Slashdot Mirror

First time accepted submitter scottbee writes "A major New York intellectual property lawfirm has filed a $1m lawsuit against domain squatter/security researcher Wesley Kenzie (aka Securikai). Kenzie registered domain names to collect misaddressed email, and then holding companies to ransom claiming he had found security vulnerabilities and would consult for five figure engagements. Lockheed Martin handled it with a simple UDRP, but the Gioconda Law Group decided instead to file a lawsuit for 'cybersquatting, trademark infringement and unlawful interception of a law firm's private electronic communications in violation of federal laws,' along with a permanent injunction. Kenzie had also tried the same tactic against Rapid7's HDMoore, but was shamed out of the domain names earlier this year."

A recent rant up at Attrition.org highlights problems with the responsible disclosure of security issues. While some vendors are happy to do their own research and patch reported problems, others drag their feet and make unreasonable demands on a researcher's time and effort, making anonymous public disclosure an ever-more-tempting option. Quoting: "After a couple hours of poking, I found a huge unauthenticated confidentiality hole. Once the euphoria wore off, I realized I had a big problem on my hands. I had to tell my employer's app owners and we had to assess risk and make a decision on what to do about it. After some quick meetings with stakeholders, we decided to severely limit access to the thing while we worked with the vendor. The vendor refused to acknowledge it was a security issue. Odd, considering most everyone who sees the issue unmistakably agrees that it is not acceptable. Now I'm forced to play hardball, yet nobody wants to fully-disclose and destroy relations with this vendor, whose software is somewhat relied on. Meanwhile, I know there are hundreds of institutions, small and large, using this software who have no idea that it has flawed security and who would probably not find the risk acceptable. What can I do? Nothing. Oh well, sucks to be them. ... I've had a vendor tell me to put a webapp firewall in front of their software. Did they offer to pay for it? No. That would be like Toyota telling its customers to buy ejector seats (unsubsidized ejector seats, that is) to resolve the accelerator problem in their vehicles. I've had other vendors demand I spend time helping them understand the issue, basically consulting for free for them. Have you ever knocked on a neighbor's door to tell them they left their headlights on? Did they then require you to cook them dinner? Exactly..."

An anonymous reader points out an announcement up at Attrition.org, that going forward their Data Loss Database will be taken over and maintained by the Open Security Foundation. From the news release: "...OSF is pleased to announce that the DataLossDB (also known as the Data Loss Database — Open Source [DLDOS] currently run by Attrition.org) will be formally maintained as an ongoing project under the OSF umbrella organization as of July 15, 2008... The project's core mission is to track the loss or theft of personally identifying information not just from the United States, but across the world. As of June 4, 2008, DataLossDB contains information on over 1,000 breaches of personal identifying information covering over 330 million records. The... DataLossDB will be free for download and use in non-profit work and research. The new website launch builds off of the current data set and provides an extensive list of new features."

An anonymous reader points out an announcement up at Attrition.org, that going forward their Data Loss Database will be taken over and maintained by the Open Security Foundation. From the news release: "...OSF is pleased to announce that the DataLossDB (also known as the Data Loss Database — Open Source [DLDOS] currently run by Attrition.org) will be formally maintained as an ongoing project under the OSF umbrella organization as of July 15, 2008... The project's core mission is to track the loss or theft of personally identifying information not just from the United States, but across the world. As of June 4, 2008, DataLossDB contains information on over 1,000 breaches of personal identifying information covering over 330 million records. The... DataLossDB will be free for download and use in non-profit work and research. The new website launch builds off of the current data set and provides an extensive list of new features."

Noryungi writes "It seems as though a Republican Communications Director contacted Attrition.org, trying to hire hackers to improve his educational records. I don't know what is his dumbest move: (a) contacting Attrition in the first place, (b) using a real name Yahoo email address or (c) speaking at length about what he needed? Kudos to the Attrition crew for posting the whole email dialogue online! A sample from the conversation: 'Jericho: First, let's be clear. You are soliciting me to break the law and hack into a computer across state lines. That is a federal offense and multiple felonies. Obviously I can't trust anyone and everyone that mails such a request, you might be an FBI agent, right? So, I need three things to make this happen: 1. A picture of a squirrel or pigeon on your campus. One close-up, one with background that shows buildings, a sign, or something to indicate you are standing on the campus. 2. The information I mentioned so I can find the records once I get into the database. 3. Some idea of what I get for all my trouble.'"

An anonymous reader writes "Dark Reading and SC Magazine covered a story about hackers posting cross-site scripting (XSS) vulnerabilies en mass on dozens of high profile websites including Dell, MSN, HP, Apple, Myspace, YouTube, MSN, Cingular, etc. The media coverage drew the hacker's attention to the publication's websites where they got a taste first-hand. On message board wall-of-shame is PC World, MacWorld, Fox News, the Independent, and ZDNet UK. "...not only did we get the "scoop" on the XSS site problems, but we also got the message loud and clear: Don't assume you're immune to XSS vulnerabilities. They're everywhere." The news comes shortly after Mitre (CVE) released statistics showing XSS has become the most popular exploit. Unfortunately new XSS attacks are growing increasingly severe and scanners are unable to find many of the issues on modern websites."

roj3 writes "PCWorld and other sources are covering the story of how the Republican Party outsourced work on their massive Voter Vault project to India. "When the Republican Party clinched close gubernatorial races in Mississippi and Kentucky in 2003, it relied heavily on its Voter Vault database to get people to the voting booths. Though party officials are tight-lipped about what's inside the Vault, they've acknowledged it contains records on an estimated 168 million voters. ... PC World has recently learned that the major development work on the Voter Vault was done in India." The work, done by Compulink Systems of Maharashtra, occurred during the same time that a Russian hacker (RyDen) compromised their site. Thankfully, they are pretty sure that no data was compromised. Who do you trust less with your personal information, marketers or politicians?"

