Linux no longer foolproof?
January 22, 2001 9:35 AM

Linux no longer foolproof? And a smile descended upon Redmond...
posted by mecawilson (21 comments total)
Almost. Nice try, though.

This type of thing is nothing new, and isn't a vulnerability in Linux in and of itself. It's a combination of a stupid default config on RedHat's part, and the user not knowing to disable and patch certain things.

There is no reason a computer should ship with RPC or LPR enabled. Likewise for FTP, if the machine is to be a desktop computer. Not only this, but I believe there are patches available for these packages that fix this vulnerability, and have been for some time.

It's like having a security system installed in your house, but you forget to turn it on. No big deal, it still works fine. But it won't do anything unless you know you need to turn it on. Shame on the installer for not making sure you knew, and shame on you for not checking.
posted by CrayDrygu at 9:49 AM on January 22, 2001
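The comment above boils down to an audit step: look at what is actually listening on the box and question anything you did not ask for. The following is an added example, not code from the thread or from any distribution, that reads the Linux `/proc/net/tcp` table and flags the three services named above (FTP, RPC portmapper, LPR) when they are bound to a non-loopback address. The port-to-service map, the loopback heuristic and the sample table are my assumptions for illustration; a live run would pass the contents of `/proc/net/tcp` instead of the constructed sample.

```python
# Added example (not from the thread): audit listening TCP sockets on a Linux
# host by parsing /proc/net/tcp and flag services that should not be enabled
# on a desktop install. Port numbers and names below are an assumed mapping.
from dataclasses import dataclass
from typing import List, Tuple

# Services the thread singles out, keyed by their well-known port (assumed map).
RISKY_SERVICES = {
    21: "ftp (wu-ftpd)",
    111: "rpc portmapper",
    515: "lpr (lpd)",
}

LISTEN_STATE = "0A"  # value of the 'st' column for TCP LISTEN in /proc/net/tcp


@dataclass(frozen=True)
class Listener:
    address: str
    port: int


def _hex_ipv4(hexaddr: str) -> str:
    """/proc/net/tcp stores IPv4 addresses as 8 hex digits in host byte order
    (little-endian on x86), so the bytes are reversed to get dotted form."""
    raw = bytes.fromhex(hexaddr)
    return ".".join(str(b) for b in reversed(raw))


def parse_proc_net_tcp(text: str) -> List[Listener]:
    """Return every socket in LISTEN state; established connections are skipped."""
    listeners = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] == "sl":  # header or blank line
            continue
        local, state = fields[1], fields[3]
        if state != LISTEN_STATE:
            continue
        addr_hex, port_hex = local.split(":")
        listeners.append(Listener(_hex_ipv4(addr_hex), int(port_hex, 16)))
    return listeners


def flag_risky(listeners: List[Listener]) -> List[Tuple[int, str]]:
    """(port, service) for each risky service reachable from the network.
    Loopback-only binds are tolerated; that heuristic is an assumption."""
    flagged = []
    for lst in listeners:
        if lst.port in RISKY_SERVICES and not lst.address.startswith("127."):
            flagged.append((lst.port, RISKY_SERVICES[lst.port]))
    return sorted(flagged)


# Constructed sample of /proc/net/tcp: ftp, ssh, portmapper and lpd listening
# on all interfaces, smtp on loopback only, plus one established connection.
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0015 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1001 1 0 100 0 0 10 0
   1: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1002 1 0 100 0 0 10 0
   2: 00000000:006F 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1003 1 0 100 0 0 10 0
   3: 00000000:0203 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1004 1 0 100 0 0 10 0
   4: 0100007F:0019 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1005 1 0 100 0 0 10 0
   5: 0100A8C0:0016 6400A8C0:C350 01 00000000:00000000 00:00000000 00000000     0        0 1006 1 0 100 0 0 10 0
"""


def audit(text: str = SAMPLE) -> List[Tuple[int, str]]:
    return flag_risky(parse_proc_net_tcp(text))


if __name__ == "__main__":
    # For a live host: audit(open("/proc/net/tcp").read())
    for port, service in audit():
        print(f"port {port}: {service} is listening on a non-loopback address")
```

The sample deliberately includes an SMTP listener bound to 127.0.0.1 and an established SSH session, so the output shows only the three network-reachable services the comment says should never ship enabled.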

I don't know why people are calling this a worm. It's simply yet another script for non-technical script kiddies to deface Web sites. I don't see how this is different from the RDS/MSDAC, Cold Fusion, or wuftpd exploits.
posted by bkdelong at 10:18 AM on January 22, 2001

The worm components then scan the global network for other Linux machines and upload the worm there if the "buffer overrun" attack is performed successfully.

It's called a worm because it self-propagates from machine to machine.
posted by plinth at 10:34 AM on January 22, 2001

CrayDrygu, many would argue that lack of knowledge on the user's part is no excuse for poor security. A system that is in such widespread use, that is *expected* to be run by people who don't know any better, *should* be secure. So personally, I blame RedHat. :-P

Does anyone know *why* they decided to install so many open services in their default install? It doesn't make much sense to me.
posted by whatnotever at 10:40 AM on January 22, 2001

These services and their activities are transparent. They're the sort of things that should be locked down by distributors. Even if they're not, not disabling them, or at least securing them properly, is proof positive that you shouldn't be running Linux until you read the Network Administrator's Guide.

(That said, I'd be worried about the BSD daemons running by default on OS X. One of the reasons why MacOS can be a decent server platform is that it's locked down by definition.)
posted by holgate at 11:10 AM on January 22, 2001

Just another example of why genetic diversity is A Good Thing.
posted by baylink at 11:31 AM on January 22, 2001

Is there any real Mac OS left (the OS9 and below kind) in OS X, or is it just total Unix with a neat-looking front-end? I mean, Mac OS has always been the most secure OS simply because it never had all those open services coded into it in the first place. But that's all out the window now, isn't it?
posted by aaron at 11:45 AM on January 22, 2001

Well, one could run one's Web server in Mac OS X's Classic "box" and turn off all BSD services, I guess.
posted by kindall at 11:50 AM on January 22, 2001

aaron: OS 9 runs in, like kindall said, a 'box'. Basically, the Classic environment is a separate application--a Mac emulator. (When you launch a Classic application for the first time in a session, the Classic 'box' has to boot up, just like a current Mac.) It just so happens that this emulator is running on the native PowerPC processor, so the speed hit is minimized.
As to security... well. Current builds of OS X have several ports open by default (and a portscanner is a standard system utility! l33t), but I really, really, really hope they default them to off for the consumer release.
posted by darukaru at 12:38 PM on January 22, 2001

A system that is in such widespread use, that is *expected* to be run by people who don't know any better, *should* be secure.

We still talking about Linux here? That's a good argument against the MS security model, but even in the common distributions Linux is still largely a do it yourself type of OS - a pretty poor choice for people that don't want to know/care what their OS is doing.
posted by willnot at 12:52 PM on January 22, 2001

If OSX is set up like the FreeBSD install I did (which I'm assuming that, for the most part, it will be) when I installed it, it was pretty barren. It wasn't quite as tight as OpenBSD, there were still a number of ports open, but for most services (like SMTP, telnet, FTP) I had to specifically alter the kernel or various configs to load them.

A general question that I just thought of. If there's no service listening on a port, is it vulnerable?
posted by cCranium at 2:19 PM on January 22, 2001

There are other issues here: wuftpd is a known problem --meaning not this particular exploit but its exploitability in general. RedHat ignored other alternatives that exist out there and installs (and activates) it by default. If you are going to choose a program prone to security holes because it is the standard one, don't enable it by default; put wuftpd in the distro but enable a competitor by default: everybody's happy.

Problem of course is, RH doesn't want to *support* multiple ftp servers --which is their right. However, because of that you just lost an advantage of open source, i.e. the ability to pick a competitor component instead of going with another one for economic reasons.

If you take this argument to its logical conclusion you *may* conclude that an OSS *vendor* is subject to the same technology lock-in as a commercial software vendor --e.g. Microsoft has the same issues with dumping a component and replacing it with another (support and maintenance costs, besides development). However, an OSS vendor does not have the financial resources to facilitate a speedier technology change and, more importantly, is relying on outside human resources to develop this technology. In other words, if you're stuck with a piece of OSS that is un-sexy to compete with (BIND comes to mind) you will be stuck with it for a long time.

Can RH pay people to develop another ftpd? yes. Can they afford to? probably not.
posted by costas at 2:20 PM on January 22, 2001

Exactly. Neal Stephenson compared Unix to the Hole Hawg drill in his "In the Beginning was the Command Line":

The Hole Hawg is dangerous because it does exactly what you tell it to. It is not bound by the physical limitations that are inherent in a cheap drill, and neither is it limited by safety interlocks that might be built into a homeowner's product by a liability-conscious manufacturer. The danger lies not in the machine itself but in the user's failure to envision the full consequences of the instructions he gives to it.
posted by holgate at 2:20 PM on January 22, 2001

costas: they don't need to. More reputable distributions, such as Debian, already switched to the OpenBSD ftpd.
posted by holgate at 2:22 PM on January 22, 2001

If there's no service listening on a port, is it vulnerable?

Generally speaking, no. It is conceivable that a particular networking stack might have an exploitable bug that involved a port with no service listening in a denial-of-service attack, but that's pretty rare considering how hard most TCP implementations have been beat on over the years.
posted by kindall at 4:21 PM on January 22, 2001

To respond to the headline, as an experienced design engineer I can tell you truly that nothing is foolproof. We engineers have two sayings about that.

1. "You can't make something foolproof because fools are so ingenious."

2. "Every time you make something foolproof, they invent a better fool."
posted by Steven Den Beste at 5:36 PM on January 22, 2001

kindall, that's what I figured, it only seems logical to me.

I can understand OS creators wanting simplicity and easy setups, but I can't understand why they don't at least make users turn services on somewhere.

I expect an out-of-the-box installation to be pretty minimal (security through obscurity can ease a lot of problems), but then I guess there's a reason I've been doing custom installs of all my software for a number of years now.
posted by cCranium at 5:41 PM on January 22, 2001

Rowr. Hole Hawg.
posted by dhartung at 6:27 PM on January 22, 2001

Hmm. I didn't expect the Hole Hawg to look exactly like that (given Mr Stephenson's description). I take it that "In the Beginning was the Command Line" is still under copyright and that if I did have a link to an e-text version of it (and I'm not saying that I do) that it would be wrong and evil of me to post that link.
posted by davidgentle at 8:06 PM on January 22, 2001

Same here. It still looks like one hell of a drill. Wonder if they make 240V models?
posted by holgate at 7:11 AM on January 23, 2001

For Pete's sake, you can download the whole frickin' essay from Stephenson's own site, although I'm disappointed that there doesn't seem to be a .gz version. And thus I have no qualms about linking the e-text or how to find it.
posted by harmful at 7:20 AM on January 23, 2001
