to IE: After all, it's what is on every machine in the office, right? And, it integrates with the Windows OS which most desktops have, right?

The downside here is that you now have to cater for the problems using IE as a core browser has. For comparison: Yes, still on IE6 for many places. The hassle of an IE browser upgrade on 20,000+ desktops will be on the nasty side.

Let's compare this to 5K of firefox upgrades, v2 to v3, recently undertaken. 1% of users had either a standard question to the helpdesk or a problem to be resolved. Less than 1% of that 1% had a Serious issue that could not be solved remotely. (quoting the PIR here)

Now. The last IE 'upgrade' (this word is in QUOTES as using this word to describe the changes from V5 to V6 for IE may not be considered an 'upward' movement by some) caused 20% of the user base to reference the FAQ and 5% to lodge a helpdesk call for assistance.

We're not even going to discuss the $##$%#@ developers. In case you're interested though... it goes like this: "Firefox upgrade? Sure. When?" as opposed to "IE upgrade? Aw crap. WHEN? Will we have time to test? How long will we have to develop in parallel? What are the issues with the next version? Whose bucket will this come out of?"

YMMV

Ease of patching (0)

Anonymous Coward | about 5 years ago | (#29428749)

I feel like OS patching is less due to company policy than the presence of Windows Update. I imagine that a third-party app like Firefox is dramatically less likely to be vulnerable (ignoring plug-ins) than something like Office, simply because Mozilla makes it so easy to stay up-to-date. The solution isn't user-education; it's releasing patches more frequently, and making the patch process more transparent.

Re:Ease of patching (1)

ToasterMonkey (467067) | about 5 years ago | (#29431137)

Firefox is dramatically less likely to be vulnerable (ignoring plug-ins)

This is like a repeat of the summary, ROFL.

OS:App::Browser:Plugin

because Mozilla makes it so easy to stay up-to-date

Are there centralized tools to manage Mozilla updates, or do we expect users to take care of themselves?
Hell, Windows Update is a piece of cake too, WTF is Microsoft's problem? Consistency is key, and any environment that takes security seriously needs to enforce security updates, not hope all users understand info security.

Re:Ease of patching (1)

Bert64 (520050) | about 5 years ago | (#29431389)

Most companies won't allow users to install updates themselves...

They need to push updates with some kind of central policy and a background process doing it, otherwise you need to give users admin privs to install the updates. While Firefox may have an updater, that won't work if you don't have privileges to install them. MS don't make an easy way for third party applications to be centrally updated, unlike systems such as apt and yum on Linux boxes.

On some versions of Windows, when you run as an unprivileged user and automatic updates are turned on, you get a dialog box telling you updates were applied and giving you the option to reboot, only you can't select that option because you don't have privileges to do so... Very stupid, you can tell it's designed as a single user OS.

It's really simple (1)

onyxruby (118189) | about 5 years ago | (#29429019)

If a medium is presented that interacts with something it must be patched! The more prevalent the medium, the higher the level of patching required.

Whether that medium is email, your browser, the OS, office or the like should not matter. It doesn't matter if a new killer app comes out, if it interacts with your computers, you need to patch it for security issues on a routine basis.

Really, the OS, vendor, and the rest don't matter; what matters is that routine patching is done. At first people were surprised that they could get malware from disks, then files, then email, infected Internet sites and so on. Is it really a surprise to anyone that your applications like Acrobat and Flash are routinely targeted? Every time the media presents this as the 'next big thing'; really, how did this non-story get approved?

Permits and Inspectors (0)

Anonymous Coward | about 5 years ago | (#29429061)

Don't build computer system shanty towns. Require that systems be built by licensed and bonded professionals; that the work is inspected and certified; and that new systems and major changes get permits before starting. Worked for residential construction in the U.S. and we still have a relatively high home ownership rate.

Re:Permits and Inspectors (2, Insightful)

Bert64 (520050) | about 5 years ago | (#29431543)

A lot of the "professionals" are fairly incompetent, and you can bet that big vendors (especially MS) would corrupt the process to ensure that you can only be licensed if you only install their products.