jyre writes "ZDNet Australia has a special report that profiles and interviews five hackers over the next five days. Day 1: Raven Alder's page is up now (inludes photos). Day 2 will be Attrion.org creator, Jericho. Day 3: Adrian Lamo. Day 4: Kevin Mitnick and Day 5: L0phtCrack creator, Mudge."

jaroslav writes "There is a great article over at Attrition about the problem of anti-virus related spam. I don't know if we should all start reporting this to the government, but telling the companies themselves that this should stop might get some results."

prec asks: "One of my goals for my post-university life is to start my own High Speed Internet provider. The plan is to find a decent sized residential area that does not currently have such a service available and start my business there. However, one major problem presents itself - How in the world could I start my own cable company? Would I actually have to lay my own cable lines and everything or do the big companies (such as Comcast) have services set up for people to start their own 'Comcast Franchise' type businesses? All feedback is appreciated."

webword writes: "Attrition.org has decided to stop updating their defacement mirror. Their decision is based on problems associated with the rapid increase in web defacement activity. They don't have the time, energy, or money to keep it updated. Fortunately, the image gallery, music reviews, movie reviews, poetry, and contests, will receive more attention." Those things are certainly more interesting to me than who's scribbling where, and it was becoming no fun for the attrition.org folks to keep up with them.

Do you remember the Piranha debacle back in April? Welcome to Part II. Last Tuesday, it was revealed that Microsoft SQL Server 7.0 is shipped with a default password - just like Red Hat's piranha module. Unlike Piranha, SQL Server is very common software for large e-business websites. Unlike Piranha, the vulnerable software has been shipping for months. Unlike Red Hat, Microsoft refuses to take responsibility for their mistake, which, unlike Red Hat's, has resulted in actual documented break-ins, some at high-profile websites. So why haven't you read about it?

Because unlike Red Hat, Microsoft is getting a pass by the media.

Piranha is web clustering/failover software that was released in April by Red Hat without much QA. It somehow went out the door with a default password ("Q") and without docs explaining in big bold caps that it must be changed. If you installed the Piranha RPM without reading the docs carefully, you had a security hole on your site.

The hole allowed an attacker to come in over port 80 and execute arbitrary commands as the Piranha user, which would have been the web user. Typically that's a nonprivileged "nobody" account. While this is never good, let's just note for the record that this is a read-only exploit unless the webserver is very poorly configured.

The media flipped, in a word, out.

Piranha: A Case Study

On April 25, Computerworld announced that the "backdoor password ... could allow an attacker to compromise a Web server and deface and destroy a Web site." Informationweek and Internetweek both warned about "a back-door security flaw that carries ISS's highest danger rating." MSNBC/ZDNET ran the story as "Red Hat Linux open to backdoor password" and explained "there's a backdoor account in Red Hat's Linux that would let a computer intruder access and alter files." The Standard's early report on April 25 wasn't too bad but attacked -- as all reports did to some degree -- the strawman myth that open source is inherently secure. At least it didn't use the word "backdoor." Newsbytes was pretty much the same.

"Backdoor" implies that the flaw was deliberately inserted, by a thoughtless or even malicious programmer. Why did most stories incorrectly use that word? Mostly because that was how it was described in the press release. A security firm called Internet Security Systems found the flaw on April 24 and sent out a security advisory that used the term four times by the end of the first paragraph.

ISS also made some interesting statements when speaking to the press about the vulnerability. Oft-quoted was a line about open-source being both a blessing and a curse (the media loves "on the one hand, on the other hand"). I also liked this comment from their research director:

"There's limited quality assurance in the open-source environment," says Rouland, "because open-source software is basically a bunch of peoples' hobby."

Of the early stories about Piranha, the best one I found was Henry Kingman's ZDNet piece on April 24 (both early and accurate: amazing). CNET's on April 25 wasn't bad either, though they let ISS lay down the anti-open-source and pro-Microsoft propaganda a little thick.

In the days to come, the story didn't change much except to note that Red Hat -- correctly, as it turned out -- denied the seriousness of the vulnerability and tried to explain that it wasn't really a backdoor. Inter@ctive Week's Charles Babcock did such a piece on May 1.

Computer Reseller News still called it a backdoor on April 27. And NetworkWorldFusion's report and Informationweek's followup both came out on May 1, both got the important facts right, but both still called it a backdoor.

ClieNT Server News ran an article in their May issue explaining "Red Hat Red-Faced." I'm not about to pay to read the whole thing. The free synopsis that's available smirks at how "embarrassed" the company must be, and ends: "It seems that Red Hat left a back door in," dot, dot, dot.

The Standard had a second, fair piece that eschewed the term and even, after quoting the line about open-source being a "hobby," gently suggested otherwise.

But the gold stars go to just two good reports. SecurityFocus' Elias Levy, on May 1, turned the spotlight on ISS by pointing out how they "...can make headlines by using the right jargon, even when it's wrong." And Linux World News' Liz Coolbaugh, who had weighed in a few days earlier, questioning the media's coverage in her story "Red Hat Security Hole Not a 'Backdoor'."

If you find any more stories about Piranha, post them below. The Red Hat-bashing pretty much came to a halt a week later, when a little Microsoft-specific email virus named "ILOVEYOU" did a few billion dollars' worth of damage.

