Con Zymaris conz at cyber.com.au
Mon May 10 21:02:02 UTC 2004

On Mon, May 10, 2004 at 02:44:38PM +1000, David Purdue wrote:
> Just to play devil's advocate...
> Con Zymaris wrote:
> >
> >The first worm, by Robert Morris Junior, son of a senior NSA computer
> >security expert and Unix pioneer, occurred in 1988. Even though it was
> >not malicious and accidentally escaped from a lab, it brought the
> >Internet to its knees for a few days. It directly caused the creation of
> >a number of agencies, primarily CERT - Computer Emergency and Response
> >Team. What the Morris Worm did clearly demonstrate is that there are
> >substantial advantages for any organisation in using operating systems,
> >middleware and applications from more than one codebase. Organisations
> >who had a variety of platforms were able to keep part of their
> >computing infrastructure going.
> This release fails to mention that the Morris Worm propagated by 
> exploiting weaknesses in Sendmail, an open source program.

The issue isn't that there are no remote vulnerabilities in open source
platforms or applications. The issue is one of homogeneity as opposed to

To broaden the example you raise, almost all Microsoft OS environments use
the Exchange mail server as their MTA. You therefore have MS Exchange on
an MS Windows NT/2000 kernel core, always on an x86 architecture; this
makes for a single, large, well defined target. A target that when hit, 
will propogate a worm at the maximal speed possible.

Contrast this with the open source/proprietary Unix space, where you would
have Sendmail, Exim, qmail and Postfix on a mix-n-match combination of
FreeBSD, Solaris, Linux and OpenBSD. Which of these do you target as a
malware writer? And for which OS? And on what CPU instruction set?

The work effort involved in aiming a worm which remotely exploits a
vulnerability, and making it effective against this lot, is extremely 
hard. Furthermore, the propogation speed (and reach) will be far far less 
than for the platform in the previous example.

Which is why we are calling for the conversion of half of all business 
systems to something which is not Microsoft Windows.

> So it could also be said that what the Morris Worm did is clearly 
> demonstrate that software being open source does not imply that it is 
> immune to virus/worm attack.

Indeed not. Which is why we aren't claiming this point above.

> If the real lesson is that I should source my applications from multiple 
> code bases, what is the alternate codebase for something that does the 
> same job as Apache?

There may be areas where there is no viable alternative(s) to the
user-space application in question (i.e Apache).  What you would do is
ensure you run Apache on multiple operating systems, preferrably on
different CPU architectures. This achieves the same result.

Con Zymaris <conz at cyber.com.au> Level 4, 10 Queen St, Melbourne, Australia 
Cybersource: Australia's Leading Linux and Open Source Solutions Company 
Web: http://www.cyber.com.au/  Phone: 03 9621 2377   Fax: 03 9621 2477

More information about the linux-aus mailing list