[Coco] Re: OS Vulnerabilities

John E. Malmberg wb8tyw at qsl.net
Sat Feb 28 11:39:09 EST 2004


Dennis Bathory-Kitsz wrote:
> At 11:28 PM 2/27/04 -0600, James Ross wrote:
> 
> Aren't all OSes vulnerable because they are complex, multi-purpose systems
> written by many people under varying testing conditions and, most
> importantly, systems intended to handle massive quantities of unpredictable
> external activity?

Some operating systems seem to have better testing/review than others.

> There have been Unix and Mac exploits, but these get little publicity
> (although a recent Linux exploit was severe; Linux runs our cable modem
> system in our town, and my stepson -- the system designer -- was doing some
> fast patching).

The last OpenVMS exploit that made the news was the Morris worm.  And 
procedures were put in place by the engineers to make sure that would be 
the last time.

An OpenVMS system was at DEFCON-9; what happened there did not make the 
mainstream news, but probably should have.

> The difference is desirability. Why waste your time creating a virus for an
> OS few people actually use or, more importantly, will get little publicity?
> Windows is everywhere, and if you want to propagate something and get some
> backslapping from your fellow haxorz, you choose the most popular (unless
> you're showing off to a specialized geek crowd somewhere).

The strengths of social engineering are always going to rule, and people 
are always going to attack the weakest link.

But there is no evidence that if a less popular platform had more people 
attacking it, they would eventually find a vulnerability.

Until very recently, most of the viruses/worms were poorly written hacks 
by people with apparently no background in programming.

Most of the exploits have been copycats of issues found by a very few.

The current round of viruses is deliberately designed to spread rapidly 
at first and then morph into remote control programs to be exploited by 
criminals.

The ones that are used to send spam are easily detectable, and should be 
easy for the owners of the network they are on to secure.

The ones (if any) that may be used to harvest company or personal data 
may not be.  And if and when companies get victimized by them, they 
generally do not publicize it.

> The key to compromising an OS is discovering what hasn't been predicted in
> combination with being a digital con artist or impostor. More isn't
> predicted than is, so it's only a matter of time, effort, interest, digital
> smooth-talking, and clever grooming.
> 
> I think that anybody with tech smarts, tools and experience who can't
> exploit an OS isn't really trying.

The UNIX model of all privileges or none means that more code can have 
possible exploits.  Gain root privileges, and you own the box.

With OpenVMS, applications should only have the privileges that they 
need, so even when an application gets compromised, the damage that can 
be done is usually limited.  And this raises the bar greatly for the 
skill needed for an exploit, usually to the point where the person can 
easily find better paying work.

>  Either that or it's not a true, multi-purpose OS.

Some operating systems make the technological approach very hard, and 
can still be truly multi-purpose.

OpenVMS is currently in use in many places, and is usable from the 
desktop to systems that are in disaster-tolerant configurations.  It 
qualifies as truly multi-purpose.

And while it is not the most prevalent OS out there, it does have enough 
market share to be visible, and there are many OpenVMS systems that are 
connected to the wild wild web directly.

The people who took an OpenVMS system to DEFCON-9 want to take it back 
for a second round.  However, all subsequent DEFCON contests have 
been restricted to a pre-built Linux kernel supplied by the organizers.

-John
wb8tyw at qsl.net
Personal Opinion Only
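The least-privilege point made above (an application holding only the privileges it needs, so that a compromise is contained) can be approximated on Unix with the classic daemon pattern: acquire the root-only resource, then permanently drop to an unprivileged account and verify that the drop held. The following is an added example, not code from the post or from OpenVMS. It assumes Linux with glibc's setresuid/setresgid, and uses uid/gid 65534 as the target when started as root (the conventional "nobody" id, an assumption).

```c
/* Added example, not code from the post or from OpenVMS: the Unix daemon
 * pattern of acquiring a root-only resource, then permanently dropping to an
 * unprivileged account so a later compromise of the service gets that
 * account's rights rather than root's. Assumes Linux/glibc; the target
 * uid/gid are chosen by the caller. */
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Prototypes for the non-POSIX setresXid/getresXid calls and setgroups, so
 * the block still compiles if _GNU_SOURCE was not in effect when the system
 * headers were first read. */
int setresuid(uid_t, uid_t, uid_t);
int setresgid(gid_t, gid_t, gid_t);
int getresuid(uid_t *, uid_t *, uid_t *);
int getresgid(gid_t *, gid_t *, gid_t *);
int setgroups(size_t, const gid_t *);

/* Permanently drop to uid/gid. Order matters: supplementary groups first,
 * then gid, then uid, because the first two steps need root and can no
 * longer be done once the uid is unprivileged. Returns 0 on success. */
int drop_privileges(uid_t uid, gid_t gid)
{
    /* Only root can change supplementary groups, and only a process that
     * was root has inherited groups worth clearing. */
    if (geteuid() == 0 && setgroups(0, NULL) != 0)
        return -1;
    /* Set real, effective and saved ids together: a saved root id left
     * behind would let a later setuid(0) quietly succeed. */
    if (setresgid(gid, gid, gid) != 0)
        return -1;
    if (setresuid(uid, uid, uid) != 0)
        return -1;
    return 0;
}

/* Confirm the drop is real and irreversible: all three ids match the
 * target, the target is not root, and regaining root is refused with
 * EPERM. Returns 1 when the process is confirmed unprivileged, else 0. */
int confirm_dropped(uid_t uid, gid_t gid)
{
    uid_t ru, eu, su;
    gid_t rg, eg, sg;

    if (getresuid(&ru, &eu, &su) != 0 || getresgid(&rg, &eg, &sg) != 0)
        return 0;
    if (ru != uid || eu != uid || su != uid)
        return 0;
    if (rg != gid || eg != gid || sg != gid)
        return 0;
    if (uid == 0)
        return 0;                 /* still root: nothing was dropped */
    if (setuid(0) == 0)
        return 0;                 /* regained root: the drop was not real */
    return errno == EPERM;
}

int main(void)
{
    /* Target account: when started as root use 65534 (the conventional
     * "nobody" id, assumed here); otherwise there is nothing to drop and we
     * simply confirm we are already unprivileged. */
    uid_t uid = getuid() == 0 ? (uid_t)65534 : getuid();
    gid_t gid = getgid() == 0 ? (gid_t)65534 : getgid();

    /* Root-only setup (for example binding a port below 1024) belongs here,
     * before the drop; file descriptors opened as root survive the drop. */

    if (drop_privileges(uid, gid) != 0) {
        fprintf(stderr, "drop_privileges: %s\n", strerror(errno));
        return 1;
    }
    /* Refuse to serve if the drop cannot be verified: an unchecked failed
     * setuid is the classic way a daemon ends up running as root. */
    if (!confirm_dropped(uid, gid)) {
        fprintf(stderr, "still privileged, refusing to serve\n");
        return 1;
    }
    printf("serving as uid %lu gid %lu\n", (unsigned long)uid, (unsigned long)gid);
    return 0;
}
```

The two design points worth noting are the order of the calls (groups, then gid, then uid, since the later steps remove the ability to perform the earlier ones) and the explicit verification afterwards: setuid can fail, and a daemon that assumes it succeeded keeps running as root with the attacker's exposure unchanged. Setting the saved id along with the real and effective ids is what makes the drop permanent; leaving a saved root id is the mistake that lets a compromised process switch back.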