(Breaking news: all charges dropped; to quote 10,000 Maniacs, "who ya wanna blame?")

Microsoft SQL Server 7.0

You've heard about the SQL Server vulnerability, right? The one found on Tuesday, six days ago?

Well, no, you probably haven't, unless you read NTBugtraq. Even the maintainer of SecurityPortal's Microsoft Security Digest missed it this week (don't worry: I dropped him a note, he added it).

As the cracker Herbless describes it:

"It has come to light that it is now common knowledge that MS-SQL has a blank 'sa' password by default. This seems to affect a _lot_ of servers on the internet."

A default password vulnerability? Sounds familiar, doesn't it?

Here's Herbless's description and exploit code, posted to BugTraq last Tuesday. And here's Microsoft's acknowledgement, posted on Thursday.

Herbless wasn't kidding when he said it affected a lot of servers. If you're running SQL Server 7.0, with a firewall that doesn't block its port, and you haven't changed the sysadmin password, you're vulnerable.

As he described it to me, unlike Piranha's vulnerability which gave read-only access as an unprivileged user, this one typically gives access as "BUILTIN\System." I don't speak NT, so he had to describe to me what this is: "god-like powers ... greater that those of even the 'Administrator' user."

In other words, you have been 0wn3d.

You may be thinking that this is a vulnerability. Go back and read Microsoft's acknowledgement again. They say quite clearly, "The code does not exploit a vulnerability."

Does it confuse you that what was previously a "backdoor" is now not even a "vulnerability"? That threw me for a loop too -- as well as some of Microsoft's other disclaimers, which only make sense when you realize you're reading non-sequiturs about the newer version SQL Server 2000 (the vulnerability only affects SQL Server 7.0).

All will become clear, though, once you read this story from vnunet.com -- the only media story I've seen, by the way. The fault lies with the website administrators:

"Hacked websites 'didn't read the manual'

"Microsoft has blamed administrator error, rather than a bug in its software, for leaving hundreds of websites running SQL server open to attack this week."

Did they say hundreds? Yes, hundreds, at the very least. And did they say "hacked websites"? Yes -- this is not a theoretical vulnerability with no known attacks, like Piranha was.

All this month, Herbless has been cracking into websites like the National Transportation Safety Board and leaving edgy political messages (while backing up the original files and telling the admins how to close the holes). He confirmed to me that all his attacks, including the Fish and Wildlife Service, the UK's Adult Learning Inspectorate, and the Commonwealth Telecommunications Organisation, were done by exploiting Microsoft SQL Server.

Just to make the story that much better, according to Herbless, the default configuration of SQL Server 7.0 also has logging turned off -- in which case a successful attack would leave few if any tracks.

Sites are lucky if their webpages are hijacked; that way they know to fix the problem, format and reinstall. But some of those "hundreds" of websites running the vulnerable installation have surely been cracked by black hats who quietly installed Back Orifice or a similar remote-exploit program. They can set an SQL Server password, but it won't help them: they'll still be 0wn3d.

The proper fix would be to force the password to be changed before the software can be used, as piranha now does. Wayne Sowery of MIS Corporate Defence Solutions confirmed for me that "versions up to SQL Server 2000 do not ask for the SA password during installation ... we also tried various install options such as 'typical' and 'custom,' neither prompted for a new SA password." Incidentally, he too questions whether this is properly described as a "vulnerability," but I'm not sure what else it could be called.

The lesson here is that the media doesn't treat security reports very fairly. Some organizations have their own selfish reasons to push one agenda or another. (Like Slashdot? You bet. But you know where we stand.)

The motive doesn't have to be that devious, though sometimes, of course, it is. If a reporter gets to write a story that questions a core belief of Linux zealots -- whether or not it's actually a core belief, and whether or not they're actually zealots -- that will be much more attractive than simply reporting security news. The nitty-gritty of security news, after all, is rather dry.

So next time you see a biased polemic about system security, or even a small media feeding frenzy about the latest exploit, take a moment to ask why it's being reported outside of the admins' mailing lists. Open source software is still a new idea to many in the traditional news media, and that means that it's a hook for them to hang any kind of story on -- good or bad.

Do you remember the Piranha debacle back in April? Welcome to Part II. Last Tuesday, it was revealed that Microsoft SQL Server 7.0 is shipped with a default password - just like Red Hat's piranha module. Unlike Piranha, SQL Server is very common software for large e-business websites. Unlike Piranha, the vulnerable software has been shipping for months. Unlike Red Hat, Microsoft refuses to take responsibility for their mistake, which, unlike Red Hat's, has resulted in actual documented break-ins, some at high-profile websites. So why haven't you read about it?

Because unlike Red Hat, Microsoft is getting a pass by the media.

Piranha is web clustering/failover software that was released in April by Red Hat without much QA. It somehow went out the door with a default password ("Q") and without docs explaining in big bold caps that it must be changed. If you installed the Piranha RPM without reading the docs carefully, you had a security hole on your site.

The hole allowed an attacker to come in over port 80 and execute arbitrary commands as the Piranha user, which would have been the web user. Typically that's a nonprivileged "nobody" account. While this is never good, let's just note for the record that this is a read-only exploit unless the webserver is very poorly configured.

The media flipped, in a word, out.

Piranha: A Case Study

On April 25, Computerworld announced that the "backdoor password ... could allow an attacker to compromise a Web server and deface and destroy a Web site." Informationweek and Internetweek both warned about "a back-door security flaw that carries ISS's highest danger rating." MSNBC/ZDNET ran the story as "Red Hat Linux open to backdoor password" and explained "there's a backdoor account in Red Hat's Linux that would let a computer intruder access and alter files." The Standard's early report on April 25 wasn't too bad but attacked -- as all reports did to some degree -- the strawman myth that open source is inherently secure. At least it didn't use the word "backdoor." Newsbytes was pretty much the same.

