Announcement

Collapse
No announcement yet.

The PAM_MOTD exploit

Collapse
This topic is closed.
X
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

    The PAM_MOTD exploit

    In a recent thread is was suggested that Linux was as vulnerable as Windows is and as proof a list of exploits were given that were published on almost the same day as the discussion. Here is the list that was given:
    2010-07-08 Ubuntu PAM MOTD File Tampering (Privilege Escalation)
    2010-07-05 linux/x86 polymorphic Drop suid shell root /tmp/.hiddenshell 161 bytes
    2010-07-05 linux/x86 bind sh@64533 97 bytes
    2010-07-05 linux/x86 lynx polymorphic shellcode 84 bytes
    2010-07-05 linux/x86 setreuid(0,0) execve("/bin/sh",NULL,NULL) encoded 62 bytes
    2010-07-05 linux/x86 /proc/sys/kernel/randomize_va_space SUB encoded 111 bytes
    2010-07-05 linux/x86 bind port to 6678 XOR encoded polymorphic shellcode 125 bytes
    2010-07-05 linux/x86 nc -lp 31337 -e /bin/sh polymorphic shellcode 91 bytes
    So, what's a Linux newbie to think? "OMG! Greygeek says only about 12 exploits in 15 years and here is a listing which shows 9 posted in one day! Linux must be as vulnerable as Windows!"

    The next day an article on a security news site was cited: http://www.h-online.com/open/news/it...e-1034618.html in further support of the belief that Linux is as vulnerable as Windows.

    A couple days ago I decided to look deeper into that "threat", that proof that Linux was as vulnerable as Windows.

    Ubuntu security announced the PATCH to PAM_MOTD on July 7th. Notice the date and time of the post.
    https://lists.ubuntu.com/archives/ub...ly/001117.html
    Kees Cook kees at ubuntu.com
    Wed Jul 7 23:38:25 BST 2010

    The Twitter post which the H-Online article referred to is at:
    https://twitter.com/jonoberheide/status/18009527979
    rm -rf ~/.cache;
    ln -s /etc/shadow ~/.cache;
    ssh localhost (trigger pam_motd by re-logging in and you'll own /etc/shadow)
    #tweetsploits 11:42 PM Jul 7th via web
    jonoberheide
    Jon Oberheide
    The dates are the same, but notice the time on that twitt. Dr Oberheide is in Michigan and is on EDST time.
    The Ubuntu announcement was made on BST time which is 5 hours ahead of EDST. 11:42PM is also 23:42.
    Subtracting 5 hours from the BST time gives 18:38 EDST. It was 18:38 in Michigan when Ubuntu posted the security announcement.The twitt by Dr. Oberheide was posted at 23:42, 5 HOURS AFTER the Ubuntu security announcement was posted. Dr. Oberheide had obviously read the security announcement before he posted his tweet. He is Co-Founder of Scio Security (http://www.sciosecurity.com),

    More important, the exploit was for a hole which had already been announced. But, was it patched?

    Let's look at the time stamps on the code was merged to the launchpad repository.

    The baazar launchpad changelog reports:
    Kees Cook 2010-07-07 11:55:09
    (3.2.5 squeeze)
    Revision ID: james.westby@ubuntu.com-20100707105509-0g9nwq37at7yvfwj
    Tags: 1.1.0-2ubuntu1.1
    * SECURITY UPDATE: root privilege escalation via symlink following.
    - debian/patches-applied/pam_motd-legal-notice: drop privs for work.
    - CVE-2010-0832

    pam (1.1.0-2ubuntu1.1) karmic-security; urgency=low
    * SECURITY UPDATE: root privilege escalation via symlink following.
    - debian/patches-applied/pam_motd-legal-notice: drop privs for work.
    - CVE-2010-0832
    -- Kees Cook <kees@ubuntu.com> Wed, 07 Jul 2010 10:55:09 -0700
    The "pam_motd.c" file had a date of:
    +++ pam-1.1.0/modules/pam_motd/pam_motd.c 2010-07-07 11:47:35.296210838 -0700
    The launchpad posting was 11:55 and changlog contents were dated one hour before, at 10:55AM, one hour before (to the second.. ), and 12 hours before the security announcement.

