__/ [ nessuno@xxxxxxxxxxxxxxxxxxx ] on Wednesday 02 August 2006 13:14 \__
>> But since more linux machines tend to run their own smtp servers and
>> leave them open as open relays there is a contribution there too.
> Back in 97 Caldera linux put out a distro with sendmail that was
> default configured with an open relay. By the summer they had a
> security bulletin out. I don't think any Linux distro has put out a
> default mail server configured as an open relay since that time. You'd
> have to know something about sendmail configuration even to
> deliberately set one up nowadays (or postfix etc), and a person with
> such sophistication would be unlikely to be so stupid. It's possible,
> but I doubt it, and I doubt that very many linux systems are currently
> being used as open relays.
> If 80% of the spam is sent by Windows zombies, then it's a good
> question where the other 20% comes from. The majority of it may also
> come from Windows machines. It may come from non-Windows machines that
> are not compromised, but deliberately used as spam spewers (I don't
> know, maybe in Russia or some place). I have no idea, and I don't know
> about the methodologies used in the 80% studies.
> You seem to trail off into the thought that Windows machines are the
> victims of malware only because they are a bigger target. MS would
> like people to believe that, but it's just not credible. The security
> issues with Windows are real, and much worse than with any other OS.
To provide just one explanation:
,----[ Quote ]
| To test her concept, Forrest experimented with a version of the
| open-source operating system Linux. She altered the system to force
| programs to assign data to memory locations at random. Then she subjected
| the computer to several well-known attacks that used the buffer-overflow
| technique. None could get through. Instead, they targeted the wrong area
| of memory. Although part of the software would often crash, Linux would
| quickly restart it, and get rid of the virus in the process.
`----
One would imagine that the 60% code rewrite (in Vista, according to Allchin),
as well as the complaints about endless cyclic dependencies (no modularity,
according to a Windows tester/engineer) reflects on the sordid mess, which
renders the code untestable.
Moderate and patient development is a virtue. Deadline-driven addition of
bells and whistles, as well as inclusion of over-the-top patches (due to
premature O/S releases) leads to poor binaries lying out there 'in the
wild', being easy prey/pickings.