"Backdoor" implies that the flaw was deliberately inserted, by a thoughtless or even malicious programmer. Why did most stories incorrectly use that word? Mostly because that was how it was described in the press release. A security firm called Internet Security Systems found the flaw on April 24 and sent out a security advisory that used the term four times by the end of the first paragraph.

ISS also made some interesting statements when speaking to the press about the vulnerability. Oft-quoted was a line about open-source being both a blessing and a curse (the media loves "on the one hand, on the other hand"). I also liked this comment from their research director:

"There's limited quality assurance in the open-source environment," says Rouland, "because open-source software is basically a bunch of peoples' hobby."

Of the early stories about Piranha, the best one I found was Henry Kingman's ZDNet piece on April 24 (both early and accurate: amazing). CNET's on April 25 wasn't bad either, though they let ISS lay down the anti-open-source and pro-Microsoft propaganda a little thick.

In the days to come, the story didn't change much except to note that Red Hat -- correctly, as it turned out -- denied the seriousness of the vulnerability and tried to explain that it wasn't really a backdoor. Inter@ctive Week's Charles Babcock did such a piece on May 1.

Computer Reseller News still called it a backdoor on April 27. And NetworkWorldFusion's report and Informationweek's followup both came out on May 1, both got the important facts right, but both still called it a backdoor.

ClieNT Server News ran an article in their May issue explaining "Red Hat Red-Faced." I'm not about to pay to read the whole thing. The free synopsis that's available smirks at how "embarrassed" the company must be, and ends: "It seems that Red Hat left a back door in," dot, dot, dot.

The Standard had a second, fair piece that eschewed the term and even, after quoting the line about open-source being a "hobby," gently suggested otherwise.

But the gold stars go to just two good reports. SecurityFocus' Elias Levy, on May 1, turned the spotlight on ISS by pointing out how they "...can make headlines by using the right jargon, even when it's wrong." And Linux World News' Liz Coolbaugh, who had weighed in a few days earlier, questioning the media's coverage in her story "Red Hat Security Hole Not a 'Backdoor'."

If you find any more stories about Piranha, post them below. The Red Hat-bashing pretty much came to a halt a week later, when a little Microsoft-specific email virus named "ILOVEYOU" did a few billion dollars' worth of damage.

(Breaking news: all charges dropped; to quote 10,000 Maniacs, "who ya wanna blame?")

Microsoft SQL Server 7.0

You've heard about the SQL Server vulnerability, right? The one found on Tuesday, six days ago?

Well, no, you probably haven't, unless you read NTBugtraq. Even the maintainer of SecurityPortal's Microsoft Security Digest missed it this week (don't worry: I dropped him a note, he added it).

As the cracker Herbless describes it:

"It has come to light that it is now common knowledge that MS-SQL has a blank 'sa' password by default. This seems to affect a _lot_ of servers on the internet."

A default password vulnerability? Sounds familiar, doesn't it?

Here's Herbless's description and exploit code, posted to BugTraq last Tuesday. And here's Microsoft's acknowledgement, posted on Thursday.

Herbless wasn't kidding when he said it affected a lot of servers. If you're running SQL Server 7.0, with a firewall that doesn't block its port, and you haven't changed the sysadmin password, you're vulnerable.

As he described it to me, unlike Piranha's vulnerability which gave read-only access as an unprivileged user, this one typically gives access as "BUILTIN\System." I don't speak NT, so he had to describe to me what this is: "god-like powers ... greater that those of even the 'Administrator' user."

In other words, you have been 0wn3d.

You may be thinking that this is a vulnerability. Go back and read Microsoft's acknowledgement again. They say quite clearly, "The code does not exploit a vulnerability."

Does it confuse you that what was previously a "backdoor" is now not even a "vulnerability"? That threw me for a loop too -- as well as some of Microsoft's other disclaimers, which only make sense when you realize you're reading non-sequiturs about the newer version SQL Server 2000 (the vulnerability only affects SQL Server 7.0).

All will become clear, though, once you read this story from vnunet.com -- the only media story I've seen, by the way. The fault lies with the website administrators:

"Hacked websites 'didn't read the manual'

"Microsoft has blamed administrator error, rather than a bug in its software, for leaving hundreds of websites running SQL server open to attack this week."

Did they say hundreds? Yes, hundreds, at the very least. And did they say "hacked websites"? Yes -- this is not a theoretical vulnerability with no known attacks, like Piranha was.

All this month, Herbless has been cracking into websites like the National Transportation Safety Board and leaving edgy political messages (while backing up the original files and telling the admins how to close the holes). He confirmed to me that all his attacks, including the Fish and Wildlife Service, the UK's Adult Learning Inspectorate, and the Commonwealth Telecommunications Organisation, were done by exploiting Microsoft SQL Server.

Just to make the story that much better, according to Herbless, the default configuration of SQL Server 7.0 also has logging turned off -- in which case a successful attack would leave few if any tracks.

Sites are lucky if their webpages are hijacked; that way they know to fix the problem, format and reinstall. But some of those "hundreds" of websites running the vulnerable installation have surely been cracked by black hats who quietly installed Back Orifice or a similar remote-exploit program. They can set an SQL Server password, but it won't help them: they'll still be 0wn3d.