    So, the patch had been merged into the code base at 11:55AM on the 7th, at 2010-07-07 11:55:09AM BST.
    Also, the security urgency was marked "low", probably because it is a LOCAL exploit.

    The merge announcement lists the patched packages as Ubuntu 10.04 LTS: libpam-modules 1.1.1-2ubuntu5. Out of curiosity I examined my /var/cache/apt/archives and found my libpam-modules and related files WERE ALREADY PATCHED and had a time stamp of 07-07-10 10:05:06 PM, which about 12 hours after the code was merged into the code base, 6 hours after the announcement, and Dr. Oberheide's tweet was only a couple of hours before my box was patched!. See the attached graphic. So, the PAM_MOTD security hole was patched AND ROLLED OUT BEFORE the forum discussion and well before the inj3ct0r website published their "exploit" on the 8th. A code can't be called an exploit if there is no hole to exploit.

    It didn't take long to find where the list of Linux "vulnerabilities" was located: http://inj3ct0r.com/shellcode/linux/x86
    Other hacker websites have similar lists but the inj3ct0r list was already in the format in which was posted as the "proof".

    Nine exploits were listed to counter my claim that there have been only about a dozen Linux exploits found in the wild in 15 years (I should add "effective"), and to bolster the claim that Linux is as vulnerable as Windows, or at least more vulnerable than I think it is. Besides the PAM exploit eight more were listed, and I suspect they were cut and pasted from the "Linux /x86 Shellcode" section of inj3ct0r.com. Here is a complete listing with all the information.
    2010-07-05 linux/x86 bind port to 6678 XOR encoded polymorphic shellcode 125 bytes linux/x86 200 S D gunslinger_
    2010-07-05 linux/x86 nc -lp 31337 -e /bin/sh polymorphic shellcode 91 bytes linux/x86 183 S D gunslinger_
    2010-07-05 linux/x86 send "visit inj3ct0r.com" to all konsole XOR encoded 99 bytes linux/x86 308 S D gunslinger_
    2010-07-05 linux/x86 /proc/sys/kernel/randomize_va_space SUB encoded 111 bytes linux/x86 173 S D gunslinger_
    2010-07-05 linux/x86 setreuid(0,0) execve("/bin/sh",NULL,NULL) encoded 62 bytes linux/x86 202 S D gunslinger_
    2010-07-05 linux/x86 lynx polymorphic shellcode 84 bytes linux/x86 270 S D gunslinger_
    2010-07-05 linux/x86 bind sh@64533 97 bytes linux/x86 175 S D Magnefikko
    2010-07-05 linux/x86 polymorphic Drop suid shell root /tmp/.hiddenshell 161 bytes linux/x86 224 S D gunslinger_
    As you can see, all but one of those programs were published by "gunslinger_", who has a blog at word.press, and they were all published on the 5th of July. It is important to remember that the PAM_MOTD "exploit" was published on July 8th, not the 5th. It is also important to note that these exploits are "shellcode" exploits, which means that they are LOCAL, not REMOTE, exploits. No one can use these to gain access to a Linux box through ports which don't handshake. A person MUST have PHYSICAL access to the computer AND be logged onto an account on it in order to use the exploit.

    On the http://www.ubuntu.com/usn/usn-959-1 site, which references the exploit about which the Ubuntu security announcement was made includes the following:
    Details follow:
    Denis Excoffier discovered that the PAM MOTD module in Ubuntu did not correctly handle path permissions when creating user file stamps. A local attacker could exploit this to gain root privilieges.
    The announcement was ALSO on July 7th. The patch was merged that day at 11:05AM, BST.

    So, a "hak0r" did NOT find the PAM_MOTD hole. Denis Excoffier is not a hak0r. He is a professional coder working for airbus in France who contributes to FOSS regularly. He was the first to inform Ubuntu of the PAM MOTD (Message of the Day daemon) LOCAL exploit.

