Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror
×
Bug

BugTraq's Elias Levy Talks Security 137

LiquidPC writes: "UnderLinux.com.br has an interview with the BugTraq moderator, Elias Levy or Aleph1. Questions ranging from what he thinks of 'Hacking Exposed' to whether BSD is more secure than Linux. Kind of short, but interesting nonetheless." He notes the interesting difference between the approaches to security taken by FreeBSD (which he praises) and Linux -- lots of projects vs. a single unified one, and emphasizes that security is ongoing, not defeating any single problem.
This discussion has been archived. No new comments can be posted.

BugTraq's Elias Levy Talks Security

Comments Filter:
  • OpenBSD, not FreeBSD (Score:5, Informative)

    by X-ViRGE ( 44659 ) on Tuesday September 18, 2001 @03:59PM (#2317272) Homepage
    Um, just FYI, he said OpenBSD, not FreeBSD. I think most people would agree about the security of OpenBSD.
  • Geez.

    And he doesn't really "praise" anything, although his comments are interesting.
  • security (Score:3, Informative)

    by Lumpy ( 12016 ) on Tuesday September 18, 2001 @04:00PM (#2317285) Homepage
    It's very true, Anything can be secured including windows NT/200/xp/zp/ww3p it just takes more time and more money to do it than BSD or linux. but many companies take the stance of hiring a security consultant, get's an audit, fixes what's wrong and then believes that they've done what was needed and that they are secure now. They never think, or dont want to think that security is a moving target that requires full-time attention and trained people to take care of it. Send your IS/It staff to security training and seminars, keep the staff trained.

    unfortunately in today's economic world, those programs and positions will be among the first to be cut by the CEO's.

    • > unfortunately in today's economic world, those
      > programs and positions will be among the first
      > to be cut by the CEO's.

      I have worked in a field related to security (more like crypto), and it is also a problem when HR's are first to filter out job applicants. A woman acquaintance of mine had such a job interview, which ended with her and the HR woman subtly bitchslapping each other about their dressing styles. No security talk whatsoever!

      It is as if the companies expect a security guru to have, before all, a nice personality (I know very few such people, realistically speaking).

      Yoko 99
    • Re:security (Score:4, Interesting)

      by mindstrm ( 20013 ) on Tuesday September 18, 2001 @04:24PM (#2317418)
      I don't even buy that it's 'easier' to secure BSD.

      It may take a few less keystrokes out of the box, on any particular version, but that's where it ends.

      Running *real* live systems, it takes the same amount of diligence and effort to keep them secured. You have to be aware of each new application you install, and how it impacts your security. It's no different on any OS.

      Win2k is not hard to secure; neither is any other MS system.

      • Re:security (Score:3, Insightful)

        by Simon Brooke ( 45012 )
        Win2k is not hard to secure; neither is any other MS system

        [simon@beesianum simon]$ cat /var/log/httpd/*access* | grep msadc | wc -l
        133

        Not bad for a worm that's been live for less than seven hours, and attacks an operating system that's 'easy to secure'.

        • Re:security (Score:3, Informative)

          The worm might be new, but the patch for the exploit in question was released in October 2000. Here are some links that are of interest:

          http://www.microsoft.com/technet/treeview/defaul t. asp?url=/technet/itsolutions/security/tools/lockto ol.asp

          http://www.microsoft.com/technet/treeview/defaul t. asp?url=/technet/itsolutions/security/tools/iis5ch k.asp
          • Re:security (Score:5, Informative)

            by coolgeek ( 140561 ) on Tuesday September 18, 2001 @07:09PM (#2318117) Homepage
            the patch for the exploit in question was released in October 2000

            I don't want to harsh on you too roughly. Blaming the end user for not patching their systems is a bit like a programmer blaming a user for pressing that wrong key at that wrong time that crashes said programmers' code. They are innocent and ignorant. Insisting that they become clued about administering their computers is analagous to saying all motorists should be semi-proficient mechanics before climbing behind the wheel. Its just not practical, and it ain't never gonna happen.

            Microsoft sure seems to have money to spend when it comes to sicking the BSA on its paying customers, or lobbying various public officials to look the other way while they break the law, yet seems to have $0 when it comes to educating the masses about the flaws in its products. Why not some full-page ads and television spots: "We're sorry we made a boo-boo. Please visit windowsupdate.microsoft.com to repair your Windows installation, and help keep The Internet safe for all of us." (and I have my doubts about whether that plugs these leaks) How about just putting some "Free MSN and Windows Repair CDs" next to the free AOL CDs you see everywhere. Instead, Microsoft seems to be quite content to allow the rest of us to pick up the tab for their follies in the form of lost productivity, upstream bandwidth fees, law enforcement investigations, etc. I would speak to their possible motives as to why they might want us all to waste our time and money, but I've sworn off the flamebait for a while.

            • Now, it's not really that bad. Things would be a whole lot better in the world of Windows security if two things happened:

              1) Microsoft shipped their OS in a reasonably secure-by-default configuration. Now, I realize that if they did the OpenBSD and shipped with everything turned off their users would scream, but the reality is that MS has enabled a lot of things that the average user really doesn't need.

              2) People actually patch their systems regularly. People go to gas stations and pump their own gas (well in most areas of the world), and it really isn't that much more difficult to install security patches. Just go to the MS web site, download, and install. Honestly, part of me feels that people should have to get a computer license to connect a computer on the public Internet, just like driving a car on public streets.