The proper fix would be to force the password to be changed before the software can be used, as piranha now does. Wayne Sowery of MIS Corporate Defence Solutions confirmed for me that "versions up to SQL Server 2000 do not ask for the SA password during installation ... we also tried various install options such as 'typical' and 'custom,' neither prompted for a new SA password." Incidentally, he too questions whether this is properly described as a "vulnerability," but I'm not sure what else it could be called.

The lesson here is that the media doesn't treat security reports very fairly. Some organizations have their own selfish reasons to push one agenda or another. (Like Slashdot? You bet. But you know where we stand.)

The motive doesn't have to be that devious, though sometimes, of course, it is. If a reporter gets to write a story that questions a core belief of Linux zealots -- whether or not it's actually a core belief, and whether or not they're actually zealots -- that will be much more attractive than simply reporting security news. The nitty-gritty of security news, after all, is rather dry.

So next time you see a biased polemic about system security, or even a small media feeding frenzy about the latest exploit, take a moment to ask why it's being reported outside of the admins' mailing lists. Open source software is still a new idea to many in the traditional news media, and that means that it's a hook for them to hang any kind of story on -- good or bad.

Do you remember the Piranha debacle back in April? Welcome to Part II. Last Tuesday, it was revealed that Microsoft SQL Server 7.0 is shipped with a default password - just like Red Hat's piranha module. Unlike Piranha, SQL Server is very common software for large e-business websites. Unlike Piranha, the vulnerable software has been shipping for months. Unlike Red Hat, Microsoft refuses to take responsibility for their mistake, which, unlike Red Hat's, has resulted in actual documented break-ins, some at high-profile websites. So why haven't you read about it?

Because unlike Red Hat, Microsoft is getting a pass by the media.

Piranha is web clustering/failover software that was released in April by Red Hat without much QA. It somehow went out the door with a default password ("Q") and without docs explaining in big bold caps that it must be changed. If you installed the Piranha RPM without reading the docs carefully, you had a security hole on your site.

The hole allowed an attacker to come in over port 80 and execute arbitrary commands as the Piranha user, which would have been the web user. Typically that's a nonprivileged "nobody" account. While this is never good, let's just note for the record that this is a read-only exploit unless the webserver is very poorly configured.

The media flipped, in a word, out.

Piranha: A Case Study

On April 25, Computerworld announced that the "backdoor password ... could allow an attacker to compromise a Web server and deface and destroy a Web site." Informationweek and Internetweek both warned about "a back-door security flaw that carries ISS's highest danger rating." MSNBC/ZDNET ran the story as "Red Hat Linux open to backdoor password" and explained "there's a backdoor account in Red Hat's Linux that would let a computer intruder access and alter files." The Standard's early report on April 25 wasn't too bad but attacked -- as all reports did to some degree -- the strawman myth that open source is inherently secure. At least it didn't use the word "backdoor." Newsbytes was pretty much the same.

"Backdoor" implies that the flaw was deliberately inserted, by a thoughtless or even malicious programmer. Why did most stories incorrectly use that word? Mostly because that was how it was described in the press release. A security firm called Internet Security Systems found the flaw on April 24 and sent out a security advisory that used the term four times by the end of the first paragraph.

ISS also made some interesting statements when speaking to the press about the vulnerability. Oft-quoted was a line about open-source being both a blessing and a curse (the media loves "on the one hand, on the other hand"). I also liked this comment from their research director:

"There's limited quality assurance in the open-source environment," says Rouland, "because open-source software is basically a bunch of peoples' hobby."

Of the early stories about Piranha, the best one I found was Henry Kingman's ZDNet piece on April 24 (both early and accurate: amazing). CNET's on April 25 wasn't bad either, though they let ISS lay down the anti-open-source and pro-Microsoft propaganda a little thick.

In the days to come, the story didn't change much except to note that Red Hat -- correctly, as it turned out -- denied the seriousness of the vulnerability and tried to explain that it wasn't really a backdoor. Inter@ctive Week's Charles Babcock did such a piece on May 1.

Computer Reseller News still called it a backdoor on April 27. And NetworkWorldFusion's report and Informationweek's followup both came out on May 1, both got the important facts right, but both still called it a backdoor.

ClieNT Server News ran an article in their May issue explaining "Red Hat Red-Faced." I'm not about to pay to read the whole thing. The free synopsis that's available smirks at how "embarrassed" the company must be, and ends: "It seems that Red Hat left a back door in," dot, dot, dot.

The Standard had a second, fair piece that eschewed the term and even, after quoting the line about open-source being a "hobby," gently suggested otherwise.

But the gold stars go to just two good reports. SecurityFocus' Elias Levy, on May 1, turned the spotlight on ISS by pointing out how they "...can make headlines by using the right jargon, even when it's wrong." And Linux World News' Liz Coolbaugh, who had weighed in a few days earlier, questioning the media's coverage in her story "Red Hat Security Hole Not a 'Backdoor'."

If you find any more stories about Piranha, post them below. The Red Hat-bashing pretty much came to a halt a week later, when a little Microsoft-specific email virus named "ILOVEYOU" did a few billion dollars' worth of damage.

(Breaking news: all charges dropped; to quote 10,000 Maniacs, "who ya wanna blame?")

Microsoft SQL Server 7.0

You've heard about the SQL Server vulnerability, right? The one found on Tuesday, six days ago?

Well, no, you probably haven't, unless you read NTBugtraq. Even the maintainer of SecurityPortal's Microsoft Security Digest missed it this week (don't worry: I dropped him a note, he added it).

As the cracker Herbless describes it:

"It has come to light that it is now common knowledge that MS-SQL has a blank 'sa' password by default. This seems to affect a _lot_ of servers on the internet."

A default password vulnerability? Sounds familiar, doesn't it?