    Most Linux desktops have only one user account. Additional users on these home or family computers are family members. Their concerns are not LOCAL exploits but REMOTE exploits. So, let's look at the Linux remote exploits listed at inj3ct0r for ALL of this year AND Last:

    2010-07-18 AIX5l with FTP-Server Remote Root Hash Disclosure Exploit linux 425 S D Kingcope
    2010-06-13 Unreal IRCD 3.2.8.1 Remote Downloader/Execute Trojan linux 1382 S D anonymous
    2010-05-13 WFTPD Server 3.30 Multiple remote vulnerabilities (0day) linux 939 S D n/a
    2010-04-03 Sun Microsystems Sun Java System Web Server file disclosure exploit linux 352 S D Kingcope
    2010-04-03 Sun Microsystems Sun Java System Web Server remote exploit linux 568 S D Kingcope
    2010-03-31 OpenDcHub 0.8.1 Remote Code Execution Exploit linux 436 S D Pierre Nogues
    2009-07-14 Virtualmin < 3.703 Multiple Local/Remote Vulnerabilities linux 160 S D Filip Palian
    2009-06-04 Kloxo 5.75 (24 Issues) Multiple Remote Vulnerabilities linux 157 S D Inj3ct0r
    2009-04-29 Adobe 8.1.4/9.1 customDictionaryOpen() Code Execution Exploit linux 124 S D Arr1val
    2009-04-29 Adobe Reader 8.1.4/9.1 GetAnnots() Remote Code Execution Exploit linux 123 S D Arr1val
    2009-04-28 Linux Kernel 2.6.x SCTP FWD Memory Corruption Remote Exploit linux 294 S D sgrakkyu
    2009-04-09 net2ftp <= 0.97 Cross-Site Scripting/Request Forgery Vulnerabilities linux 106 S D cicatriz
    2009-01-08 Samba < 3.0.20 Remote Heap Overflow Exploit (oldie but goodie) linux 212 S D zuc
    Short list, isn't it, for covering a year and a half.

    There are less than 200 remote exploits listed since Nov 16, 2000. That amounts to about one exploit per month. Hardly the dozen or more per month claimed. One can't claim that there are more because other hak0r sites have more listings. These sites make a point of sharing their exploits with each other, and hak0rs post their work on as many sites as they can all of them.

    Also, just because an exploit is listed doesn't mean that it ever was or is still a threat, as we found out with the PAM_MPTD "exploit". The real question is how many viruses are wondering around IN THE WILD automatically infecting Linux boxes without assistance from the user? I (and you can too) search the Internet for news of a few of these exploits appearing in the wild. I couldn't find any. I found LOTS of other hak0r sites listing the exploit code, but no news of the exploit IN THE WILD.

    You may want to browse around Symantec's list of Linux viruses. http://searchg.symantec.com/search?q...S&proxycustom=
    With the exception of the known dozen or so Linux threats which infected more than a handful of machines, most Linux malware listed are like theLinux.Phalax, from 2008. Note that the number of known infections was less than 50, and it was found on fewer than 3 sites. It was also easy to contain and remove.

    Linux.Phalax
    Risk Level 1: Very Low
    Threat Assessment
    Wild

    * Wild Level: Low
    * Number of Infections: 0 - 49
    * Number of Sites: 0 - 2
    * Geographical Distribution: Low
    * Threat Containment: Easy
    * Removal: Easy

    Damage

    * Damage Level: Medium
    * Payload: Opens a back door on the compromised computer.

    Distribution

    * Distribution Level: Low

    Writeup By: Alfredo Pesoli

    Or, Linux.Psybot, which appeared in March, 2009, and quickly disappeared.
    Linux.Psybot
    Risk Level 1: Very Low
    Threat Assessment
    Wild

    * Wild Level: Low
    * Number of Infections: 0 - 49
    * Number of Sites: 0 - 2
    * Geographical Distribution: Low
    * Threat Containment: Easy
    * Removal: Easy

    Damage

    * Damage Level: Low
    * Payload: Spreads through routers.

    Distribution

    * Distribution Level: Low
    * Ports: May lock administrative access to certain ports.
    * Target of Infection: Targets routers and DSL modems.

    Writeup By: Liam O Murchu & Mario Ballano
    It has the same coverage and effect as Linux.Phalax ... essentially NONE.