              I'll be the first to admit, that neither of these are going to completely solve for the problem, but either would definately make a rather dramatic impact to these sorta things.

              • Now, I realize that if
                they did the OpenBSD and shipped with everything turned off their users would scream


                If they can't even start the web server service on the machine then perhaps they shouldn't be running a web server in the first place?

              • 1) Microsoft could easily turn services off by default. No user needs a webserver unless they have content to serve. If they don't know where the content goes, they don't need the server. They could have put a 'Web Server' config pluggin in the control panel. People are capable to using the control panel (or the shortcuts) to change the screen background, or at least don't raise hell when they can't. They'd be able to turn on a webserver, or wouldn't realize that it was there...

                2) MS's patches are often worse than the hole. Service pack 2(?) for NT was called the SP-of-death. SP6 rendered Lotus Notes unusable (maybe just the notes server...) No admin worth the title would blindly install MS patches without waiting a month or so to see if any problems were reported. Patches released as the result of an exploit are worse... MS code is unstable at best, when rushed, you're trusting your server to alpha-level code.

                MS could learn a lot from IBM, or other mainframe makers, before trying to enter the server market. IBM had mainframes with decade-long uptimes, they didn't do that by rushing untested code onto client machines.

                I really think someone needs to sue MS for incompotence. Some of their blunders are so bad it's amazing they went through testing. (I don't think MS should be ruined for it, but if they had to pay out anything in this kind of case, they might be more careful to avoid a larger settlement in the future.)
            • Re:security (Score:2, Interesting)

              Come on! Look, I'll be the first to admit that Microsoft could do a better job with many aspects of the securing of their operating systems (like other people have mentioned, things like not turning on every last service under the sun by default, that kind of thing).


              But as for your argument, windowsupdate.microsoft.com is about the easiest method I've come across for any operating system to keep your system up to date. I do hold the end user responsible for that reason, because in the age of the internet and high-speed home connections, as a user, you have an elevated responsibility over days past to keep your systems secure. It's simply a fact of life.


              Every OS has holes. Linux, BSD, Solaris, Win[92XM]*, they all have 'em. Very few operating systems are designed and implemented with security as a top priority. In addition, MS OSes enjoy the massive user base and visibility, not to mention the low entry-level of computer knowledge, of no other OS, which means they're going to be more vulnerable, to some extent.


              But it's definitely not rocket science to keep your MS OS patched. They make it really easy. Could they be more visible about it? Perhaps. Could everyone else? Just as arguably, yes. Does anyone else out there have better visibility for security issues/updates for their OS? With very few exceptions, I'd say no.

              • Re:security (Score:2, Informative)

                by Tony-A ( 29931 )
                I'd say yes.

                Try redhat.com/errata
                In addition to links to Errata for 7.1 going back to 4.0,
                Notable Security Exploits

                Red Hat Linux users who have applied all Red Hat security updates are usually not vulnerable to worms and other security exploits. Click on the links below to read about each recent exploit and what you can do to prevent being affected.
                The Adore Worm
                Discovered April 3, 2001
                The Lion Worm
                Discovered March 23, 2001
                Bind Exploit
                Discovered January 29, 2001
                The Ramen Noodle Worm
                Discovered January, 2001

                http://openbsd.com/errata.html
                even better organized

                http://www.freebsd.org/releases/4.3R/errata.html

              • windowsupdate is very easy to use, I am not arguing that. My points are:

                1) M$ really lags when it comes to posting security updates on windowsupdate
                2) The unwashed masses of computer users are unaware that windowsupdat exists.
                3) windowsupdate is really practicial only for people that have bandwidth. Most people still use 56K or less. (At least that's what they are saying)

                When it comes to applying security patches, and one wishes to do so in a timely fashion, I do not consider it trivial. All those Qxxxxxx.exe files one needs to download from the M$ Security Center, and the Rube Goldberg add-ons that are needed to apply more than one Qxxxxxx.exe per reboot are not "easy to use", especially not for an end user. Personally, I find it easier to download new kernels and Apache source and recompiling from scratch to maintain the Linux boxes than running the Qxxxxxx.exe files from M$.

                You make a good point about their relative visibility compared to other OSs. I argue due to M$ monopolistic market share, especially in the workstation market, they have an implied duty to do far more than other OS vendors to make this stuff available.

            • Insisting that they become clued about administering their computers is analagous to saying all motorists should be semi-proficient mechanics before climbing behind the wheel.

              A motorist does know that periodic oil changes are needed, even if they don't know how to change the oil themselves. Everyone who has a car, either changes their own oil, or has someone else (e.g. a pro) do it for them. If they put their head in the sand and just assume that the car will work forever w/out needing maintenance, then they are destined for disappointment.

              MS Windows and IIS are no different. There have been repeated incidents and stories in then news for years about this stuff. Anyone who buys them without the expectation that they're going to have to spend some time on maintenance (or hire someone) is denying reality.

              I'm not saying this is a desirable situation; it isn't. But the buyer knew about it before he signed the check. He knew what he was getting into and he decided to proceed anyway. That's not a Microsoft victim, that's a self victim, or maybe a gambler at best.

              Microsoft seems to be quite content to allow the rest of us to pick up the tab for their follies

              Users are apparently content to pick up that tab too; all they have to do is Just Say No. Microsoft's attitude will change after users' attitudes change.