Here's Herbless's description and exploit code, posted to BugTraq last Tuesday. And here's Microsoft's acknowledgement, posted on Thursday.

Herbless wasn't kidding when he said it affected a lot of servers. If you're running SQL Server 7.0, with a firewall that doesn't block its port, and you haven't changed the sysadmin password, you're vulnerable.

As he described it to me, unlike Piranha's vulnerability which gave read-only access as an unprivileged user, this one typically gives access as "BUILTIN\System." I don't speak NT, so he had to describe to me what this is: "god-like powers ... greater that those of even the 'Administrator' user."

In other words, you have been 0wn3d.

You may be thinking that this is a vulnerability. Go back and read Microsoft's acknowledgement again. They say quite clearly, "The code does not exploit a vulnerability."

Does it confuse you that what was previously a "backdoor" is now not even a "vulnerability"? That threw me for a loop too -- as well as some of Microsoft's other disclaimers, which only make sense when you realize you're reading non-sequiturs about the newer version SQL Server 2000 (the vulnerability only affects SQL Server 7.0).

All will become clear, though, once you read this story from vnunet.com -- the only media story I've seen, by the way. The fault lies with the website administrators:

"Hacked websites 'didn't read the manual'

"Microsoft has blamed administrator error, rather than a bug in its software, for leaving hundreds of websites running SQL server open to attack this week."

Did they say hundreds? Yes, hundreds, at the very least. And did they say "hacked websites"? Yes -- this is not a theoretical vulnerability with no known attacks, like Piranha was.

All this month, Herbless has been cracking into websites like the National Transportation Safety Board and leaving edgy political messages (while backing up the original files and telling the admins how to close the holes). He confirmed to me that all his attacks, including the Fish and Wildlife Service, the UK's Adult Learning Inspectorate, and the Commonwealth Telecommunications Organisation, were done by exploiting Microsoft SQL Server.

Just to make the story that much better, according to Herbless, the default configuration of SQL Server 7.0 also has logging turned off -- in which case a successful attack would leave few if any tracks.

Sites are lucky if their webpages are hijacked; that way they know to fix the problem, format and reinstall. But some of those "hundreds" of websites running the vulnerable installation have surely been cracked by black hats who quietly installed Back Orifice or a similar remote-exploit program. They can set an SQL Server password, but it won't help them: they'll still be 0wn3d.

The proper fix would be to force the password to be changed before the software can be used, as piranha now does. Wayne Sowery of MIS Corporate Defence Solutions confirmed for me that "versions up to SQL Server 2000 do not ask for the SA password during installation ... we also tried various install options such as 'typical' and 'custom,' neither prompted for a new SA password." Incidentally, he too questions whether this is properly described as a "vulnerability," but I'm not sure what else it could be called.

The lesson here is that the media doesn't treat security reports very fairly. Some organizations have their own selfish reasons to push one agenda or another. (Like Slashdot? You bet. But you know where we stand.)

The motive doesn't have to be that devious, though sometimes, of course, it is. If a reporter gets to write a story that questions a core belief of Linux zealots -- whether or not it's actually a core belief, and whether or not they're actually zealots -- that will be much more attractive than simply reporting security news. The nitty-gritty of security news, after all, is rather dry.

So next time you see a biased polemic about system security, or even a small media feeding frenzy about the latest exploit, take a moment to ask why it's being reported outside of the admins' mailing lists. Open source software is still a new idea to many in the traditional news media, and that means that it's a hook for them to hang any kind of story on -- good or bad.

Do you remember the Piranha debacle back in April? Welcome to Part II. Last Tuesday, it was revealed that Microsoft SQL Server 7.0 is shipped with a default password - just like Red Hat's piranha module. Unlike Piranha, SQL Server is very common software for large e-business websites. Unlike Piranha, the vulnerable software has been shipping for months. Unlike Red Hat, Microsoft refuses to take responsibility for their mistake, which, unlike Red Hat's, has resulted in actual documented break-ins, some at high-profile websites. So why haven't you read about it?

Because unlike Red Hat, Microsoft is getting a pass by the media.

Piranha is web clustering/failover software that was released in April by Red Hat without much QA. It somehow went out the door with a default password ("Q") and without docs explaining in big bold caps that it must be changed. If you installed the Piranha RPM without reading the docs carefully, you had a security hole on your site.

The hole allowed an attacker to come in over port 80 and execute arbitrary commands as the Piranha user, which would have been the web user. Typically that's a nonprivileged "nobody" account. While this is never good, let's just note for the record that this is a read-only exploit unless the webserver is very poorly configured.

The media flipped, in a word, out.

Piranha: A Case Study

On April 25, Computerworld announced that the "backdoor password ... could allow an attacker to compromise a Web server and deface and destroy a Web site." Informationweek and Internetweek both warned about "a back-door security flaw that carries ISS's highest danger rating." MSNBC/ZDNET ran the story as "Red Hat Linux open to backdoor password" and explained "there's a backdoor account in Red Hat's Linux that would let a computer intruder access and alter files." The Standard's early report on April 25 wasn't too bad but attacked -- as all reports did to some degree -- the strawman myth that open source is inherently secure. At least it didn't use the word "backdoor." Newsbytes was pretty much the same.

"Backdoor" implies that the flaw was deliberately inserted, by a thoughtless or even malicious programmer. Why did most stories incorrectly use that word? Mostly because that was how it was described in the press release. A security firm called Internet Security Systems found the flaw on April 24 and sent out a security advisory that used the term four times by the end of the first paragraph.