    For purposes of comparison here is the information on the Slapper.Worm.
    http://www.symantec.com/security_res...091311-5851-99

    Linux.Slapper.Worm
    Risk Level 2: Low
    Threat Assessment
    Wild

    * Wild Level: Medium
    * Number of Infections: More than 1000
    * Number of Sites: More than 10
    * Geographical Distribution: Medium
    * Threat Containment: Easy
    * Removal: Easy

    Damage

    * Damage Level: Low

    Distribution

    * Distribution Level: Medium

    Writeup By: Peter Szor
    SO MANY "infective" agents are found on so few sites in such few numbers that one suspects that the ONLY site they have been found on are the research computers of the AV houses. There is too much of a coincidence for such statistics to be by chance. I suspect that AV houses were looking for attempting to create Linux infective agents which could be released into the wild to "salt the mines" of their AV Sales.

    The slapper worm was the only malware in the last 10 years that had more than 50 infections and was found at more than 2 sites, mostly on boxes where the user was running as root. Even then it was easy to contain and remove. I've also noticed that the database has viruses which are windows viruses with "linux" added to their names. Windows jpeg "cross platform" viruses are treated this way. Also, while only the first 100 infective agents are listed you can continue to click the "next" button and it will continue to show you several hundred agents.

    Despite all their marketing, claims of Linux vulnerability, and puffing up possible Linux infections (i.e., "exploits") the AV houses have not been able to generate a market within the Linux user base because the need remains un-demonstrated. Linux users, if they run AV software at all, do so to avoid passing on Windows viruses to their Windows using friends. Other Linux users take no such precautions, claiming it is not their responsibility to help Windows users keep their machines from getting infected. That what Microsoft was paid to do.

    So, while you are regularly treated to yet another news story of a virus or Trojan infecting large numbers of Windows boxes even without the cooperation of the user, one RARELY even hears of a break-in on a Linux computer, let alone a bot farm. A year ago it took hackers about 180 days to create a farm containing 770 bots. Let that fact soak in. IF there was an easier way to gain control of a large collection of Linux boxes do you really think professional thieves would use difficult manual break-ins? This large expenditure of personal labor to capture such a small number of Linux boxes also demonstrates what HIGH VALUE professional thieves place on Linux. After they gain control of it they do what the user should have done, secured it against further remote exploits. They want to protect their investment. Another fact that this event brings out is that most Linux boxes, either because of built-in security measures during install, like Ubuntu or Kubuntu, or because of diligent users, are too secure for professional thieves to break into to. If that were not the case these thieves would have captured many, many more than 770 boxes. Or, they wouldn't have bothered to waste their investment in the box if another thief could so easily capture it.

    If you see two guys running around a track and one keeps stumbling countless times and the other only rarely, it's hard to claim that both are equally clumsy.






    Attached Files
    "A nation that is afraid to let its people judge the truth and falsehood in an open market is a nation that is afraid of its people.”
    – John F. Kennedy, February 26, 1962.

    #2
    Re: The PAM_MOTD exploit

    Thanks for that illuminating post GG!! Very useful as a source to direct skeptical Windows users to if they are considering switching to Linux.

    Comment


      #3
      Re: The PAM_MOTD exploit

      Originally posted by GreyGeek
      In a recent thread is was suggested that Linux was as vulnerable as Windows is and as proof a list of exploits were given that were published on almost the same day as the discussion. Here is the list that was given:
      I don't recall saying that by design Linux is as vulnerable as Windows. I said that if you don't manage it correctly it can be as vulnerable as Windows. Case in point, this thread. If you don't manage your Linux computer correctly (apply patches, use a firewall) then you are at a very high risk. Yes, inj3ct0r.com was my source. If you go back to inj3ct0r.com, you will find a published exploit for this vulnerability. Keep in mind also that inj3cr0r.com is an academic site and not the malware underground, so you normally won't find published exploits there until the vendor (in this case Canonical / Ubuntu) have released patches. The released exploit though greatly increases your risk if you don't manage your computer properly.

      My point is responsibility, while you have done an admirable job of taking apart the PAM_MOTD vulnerability, you still missed my point entirely.
      Don&#39;t blame me for being smarter than you, that&#39;s your parent&#39;s fault.

      Comment


        #4
        Re: The PAM_MOTD exploit

        Originally posted by zlow
        I said that if you don't manage it correctly it can be as vulnerable as Windows.
        This is true, it's possible to make linux unsecure, as well as it's possible to make windows secure.