              Just Say No. It solves most of life's problems.

            • Nope! I'm sorry.. The unix world is no different. You have to update your code when patches become available as vulnerabilities are discovered. The exact same argument would apply.

              Having an unpatches system months later.. fair enough you say it might not be the users fault.. or not fair to blame them. but it's not microsoft's fault.. what more can they do than publish and make available the fix?

        • None of my machines have been infected. I follow standard, easy to find methods for securing my systems. Hmmm.....

          Many, many people who run the OS have not done *anything, whatsoever* to secure their system out of the box. THey haven't even TRIED.

          The presence of this worm is indicative of the average knowledge and aptitude of those running the infected systems... and NOT an indicator of the quality of the OS.

          Oh.. I'll agree that it's easier to find information about how to secure unix systems... and the admin generally has a better knowledge of how a new application affects his security.. but in general, this is the case with windows too.
      • Re:security (Score:2, Informative)

        by Anonymous Coward
        I disagree. Win2K is hard to secure because Microsoft's policy regarding security is to release a patch once a vulnerability is identified. Furthermore, a multitude of services are enabled per default, and in a sea of product updates, it can be difficult, if not impossible, to determine which update applies to the system at hand.

        Contrast this with OpenBSD. Their approach is much more pro-active. Regular code audits leads to a more secure codebase. However, if something slips through the cracks, a patch is released. Since OpenBSD is "secure by default" it is a simple matter to determine if the patch applies to your system, becase the administrator must enable services as the need arises.

        Both systems can be secured, certainly, but Microsoft's security policy is shit, so I'd rather not have to try and secure a windows box when there are better options available.
        • I'm sorry, but from a realistic point of view, the fact that Windows ships with some services that need to be disabled does not equate to being 'hard to secure'.

          A simple procedure applied to new systems fixes it up quickly.

          Unix systems have traditionally been no different. Certainly, the openbsd distribution ships with nothing enabled. Fine.... but in the hands of someone unskilled, it becomes just as unsecure as anything else if they start enabling services they need without the proper diligence.

          I don't dispute that OpenBSD, indeed, most of the free unixes are basically secure out of the box, where windows & IIS and stuff are not.. but that does not mean they are 'hard to secure', it just means you have to actually take some measures to secure it.

      • >>Win2k is not hard to secure; neither is any other MS system.

        Well, actually Windows 98 is pretty difficult to secure.

        In particular, I would point out the large number of local root exploits.

        • Well, actually Windows 98 is pretty difficult to secure.

          In particular, I would point out the large number of local root exploits.

          Uhm... Windows 98 is a local root exploit. With no user permission levels, local roots become meaningless.

          More interesting would be the number of remote roots (probably fairly small, as only NetBIOS runs normally IIRC), or remote DOS'es (fairly large, IIRPingOfDeathC).

        • In particular, I would point out the large number of local root exploits.

          Like, pressing ESC at the login prompt? :->
      • Win2k is not hard to secure;

        Yep, there's this secure switch marked "I/O" right on the box!

      • MS DOS is easy to secure? What are you smoking? And can I have some?

        Sure MS DOS isn't subject to worms or IP spoofing, but that's 'cause it doesn't ship with and IP stack. You may be amazed to hear that my toaster is also secure from Internet attacks! And these days, my toaster is more useful than MS DOS. The hot, buttery toast I'm chewing is testament to that. Why, the last time I saw the DOS command prompt was when I installed Windows 98.

        What about Windows 3.1, 95, 98 or ME? They didn't have a very firm grasp on the notion of multiple users. Anyone could read anyone else's files, for crying out loud! That's not secure, that's Swiss cheese. My apologies to the Swiss. I like that cheese.

        I've never touched Windows CE. I hear it sucks less now, which is good. I wonder how many IPAQs it would take to run a medium-sized web site? How many would it take to weather the Slashdot effect?

        Windows NT, I grant, is far more secure than any MS System. But I shouldn't really mention NT and 2000 separately, since I lumped 95 in the same pile as ME. Even Windows 2000 has a nasty habit of lying to you about certain file extensions. It can also hide files and directories from the administrator.

        As for other products, well-- When you say "system", you must mean operating system, 'cause we can't go around comparing Linux to Microsoft Word. That would be silly.

        Shall we compare compare Word and Outlook to VI and Mutt?
        • You got me there. I should clarify, for people like you, that we obviously aren't talking about MS DOS here. Or WinCE. I'd imagine you are just in a bad mood or something?
          I'd think most readers would find it obvious what we were discussing. Apparently you need some assistance.

          Win2k can't hide anything from the administrator if you set it correctly. Neither will it lie about file extensions if you set them correclty. Neither of those has anything to do with network security, either.

          And when I say 'system'.. what the hell did you think I meant? I meant a system involving Microsoft products. You can quabble over the exact definition all you like. NT is a product, so is Windows 2000. NT is also a kernel. Linux is a kernel, and also a product. Blah blah blah..

          • You said, "Win2k is not hard to secure; neither is any other MS system." What you apparently meant was "Win2k is not hard to secure; neither is Windows NT."

            The first statement is way too broad for any sane person to make, so I went on a sarcastic rant to show how silly it was.