ISS also made some interesting statements when speaking to the press about the vulnerability. Oft-quoted was a line about open-source being both a blessing and a curse (the media loves "on the one hand, on the other hand"). I also liked this comment from their research director:

"There's limited quality assurance in the open-source environment," says Rouland, "because open-source software is basically a bunch of peoples' hobby."

Of the early stories about Piranha, the best one I found was Henry Kingman's ZDNet piece on April 24 (both early and accurate: amazing). CNET's on April 25 wasn't bad either, though they let ISS lay down the anti-open-source and pro-Microsoft propaganda a little thick.

In the days to come, the story didn't change much except to note that Red Hat -- correctly, as it turned out -- denied the seriousness of the vulnerability and tried to explain that it wasn't really a backdoor. Inter@ctive Week's Charles Babcock did such a piece on May 1.

Computer Reseller News still called it a backdoor on April 27. And NetworkWorldFusion's report and Informationweek's followup both came out on May 1, both got the important facts right, but both still called it a backdoor.

ClieNT Server News ran an article in their May issue explaining "Red Hat Red-Faced." I'm not about to pay to read the whole thing. The free synopsis that's available smirks at how "embarrassed" the company must be, and ends: "It seems that Red Hat left a back door in," dot, dot, dot.

The Standard had a second, fair piece that eschewed the term and even, after quoting the line about open-source being a "hobby," gently suggested otherwise.

But the gold stars go to just two good reports. SecurityFocus' Elias Levy, on May 1, turned the spotlight on ISS by pointing out how they "...can make headlines by using the right jargon, even when it's wrong." And Linux World News' Liz Coolbaugh, who had weighed in a few days earlier, questioning the media's coverage in her story "Red Hat Security Hole Not a 'Backdoor'."

If you find any more stories about Piranha, post them below. The Red Hat-bashing pretty much came to a halt a week later, when a little Microsoft-specific email virus named "ILOVEYOU" did a few billion dollars' worth of damage.

(Breaking news: all charges dropped; to quote 10,000 Maniacs, "who ya wanna blame?")

Microsoft SQL Server 7.0

You've heard about the SQL Server vulnerability, right? The one found on Tuesday, six days ago?

Well, no, you probably haven't, unless you read NTBugtraq. Even the maintainer of SecurityPortal's Microsoft Security Digest missed it this week (don't worry: I dropped him a note, he added it).

As the cracker Herbless describes it:

"It has come to light that it is now common knowledge that MS-SQL has a blank 'sa' password by default. This seems to affect a _lot_ of servers on the internet."

A default password vulnerability? Sounds familiar, doesn't it?

Here's Herbless's description and exploit code, posted to BugTraq last Tuesday. And here's Microsoft's acknowledgement, posted on Thursday.

Herbless wasn't kidding when he said it affected a lot of servers. If you're running SQL Server 7.0, with a firewall that doesn't block its port, and you haven't changed the sysadmin password, you're vulnerable.

As he described it to me, unlike Piranha's vulnerability which gave read-only access as an unprivileged user, this one typically gives access as "BUILTIN\System." I don't speak NT, so he had to describe to me what this is: "god-like powers ... greater that those of even the 'Administrator' user."

In other words, you have been 0wn3d.

You may be thinking that this is a vulnerability. Go back and read Microsoft's acknowledgement again. They say quite clearly, "The code does not exploit a vulnerability."

Does it confuse you that what was previously a "backdoor" is now not even a "vulnerability"? That threw me for a loop too -- as well as some of Microsoft's other disclaimers, which only make sense when you realize you're reading non-sequiturs about the newer version SQL Server 2000 (the vulnerability only affects SQL Server 7.0).

All will become clear, though, once you read this story from vnunet.com -- the only media story I've seen, by the way. The fault lies with the website administrators:

"Hacked websites 'didn't read the manual'

"Microsoft has blamed administrator error, rather than a bug in its software, for leaving hundreds of websites running SQL server open to attack this week."

Did they say hundreds? Yes, hundreds, at the very least. And did they say "hacked websites"? Yes -- this is not a theoretical vulnerability with no known attacks, like Piranha was.

All this month, Herbless has been cracking into websites like the National Transportation Safety Board and leaving edgy political messages (while backing up the original files and telling the admins how to close the holes). He confirmed to me that all his attacks, including the Fish and Wildlife Service, the UK's Adult Learning Inspectorate, and the Commonwealth Telecommunications Organisation, were done by exploiting Microsoft SQL Server.

Just to make the story that much better, according to Herbless, the default configuration of SQL Server 7.0 also has logging turned off -- in which case a successful attack would leave few if any tracks.

Sites are lucky if their webpages are hijacked; that way they know to fix the problem, format and reinstall. But some of those "hundreds" of websites running the vulnerable installation have surely been cracked by black hats who quietly installed Back Orifice or a similar remote-exploit program. They can set an SQL Server password, but it won't help them: they'll still be 0wn3d.

The proper fix would be to force the password to be changed before the software can be used, as piranha now does. Wayne Sowery of MIS Corporate Defence Solutions confirmed for me that "versions up to SQL Server 2000 do not ask for the SA password during installation ... we also tried various install options such as 'typical' and 'custom,' neither prompted for a new SA password." Incidentally, he too questions whether this is properly described as a "vulnerability," but I'm not sure what else it could be called.

The lesson here is that the media doesn't treat security reports very fairly. Some organizations have their own selfish reasons to push one agenda or another. (Like Slashdot? You bet. But you know where we stand.)

The motive doesn't have to be that devious, though sometimes, of course, it is. If a reporter gets to write a story that questions a core belief of Linux zealots -- whether or not it's actually a core belief, and whether or not they're actually zealots -- that will be much more attractive than simply reporting security news. The nitty-gritty of security news, after all, is rather dry.

