Hidden 'Windigo' UNIX ZOMBIES are EVERYWHERE

Hackers using a Trojan seized control of over 25,000 Unix servers worldwide to create a potent spam and malware distribution platform. The attack, dubbed Operation Windigo, was uncovered by security experts at anti-virus firm ESET, in collaboration with CERT-Bund, the Swedish National Infrastructure for Computing, as well as …

COMMENTS

This topic is closed for new posts.
  1. Irongut

    Typical Windows insecurity. This would never have happened on *nix!

    oh wait

    1. Anonymous Coward

      False Claims!

      Linux is secure! Until such time there is an article on El Reg that says all 10ⁿ Linux variants are pwnd by a zero day hack. Until then, I'll keep my fingers in my ears and singing "la la la la".

      1. Anonymous Coward

        Finally!! Us Windows users have got the story we've been waiting for! How is the egg on your faces now, smug Linux users :P

        It doesn't matter if it's manually installed and due to poor config. It's still a breach!!!

        Just a shame it's being used to automatically infect us :(

        1. JEDIDIAH
          Linux

          Not so sweet for the Lemmings really...

          This "virus" or whatever you want to call it seems to feed entirely off of swiped credentials. It doesn't infect systems in the usual Windows-y way. You kind of have to invite it in first.

          The real harm of this thing is that it feeds weaker malware to Windows machines.

        2. yossarianuk

          > Just a shame it's being used to automatically infect us :(

          Yes Linux desktop users are pretty much safe from most malware/spyware still.

          1. h4rm0ny

            >>"Yes Linux desktop users are pretty much safe from most malware/spyware still."

            That is because most malware is not written for GNU/Linux. It used to be the case that the Windows security model was weaker than Linux's and so some smugness was supportable (if you were inclined to be a smug person). But since Vista, their security models are equivalent. The reason today that GNU/Linux users are safe from most malware is because we get security through obscurity (to repurpose a phrase).

            A very large proportion of malware on Windows depends on users running things they're not supposed to. I could create a script right now that popped up a "Would you like to install / view / X" message and asked for root access. And if GNU/Linux had the same userbase Windows had, the same number of people would go "okay" and grant it access.

            1. Spiracle

              And if GNU/Linux had the same userbase Windows had, the same number of people would go "okay" and grant it access.

              You're correct but only up to a point. On a Linux desktop such a script would result in the user having to type in their su/root password into a box, giving a vital extra couple of seconds to engage brain. On Windows all that's needed is a reflex click on an 'OK' button. Later versions of Windows have tried to make this more obvious by making the box modal and blanking the screen background, but it's still just one mouse click.

              1. h4rm0ny

                >>"You're correct but only up to a point. On a Linux desktop such a script would result in the user having to type in their su/root password into a box, giving a vital extra couple of seconds to engage brain. On Windows all that's needed is a reflex click on an 'OK' button."

                I appreciate the effort, but I really don't think that a case can be made that GNU/Linux is more secure because it will take a user two more seconds to type a password before doing something ill-thought out. I could just as easily make a case (I don't care to as I think it's marginal in either direction) that the Windows one is more secure because in KDE I get a dialogue box that just looks non-descript and boring wording whereas in Windows I get a large block of yellow with a big exclamation mark and a question: "Do you want to allow this program to make changes to this computer?"

                Point is, GNU/Linux is no more secure against ignorant users (note, I say ignorant rather than stupid) than Windows is. I wrote that the reason GNU/Linux isn't vulnerable to as much malware as Windows (which is what the OP stated), is because little of it is written for GNU/Linux. And so long as we're talking about modern Windows which is the only fair way to talk, I stand by that.

                1. Spiracle

                  ... I really don't think that a case can be made that GNU/Linux is more secure because it will take a user two more seconds to type a password before doing something ill-thought out

                  I'm not so sure. You have to remember that the average* Linux desktop user will only have cause to type in the sudo password when either the system update triggers or they're installing something new from the repository. If something outside of those events asks for more authority they're much more likely to think something along the lines of 'hang on, something's asking to go into God-mode and muck about with the workings of my computer and it's not one of the regular things.'

                  It's true that the Windows confirmation box is both big and yellow but it also pops up whenever, say, a browser needs an update, which is regularly. The answer to the question "Do you want to allow this program to make changes to this computer?" is usually 'Yes, now get out of my way' - Click.

                  If MS did something as simple as popping up a similar big yellow box whenever Windows Update runs it might go a little way towards reinforcing in users' minds the fact that something serious is happening.

                  *I'm basing this average user behaviour on a sample of one: my wife.

                  1. h4rm0ny

                    >>"I'm not so sure. You have to remember that the average* Linux desktop user will only have cause to type in the sudo password when either the system update triggers or they're installing something new from the repository"

                    Which is more often than the average Windows user as Windows does not require authentication to perform updates. I have to type my password into my Debian box every couple of days - it's always popping it up asking for permission for updates. Remember, I'm not arguing that this makes Windows more secure - I repeat, the difference is trivial, I'm disputing your assertion that typing your password has any significant impact on making GNU/Linux secure for the sort of user who doesn't think twice on Windows when it flags up a large colourful warning box with a simple message and flashing Shield icon.

                    Personally, the fact that GNU/Linux asks them to type in the password with every update getting them used to doing so (as you pointed out) and has a non-descript little pop-up with customizable text on GNU/Linux puts such petty arguments in Windows favour if you really want to go down that route. But I do not - it's a marginal difference either way and I doubt the impact would really be measurable. The fact that you're trying to build a case on this concerns me as to your neutrality, quite honestly.

                    >>"It's true that the Windows confirmation box is both big and yellow but it also pops up whenever, say, a browser needs an update, which is regularly"

                    Actually, only the first part (the part you quoted from me) is true. I never said anything about browser updates and in fact this part is false. I have been running Windows since last October and both Firefox and Internet Explorer haven't been asking me to grant permission to update. So it can't be asking very often at all. Certainly less often than I'm asked for permissions on my Debian box as I pointed out earlier. That happens almost daily.

                    >>If MS did something as simple as popping up a similar big yellow box whenever Windows Update runs it might go a little way towards reinforcing in user's minds the fact that something serious is happening

                    The exact opposite. Even though MS clusters their updates into a once-a-week thing unlike most GNU/Linux distros, it would still just condition people to click "Okay".

                    Seriously, trying to build a case on this that GNU/Linux is more secure against ignorant users who trust foreign software is desperate, to be honest. Sorry to say it, but that's how it sounds. Really - I said that GNU/Linux would be pretty much the same malware-wise if it had the same user-base as Windows. That's not a dig at GNU/Linux, that's a simple and supportable opinion. And you're trying to argue against that by saying (a) typing a password will have a significantly greater effect at stopping this than Windows bright colourful warning signs and flashing shield icons. And now (b) that the fact GNU/Linux users are more used to granting such permissions will make them more likely to not grant such permissions.

                    There is one chief reason why modern GNU/Linux is more secure against such attacks then modern Windows, and that is because the typical GNU/Linux user is one Hell of a lot more tech-savvy than the typical Windows user.

                    1. eulampios

                      @h4rm0ny

                      I said that GNU/Linux would be pretty much the same malware-wise if it had the same user-base as Windows. That's not a dig at GNU/Linux, that's a simple and supportable opinion.

                      That's your theory, a hypothesis. It might not be true though.

                      Is it that you're forgetting the fact that you have to type in your password more times with Debian updates than for only two apps (FF and IE) in Windows? 2 vs all? Would you also prefer to have an important security update available ASAP rather than once a month? Please answer these questions:

                      -- there are only two pieces of software that need updates, and/or

                      -- all the rest of the software stays magically updated without you needing to type in any passwords?

                      -- you can get updates for 99.999% of installed apps, just like in Debian?

                      -- updates for third-party software are taken care of by a central Windows packaging system that installs, verifies the authenticity and integrity, checks for dependencies, keeps records for, notifies about and performs the updates when available of every piece of software?

                      -- Microsoft, after all those long 20-some years, has finally built itself a repository/store where you can securely install and update all apps and dlls?

                      If this is not completely true you might need to reconsider your little "congruency" theory, I suppose.

                  2. jbuk1

                    I guess you've never used opensuse then?

                    I'm prompted for my wallet password way too much. It's almost become a reflex to type it in and the elevation dialog box does not give you enough information to make a valid decision.

            2. Bill Neal

              Would you like to install?

              ...unless they don't know the root password. That depends on the distro, of course.

          2. unimaginative

            Exactly. Even if it is security by obscurity as Windows fanbois claim, the end result is that a Linux desktop is a LOT less likely to be affected by malware.

            I am not entirely convinced that Windows has caught up either - there have been a lot of improvements to Linux security as well in the last few years, and Linux is also much less of a monoculture (although Ubuntu's ubiquity has made it more of one).

        3. M Gale

          It doesn't matter if it's manually installed and due to poor config. It's still a breach!!!

          It doesn't matter if you took your bullet proof vest off, got out of the armoured vehicle, stuck a high visibility jacket on and walked toward the insurgents waving your hands in the air and shouting "come and get me, you pig-eating motherfuckers." Bullet proof vests aren't worth the kevlar they're made out of!

        4. tom dial Silver badge

          For those who didn't read the story: misconfiguration, not software vulns. No default unix/linux installation I ever saw had a privileged default user. For years the default windows install gave the default user admin. As far as I know that is true today, although I seem to recall that Vista generated a lot of complaints by deviating from that.

          Windows: insecure by default, by popular demand.

          1. David Roberts
            WTF?

            No default privileged user?

            Not been around that long, then?

            'root' was always the default sysadmin user on Unix installs and other users were created later if you really had to share your toy.

            However sysadmins were trusted to manage systems and they didn't have these new fangled Internet connections - fancy systems had UUCP over dial up, of course.

            Hardware costs put Unix systems far beyond the reach of most home users (mumble Xenix mumble).

            Of course, with free Linux downloads measures had to be taken to protect naive users from themselves.

        5. h4rm0ny

          >>"Finally!! Us Windows users have got the story we've been waiting for! How is the egg on your faces now, smug Linux users :P"

          Speaking as a GNU/Linux AND a Windows user, I just downvoted you. The football fan mentality of idiots who want to feel part of a team but feel excluded by sports and so turn to tech companies, does no good at all for any of us. It's downright destructive.

          Not that such idiots care. They're too busy hooting at any perceived flaw in the other "side".

    2. Anonymous Coward

      It's not exactly news that for internet facing servers, you are much more likely to be compromised if you run Linux than Windows Server.

      1. Anonymous Coward

        Man, who is doing all the downvoting here? There must be a lot of Linux shills here!

        1. Daggerchild Silver badge
          Holmes

          Not as easy as you thought, huh?

          Don't worry, you can easily defeat those evil shills by confidently and un-anonymously citing your reliable sources.

        2. Ole Juul

          Who are we here?

          "There must be a lot of Linux shills here!"

          I noticed the downvotes too, but also see that most of the comments appear to be from MS-Windows supporters.

      2. Anonymous Coward

        "It's not exactly news that for internet facing servers, you are much more likely to be compromised if you run Linux than Windows Server."

        Hi there TheVogon - still coming out with that crap are we?

        1. Anonymous Coward

          Just look at the Android malware scene for a hint of the carnage that would result if a significant percentage of people actually used Linux on the desktop.

          1. M Gale

            Just look at the Android malware scene for a hint of the carnage that would result if a significant percentage of people actually used Linux on the desktop.

            What Android malware? I've yet to see anything that affects a handset that hasn't had its own security measures broken to "root" it.

            Personally I'd rather like to see the CM guys come up with a way of re-locking the device under your own personal key. However, as far as a device you buy from a shop and use goes, you're basically wrong. Even if you do install some rogue app, it's all contained. Uninstall it. Job done.

            Oh, and Dalvik isn't Linux.

            1. DerekCurrie
              Gimp

              Going OT: "What Android malware?"

              THIS Android malware:

              http://www.kaspersky.com/about/news/virus/2014/Number-of-the-week-list-of-malicious-Android-apps-hits-10-million

              Head-In-Sand Android users. It sounds similar to the Linux/Unix server botnet denial syndrome, getting us back On Topic.

              1. Chemist

                "THIS Android malware:"

                Not an Android user but I don't understand this paragraph in their note

                By late January 2014 Kaspersky Lab had accumulated about 200,000 unique samples of mobile malware, up 34% from November 2013 – two months earlier over 148,000 samples had been recorded. Cyber-scammers are continuing to focus their attention on Android mobiles: our report found that in January the number of malicious Android apps out there topped the 10 million mark.

                Are they saying there are ~200,000 unique malicious apps each averaging 50 infections ?

              2. eulampios
                FAIL

                hey, Derek

                Have you ever met a single victim of the Android malware that is so numerous (according to Kaspersky and others)? I myself have not. How many Windows users do you know who have never experienced Windows malware at least once in their life? Well, I can't recall any; if I have, then there should be a really tiny percentage.

              3. M Gale

                http://www.kaspersky.com/about/news/virus/2014/Number-of-the-week-list-of-malicious-Android-apps-hits-10-million

                So how many of these malicious apps affect people who haven't rooted their handsets?

                If the user has checked the little box to allow installation from unknown sources, how many of these apps have broken out of the per-app sandbox?

                I'm reckoning that number will be zero, just like I said. Even if you do get something dodgy, you uninstall it. Just like I said.

                Head-in-sand? Hardly. Broken handsets more likely to be infected. Well, I think that falls under "no shit, Sherlock".

                Now, as I said (again): I've yet to see anything that affects a handset that hasn't had its own security measures broken to "root" it.

                When you can find an example of malware that will infect a non-rooted device, and break out of the sandbox, and be unable to be simply uninstalled like any other app, then maybe I'll listen. I just haven't found any.

                And Dalvik still isn't Linux.

    3. Anonymous Coward

      exploits poor configuration and security controls, rather than a vulnerability in Linux or OpenSSH

      You can't secure against stupidity.

      1. cambsukguy

        >You can't secure against stupidity

        Not really true. Those of us that have written software for end users constantly have to ensure nothing stupid is allowed to happen.

        If the server software had a setup system that ensured that the default system was bulletproof (probably because no-one could ever do anything with it) and then only allowed changes that are safe, the end result would be safe.

        If the system allowed (for instance) weak passwords to be used, then the system is flawed.

        Perhaps people log on as root and just play with files instead of using some supervisor system that ensures you don't do something idiotic, even accidentally?

        1. Anonymous Coward

          Adding "must change password from "admin/password" " tends to be the first step. :P

        2. Kiwi

          @ cambsukguy

          "If the system allowed (for instance) weak passwords to be used, then the system is flawed."

          Question is... What is a weak password? Try something on, say, Skype, which has a requirement of a strong password. Now, I tried one there that is a 10 word phrase with number subs and also various bits of punctuation; Skype wouldn't allow it as "too weak". I put in one that makes it into the top 10 most common passwords, accepted as it's long enough with pseudo-random letters and numbers.

          Any password can be strong or weak, depending on what is known about a person. 21_JHG$45 might look like a strong password to any system, but if you know me well enough you might guess it within a small number of tries.

          Strong passwords are good, but we do need a bit more than that to keep systems secure.

      2. yossarianuk

        777

        Yes - most people who don't understand even basic security on Linux will try to get (as an example) 'wordpress' to run by doing the following

        - chmod -R 777 /var/www/crappysite.com

        - disable SELINUX/APPARMOR (as it's 'interfering' with Wordpress)

        - Maybe disable the firewall (after all they couldn't get their 'Navicat' to connect...)

        i.e. in order to get a (in my mind) badly designed CMS system running, they have disabled pretty much all security.

        Oh and there is also the fact that a lot of people running their own webservers didn't realise that (a) you had to install updates (b) that was meant to be done by them...

        1. Hans 1

          Re: 777

          Yeah, I corrected an answer on stackoverflow where the guy instructed somebody to do chmod 777 -R /some/path. You also have stupid Unix admins ...

          The system is only as secure as the admin is literate.

          I mean, seriously, 777 ... downfall, like the aircraft ;-)

        2. Jim 59

          Re: 777

          @yossarianuk according to the story, cPanel (an application) was targeted, not the kernel or file system itself.

          Victims of Operation Windigo included webserver control panel software cPanel and kernel.org.

          In my view, admin shortcuts like cPanel and phpMyAdmin are a malware magnet best avoided. Better to learn Unix and do the work manually. Reason being, the logs on my Debian internet server often show thousands of repeated attempts to guess the phpMyAdmin password, all failing because the software isn't installed. You would think the bot would be smart enough to realize the page doesn't exist before trying 7000 more passwords, but no.

          1. Kiwi
            Linux

            Re: 777

            "You would think the bot would be smart enough to realize the page doesn't exist before trying 7000 more passwords, but no."

            Well... You might need to try something like Fail2ban. I think it works in those situations. Basically x failed attempts to log in, IP is banned for Y time (both can be set by you). I used to see stuff like that in my logs before I put that in to help block it.

            Me, I cheat with PMA. If I am feeling significantly dumb enough to want to use it, I'll install it and use it, then dump it before I close the session.

            HTH
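Kiwi's fail2ban suggestion boils down to a threshold over the log: count failures per source, act once a source passes N. As an added example (not Jim 59's or Kiwi's code, and not fail2ban's own filter), here is that logic as a shell function over Apache common/combined-format lines: it reports every client that collected more than N 404s on phpMyAdmin-looking paths, which is exactly the guessing-against-software-that-isn't-there pattern described above. The log lines are constructed samples, and the path patterns and threshold are my own assumptions.

```shell
#!/bin/sh
# Threshold detector for phpMyAdmin probing in an Apache access log.
# Lines are Common/Combined Log Format:
#   ip - - [time] "METHOD path HTTP/x" status bytes ...
# so $1 is the client, $7 the request path and $9 the status code.

# probe_sources LOGFILE THRESHOLD
# Prints "IP COUNT" (sorted by IP) for each client that got more than
# THRESHOLD 404 responses on a path that looks like a phpMyAdmin install.
probe_sources() {
    awk -v limit="$2" '
        {
            ip = $1
            path = tolower($7)
            status = $9
            # Only count misses: a 404 means the tool is not even installed,
            # so repeated hits are blind guessing, not legitimate use.
            if (status == 404 && path ~ /phpmyadmin|\/pma\/|\/myadmin\//) {
                hits[ip]++
            }
        }
        END {
            for (ip in hits) {
                if (hits[ip] > limit) print ip, hits[ip]
            }
        }
    ' "$1" | sort
}

# Constructed sample log (not real traffic; RFC 5737 documentation addresses).
# 203.0.113.7 probes five phpMyAdmin paths, 198.51.100.4 two, and 192.0.2.9
# hammers a WordPress login that is not a phpMyAdmin path at all.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
203.0.113.7 - - [20/Mar/2014:10:00:01 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 498 "-" "Mozilla/5.0"
203.0.113.7 - - [20/Mar/2014:10:00:02 +0000] "GET /phpMyAdmin/ HTTP/1.1" 404 498 "-" "Mozilla/5.0"
203.0.113.7 - - [20/Mar/2014:10:00:03 +0000] "GET /pma/index.php HTTP/1.1" 404 498 "-" "Mozilla/5.0"
203.0.113.7 - - [20/Mar/2014:10:00:04 +0000] "GET /myadmin/index.php HTTP/1.1" 404 498 "-" "Mozilla/5.0"
203.0.113.7 - - [20/Mar/2014:10:00:05 +0000] "GET /phpmyadmin2014/index.php HTTP/1.1" 404 498 "-" "Mozilla/5.0"
203.0.113.7 - - [20/Mar/2014:10:00:06 +0000] "GET /index.html HTTP/1.1" 200 3012 "-" "Mozilla/5.0"
198.51.100.4 - - [20/Mar/2014:10:01:01 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 498 "-" "curl/7.35"
198.51.100.4 - - [20/Mar/2014:10:01:02 +0000] "GET /pma/ HTTP/1.1" 404 498 "-" "curl/7.35"
192.0.2.9 - - [20/Mar/2014:10:02:01 +0000] "POST /wp-login.php HTTP/1.1" 404 498 "-" "Mozilla/5.0"
192.0.2.9 - - [20/Mar/2014:10:02:02 +0000] "POST /wp-login.php HTTP/1.1" 404 498 "-" "Mozilla/5.0"
192.0.2.9 - - [20/Mar/2014:10:02:03 +0000] "POST /wp-login.php HTTP/1.1" 404 498 "-" "Mozilla/5.0"
192.0.2.9 - - [20/Mar/2014:10:02:04 +0000] "POST /wp-login.php HTTP/1.1" 404 498 "-" "Mozilla/5.0"
EOF

# With a threshold of 3 only 203.0.113.7 is reported.
demo_probe_sources() {
    probe_sources "$SAMPLE_LOG" 3
}

demo_probe_sources
```

Feed it a real access log instead of `$SAMPLE_LOG` and the output is a candidate list for a firewall rule or a fail2ban action, with the threshold doing the same job as fail2ban's `maxretry`.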

      3. Euripides Pants
        Happy

        Re: You can't secure against stupidity.

        You can with enough concrete...

    4. Jim 59

      Windows Vs Unix

      To be fair, the "virus" has not pwned Unix, it has vectored in where admins left the door open. This is opposed to Windows where the doors are welded open, and the OS itself has been pwned daily for 20 years.

  2. Mint Sauce
    Paris Hilton

    Unix servers?

    I thought the mantra was: 'Gnu's Not Unix'.....??

    1. Anonymous Dutch Coward

      Re: Unix servers?

      Yep. Confusing article.

      At one time it's 10,000 servers, then 25,000... which is it?

      1. Graham Cluley

        10,000 or 25,000

        The explanation is that currently 10,000 Unix servers are compromised by the Windigo attack, but in the entire lifetime of the campaign up to 25,000 servers have been hit.

        Hope that helps

        1. Anonymous Dutch Coward

          Re: 10,000 or 25,000

          While that makes sense (thank you), my point is really that this kind of info should have been in the article.

    2. vagabondo

      Re: Unix servers?

      "I thought the mantra was: 'Gnu's Not Unix'.....??"

      Here "Unix" is a shorthand for Unix, Gnu/Linux, BSDs, OSX, and even some MS Windows servers.

      You really have to read the stuff at http://www.welivesecurity.com -- the article here is unclear to the point of being downright misleading. More like a techie Daily Mail/Sun article than what we expect from El Reg.

  3. Joe Harrison

    How?

    "ESET researchers are calling on webmasters and system administrators to check their systems to see if they have been compromised"

    It would be nice if they explained how to do that... I get a 404 when I click the story on their site.

    1. Destroy All Monsters Silver badge
      Trollface

      LOL!

      I guess they have been infected, too.

    2. Graham Cluley

      Re: How?

      The link works for me.

      http://www.welivesecurity.com/2014/03/20/operation-windigo-the-vivisection-of-a-large-linux-server-side-credential-stealing-malware-campaign/

      Or you can go straight to the technical paper (PDF) here: http://www.welivesecurity.com/wp-content/uploads/2014/03/operation_windigo.pdf

  4. Frank Zuiderduin

    This again?

    This was news in 2011. The kernel.org hack was part of it. They made a fuss about it then. Elsewhere it is stated they identified most of those servers three years ago. Why wait this long?

    1. Anonymous Coward

      Re: This again?

      Maybe because *nix admins have yet to secure their servers?

      1. Anonymous Coward
        Joke

        Re: This again?

        They don't have to secure them, UNIX is secure by design.

        1. Jim 59

          Re: This again?

          Lost all faith... says

          They don't have to secure them, UNIX is secure by design.

          So when you go to a Unix job interview, and they ask "Hi Mr Faith! How would you help to secure our Solaris servers ?", you would reply...

      2. Denarius
        Unhappy

        Re: This again?

        >> Maybe because *nix admins have yet to secure their servers?

        Not quite. Change control is still reviewing the change request as it is so unusual.

  5. Anonymous Coward

    cpanel nix admins are to blame

    Pay peanuts get monkeys

    1. Anonymous Coward

      Re: cpanel nix admins are to blame

      Users use cpanel, not admins. Cpanel is for bedroom hosting resellers and is also the source of numerous security failures.

      1. Captain Scarlet Silver badge
        Holmes

        Re: cpanel nix admins are to blame

        So is the majority of software designed to make it easier to manage and maintain servers, so add Plesk, Interworx, Webmin (Other web control panels also available) to your list.

  6. RyokuMas
    Meh

    The devil's in the detail

    "...exploits poor configuration and security controls, rather than a vulnerability in Linux or OpenSSH"

    No matter how secure you make a system, the greatest security flaw is between the keyboard and the chair.

    ... although I'm guessing this won't stop some of the Windows faithful from gloating.

    1. Anonymous Coward

      Re: The devil's in the detail

      I may live to eat my words, but: I'm pleasantly surprised by the lack of gloating from Windows-only people when there are problems with UNIX/Linux, considering the bashing that they have to put up with day in, day out on sites like this when even the smallest thing goes wrong with Windows.

      1. Daniel B.

        Re: The devil's in the detail

        "I'm pleasantly surprised by the lack of gloating from Windows-only people"

        You didn't stay long enough. The very first post here is an MS shill/troll, followed by a lot of replies made by ACs gloating. It does seem that most of 'em are hiding behind the AC mask though.

        1. Anonymous Coward

          Re: The devil's in the detail

          "The very first post here is an MS shill/troll, followed by a lot of replies made by ACs gloating"

          I would classify the first post as a joke, mildly taking the piss. I would also class the replies as a bit fanboyish, but nothing like the things that Windows users have to put up with on a daily basis.

          Incidentally - Do you really think that MS pay people to make comments like the first post? That's what a shill is, someone just posting their opinion is a fanboy, they are very different things.

          1. M Gale

            Re: The devil's in the detail

            but nothing like the things that Windows users have to put up with on a daily basis.

            Which Windows users would they be? Or do you mean the endless streams of malware and hack attempts that Windows users have to put up with?

            I've certainly seen offline, in-the-flesh examples of console fanbois telling each other their machines are shit, but then most of these people were somewhere in the order of 13 to 15 years old.

            In my own experience, the only time someone's accused me of having a "crappy Wintel box" was a mac-fanboi uncle in pre-Intel, PPC-mac days, while I was running a Linux distribution on an AMD-powered laptop.

            I just smirked.

        2. Anonymous Coward

          Re: The devil's in the detail @Daniel B.

          " It does seem that most of 'em are hiding behind the AC mask though."

          It's really feeble that so many Linux fans trot out that old straw man so readily.

          1. frank ly

            @AC Re: The devil's in the detail @Daniel B.

            I see your humour and raise you an upvote.

        3. Anonymous Coward

          Re: The devil's in the detail

          "You didn't stay long enough. The very first post here is an MS shill/troll, followed by a lot of replies made by ACs gloating. It does seem that most of 'em are hiding behind the AC mask though."

          In an Attenborough whisper:

          "Here, in the hidden depths of the Neverwrongme forest, an extraordinary conflict is unfolding between two related subspecies of primate, Homo Fundamentalis Torsvaldii, and Homo Fundamentalis Redmondii. This endless battle is a goldmine of behavioral information for anthropologists, who are simultaneously baffled by its pointlessness and reduced to tears of boredom by its extraordinary duration. Though bizarre, this behaviour is not unique - similar displays can be observed between populations of the species Malus Cupertinii and a more common relative of H. Fundamentalis Torsvaldii.

          Listen as the alpha males challenge their opponents with haunting territorial cries:

          "Fanboi! Fanboi!"

          "Shill! Shill!"

          It does not take long for the confrontation to turn violent; often striking from ambush, combatants beat their chests and produce an endless maddening droning noise from deep inside their rectums. Meanwhile the rest of the forest sleeps, as they wait for the Circle of Strife to begin anew when a fresh challenge is made...

        4. h4rm0ny

          Re: The devil's in the detail

          >>"You didn't stay long enough. The very first post here is an MS shill/troll"

          The first post doesn't make an attack on UNIX, it's just a mild joke at all the armchair sysadmins we get on this site who trumpet UNIX superiority whenever a Windows vulnerability story comes up. You must admit, if you're honest, that a lot of people make such comments.

          No modern and capable OS is secure if the sysadmin doesn't take care of it.

        5. MrZoolook
          FAIL

          Re: The devil's in the detail

          "The very first post here is an MS shill/troll"

          No, the first post was pointing out sarcastically how wrong Linux users were when gloating how secure they are. That's not trolling or shilling, that's pointing out sarcastically how wrong Linux users were when gloating how secure they are. Nothing more, nothing less. If Linux users see more into it then that, then that's showing an altogether different type of insecurity.

      2. vagabondo
        Boffin

        Re: The devil's in the detail

        "I may live to eat my words, but: ..."

        probably because this attack is reported as potentially affecting many OSs; e.g. BSD Unices, Gnu/Linux, OSX, and MS Windows.

        The technical report at http://www.welivesecurity.com/2014/02/21/an-in-depth-analysis-of-linuxebury/ is really interesting and useful.

        The quick check for infection is given as a one-liner:

        $ ssh -G 2>&1 | grep -e illegal -e unknown > /dev/null && echo "System clean" || echo "System infected"
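        A testable form of that one-liner, added here as an example and not taken from vagabondo's post or the ESET report: the classifier takes the combined output of ssh -G as a string, and the function names and sample outputs are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the ESET report or any post in this thread):
# the "ssh -G" Ebury indicator, split into a pure classifier that can be
# exercised on constructed output, plus a wrapper that runs it locally.
#
# Rationale, as the one-liner encodes it: a stock OpenSSH client of that
# era rejects -G ("illegal option" / "unknown option"), while the
# Ebury-patched client does not print that error, so the ABSENCE of the
# error is the indicator.

# Classify the combined stdout+stderr of `ssh -G` (passed as $1).
# Prints "clean" or "infected"; returns 0 for clean, 1 for infected.
classify_ssh_g_output() {
    case $1 in
        *illegal*|*unknown*) printf 'clean\n';    return 0 ;;
        *)                   printf 'infected\n'; return 1 ;;
    esac
}

# Return 0 when the -G indicator is meaningful for the given client, i.e.
# OpenSSH older than 6.8. From 6.8 on, -G is a real option that prints the
# effective configuration, so the raw one-liner would flag every such
# client as "infected". Takes the first line of `ssh -V`, for example
# "OpenSSH_6.2p2, OpenSSL 1.0.1e-fips 11 Feb 2013" (constructed sample).
# Returns 2 if the string is not an OpenSSH version banner.
ssh_g_check_applies() {
    ver=$(printf '%s\n' "$1" |
          sed -n 's/^OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p')
    [ -n "$ver" ] || return 2
    major=${ver% *}
    minor=${ver#* }
    if [ "$major" -lt 6 ] || { [ "$major" -eq 6 ] && [ "$minor" -lt 8 ]; }; then
        return 0
    fi
    return 1
}

# Run the indicator against the local ssh client. Exit status: 0 clean,
# 1 infected, 2 inconclusive (client too new for this test, or no OpenSSH).
check_local_ssh() {
    banner=$(ssh -V 2>&1 | head -n 1)
    if ! ssh_g_check_applies "$banner"; then
        printf 'inconclusive: "%s" is not a pre-6.8 OpenSSH client\n' "$banner"
        return 2
    fi
    classify_ssh_g_output "$(ssh -G 2>&1)"
}

# Only run when invoked as `sh thisfile.sh --run`, so sourcing has no side effects.
if [ "${1:-}" = "--run" ]; then
    check_local_ssh
fi
```

        Because -G became a legitimate option in OpenSSH 6.8, the bare one-liner reports every modern client as infected; the version guard records that caveat so the result is "inconclusive" rather than a false positive.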

        1. Matt Piechota

          Re: The devil's in the detail

          "$ ssh -G 2>&1 | grep -e illegal -e unknown > /dev/null && echo "System clean" || echo "System infected""

          Heh, nice.

        2. alisonken1
          WTF?

          Re: The devil's in the detail

          $ ssh -G 2>&1 | grep -e illegal -e unknown > /dev/null && echo "System clean" || echo "System infected"

          doh ! N/M

          Just got home from work and was relaxing. Good one.

    2. Anonymous Coward
      Anonymous Coward

      Re: The devil's in the detail

      > No matter how secure you make a system, the greatest security flaw is between the keyboard and the chair.

      Unfortunately this flaw affects 100% of all OSes but for some reason most Linux admins can't seem to identify this gaping security hole (some bigger than others). Hence why this vulnerability is still open and being exploited.

      Just to be fair, I understand why Linux admins fail to see the security flaw, it's hard to see yourself in the mirror behind that bushy beard!

      1. Eradicate all BB entrants

        Re: The devil's in the detail

        Us Windows users aren't gloating because the security issue is mainly to do with the meatsacks and not the OS.

        Plus we are waiting for that *nix Zero Day exploit that increases M&S underwear sales by 500% before the schadenfreude kicks in (Which is why I never save any usernames/passwords on any system, Win or Linux).

  7. Anon5000

    Services

    Any server that runs services such as web servers is opening up more attack vectors. This is a software issue rather than an operating system one.

    Using Linux as your home desktop is still much more secure by design. Antivirus for home users will become useful at some point in the future no doubt but for now only servers really need it still.

    1. Anonymous Coward
      Anonymous Coward

      Re: Services

      "Using Linux as your home desktop is still much more secure by design"

      It really isn't - Windows is ahead in some ways on security - it's just that Linux has a ~1% market share on the desktop so no one targets it.

    2. Anonymous Coward
      Anonymous Coward

      Re: Services

      "Using Linux as your home desktop is still much more secure by design"

      Thinking like that ends up with being owned, because you end up in a mindset that makes you think that the security is built in and you don't really need to bother because it's all those Windows guys who have bad security, not me.

      1. JEDIDIAH
        Mushroom

        Re: Services

        No. Being smug is no threat. Linux or any Unix is less likely to subject you to the stupidity of your software vendor. Needless Internet facing services will not be on by default. The system will not be engineered to muddle the boundary between code and data. The apps won't insist on running strange executables from strangers.

        If you want to do harm to yourself you will have to work at it.

        It helps to know WHY some vendors are more of a problem than everyone else rather than hysterically declaring that you can't do any better than the crap monopoly vendor.

    3. h4rm0ny

      Re: Services

      >>"Using Linux as your home desktop is still much more secure by design"

      Okay. I'll bite. (I use both Debian and Windows 8 daily, btw, and have a list of CentOS servers running things for my clients, though I'm not the direct sysadmin of those).

      What makes GNU/Linux more "secure by design" than modern Windows (i.e. 7 or 8)? Give me the features or capability differences that GNU/Linux has which make it more secure than Windows. Be specific. I'm genuinely curious to see if you're actually making a comment because you're familiar with both systems and this is your informed conclusion, or if you're about to go away and type "reasons Linux is more secure" into a search engine because you're just parroting what someone else said.

      You have the floor, Anon5000 - support your case. You specifically, ideally, because I'm interested if you can back up your own comment.

      1. eulampios

        Re: Services

        What makes GNU/Linux more "secure by design" than modern Windows (i.e. 7 or 8).

        There are a few things that you (I guess) pretend to have never heard about. I might recommend you to go back to some classical text on this. Most of the tackled material remains true to this day, IMHO. Okay, let me provide you my own proof of the "Pythagoras Theorem", ... I mean, my own take, a list of my own. I promise you to not use Euclid's own masterpiece.

        a list:

        -- most software on GNU/Linux is free/open source, including the kernel and utilities;

        -- the kernel is modular, where a huge number of options are togglable at the compile time;

        -- various system pieces are mutually interchangeable; many different combinations exist out there, say, quite a few GNU/Linux, BSD, the hybrids of the latter, Android etc;

        -- a GNU/Linux (*BSD) system can be stripped down much further, disassembled and assembled with much more ease, than can be Windows. MS Windows didn't invent a headless, bare minimum server; A Core Server -- things are improving in Redmond here after 20 some years of denial.

        -- more accurate POSIX hierarchical filesystem structure vs. chaotic Windows that still mixes data and software;

        -- much more numerous up-to-date versions in use, a much higher distro heterogeneity than with MS Windows;

        -- lack of central secure repositories containing 99% of all used software in MS Windows; recent attempts with a Windows store are unraisable, yet semi, or rather one hundredth of a measure, since very little software is available there. Neither did MS invent the Android's apps' permissions system and its transparency to the user.

        -- lack of a decent central packager paired with a repository utility (see the previous item), like dpkg+apt, familiar to you from Debian, that does security, integrity and dependency tests; installs and updates most of the software in a near seamless fashion, literally by typing in a command, or by a few mouse-clicks

        -- better and closer adherence to the main IT principles of modularity, KISS, software in the Linux/BSD camp of developers and sysadmins than in the proprietary camp including Microsoft folks; nor are F/OSS people changing their opinion on things IT like Microsoft has for the last decades demonstrated time and again.

        -- lack of a competent IT culture and infrastructure around MS Windows: harder to troubleshoot and fix problems, than with GNU/Linux or *BSD. The most popular types of diagnosis and resolution with Windows are either:

        It's a malware/viruses -- get yourself a good AV and disinfect your PC!

        Could be anything.... -- reinstall your system!

        --etc

        These are some I got off the top of my head right now, there are a lot more, I am sure.

        1. Anonymous Coward
          Anonymous Coward

          Re: Services

          Another, simple but effective one: The executable flag.

          You have to explicitly mark a file as "executable". That way, there's no danger of downloading something like "someimage.jpg.exe" and accidentally executing it.

          1. eulampios

            @AC

            You reminded me about a few more things, sir/ma'am:

            -- Simplicity, in other words effectiveness: if things are smart, they must be simple, feasible, usable, otherwise they are overly complex, not effective, simply useless (the KISS principle is in action)

            One such implementation of it is the POSIX file permission system that is easier, more simple than MS Windows. Hence, they are more usable and more used. On the other hand, it can be extended to acl, MAC system or Android extensions. Remember how messy it was with Windows XP?

            1. h4rm0ny

              Re: @AC

              >>"One such implementation of it is the POSIX file permission system that is easier, more simple than MS Windows. Hence, they are more usable and more used."

              I addressed this in my last post but seeing as you posted it twice, I'll just say it amuses me to think about how it would be received here if in some mirror universe it were the other way round and I argued Windows was better because it was less capable than GNU/Linux. It's really quite something to take one of the few big deficiencies that GNU/Linux has relative to Windows and try to spin it as a virtue. And it doesn't work for security, it actually makes it worse. People do use the ACLs in Windows, they do it routinely. But what happens on the GNU/Linux side is because people only have a blunt instrument, they over-grant. It's always happening that someone or something is being granted powers they don't actually need because they need some tiny ability. That's the problem with your "simpler" approach - when you have no granularity, you have to give people everything or nothing.

              And in addition to over-granting privileges, it leads to kludgy workarounds with contorted groups structure. If you maintained Windows for a year and then went back to GNU/Linux, the permissions system would frustrate the Hell out of you.

              1. eulampios

                @h4rm0ny, permissions

                Are we looking at and talking about the same thing really?

                Correct me if I was wrong about the xp nightmare with the privileges gone wild? Even if it was improved in the higher versions of Windows, it has still brought a lot of damage as the most popular version of MS Windows as of recent.

                Correct me also if it is true for every even modern version of MS Windows to not require any explicit privileges of a file to be executable? The system or shell decides whether it is or not and judges about it by looking at the extension of the file? No need for prompts like in your case with XFCE, (not in mine with the Mate desktop).

                When you talk about overkill in Linux or *BSD, what exactly is it?

                Have you heard about AppArmor or acl utility?

                Does Windows acl solve the same problem Android extension of the apps permissions addresses?

                1. h4rm0ny

                  Re: @h4rm0ny, permissions

                  >>"Are we looking at and talking about the same thing really? Correct me if I was wrong about the xp nightmare "

                  I don't think we're talking about the same thing, I'm not discussing XP at all, it's outside the scope of what I was saying to the original poster and justifiably so. The OP wrote that Linux is more secure by design. I have no interest in assessing the merit of that statement on what flaws Windows had in versions released over thirteen years ago. I said in my response earlier that the days of Linux users being able to be smug about better security (if they are the sort of person predisposed to smugness) have passed since the improvements to Windows in the last six or seven years. That is my case and that is what, by the tenor of your replies, I am taking you to argue against. I mean if I were debating the merits of MySQL vs. Postgres with someone, even though I'm a database snob, I would think it valid to comment on MySQL's dearth of features (based on its state eight years ago) or on Postgres's poor performance (based on its state six years ago). It's clear from the OP's statement they're claiming Linux has better security by design now.

                  >>Even if it was improved in the higher versions of Windows

                  "Even if" ? The security model of Windows Vista onwards is far ahead of XP. And 8 actually improves it further. But I'm happy to debate the last half-decade for the discussion (7+, essentially). I'm not sure how anyone could use the phrase "even if" in that context. I have the impression, correct me if I'm wrong, that you are primarily familiar with GNU/Linux from a security standpoint. Most of what you have been coming up with is lists of the good security features of GNU/Linux which is valid, but poor as a comparative argument. E.g. your comments about POSIX compliance. That more than anything has given me the impression you do not have familiarity on both sides of the administrative fence. The comment about executable permissions has some merit (though it's obscurity, it's still security when considering ignorant users). But I cannot envisage someone familiar with both rwx model and Windows ACLs and touting the former as a security advantage.

                  The tragedy is that Linux does have more sophisticated ACL features available to it, but hardly anyone uses them and they're fragmented in implementation.

                  >>"Correct me also if it is true for every even modern version of MS Windows to not require any explicit privileges of a file to be executable?"

                  That is correct. Linux has the executable bit, Windows has a file extension list that it considers things it should "run". In both cases a user can go ahead and make something run if they want to. As I pointed out Xfce (and I think KDE and Ubuntu) will ask you if you want to mark something as executable if you double click on a script. There are different ways you can approach this on both Windows and GNU/Linux, but there's no "by design" security advantage here. Both allow the user to run a program under their own account. Both have ways of putting a speed bump in the way - Linux has an executable bit that a user can change with a click (and which they'll be prompted to on most distros), Windows flags up a box saying "are you sure you want to run this".

                  >>"When you talk about overkill in Linux or *BSD, what exactly is it?"

                  I don't believe I've ever used such a phrase or said anything that can be interpreted that way. Certainly not here. I haven't criticised Linux for doing too much anywhere here and I've never even mentioned BSD.

                  >>Have you heard about AppArmor or acl utility?

                  Yes. Though I prefer SELinux to AppArmor. Possibly it's an issue of familiarity but I find the latter simplistic. Anyway, you're going way off on your own implied strawmen here as well as contradicting yourself. Firstly you are again replying with responses that only make sense if I were saying Linux is bad at security. I've nowhere said anything remotely along those lines. I'm taking issue with someone who said Linux was more secure by design, and you have chosen to take up the discussion on their behalf by trying to challenge everything I say. But I'm not going to allow you to turn this into a strawman where you pretend I'm ranting about how Linux sucks because I've never done any such thing.

                  And as to ACL, you cannot simultaneously argue that Linux is more secure by design because people use a simpler (I would say simplistic) permissions model and then in the very next post start trying to rebut my comments by saying people can use ACLs on GNU/Linux. You're, again, not arguing anything that shows Linux is more "secure by design" than Windows, you're just showing that it can do some of the same things (though you've somehow managed to pick for your chief argument one of the very few security areas in which Linux is worse!)

                  >>"Does Windows acl solve the same problem Android extension of the apps permissions addresses?"

                  I'm not really familiar with Android so I'm not quite sure what you mean. If you can explain the problem I'll hopefully be able to answer.

                  1. eulampios

                    Re: @h4rm0ny, permissions

                    I'm not really familiar with Android so I'm not quite sure what you mean

                    The implemented Android permissions system, where every app, when it gets installed, acquires a unique uid, so all apps are separated from both the user's data and other apps. It routinely joins certain groups seen by the user as certain permissions groups at the install time. This is done to fight apparent insecurity of an app and the fact that it could be a trojan. With the introduction of SELinux a user might get even more power than that to turn some permissions off even when installing an app and agreeing to them.

                    Even without the SELinux part this is very smart, yet it is based on the good ol' POSIX permissions system. So it is smart and simple.

                    I am pretty baffled by the fact that you never heard about it.

                    My question is, why didn't Microsoft invent it, since they have been in need of this 2 decades ago. I don't think it's only "Dave Cutler's own allergy to Unix" business. It's more of a culture issue, what is good, what is smart and how smart, political is the one that actually makes decisions, I might be wrong though.

                    I was mentioning it to demonstrate that simplicity can lead to some very clever things (more complex but still simple enough).

                    My reason for mentioning AppArmor without SELinux was based on the fact that AppArmor is a more proper extension of the filesystem permission system than SELinux. Not making any points about which one of them is a better MAC implementation.

                    My point with the Unix/Linux acl utility was that you can use a more fine grained access control mechanism if in need and when the simple system gets in your way.

                    1. h4rm0ny

                      Re: @h4rm0ny, permissions

                      >>"I am pretty baffled in with the fact that you never heard about it"

                      I have, but you didn't explain what you meant, you just said something about Android permissions issues. Yes, Windows 8 has a very sophisticated system of this kind in Metro, but I would bet money that you're also someone who simultaneously lambasts MS for the store and regards it as anti-freedom. Android is not Windows nor GNU/Linux and has different criteria. It is acceptable to have only "apps" on a mobile phone. Having such constraints on Windows or GNU/Linux (they both are the same in this regard) would not be acceptable. And again I must point out that you have little interest in what I'm actually saying, which is challenging the notion that GNU/Linux is more secure than Windows "by design", and instead just want to post things that make it sound like you're proving me wrong even though they have nothing to do with what I just said.

                      Every post of yours is becoming an implied strawman where you act as though I'm attacking Linux and takes the pattern of "Yeah, well what about X. Isn't X good?" To which I will just respond (again), X does not say anything about whether the security models between GNU/Linux and Windows are better or worse than each other. In this case, X is something you can do with Linux (as in Android). It is also something you can do with Windows (as in Metro). In neither GNU/Linux distros nor Windows is it common, (though it is becoming more common on Windows). So it's irrelevant as a counter-argument to anything I have said.

                      Please stop trying to turn this into a broad-ranging "Linux is better than Windows" argument, though it is plain that is your interest.

                      "My question is, why didn't Microsoft invent it"

                      Who cares? You care because you are interested in generally praising Linux and trying to put Windows down. I do not because I'm simply disputing the OP's contention that Linux is "more secure by design" than Windows. Anything you say other than that is a sleight of hand attempt to prove me wrong by widening the discussion to other topics. You've yet to show anything that supports GNU/Linux being more secure by design than Windows. In fact, you ironically keep seizing on one of the few areas where it is worse, i.e. your bizarre faith that a less capable permissions system leads to better security because you mistakenly think Windows people find the Windows ACLs too complicated. Which is doubly ironic because when I point out the advantages of that greater sophistication you then start touting the fragmented and more complicated ACL implementations that exist on GNU/Linux.

                      GNU/Linux is not "more secure by design" than Windows. That hasn't been true in seven years. They are pretty much equivalent in security models.

                      1. eulampios
                        Meh

                        @h4rm0ny

                        Okay, it seems that you're trying to sound superior to me and giving me a lesson here and there. I, on the other hand, was attempting to refrain from a pedantic tone.

                        What appears to me even before I got into this discussion (futile as I see, and it's not the first time we are disputing this over) with you is that your arguments are disingenuous at best.

                        Let me read how you rebuffed someone who brought up a few more arguments.

                  2. Anonymous Bullard

                    Re: @h4rm0ny, permissions

                    "Windows flags up a box saying "are you sure you want to run this"."

                    Is that so? Not when I last tried.

                    Yes, it does when the executable's manifest (this is inside the executable) contains an appropriate requestedPrivileges section (which is basically an irrevocable self-appointed setuid bit!) - or if the exe filename "looks" like a setup app (eg, setup.exe)

                    But that prompt is sometimes disabled by the so called "power user", or the prompt is glanced at and generally just read as "click yes to continue" because you see it that many times.

                    OK, so I "cheated" by blaming the user's bad actions on the OS. But it *is* the fault of the OS when these "annoying" messages are displayed all the time. You become blind to them, it's instinctive to just click "OK".

                    In fact, it's the whole Windows culture in general. Don't forget, Windows wasn't originally designed to be multi-user or even connected to a network. Windows security was an afterthought.

                    The mindset of users or developers isn't security first. Users think their AV will catch everything, and most Windows developers just don't give it any thought, to be honest (especially commercial devs: deadlines == cut corners == "print doesn't work" is more important than "that input length is too long for the buffer"). Also, they are responsible for updating that buggy library that their application uses (they install their own copy, due to DLL hell). And who updates their software, anyway, especially if you're only prompted to (if at all) when you're about to start working with it and just want to use the damn thing.

                    And then there's IE. It's not uncommon for a site to ask you to install a codec or plug-in, for example. Users (yes, I know...) just want to do their stuff, and will click on anything that gets in their way - that's the way Windows is.

                    Once malicious code is on Windows, it's easy to execute: sexypic.jpg.exe, dir.bat.

                    And once malicious code is running in Windows, it's all too easy to elevate (eg, apps run as Admin reading user-created config, DLL and EXE search paths include the cwd)

                    Also, as a developer it is very easy to elevate to admin in your software (a one or two liner), but to drop back to user is a lot more tricky (I'd have to google it).. so it's easier to just keep it.

                    And what about cracked software, keygens? ok, not the OS's fault, and that's up to the user, but it's commercial software in general... but it's still a mostly Windows thing.

                    Most of this is on the user. But you can't say Windows isn't to blame for making them this way. You, however, already have the mind-set where running an executable from an external source sets off a few alarm bells. For Windows users, it's business as usual.

                    1. h4rm0ny

                      Re: @h4rm0ny, permissions

                      >>"Most of this is on the user. But you can't say Windows isn't to blame for making them this way."

                      Yeah, you can. It's pretty obvious that GNU/Linux and Windows user bases are hugely different in terms of typical users. The former user base is almost entirely made up of technical people. If you think that the stereotypical technically ignorant person is a different person depending on whether they are sitting in front of a Windows machine or an Ubuntu machine (to pick the most popular user-facing distro), you are mistaken. And it is only desire to find a "reason" to challenge my contention that GNU/Linux is more secure "by design" that possibly leads you to try and propose such a thing. Were I to posit such a ridiculous argument the other way around, you'd tear it apart.

                      1. h4rm0ny

                        Re: @h4rm0ny, permissions

                        I think I am done here. Someone posted that Linux is "more secure by design" than Windows. I asked them to support that. It's now come down to people arguing that being asked to enter your password on a daily basis to install updates (on Linux) somehow makes people more wary of entering their password than the occasional flashing shield icon and big yellow box warning "something is trying to make changes to your computer" and building a case on that. Also that the Windows ACL system is too complicated so maybe people don't use it. (It isn't and they do). Oh, and a selection of digs at Windows XP which was released over thirteen years ago and has no bearing on whether or not Windows versions released in the last seven years (Vista+) are defective or not.

                        Weak, and clearly motivated by a desire to prove something rather than a fair assessment. The topic is dead. This is an ex-topic. It has ceased to be. Despite some people's desperate desire to nail it to the perch.

                        1. Anonymous Bullard

                          Re: @h4rm0ny, permissions

                          Windows XP which was released over thirteen years ago

                          It was first released 13 years ago. The latest release was SP3, 5 years ago.

                          It also still has almost 30% OS market share, making it the 2nd most popular desktop OS. And.. for the next few weeks, it's still being patched (for the public).

                          I think that makes the security flaws in XP still relevant, and a real problem.

          2. h4rm0ny

            Re: Services

            >>"You have to explicitly mark a file as "executable". That way, there's no danger of downloading something like "someimage.jpg.exe" and accidentally executing it."

            True but when I click on a shell script on the Desktop of my Xfce system (I have one amongst my KDE installs because I really like how light it is), it pops up a window asking me if I want to "mark it as executable". And if I click yes, it runs it. Not any more secure than Windows asking if I'm sure I want to let something modify the system, except that the latter sounds more alarming.

            As GNU/Linux reaches out for the same users that Windows has, it has started to make many of the same compromises.

        2. h4rm0ny

          Re: Services

          That's a very interesting list. I'll address things one by one. But you can drop the petty put-downs and implications that I'm "pretending to forget" about things. I'm not. I asked a very reasonable question. I hear this comment a lot from people who can't support it and when they do, it's often with reference to how things used to be. On to your points:

          "-- most software on GNU/Linux is free/open source, including the kernel and utilities;"

          That's a good security argument against government intrusion and I agree with that. I don't think it's a strong argument on malware issues. It takes a lot of time and a lot of specialist knowledge to even be able to understand most sophisticated software such as Apache or the Linux kernel or many other components you'll find on a modern distro, let alone identify vulnerabilities. In compensation for a handful of extra people outside a core team maybe taking the time to look at the code properly, you also have to weigh that attackers are also studying the code and maybe even contributing such as happened with phpMyAdmin or the attempt at introducing exploits into PHP. (One of the PHP team said they suspected the attempt was China trying to introduce exploits they could later use). Additionally, there need be no deliberate introduction of exploits for Open Source to be a risk. The moment a bug report is filed, or someone commits an urgent fix, you're in a mad rush to update your systems with a patch (if available) before someone monitoring that project tries to exploit it. As any sysadmin will tell you, keeping up to date is a demanding job.

          Open Source is an advantage because it helps protect against deliberate subversion by powerful agencies (i.e. government agencies) and because it allows projects to grow and develop in interesting ways and be forked for the good of a community where necessary, or maintained after a company goes bust. But as a guard against malware, what we're discussing here, there's little net gain, imo.

          >>"-- the kernel is modular, where a huge number of options are togglable at the compile time;"

          I'm trying to remember the last time I actually compiled my own kernel and I'm pretty sure it was about three years ago when I was going through a Gentoo phase. Pre-compiled distros dwarf people compiling things themselves by orders of magnitude. Even if I were convinced that someone going "Oooh, SCSI support might have a vulnerability, let's exclude that" actually has some measurable effect on security - which I'm very far from allowing, it's academic because people are not doing that. Yes, yes, I'm sure you can find some people to point at. They're highly atypical these days and a minuscule percentage of real-world GNU/Linux deployments.

          >>-- a GNU/Linux (*BSD) system can be stripped down much further, disassembled and assembled with much more ease, than can be Windows. MS Windows didn't invent a headless, bare minimum server; A Core Server -- things are improving in Redmond here after 20 some years of denial.

          That's pretty much just a restatement of your previous point with an extra dig at Microsoft thrown in. And I have no interest in playing a Team vs. Team fanboy war where I have to get all upset about who invented what technology first. I don't care if Hyper-V or Server 2012 without GUI has predecessors elsewhere, they're good now, and we're supposed to be talking about malware. Or rather I am trying to - you seem to want to turn it into a general Linux is better than Windows fight.

          -- more accurate POSIX hierarchical filesystem structure vs. chaotic Windows that still mixes data and software;

          Yes, I used to have my home partition set to have a no execute flag on it. It was a pain in the bum, to be honest. But I used to do it. Windows handles this differently with defining the ability to execute by user / group, rather than the way Linux handles it. I know it sounds like it's the same as the UNIX rwx bits but it's not. It's interesting that you bring up "more accurate POSIX hierarchical filesystem structure". Windows ACLs are actually more sophisticated and feature rich than the POSIX standards. And I don't think "chaotic" is fair at all. Both Windows and GNU/Linux have standards about where to install and store things. They're just different, is all.

          >>"-- much more numerous up-to-date versions in use, a much higher distro heterogeneity than with MS Windows;"

          Are you still trying to argue against my point about malware which is what we're discussing? Because the above is a great argument for freedom and competition, but it's a terrible argument for security. Yes, a million different variations are great for consistent security and making sure your fix for your software is on all platforms in all the different packages. Surrrrre.

          >>"-- lack of central secure repositories containing 99% of all used software in MS Windows"

          Well that's the cost of a free and open system I'm afraid. I bet you would complain if Microsoft tried to introduce a single store where everything was centrally signed and managed. Oh yes, there it is in the very next sentence where you mock their attempt to do so. ;) But yes, this is an advantage GNU/Linux has in terms of security. Central management is a plus.

          >>"Neither did MS invent the Android's apps' permissions system and its transparency to the user."

          Again, you're shifting things into a weird game of My Team scores more points than Your Team. I don't care who invented what. Plenty have taken inspiration from MS's work, MS has taken plenty from others. (Often buying those others outright). It's nothing to a discussion about security in modern OSs and leads me to think you have a bias to prove GNU/Linux is better. Are you sure that you do not?

          >>-- lack of a decent central packager paired with a repository utility (see the previous item)

          Yes, "see previous item" was just what I was going to write as well. A point does not become two points because you state it twice.

          >>-- better and closer adherence to the main IT principles of modularity, KISS, software in the Linux/BSD camp of developers and sysadmins than in the proprietary camp including Microsoft folks

          That I flat-out reject as straight bias. You're just stating that GNU/Linux programmers are better than MS programmers. Good programmers are good programmers, bad ones are bad ones. If you have some naïve idea that better programmers are magically drawn to the "Linux/BSD camp", you lack experience or an open mind. It's also pretty insulting to a lot of brilliant people.

          >>"-- lack of a competent IT culture and infrastructure around MS Windows:"

          Well now you're supporting the point that I made elsewhere - that the chief factor in security for GNU/Linux vs. Windows is that GNU/Linux has a more tech-savvy user base. That's not a quality of the OS itself and, as I also wrote elsewhere, if GNU/Linux suddenly had the same user base that Windows has, you would see the same problems of malware.

          Central package management is the one advantage on your list that I agree with, and have said so myself on previous occasions. Unfortunately it's also the most problematic from a freedom point of view.

          1. eulampios

            Re: Services, @h4rm0ny

            I would like to clarify a little more on what I said earlier.

            1) free and/or open source:

            Security through obscurity has been demonstrated to be a fallacy time and again. Moreover, dangerous bugs in proprietary apps are usually spotted through reverse engineering. So an exploit gets ready before you get a chance to see the code (especially for someone that wants to patch it before MS or any other owner finds the time and resources to do it for you and get it shipped).

            2) when people question the advantage of the code being available for study, they perhaps might have something different than me (and many other people) in mind. So what do we have here? A Linux kernel that surpassed any proprietary kernel implementation in so many categories. And BTW, the only way you can defend a proprietary implementation of a particular project is to compare the binaries' performance. And what can we compare? The abominable Flash player vs mplayer or vlc? Adobe PDF reader with evince/atril, kpdf etc?

            In more detail -- the 64 bit Skype version for GNU/Linux vs GPL-ed linphone. I've got several 64bit Debian (and Debian-based) systems here. Whenever I install Skype, MS offers a 32bit version only. I have to use the multiarch option for it and install a whole lot of i386 libs (apt does it for me). Perhaps due to this fact, I can't get the sound working properly; you get so many sound devices and options in the options->sound devices tab, so it's poor and non-user-friendly, and doesn't work reliably anyway. Compare it with linphone, available for most architectures in both 32 and 64 bit versions. Works flawlessly out of the box. BTW, it's not the only case of proprietary code that has portability issues. What does that tell us? Without looking at the particular source code, one might observe a design problem, as I mentioned earlier; perhaps the developers could not distinguish all the modules that should be separated. Do you have another hypothesis why MS cannot bring their code in order?

            This is a response to your "That I flat-out reject as straight bias. You're just stating that GNU/Linux programmers are better than MS programmers..."

            I'm trying to remember the last time I actually compiled my own kernel and I'm pretty sure it was about three years ago...

            I do it regularly; it's no rocket science and is easily automated. The only obstacle is the hardware that builds it - it had better be a recent multicore system; one of the machines I utilize for it spends about 10 mins to do it. More importantly, you conveniently forget or talk this issue down. Don't you know that different distributions use different configs with different options turned on and off? There are a lot of intersections, yet they are not quite identical. Let's take the example of the last CVE found in the Linux source code, CVE-2014-2523. If you look and see which distros and versions are vulnerable, you'd find no common denominator: most generic kernels shipped have this dccp protocol option turned off. Mine is on though (I am using a customized 3.12 version from Debian sid). Let us now try figuring this out for Windows. Do we have any variations in the kernel among the current up-to-date versions? There might be some between XP, Vista, 8 and 8.1. Not as many as with the Linux versions even in the 3.* range, and none within the same version of the OS or kernel, as a particular Linux kernel version can have.

            If this is not a great advantage, I don't know what is for you. I mean, if you do not recognize heterogeneity as a huge advantage over homogeneity from the security standpoint, we have different views here.

            That's pretty much just a restatement of your previous point...

            Not necessarily; the kernel is one thing, particular setups may not have to follow it. Once again, MS has been deaf for quite a long time to various remarks about their weakness, namely no way to strip a system down to a bare minimum. They now recognize that and are talking about lowering the attack surface. And they are getting better, yet still not quite in the same place where Debian and most other Linux and BSD distros have been for decades already.

            Yes, a million different variations are great for consistent security and making sure your fix for your software is on all platforms in all the different packages. Surrrrre.

            It's a flawed argument in my opinion. My counter to this is that this has never been a problem in the past. Or do you know any examples where this was the case? Committing a patch to all versions of the kernel is absolutely not a big deal, thanks to git. Distros are even faster to patch very important vulnerabilities, if we're talking about the kernel again. No waiting for the Tuesday patch, remember? :)

            Again, you're shifting things into a weird game of My Team scores more points than Your Team...

            If you didn't get it, I'll reiterate it for you; now it makes more sense after you have praised MS ACLs in your other comment. I would like you to come back to the Android open source realization of what MS should have done to fight so many trojan issues. No, they didn't invent it, nor do they touch upon many other categories; I mentioned them aplenty above. And BTW, the ultimate incentive for MS and most other proprietary entities is making as much money as possible. MS is a huge company; they probably have many talented programmers and designers (I mean, project and software designers). They also have as many or more managers, lawyers and financiers that have very different agendas than producing good code and design. No? Am I wrong? Didn't they try to "implant IE into the OS" to make it non-removable? What about Vista requiring more resources to make people upgrade to higher end hardware? What about their decisions in security, like the ease of AutoPlay/AutoRun? The decision to hide APIs, poorly documenting them? Not shipping products for alternative OSes, damaging the design decisions so many times (remember the 64 bit rewrite issues)? Deliberate incompatibility with competitors' products in their own? If this doesn't appeal to you, I apologize...

  8. John Smith 19 Gold badge
    Facepalm

    "exploits poor configuration and security controls"

    Why do I think the websites involved are of the "Pay peanuts and got monkeys" -->

    variety?

    1. Anonymous Coward
      Anonymous Coward

      Re: "exploits poor configuration and security controls"

      > Why do I think the websites involved are of the "Pay peanuts and got monkeys"

      Isn't that every website?

    2. Daniel B.

      Re: "exploits poor configuration and security controls"

      Yup. It's pretty much a given that those 0wn3d servers are the kind that someone set up and then proceeded to ignore. I still remember one site that spilled its MySQL creds, someone posted said creds in some forum and the trollosphere proceeded to DROP TABLE everything. 3 *months* after that, it was still missing its DB. There are a lot of people out there that have lax security practices and I'm guessing that is biting them back right now.

  9. adnim

    Vi

    Vi, Vi Delilah...

    What's Cpanel?

    1. vagabondo

      Re: Vi

      This is not a cPanel exploit per se. Cpanel.net was one of the infected sites. The attack vector is described as loading a compromised binary, or allowing root access to your server.

      1. billse10

        Re: Vi

        "This is not a cPanel exploit per se."

        There's a relatively old TV comedy show Drop the Dead Donkey, set in a TV newsroom. One of the news anchors (ok, the airhead in chief) is talking about US gun policy, and corrects a journalist, saying "Guns don't kill people, people do".

        I think his reply is "Yes, but guns save so much time .... "

    2. Anonymous Coward
      Anonymous Coward

      Re: Vi @adnim

      "cPanel is a Unix based web hosting control panel that provides a graphical interface and automation tools designed to simplify the process of hosting a web site."

      1. Pookietoo
        Facepalm

        Re: "cPanel is a Unix based web hosting control panel"

        That's a ==<<WHOOSH>>== then?

    3. Anonymous Coward
      Anonymous Coward

      Re: Vi

      What's Cpanel?

      Something that Windows users need.

  10. Andyb@B5

    seems simple enough to check for

    looks like it dumps a modified ssh client on your server, at the bottom of the article the test they use is

    ssh -G 2>&1 | grep -e illegal -e unknown >/dev/null && echo "system clean" || echo "system infected"
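    The one-liner above wrapped in checkable functions, as an added example (not from the post or from ESET). It keeps the same "does ssh reject -G?" logic and adds one caveat: OpenSSH 6.8 and later ship a genuine -G option, so there the test cannot tell a clean client from a modified one. The sample outputs inside are constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example, not from the forum post or from ESET: wrap the one-liner's
# "does ssh reject -G?" test in functions so the verdict can be checked, and
# flag the case where it cannot be trusted. Assumption: the sample outputs
# below are constructed to mirror what OpenSSH 6.7 and earlier printed.

# classify_ssh_g OUTPUT: same logic as the one-liner's grep. A client that
# rejects -G ("illegal"/"unknown option") is stock OpenSSH; one that
# silently accepts it is what the test treats as the modified client.
classify_ssh_g() {
    if printf '%s\n' "$1" | grep -q -e illegal -e unknown; then
        echo clean
    else
        echo infected
    fi
}

# ssh_g_check_applies VERSION_LINE: succeeds only for OpenSSH older than
# 6.8. OpenSSH 6.8 added a genuine -G option (print the effective config),
# so on 6.8 and later a clean client also accepts -G and the one-liner
# reports "system infected" for every host.
ssh_g_check_applies() {
    v=$(printf '%s\n' "$1" | sed -n 's/^OpenSSH_\([0-9]*\)\.\([0-9]*\).*/\1 \2/p')
    [ -n "$v" ] || return 1
    major=${v%% *}
    minor=${v##* }
    if [ "$major" -lt 6 ] || { [ "$major" -eq 6 ] && [ "$minor" -lt 8 ]; }; then
        return 0
    fi
    return 1
}

# windigo_ssh_verdict VERSION_LINE G_OUTPUT: clean / infected / inconclusive
windigo_ssh_verdict() {
    if ssh_g_check_applies "$1"; then
        classify_ssh_g "$2"
    else
        echo inconclusive
    fi
}

# Constructed sample outputs (not captured from a real host).
SAMPLE_CLEAN='ssh: illegal option -- G
usage: ssh [-1246AaCfgKkMNnqsTtVvXxYy] [-b bind_address] [-c cipher_spec]'
SAMPLE_TROJANED=''   # a client that accepts -G prints nothing here

# Run against the local ssh when executed as a script.
main() {
    ver=$(ssh -V 2>&1 || true)
    out=$(ssh -G 2>&1 || true)
    windigo_ssh_verdict "$ver" "$out"
}
main
```

On a current OpenSSH the script prints "inconclusive" rather than a false "infected"; compare the installed ssh binary against your package manager's checksums instead.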

  11. Daniel B.

    Windigo?

    The cannibal thingy is called 'Wendigo' IIRC.

    1. graeme leggett Silver badge

      Re: Windigo?

      that is the spelling Lovecraft (and Lumley) use for Ithaqua (the Wind-Walker) but not surprised if there are others.

    2. Anonymous Coward
      Anonymous Coward

      Re: Windigo? @Daniel B.

      "The cannibal thingy is called 'Wendigo' IIRC."

      Amongst other, similar names.

    3. Michael Wojcik Silver badge

      Re: Windigo?

      It's a transliteration, so various spellings are used.

      Referring to it as an Algonquin myth, as the article does, is also too narrow; the creature shows up in a number of Anishinaabe cultures and other tribes from a large swath of North America, more or less from the Great Lakes to the Atlantic coast and from New England up through much of eastern Canada.

  12. Anonymous Coward
    Anonymous Coward

    It's all software on hardware, and no matter which flavour you like, they'll all be hit at some point.

    Face it, all software is as bad as the next. If someone wants in they will find a way!

  13. Arctic fox
    Headmaster

    I think that we should avoid too much gloating hmm...?

    I would however like to make a point directed towards a certain type of Penguinista. Every time a softie fanboi logs on here to howl about the miniscule size of Linux on the desktop you reply stating, quite rightly, that its "parent" Unix is the basis of server architecture all over known space. Your problem now is that some black hats have also woken up to this. Time to think about the challenge rather than respond on auto here, hmm?

  14. Terry 6 Silver badge

    Social insight

    "Windigo-affected websites attempt to infect visiting Windows computers with malware via an exploit kit while Mac users are typically served adverts for dating sites. iPhone owners are redirected to online porn."

    So Windows users are just there to provide 'bots.

    iPhone users are thought to be in the market for porn.

    And Mac users are just lonely.

    Nuff said.

    1. Anonymous Bullard
      Linux

      Re: Social insight

      "So Windows users are just there to provide 'bots. iPhone users are thought to be in the market for porn. And Mac users are just lonely."

      Yet they still require the Unix-likes to provide the serving.

  15. unimaginative
    Holmes

    Sounds like PBCK

    This spreads when someone logs in to another server from a compromised server: it steals their credentials. It then uses the server logged into and spreads the infection there.

    People are logging in from one server to another using a root account, or one with sudo? Surely not doing that would be basic security? Anyone with root access to a server should know better. If you must log in from one server to another you use an account with limited privileges.

    1. Michael Wojcik Silver badge

      Re: Sounds like PBCK

      If you must login from one server to another you use an account with limited privileges.

      Yes, if you can. (It may be something like a shell account provided by a hosting service, where the account you have is the only account you have. An attacker can't get root from you but they can compromise your site.)

      Even if you do sign in using a limited account, at some point you'll need elevated privileges, and if you're using a compromised client, it can steal the creds at that point. Unless you're using multifactor authentication or one-time credentials, you're still in trouble.