            And in my opinion, an operating system should never hide anything from the administrator, if the administrator tries to see it. I recently tried to determine what was taking up so much space on a Windows 2000 server. I had to resort to an alternative program, because Windows Explorer hid the Exchange subdirectory from me completely.

            I also understand that there are some file extensions that are hidden unless you edit the registry. That's just wrong.
      • mindstrm wrote:
        I don't even buy that it's 'easier' to secure BSD.


        It may take a few less keystrokes out of the box, on any particular version, but that's where it ends.


        Nope, completely different worlds. When I update an app (say, pine for example) on my *nix box, that one app is all that changes. If I switch over to the latest and greatest version of Outlook on a Windows box I have to check to make sure that Windows Scripting Host or IIS hasn't automagically been installed too.

        Running *real* live systems, it takes the same amount of diligence and effort to keep them secured. You have to be aware of each new application you install, and how it impacts your security. It's no different on any OS.


        So where is the source code or documentation that tells me that this particular service pack installes completely unrelated software that is installed without even asking me if I want to install it?

        Win2k is not hard to secure; neither is any other MS system.


        Uhm, Code Red was based on an exploit that was how old? There is IMHO a difference in the mindset of *nix admins vs. MSCSEs. *nix admins want to control their boxes, MCSEs just want them to work.



        "Anyways, you are precisely right - the best admin is at heart a lazy, worthless bastard who will do anything, script anything, to get out of work." danheskett

      • Well actually al least NT is HARD to secure, I have been working with this form some years before I got to fustrated and left of the nice stabile Unix world again. Installing NT and securing the box is actually pretty easy, well it takes a loot more time that the same work with OpenBSD but...

        As every installation needs software, yet it does saidly but thats true. We soon run into problems with the NT enviroment as almost every program assuems that it's running in a Windows 9x enviroment it also assumes that it could write anyware on c:. It dosn't care about looking for the nice multiuser features of NT, I can write to C:\WINDOWS\MyConfig.dat without problems. (or maybe C:\Program Files\MyApp\Config.cfg, this is nice and works in a simple singeluser enviroment or maybe on a trused server looked in a nice server room. But actually we have computers standing on the desktop of users, and some of them may even be used by several persons.

        Securing a NT machine produces bugs in software packages as office to be exposed. It take a loot more effort to secure the applications in Windows that in the unix world (most Unix developers are developing where they don't have root access to any disk, that is not the case of windows developers.)

        / Balp
      • Thats the problem, its turned on by default, most users of MS systems don't have a clue what going on in their machine, therefore no due diligence is involved. My site sever logs were showing codeRed probes as lately as 9/10/01. There is so much flying arround on the web today that no one can keep on top of it all.

        Come on People you have to get out and contact those "six pack Joe computer users" you know your non-geek friends and start to teach'em a little bit about security. It the simple stuff they need, like running anti-virus, running a firewall, downloading updates from MS or where-ever and simple Email security. The internet is much more a community than ever before, when one get sick they either need to be quarentined or cure period. All of the silly stuff flying arround makes it harder to see the dangerous stuff.

        Some one need to write a MS versoin of top so it easy see average people to see what thier machine are doing. Maybe that way Joe might notice that he has 100 threads of codeRed trying to run in 32K of memory, and a easy way to do something about it.

      • Win2k is not hard to secure; neither is any other MS system.


        I have to disagree with you here. I also have to disagree with most of the comments in this thread. As far as windows 2K it has come a long way but there are still alot of undocumented holes. But this is not the issue. The problem is that W2K is being marketed as an easy to administer system. I have come across so may system admins who know windows only, but have no clue about security. Clients who purchase windows systems are under the impression that we need not train windows admins or just place the most knowledgable person in the company to create user accounts and reboot. Microsoft is selling a false sense of security in all levels of their marketing. Windows is NOT easy to use (ever have a problem that you know what needs to be corrected but it just doesn't allow you, plug and pray for one). True Windows administrators cost the same as UNIX admins, they only admins who settle are those that are not able to truely administer a system. /RANT


        I am tired of reading how great windows is. I'd like to experiance it, unfortunately every OS out of Microsoft has easy to use 'WIZARDS' that fail to acomplish simple tasks but make people feel that they have administered the system.

      • mindstrm, it's been a while. I thought you had suffered a Slashdot death penalty or something.

        Win2k is not hard to secure; neither is any other MS system.

        OK, I agree all you have to do is remove the modem, network card and keyboard. That is easy, cheap too!

        Otherwise, MSJVM, VB and other trash that has full access to your file system as root will trash you. Duh. M$ designed their OS around marketing, so they can shove whatever software they want onto and extract whatever info they want from their users. This is not going to change, ever, and M$ will always be impossible to secure.

        • Sorry, I was busy changing continents yet again....

          That wasn't a troll. I dispute being called a paid MS troll. I avoid using MS wherever possible, and I dislike them in general.

          But having run many, many systems... I'll grant that MS is slightly harder to secure.. in that it's harder to get the information you need.... and that it may not come 'as secure' out of the box....but any sufficiently busy or large server has the same problem. You install software, you have to be aware of what the impact is on the system.

          Yes, lots of people are talking about how MS is 'marketed to a different audience'. Or about how the presence of these new 'worms' shows that it's harder to secure... blah blah blah.

          To the guy talking about MSDOS and Win98 being 'insecure locally'.. get a grip. That's not the discussion here.