        If you don't manage your Linux computer correctly (apply patches, use a firewall) then you are at a very high risk.
        While applying security updates is always a sound practice, and a firewall is good to have in some cases and utterly useless in others..."very high risk" is a vast exaggeration at best.

        Remote vulnerabilities are very rare, and are nearly always fixed long before exploitation code is available to the public/scriptkiddies (and real black hats do not scavenge the net for random targets).

        Like this particular vulnerability, most vulnerabilities are local which means you need to have local access to exploit them. (and in those cases a firewall doesn't really come into the equation)

        For firewall to protect a machine, the machine needs to have:
        1. Services listening for outside connections (open ports)
        and
        2a. Service allows file or shell access and is insecurely configured
        or
        2b. Service has an open remote vulnerability (which is very rare, especially on an up-to-date system)

        And even in those rare cases, firewall offers protection only if it's configured to shield that service somehow (limiting allowed hosts or attempts), and not just having that port punctured wide open to allow connections to that service, which is something most people generally do (and which makes a firewall utterly useless against attacks on that port).

        "very high risk" sounds like every open port is an open invitation for anyone to walk on in, and this is definitely not the case. If it were, the internet would come down within minutes.

        The released exploit though greatly increases your risk if you don't manage your computer properly.
        The released exploit requires local access to the machine, and while some people may freely give such access to anyone (which means they are in a world of hurt even without this vulnerability), it does not "greatly increase" the risk for the vast majority of users.

        Comment


          #5
          Re: The PAM_MOTD exploit

          Originally posted by kubicle
          "very high risk" sounds like every open port is an open invitation for anyone to walk on in, and this is definitely not the case. If it were, the internet would come down within minutes.
          No, that's neither true, nor what I implied. The only reason I consider it very high risk is due to the existence of an active exploit. It is trivial to hide the exploit in a script. Inexperienced Linux users cut and paste ALL THE TIME, there is your vector.

          Originally posted by kubicle
          The released exploit though greatly increases your risk if you don't manage your computer properly.
          The released exploit requires local access to the machine, and while some people may freely give such access to anyone (which means they are in a world of hurt even without this vulnerability), it does not "greatly increase" the risk for the vast majority of users.
          Yep, but there isn't really any reason that exploit can't ride on top of something else. Installing the patch removes any risk, leaving it unpatched makes it very high risk.

          Note that I didn't say "critical". If it was a remote root vulnerability I would have said "critical".
          Don&#39;t blame me for being smarter than you, that&#39;s your parent&#39;s fault.

          Comment


            #6
            Re: The PAM_MOTD exploit

            How can you be so sure you're not overreacting after you see or find an exploit? Especially if not even the reports say it was necessarily a very high risk vulnerability.
            Multibooting: Kubuntu Noble 24.04
            Before: Jammy 22.04, Focal 20.04, Precise 12.04 Xenial 16.04 and Bionic 18.04
            Win XP, 7 & 10 sadly
            Using Linux since June, 2008

            Comment


              #7
              Re: The PAM_MOTD exploit

              I understood your point, zlow, it was not hard to miss. And, you understand mine. We just disagree.

              inj3cr0r.com is an academic site and not the malware underground
              That's what they claim, if you believe them.
              The ultimate archive of exploits and vulnerable software and a great resource for vulnerability researchers and security professionals.
              Our aim is to collect exploits from submittals and various mailing lists and concentrate them in one, easy to navigate database.
              This was written for educational purpose. Use it at your own risk. Author will be not responsible for any damage. // r0073r
              Whois shows:
              PRIVACYPROTECT.ORG is providing privacy protection services to this domain name to protect the owner from spam and phishing attacks. PrivacyProtect.org is not responsible for any of the activities associated with this domain name.
              But, using other tools I found that 2 other domain names use inj3ct0r.com's IP - 77.120.101.8, which is in the Ukraine:
              Country Name: UA - Ukraine
              IP Address: 77.120.101.8
              and uses DNS servers in Russia:
              Domain servers in listed order:
              ns2.sibhoster.ru
              ns1.sibhoster.ru
              The names of the other domains which use that IP are "OxrOOt.com" and "0x0day.com" (you should recognize them) and "asmerok.org.ua" (The site was launched on Sunday, December 6, 2009. The server that hosts asmerok.org.ua is located in Kiev, Ukraine and is running Linux (Debian). The server is located on the Volia network.). There are 9 others which use the same /16 block.

