Date: Fri, 6 Aug 1999 12:41:53 -0400
From: "Eric S. Raymond" <esr@snark.thyrsus.com>
To: hotnews@snark.thyrsus.com
Subject: Will You Be Cracked Next?

Melissa. Explore.zip. Back Orifice. If you think there has been a bad rash of viruses and crack attacks lately, you're right. And security experts say it's going to get worse, not better; the frequency of crack attacks is rising exponentially.

So are the money losses from the problem. Computer Economics, a research firm in Carlsbad NM, reports that American businesses lost $7.6 billion due to software viruses during the first half of 1999 -- more than in all of 1998.

Curiously, the massive mainstream media coverage of these incidents completely fails to mention the one thing they all have in common: Microsoft Windows.

Non-Microsoft operating systems such as Linux are invulnerable to macro attacks, immune to viruses, and can laugh at Back Orifice. This simple fact explains why your Internet service provider never suffers from viruses; essentially all ISPs run their services off Unix boxes, and about 40% of them run Linux.

Evidently businesses are finding this an increasingly attractive option; a recent Computer Associates survey reports that 49% of information technology managers describe Linux as "important or essential" in their enterprise plans.

One of the reasons for this trend is surely security. Anyone running a Microsoft operating system on a machine visible from the internet is just begging to be cracked. If you're concerned with computer security, you need to understand why -- and why Microsoft will not and cannot fix the problem.

Linux and other operating systems like it were designed from the ground up to be used by several people on the same machine, and to protect those people from each other. The user interface of Linux is separated from the `kernel', the privileged operating system core. And the kernel is carefully protected from being modified by ordinary programs. This is why Linux doesn't get viruses.

Microsoft Windows, on the other hand, has a one-person-per-machine assumption built deeply into it. There is no internal security and the Windows kernel is not protected against being modified by user programs. In fact, the user interface of Windows is wired right into the kernel. This is why hostile programs coming in over an Internet connection (such as Back Orifice) can reach right through the user interface, deep into the operating system core, and infect it.

If you value your data and your privacy, you need to understand that Microsoft cannot fix this. Too many applications (including Microsoft Office and the IIS web server) actually *depend* on the lack of security in the system. Furthermore, the fact that the source code of Windows is closed means that it never gets properly audited for security problems.

How does Microsoft deal with this? Not well. Mainly, they tell lies and try to confuse the issue.

Three days ago, on August 3 1999, Microsoft put a machine running a beta of its new Windows 2000 operating system on the net and challenged crackers the world over to break into it.

A few hours after the announcement, the machine crashed. Microsoft spokespeople subsequently claimed that it had been brought down by electrical storms. But the machine's own error logs showed there had been nine crashes due to errors in Microsoft's own software, not the weather.

Furthermore, crackers did indeed get in and alter a guestbook application during the short time the machine was actually up -- a fact Microsoft tried to dismiss as irrelevant.

A few hours after Microsoft's challenge was announced, a Linux company in Wisconsin matched it. During the following three days, their Linux machine withstood 6,755 attacks without crashing once.

Which system would *you* rather trust your critical data to?

--
<a href="http://www.tuxedo.org/~esr">Eric S. Raymond</a>

"Both oligarch and tyrant mistrust the people, and therefore deprive them of arms."
--Aristotle