          Running windows boxes securely is no harder than running unix boxes securely, I'm sorry. You have to take different factors into account, and you have to get your information from different sources, yes...
          And yes, MS policy on publishing patches for exploits might be bad....

          But still: blaming home users for not having secure web servers? It's because they were ignorant of how to properly run them, in most cases. Saying that is because it's supposed to be 'easy' to use.. well.. why did the user pick it in the first place?

          I've *never* had a problem with any of my boxes.

          • I've *never* had a problem with any of my boxes.

            That must be because of this:

            I avoid using MS wherever possible, and I dislike them in general.

            Why would you ever run MS stuff? You must be aware that they continue to ignore basic security requirments such as unprivalidged user accounts, and all of the reprocusions. Surely you would never run a browser that automatically executed code as root? How do you secure such a beast and why would you go to all that effort?

  • From the article: While we can place great efforts into teaching people how to avoid buffer overflows in languages such as C it is likely they will introduce them into their programs anyway. It makes more sense from a security perspective to replace the language with one that makes buffer overflows difficult.

    This is why you shouldn't use an MS designed languages like VB or C#.

    Seriously, I understand what he's saying about C. It allows low level access to a computer's hardware, and can be easily broken at that low level... Thus the need for garbage collection and careful avoidance of Stack-overflow conditions.

    On the other hand, we have Java, which trades convenience for security. Sure, it's easy to get started coding in Java, but heaven help you if you want to distribute a Java-based application to everyday (non-hacker) computer users. A webpage is the only medium in which Joe-sixpack is very likely to view any given Java application, giving full-scale Java applications a somewhat more limited potential user base.

    Seriously, then, what is the best application and system language in terms of security, power, and convenience?
    • by devphil ( 51341 )


      Agreed, to an extent. Whenever I see coders beginning to argue about "secure languages" and programming languages that "don't allow" security holes, I have to laugh and recall what Bjarne Stroustrup said about C++'s (and C's) approach to such things.

      I assume that a sufficiently skilled programmer can do anything not explicitly prohibited by hardware.

      (I'm quoting from memory.) The "protections" of the C family of languages are meant to prevent accidents, not fraud. Y'all might check out something like libsafe [avayalabs.com], originally from Bell Labs, and released under the LGPL.

      • As far as I know one of the intents when designing C was to make a language that doesn't forbid you doing anything, eg no internal checking and bla-bla-bla, thus not sacrificing performance btw the /. effect sucks - Warning: Too many connections in /home/underlinux/htdocs/mainfile.php on line 17 Unable to select database
    • Python, LISP variantes (CL, Scheme pop to mind), Smalltalk, and even relatively-safe C++ programming (never using C arrays, but rather using safe array classes such as vectors, etc.)..

      Perhaps a little offtopic, but I'm currently pondering a language where one proves his code correct via logic-code that is written side-by-side with the existing code, with mechanic(compiler)-testing of the proof, verifying it is indeed correct. This ofcourse will not work for all programs, where low-level thread control is required, and proof of correctness is near-impossible, but mostly a side-effect-less style can be used (not completely functional though), allowing high-level control of threading, or sometimes avoiding threading altogether. Achieving 100% compatability with a rather-simple mathamatical specification of a server, guarantees the server will work for all cases and never fail. This is obviously useful for many other software fields.
      • You are pondering creating such a language or using one ? Anyway have a look at Haskell [haskell.org] and other functional programming languages.
        • Functional languages are inherently inefficient and not "computer-scientific" (changing an array item is O(n), for example, instead of O(1)).

          Functional languages do NOT mechanically test the proof for correctness.
    • I'm personally a big admirer of perl's taint-checking feature. When you run perl with the -T flag, it marks data from external sources as "tainted", which will produce a fatal error if that data is used for certain operations deemed insecure, such as shelling out or opening a file for writing. If you want to use external data to open a file for writing, or shell out, you have to first "lauder" the data by matching it against a regular expression you've constructe.

      It would be nice if there were more granular control over what operations are deemed insecure. E.g. so you could deem opening a file for reading insecure, or execution of SQL statements in a database.
      • Safe - Compile and execute code in restricted compartments

        perldoc Safe for more information on the module-- probably does some of what you outlined above, though I've never used the module personally.

      • It would be nice if there were more granular control over what operations are deemed insecure. E.g. so you could deem opening a file for reading insecure, or execution of SQL statements in a database.

        Ruby exposes that functionality to the programmer. There are defined $Safe levels that define what actions can happen on "tainted" objects. Additionally, objects have the "taint" and "tainted?" methods which mark an object as tainted, or tells if an object is tainted, respectively.

        By either changing the Safe level, or making explicit calls to object.tainted, you can make taint checking as granular as you want.
    • by scrytch ( 9198 )
      This is why you shouldn't use an MS designed languages like VB or C#.

      Show me a buffer overflow attack on the VB VM. Just one. Attacks on the system? Watch me write "rm -rf $HOME /" in perl, python, and ruby. MS ships IIS in a bloody awful configuration for security, and it may not be possible to totally secure it, but the herring you're waving around is redder than Kruschev (there's a dated joke).
      • Show me a buffer overflow attack on the VB VM

        I'm pretty sure you are talking about vbscript, correct me if I'm wrong. A buffer overflow is generally used to elevate privileges on an os. It seems that usually any process you can get to run on a windows machine has the highest privileges available. You dont need to break out of the scripting language if it allows you to act like a nimda worm.
    • On the other hand, we have Java, which trades convenience for security. Sure, it's easy to get started coding in Java, but heaven help you if you want to distribute a Java-based application to everyday (non-hacker) computer users. .