              I've written software for high schools and colleges and I have never heard of academic institutions registering their domains through private proxies. And while the Ukraine and Russia has some of the finest educational institutions in the world, especially in the physics, maths and the computer sciences, I doubt that any institutions or academics are sponsoring this site, even if they are posting exploits on it. The Russian military or the FBU (their "CIA") might be. Inj3ctor, 0xr00t and 0x0day, and some of the other "hak0r" websites might be code honey pots, however. Private proxy registration doesn't hide the IP address, it merely keeps the identity of the folks who paid the domain registration fee, their contact info and the location of their servers secret from most folks.

              Most of the folks posting shellcode exploits to that site are useful with assembly code, which I haven't used for over 20 years, and writing functions and apps using nasm requires more knowledge of the computer at the hardware level than any other language. So, they aren't script-kiddies by any stretch of the imagination.

              For a fellow who is as knowledgeable in Linux and hardware as you appear to be, zlow, your pseudonym doesn't appear on any Linux forums, blogs, maillists, project sites, bugzilla reports, or code attributions that I could find, so I assume it is used only for Kubuntu. I am familiar with your writing style, however. It is similar to "Lefty"'s.
              "A nation that is afraid to let its people judge the truth and falsehood in an open market is a nation that is afraid of its people.”
              – John F. Kennedy, February 26, 1962.

              Comment


                #8
                Re: The PAM_MOTD exploit

                Originally posted by kyonides
                How can you be so sure you're not overreacting after you see or find an exploit? Especially if not even the reports say it was necessarily a very high risk vulnerability.
                Really? I said installing the patch completely removes the risk. I don't think that is over reacting at all
                Don&#39;t blame me for being smarter than you, that&#39;s your parent&#39;s fault.

                Comment


                  #9
                  Re: The PAM_MOTD exploit

                  Originally posted by zlow
                  It is trivial to hide the exploit in a script. Inexperienced Linux users cut and paste ALL THE TIME, there is your vector.
                  Fair enough. But you can basically hide *anything* in a script, and you don't really need vulnerabilities (and definitely not this particular one) to compromise a machine where users are willing to run anything.

                  But the point I was trying to make was that a firewall doesn't really protect against something like this.

                  Installing the patch removes any risk, leaving it unpatched makes it very high risk.
                  Of course, one cannot stress the importance of regular security upgrades enough, no hole is too small to patch. But to me, very high risk indicates that statistically a significant number of users are going to be affected, which I just don't see happening (I guess we're just using the same terminology in a slightly different sense)

                  Comment


                    #10
                    Re: The PAM_MOTD exploit

                    Originally posted by GreyGeek
                    I understood your point, zlow, it was not hard to miss. And, you understand mine. We just disagree.
                    I don't think that we do disagree actually. I agreed with your point, and I have to assume you would agree that irresponsible computing increases risk which could lead to exploitation.

                    Originally posted by GreyGeek
                    That's what they claim, if you believe them.

                    I've written software for high schools and colleges and I have never heard of academic institutions registering their domains through private proxies. And while the Ukraine and Russia has some of the finest educational institutions in the world, especially in the physics, maths and the computer sciences, I doubt that any institutions or academics are sponsoring this site, even if they are posting exploits on it. The Russian military or the FBU (their "CIA") might be. Inj3ctor, 0xr00t and 0x0day, and some of the other "hak0r" websites might be code honey pots, however. Private proxy registration doesn't hide the IP address, it merely keeps the identity of the folks who paid the domain registration fee, their contact info and the location of their servers secret from most folks.
                    Oh, don't get me wrong. I never meant to imply that they were an academic institution. Based on my experience with the site, I think it is a valuable research tool.

                    Originally posted by GreyGeek
                    For a fellow who is as knowledgeable in Linux and hardware as you appear to be, zlow, your pseudonym doesn't appear on any Linux forums, blogs, maillists, project sites, bugzilla reports, or code attributions that I could find, so I assume it is used only for Kubuntu. I am familiar with your writing style, however. It is similar to "Lefty"'s.
                    Wow, that smells almost like a compliment! /joke It is true that I don't use the same handle on every site that I visit, and there is nothing wrong with that really. I'm not sure who this "Lefty" is though.
                    Don&#39;t blame me for being smarter than you, that&#39;s your parent&#39;s fault.