I've found through the years, that enthusiasts who taught themselves, learned through experience and had a genuine interest in computing tend to be very good at what they do, whereas people who attended training courses and got certifications generally were only interested in the money they could earn from a career in computing, and are often stumped by something that wasn't covered on their course.

The latter kind of people are also extremely averse to learning anything new, and will want to remain in the bubble they were originally taught while the former will actively seek out new technologies to experiment with and learn about.

I have found that the course-taught people will typically believe what vendors tell them and never question it; if a vendor tells them a product is good/secure they will assume it is, and won't do proper research on how to harden it or what else might be a better option.
And they won't seek out anything that isn't advertised to them. This is why there is such a huge problem with unpatched third party apps as the article states: these people don't even realise there is a problem because there aren't any vendors heavily marketing a "solution" for it.

Having requirements like you specify is likely to do more harm than good.

Re:Permits and Inspectors (0)

Anonymous Coward | about 5 years ago | (#29431691)

Don't build computer system shanty towns. Require that systems be built by licensed and bonded professionals; that the work is inspected and certified; and that new systems and major changes get permits before starting. Worked for residential construction in the U.S. and we still have a relatively high home ownership rate.

Surely you jest...

If people could buy houses at half off, built by unlicensed, unbonded workers, not inspected or certified, with no permits, warranties, guarantees, they would fall all over themselves, and wedge lower and upper classes further apart. Computing, at least, isn't a necessity.

Too confusing (1)

Oxy the moron (770724) | about 5 years ago | (#29429079)

This would have been so much easier to understand with a proper /. car analogy.

Re:Too confusing (2, Interesting)

slinches (1540051) | about 5 years ago | (#29429357)

This would have been so much easier to understand with a proper /. car analogy.

Here you go:

It's like locking your car doors and keeping up with the manufacturer recall notices, but ignoring that the remote start system you had installed uses an unencrypted signal.

duh? (2, Insightful)

Lord Ender (156273) | about 5 years ago | (#29429281)

Patching Windows is the main focus because it is the best bang for the buck. There are many tools to automate this process (Active Directory, Group Policy, SUS). There are no tools to automatically discover XSRF, XSS, and Injection attacks in your custom web apps, then write patches for them, then deploy and manage those patches. That's orders of magnitude more expensive.

When you have limited resources, you will just go for the lowest-hanging fruit. Obviously.

Re:duh? (1)

Flere Imsaho (786612) | about 5 years ago | (#29432325)

Nessus has a pretty good plug-in for finding SQL injection and cross-site vulnerabilities.

But getting them fixed, yeah, that can be painful...

PEBKAC (1)

gmuslera (3436) | about 5 years ago | (#29429803)

People are the ultimate vulnerability. And that goes from applying the same solution for all problems (that desktop environment looks nice for personal trusted use, let's use it to let it run for hundreds of untrusted ones), to opening attachments, to confusing authority with knowledge (I am the boss and want full access to the internet and all the corporate servers) to admins and thousands of etcs.

The security suite to solve it is education and common sense. One takes too long to get, while the other could take forever for some. How to raise a culture on security to "normal" people?

While installing Office 2007... (0, Offtopic)

Sfing_ter (99478) | about 5 years ago | (#29435649)

While installing office 2007 this morning, I too exacerbated... but I don't feel guilty or self-conscious about it. :D

OS vulnerabilities still present (0)

Anonymous Coward | about 5 years ago | (#29436865)

The article presented interesting data but failed to understand how we got where we are. Formerly, the overwhelming majority of attacks were OS attacks. If both OS and application vulnerabilities are present, attackers are more likely to be able to find a vulnerable OS than a vulnerable application; there are a lot fewer OS choices than application choices. Over the years, sysadmins and major vendors realized this and made a huge effort to improve OS patch processes, with a fairly high degree of success. Attackers have responded by moving on to applications; particular apps are harder to find, but if the OSs are hardened, then app it is. But attackers are still probing OSs and trying attacks on them, too. If we improve application patching at the expense of OS patching, as recommended in this article, then we actually make attackers' jobs easier. So we can only improve application patching if it does not interfere with OS patching. If funds to do that are available, great. If not, the status quo may be best.