      GCC compiles Java. Im sure other compilers do too. Dont confuse the language with the virtual machine.
      A Java-written program can be distributed in binary format in an rpm, deb, or zip file. We are no longer limited to java applets running in our browsers virtual machines. We no longer limited to running Java applications in a sandbox.
      So if you feel that java (the language) protects you from making mistakes, then by all means use it, but dont think you are limited to producing crappy effects on a web page.
      But do have a look at Haskell too.
    • Sure, it's easy to get started coding in Java, but heaven help you if you want to distribute a Java-based application to everyday (non-hacker) computer users. A webpage is the only medium in which Joe-sixpack is very likely to view any given Java application, giving full-scale Java applications a somewhat more limited potential user base.

      Hey check out LimeWire, it's written in Java and joe-six pack probably wouldn't even know!
    • Language wars... cool!

      Military safety people will tell you "Ada, nothing else". As a professional Ada programmer who has made money out of this attitude, I can tell you Military safety people are wankers.

      My current favorite language is Python, because its quick to develop working programs with, and helps you avoid many mistakes. It doesn't really rate as a system language though.

      However, if I had a choice and safety was of the utmost importance, I'd have to rate Eiffel as the winner. It's the only language that has "Design by Contract" built in, right down to pre/post conditions and invariants being inherited. The whole librarys are DBC'd, so mistakes are much easier to detect and avoid.

      Unfortunately, in any development project, tools and support are more important than the actual language. This is why C wins hands down.
  • We as linux/unix/bsd users need to come together and stop blaming security hole on the operating system. While some OSes come more secure out of the box, virtually any OS out there can be made secure with some time and effort. it's not the OS, it's the sysadmin who runs the machine. Corporate America needs to provide admins time and money to cover these bases, rather than just putting it on the 'todo' list, it needs to be made a priority.
    • The problem is that with linux a new type of user has entered the UNIX(like) OS space. 15 years ago you'd not have found all that many "non-expert" people running a *NIX on their home computer. Hence, what I see happening is a lot of semi-capable people running linux without the experience or knowledge or motiviation to make and keep it secure... heck, why bother making it secure at all? Nobody can hax0r a linux box (ahem).
      • That's true, but now just with linux. The next big operating system will likely have the same problem. It's not linux's (or w2k's or winnt's) fault that many of their users are less-than-skilled, it's just the way it works. Thankfully there is a variety of linux distro's, and many make it easy for the newbie to at least have a somewhat secure OS by giving them a choice during the install (i.e. How secure do you want your computer to be? [ ] very secure [ ] somehwat secure [ ] no security)

        Things are getting better, and the more exploits there are (hopefully) the more people will learn and the less they will take for granted about security.

  • Elias Levy, or Aleph1 is the bugtraq moderator one of the most important security mailing list of the world.

    UnderLinux : In a general focus what is more secure Gnu/Linux or OpenBSD ? Or other OS ?
    Aleph1 : That is a pointless question without some context. For example, certainly the OpenBSD folks have done an incredible job creating a secure and stable operating system - an effort that should be emulated by others - but the application you are looking to run many not be supported under it. The most secure OS depends on your requirements.

    Even with OpenBSD's success the UNIX security model is very simplistic. You can certainly write secure applications - see qmail and postfix for examples - but they require a lot of effort. Linux is interesting because the are so many groups exploring alternative security models: privileges, acls, subdomain, SELinux, etc.

    UnderLinux Team.

    NT had potential. It has an interesting security model, but the legacy code, insecure defaults, complexity, and lack of security savvy by application programmers used to the Windows and DOS world have left it with a rather bad track record.

    You must also take into account how well the people administrating the system knows the technology. You can have the most secure OS but if its misconfigured it will be useless. Conversely, a good admin is capable to hardening a sloppy OS.

    UnderLinux: One time surfing on the web I see this phrase : "Wanna defeat hackers..think like a hacker.. work like a security expert". What you think about this ?
    Aleph1 : A cliche, but a valid one. When creating defensive security technologies you must test them by attempting to defeat them before others do. Therefore you do not only require a defensive mindset but also an offensive one. Not only that but you must be better and more through than the ones you are defensing from. As a defender you must find and fix all possible avenues of attack. As an attacker you must only find and exploit one.

    UnderLinux: Can you tell us something about the book Hackers Exposed ?
    Aleph1 : I believe you mean Hacking Exposed. Its a good book. I recommend it. It does a good job at describing the methodology of penetrations. Its a technical book that shows you how to use the tools available for the job. Sadly this means that is likely to become outdated after a while. Luckily the publisher seems to be doing a good job at keeping it up to date. A second edition is out. Nonetheless, the basic techniques it teaches are independent of specific technologies.

    UnderLinux : Nowadays what kind of documents and programs cause you more expectative and interest ?
    Aleph1:Those that make it difficult for people to shoot themselves in the foot. Security today is to fragile. Take for example buffer overflows. While we can place great efforts into teaching people how to avoid buffer overflows in languages such as C it is likely they will introduce them into their programs anyway. It makes more sense from a security perspective to replace the language with one that makes buffer overflows difficult.