                    Comment


                      #11
                      Re: The PAM_MOTD exploit

                      Nice read guys! Thanks!

                      Comment


                        #12
                        Re: The PAM_MOTD exploit

                        Originally posted by kubicle
                        But the point I was trying to make was that a firewall doesn't really protect against something like this.
                        I agree.

                        Originally posted by kubicle
                        Of course, one cannot stress the importance of regular security upgrades enough, no hole is too small to patch. But to me, very high risk indicates that statistically a significant number of users are going to be affected, which I just don't see happening (I guess we're just using the same terminology in a slightly different sense)
                        In my mind 'critical risk' has the potential to impact a significant number of people. Perhaps 'very high' is too strong of a term though.
                        Don&#39;t blame me for being smarter than you, that&#39;s your parent&#39;s fault.

                        Comment


                          #13
                          Re: The PAM_MOTD exploit

                          Originally posted by zlow
                          ...
                          Wow, that smells almost like a compliment! /joke It is true that I don't use the same handle on every site that I visit, and there is nothing wrong with that really. ...
                          No joke. It was a compliment. You seem well versed in Linux and hardware! And no, there is nothing wrong with using different handles on each site, unless you are trying to hide something You aren't a Microsoft Technical Evangelist, are you? Here is a story by journalist Joe Barr, now deceased, writing about his experience on the CompuServe Canopus Forum which is suspected to be the first appearance of TEs. Joe didn't know about TE's at the time. After the Combs vs Microsoft trial documentation was released the infamous Comes-3096.pdf document made public the existence of a team of individuals trained to do a lot of the stuff that occured in the Canopus forum but with much more added later, such as "The Slog" and "The Stacked Panel". When his name was revealed James Plamondon did a mea culpa and explained why TEs are so dangerous today. Interestingly, a lot of folks with WindowsLive IDs filled his comment section with hundreds of spam listings.
                          My belief that I was one of the Good Guys was similarly flawed. This is now inescapable. I was wrong. Many of the TE practices that I developed, taught, and espoused were wrong. Anyone who continues to practice them is wrong. As a first step towards making amends for my past wrongdoing, I must make this clear, and widely known.

                          Microsoft—where these practices were developed, welcomed, and endorsed as official policy—is this week launching its first public volley in the Mother of All Standards Battles, to control the de facto standards of cloud computing. For Microsoft, this is a life-or-death struggle. When Microsoft's back is to the wall, can it reasonably be expected to refrain from using the TE tactics that it KNOWS will help it win, if its use of those tactics is unrestrained?

                          However, my concern is not just for Microsoft. These TE practices are very effective, and now that some of them have been documented in the public record, other platform vendors will be tempted to use them, too, when their backs are against the wall.

                          This problem can only be treated, I believe, by professionalizing TE, and thereby inoculating platform vendors against unethical TE practices.

                          That's why I felt compelled to come forward now. Only now have I realized how wrong I was, and by coming forward now, in the opening skirmishes of the Cloud Computing Wars, I can begin to make amends for my past wrong-doing.
                          Sadly, Microsoft continued using those techniques on the ISO committee fast tracking their OpenXML standard (against the .ODT), the European Union Open Source Software Report committee, etc. And, Plamondon was right, other corporations have begun using the same techniques.
                          "A nation that is afraid to let its people judge the truth and falsehood in an open market is a nation that is afraid of its people.”
                          – John F. Kennedy, February 26, 1962.

                          Comment


                            #14
                            Re: The PAM_MOTD exploit

                            Originally posted by GreyGeek
                            No joke. It was a compliment. You seem well versed in Linux and hardware! And no, there is nothing wrong with using different handles on each site, unless you are trying to hide something You aren't a Microsoft Technical Evangelist, are you?
                            Thanks. No, I don't have anything to hide I simply don't care about internet personas. I am also no Microsoft anything (I don't earn any money using or supporting any Microsoft products), but I find it hilarious that you keep pointing in that direction. :P
                            Don&#39;t blame me for being smarter than you, that&#39;s your parent&#39;s fault.

                            Comment

                            Working...
                            X