John E. Perry wrote:
> Joachim Schrod wrote:
>> ... Let me propose another hilarious 5-step process:
>> 1. Read the LWN.net security page.
> OK, so I did.
>> 2. Detect how many exploits are based on data files, and not on executables. just last week: ...
> Not a single exploit listed. Many vulnerabilities, almost all qualified as "user-assisted" or "local."

I wrote that they are local. That's what step 4 was for. User assisted is not relevant here, when these are exploits that are triggered by looking at images, or videos, or ads on web pages (the Flash plugin exploit), or PDF files that are fetched from the Internet.

Please note that exploits exist for most of these vulnerabilities, as described in the CVEs. Also, please note that exploits for similar vulnerabilities in the Windows world are actively used.

Black hats don't attack Linux desktops on a large scale because they try to create large botnets with leveraged (distributed) C&C control, and there are not enough Linux desktops out there to make them a worthwhile target. If Linux systems are really attacked, it is currently for specific targeting. But that's a matter of interest on the black hat's side, not a matter of missing vulnerabilities with existing exploits in deployed systems.

When we do security and penetration tests at our customers, we can take over Linux boxes with 90% confidentiality. In 50% of the cases, something as simple as running Metasploit is sufficient.

But, as you can read from the other answers to my post, these results are obviously dreamed by me and my customers pay for nothing, because "every linux/unix/*ix box on the planet is not owned by hackers and spammers while so many possible exploits exist", as Ken Jennings put it so succinctly.

No, no, no. "Every ... is not owned" -- guys, now I've got it: There are *NO* owned Linux boxes out there, none at all. You read it here, so it's true. I should close down the part of my company that's testing and securing linux/unix systems for my customers; it's not necessary.

Well, by public acclamation, I seem to be wrong, and rest my case.

Joachim

--
Joachim Schrod Email: jschrod@acm.org
Roedermark, Germany