    Similarly I am interested in areas that help you encapsulate knowledge about computer security and help users do the right thing instead of letting them guess what is the right thing. For example, configuring a firewall correctly can be quite complicated and the are many nuances. We need to make it easier for folks to configure securely.

    UnderLinux: Do you think that problems like spoofing and DDoS will be defeat in the next 10 years ? Can you preview any solution for this problems ?
    Aleph1:I believe we'll find and deploy ways to mitigate them but not to do away with them. Denials of service and inherent in any finite system. The Internet architecture has made them even easier by its lack of authentication and resource allocation. In the future we'll have mechanism that make detecting and tracking network based denials of service easier. It's likely that some areas of the Internet will support resource allocation which will minimize some of the DoS effects.

    UnderLinux : What suggestions you can give to whom that wanna be a security expert ?
    Aleph1:Do a broad survey of the security landscape. They are many areas of interest out there. After you've gained a general understanding of the security world select an area you'd like to specialize in. Repeat ad infinitum. Bonus point of standing back after a while and trying to find ways to fit all the pieces together into a coherent and interoperable whole.

    • Linux is interesting because the are so many groups exploring alternative security models: privileges, acls, subdomain, SELinux, etc.
      This can't be a serious effort without any exploration of Pure capability systems. To me, that is the obvious security model.
      Shapiro has done extensive work documenting it, and even proving related stuff (I'm not into the exact details of his proof, but he proved part of his EROS [eros-os.org] design mathematically correct). EROS is a pure capability system, and I hope that in the future, people will utilize it as the obvious security solution.
  • Anyone know if something like this might be possible or easy:?

    Have a script that reads the Apache log in realtime. Whenever something gets cmd.exe or XXXX or NNNN or something like that, immediately block all communication with their IP with iptables?

    This is getting annoying...
    • You run the danger of blocking a request that's coming via a transparent proxy. Blocking it would block everyone behind that proxy.

      Comments?
      Dave
      • Well, I'm the unfortunate user of earthlink [I don't pay for the service, my roomate does, so I don't complain too much]. Here's my situation, which in a way doesn't allow me to do start blocking with iptables. I get a new IP every 12 hours or so, and majority of the infected machines are on earthlink/mindspring's networks. Blocking that would mean I could run into the possibility of blocking an IP which I could get assigned next, or my other machines were supposed to get. Yes, I could flush the iptables everytime I loose an IP, but wouldn't that be a bit pointless?
    • A few lines of Perl would do it. Very easy, but as stated previously, the implications are worth thinking about.
    • too late? (Score:3, Informative)

      by slashkitty ( 21637 )
      Wouldn't that be too late? Apache logs the request after it is successful. Some request for /path/to/shell/sh?rm+-rf+/ would only need one request, were that a real hole. Your log analysis would detect it, if the log file was even still there.


      Instead, your script would have to be a module or proxy that filters all incoming requests. And stops them before the trouble.

  • http://www.antioffline.com/ has interviews with the following. not as serious in nature, but funny and interesting if you're in the security industry.

    Attrition
    Dugsong
    Ghetto Hackers
    Hackweiser
    K2
    Lance Spitnzer
    Mixter
    Obecian
    Rain Forest Puppy
    ShadowVX
    s0ft Project
    Technotronic
    w00w00
  • and emphasizes that security is ongoing, not defeating any single problem.

    I agree this is true on *nix/Windows-like systems. But what about a system where every piece of code runs with a simple environment allowing it only the minimal privelege it needs? (EROS [eros-os.org])
    What about a system that extends this idea further, and makes sure that all code is compiled from a safe language? A system with no buffer overflows or pointer errors/overruns? (Vapour [sourceforge.net])

    I believe that a system like EROS would make actual breakins/control of a distant computer practically impossible.
    I believe that a system like Vapour would make ANY remote malicious operation practically impossible, if implemented right.

    Note that if you break into an EROS system's web server and even if you get some of your code to run on the remote host - the worst you can do is read HTML's and distribute content on port 80 (or whatever ports the server had access to), but nothing else.
    You can't really get any mailicious code to remotely run on a Vapour system at all.

    True Security IS defeating a single problem - that problem is the *nix fail-open design, and the lack of principle of least privelege. (In terms of security, Windows is a very similar design, both using ACL-type security, of attaching lists of "user"-based access to objects).

  • Apparently Aleph1 never heard of lint, bounds checker, and the like. Changing languages to make your apps more secure just shows your not much of a programmer to begin with. The right tool for the right job. C is often the right tool. Whether you shoot yourself in the foot with a Smith & Wesson or C, don't complain about the quality of the gun. Next time, stop pointing at your foot and you will be fine.
    • Apparently Aleph1 never heard of lint, bounds checker, and the like. Changing languages to make your apps more secure just shows your not much of a programmer to begin with. The right tool for the right job. C is often the right tool. Whether you shoot yourself in the foot with a Smith & Wesson or C, don't complain about the quality of the gun. Next time, stop pointing at your foot and you will be fine.

      I think Aleph1's approach is a bit more sound. Your approach preaches that all programmers should collectively change their [bad] programming habits and methods. While I agree with you that it's the "best" solution, I have to remind you and anyone else in your camp that it's also the least likely to occur.

      IMO, improvements in gcc that help compensate for such buffer overflows (read: improvements in the compiler/language) would go a lot further in clearing up all of these problems.

      Again, asking the world to change their methods is about as likely as asking the world to stop smoking cigarettes. The useless slobs ALREADY KNOW it's bad for them and all those around them. They simply do no care.

      • "I think Aleph1's approach is a bit more sound. Your approach preaches that all programmers should collectively change their [bad] programming habits and methods. While I agree with you that it's the "best" solution, I have to remind you and anyone else in your camp that it's also the least likely to occur."

        Of course your assumption is that everyone who is programming should be. The truth is only about 20% of those who program are competant enough to create commercial quality, secure apps. Those are the people 'in my camp.' Let the rest eat cake, seriously.

        "Again, asking the world to change their methods is about as likely as asking the world to stop smoking cigarettes. The useless slobs ALREADY KNOW it's bad for them and all those around them. They simply do no care. "

        And as a smoker, I hope you know what you are talking about elsewhere, because you have no clue what you are talking about here. This "lazy slob" is like most other smokers ... we would love to quit if we weren't addicted to Nicotine, which the AMA recognizes is a more difficult habit to quit than Heroin.
  • by lowflying ( 252232 ) on Tuesday September 18, 2001 @06:01PM (#2317878)
    In a previous lifestyle, I flew helicopters for the Army. As a newbie admin, other admins have seemed impressed by how paranoid I am that some box I am responsible for is going to get cracked. This has always been my explanation:
    The thing is, helicopters are different from planes. An airplane by it's nature wants to fly, and if not interfered with too strongly by unusual events or by a deliberately incompetent pilot, it will fly. A helicopter does not want to fly. It is maintained in the air by a variety of forces and controls working in opposition to each other, and if there is any disturbance in this delicate balance the helicopter stops flying; immediately and disastrously. There is no such thing as a gliding helicopter.

    This is why being a helicopter pilot is so different from being an airplane pilot, and why in generality, airplane pilots are open, clear-eyed, buoyant extroverts and helicopter pilots are brooding introspective anticipators of trouble. They know if something bad has not happened it is about to.
    -Harry Reasoner, February 16, 1971

    I just wonder what is different about the training of *nix admins that makes them recognize that vigilance must be eternal, while the admins of other OSes seem to assume everything will go right when that is clearly not the case.

    Dave
      • The Unix security philosophy is isolation except where allowed. The DOS security philosophy is that you can reboot when something goes wrong.
      • Unix admins are used to multi-user environments where users have to be isolated from each other.
      • Unix admins are used to permissions which allow control over inter-user capabilities.
      • Unix admins have been learning about and doing configuration of network servers for decades, so have more security awareness and skills.
      • Unix admins have more tools, so can more easily adjust their configuration because they're not dependent upon someone else having written a point-and-click tool which can do a desired change.
      • Unix admins more experienced and know that nobody and nothing is invulnerable.
      • by Anonymous Coward
        Unix admins may have had a grasp of multiuser systemffor decades, but they were blissfully unaware of Internet security issues until relatively recently. Protocols like NFS and NIS belie a far more trusting attitude than even MS's stuff from the late 80s, not to mention Novell. Standard demons like sendmail were essentially unmaintained until recently. It took an enormous amount of work for some people (including those who started BugTraq) to change the lazy security culture bred into the fat academic maintainers of Unix. You might like to believe that Unix has a 20 year headstart over Microsoft, but it's more like a 5 year headstart. They'll catch up.
    • > I just wonder what is different about the training
      > of *nix admins

      They need to learn a lot to get a Unix system going well. They are forced to read documentation. In that documentation, the author has a chance to tell the admin about security and its importance.
  • Is that Hebrew for "steak sauce"?
  • From H.P. Lovecraft's "The Case of Charles Dexter Ward":

    It ran as follows, and experts have told Dr. Willett that its very close analogue can be found in the mystic writings of "Eliphas Levi", that cryptic soul who crept through a crack in the forbidden door and glimpsed the frightful vistas of the void beyond:
    'Per Adonai Eloim, Adonai Jehova,

    Adonai Sabaoth, Metraton On Agla Mathon,
    verbum pythonicum, mysterium salamandrae,
    conventus sylvorum, antra gnomorum,
    daemonia Coeli God, Almonsin, Gibor, Jehosua,
    Evam, Zariatnatmik, veni, veni, veni.'

    Eliphas Levi? Elias Levy? The name is just too similar, sounds like someone who came back from Beyond ye Spheres as his own grandson or something. I bet this Levy guy is over 300 years old.

  • One of the most interesting reads I've ever come across was the PC Week crack [hispahack.ccc.de]. Just cool to see what he went through, his thoughts/ideas, and especially his thought process.
  • Anyone know of a site listing the various linux distro's default settings from a typical install? You know the install I mean, the one performed by newbies that lets inetd fire off multiple servers for no good reason. It should be an interesting comparison, maybe even worthwhile if it is up to date and accurate. I think that would actually be a decision point for newbies who look before they leap, they certainly do not need to run a ton of servers that they do not understand.
  • I found his replies a bit contardictory:
    "Conversely, a good admin is capable to hardening a sloppy OS."
    while
    "...we can place great efforts into teaching people how to avoid buffer overflows in languages such as C it is likely they
    will introduce them into their programs" anyway.

Some people manage by the book, even though they don't know who wrote the book or even what book.

Working...