So next time you see a biased polemic about system security, or even a small media feeding frenzy about the latest exploit, take a moment to ask why it's being reported outside of the admins' mailing lists. Open source software is still a new idea to many in the traditional news media, and that means that it's a hook for them to hang any kind of story on -- good or bad.

Yesterday, due to system-level misconfigurations, www.apache.org was defaced after a root-level breakin. Those responsible for finding the holes and the ASF have been in cordial contact, and the holes have been plugged. In the process of doing that, FTP and other services on www.apache.org have been stopped. A mirror of the defaced site can be found on the Attrition.org mirror site. Brian Behlendorf sent the following to various Apache mailing lists:

Hi. We have been made aware (thanks to a very humorous banner ad for Microsoft Back Office on the front of www.apache.org!) that our particular configuration on www.apache.org of ftpd and bugzilla opened a security hole that allowed someone from the outside to get a shell account, and then get root. We have been in contact with those who found the hole, and have closed up the misconfigurations that allowed this.

It is important to note that this is *not* a hole in the Apache web server or related software products. I would encourage double-checking the PGP signatures of Apache releases for the immediate future.

However, I do not believe we are out of the woods yet. Bugzilla has not been thoroughly audited, and while I am not worried about ftpd, simply having another deamon that can write files to the web server whose purpose has been completely superceded by others suggests that taking it down for good is the right idea.

So I am taking down FTP - something that should have been done long ago. If there are FTP links on any of our pages (or on places like freshmeat) they should be change to HTTP. There are enough high-quality text-mode HTTP clients that there is no point to having it up, save for mirroring, and we allow rsync and cvsup for that. I will be contacting the mirror site admins list to communicate this.

Also, I have taken down all installations of bugzilla on apache.org until it can be audited. I will be performing a first pass tonight over it, but anyone else familiar with perl and willing to deal with rather ugly code is welcome to do so as well. I will set it back up once I'm comfortable there's been at least one reasonable pass over the whole codebase and any obvious holes have been plugged. This is only life-support though; I really don't think we should be using bugzilla once a suitable replacement is found.

Finally, I think it can be said that this compromise was mostly due to a lack of discipline on the part of those who had root and set up services without considering the ramifications of the way they were installed. I don't want to point fingers, since I'm probably at least as to blame as others, but I do feel that the policy of giving root access to a larger number of people than usual was probably a mistake. Along those lines, I've changed the root password and removed everyone from group wheel but myself - sorry to be fascist about this but I kinda feel like at the end of the day it's my responsibility. We'll come up with a strategy soon about granting sudo access to particular people for particular binaries so that I don't become a bottleneck again.

The details will soon be posted to bugtraq. Thanks.

This week's "main" interview guest is L0pht Heavy Industries as a group. (We hope to have answers from Linux International head Jon "maddog" Hall tomorrow). Many insightful questions for the L0pht guys were posted Monday. Today, lots of insightful answers on everything from political controls on the Internet to hardware hacking. (Click below to read.)

1) Which do you consider more dangerous
by Gleef
Which do you consider more dangerous to personal liberties on the Internet, national governments or multinational corporations, and why?

L0pht
While both Governments and multinational corporations are detrimental to personal liberties on the Internet, one must not overlook the greatest danger of them all. The uninformed citizen. In democracies, this is problematic, where governmental policy typically follows public opinion. In the case of the Internet, one will find that most citizens of the world are willing to give up personal liberties in exchange for perceived safety and piece-of-mind. For the safety of the children, is cited commonly.

Many people believe that anonymous access to the Internet is criminal behavior. Government would like you to think privacy is an "anti-social" behavior. You should have nothing to hide, should you? You wouldn't be reading up on the consecration of explosives, looking up security holes in various operating systems, or possibly downloading the latest crypto software, would you? Only terrorists do that.

Governments are lobbied by uninformed citizens, or citizens which are easily manipulated and swayed by various groups across the gambit of our modern civilization. Multinational corporations have their hand in the fray by funding these groups or by participation in Associations which provide counsel to government officials on technical matters. Often recommending legislation which will better the profit taking over the sanctity of "personal liberties."

Multinational corporations are problematic in that they operate in a proprietary world. Often outside parties will scrutinize the technological fabric of a communciations service being provided. Should a flaw be found, and published, the corporation claims that the flaw itself is detrimental to the service being provided and litigation is dispatched on the party disclosing the flaw. This has been the case in the Cellular communications venue. Cloning a cellular telephone was a real thorn in the side of the Cellular Industry. They took their gripes to the US Government. The CTIA and their ilk successfully swayed Washington to pass legislation to combat the cellular fraud. Result: A portion of the radio spectrum was made _forbidden_ to reception. Possession of an eprom programmer, a computer, and a cellular telephone became a crime. Meanwhile, the cellular network REMAINS open to eavsdropping. Money is power, and with power comes influence. However, in the end it was the Government, sucking up to industry, which passed the law.

Law Enforcement and Intelligence gathering communities dwell within the governmental domain. Both are lobbying lawmakers to pass laws to give them greater powers to combat crime in this high tech world. Surveillance is paramount. They will convince the lawmakers that without the keys to all communications, a bomb may be set outside Parliment or Congress or .

The government pursuades the people, the people pursuade the government. Who planted the seed first? Those who understand the technology are too busy working on the next cool widget. Meanwhile the technological world rushes toward a global dictatorship and the populace embraces it under the guise of security.

2) The net: strip mall or unlimted human potential?
by garagekubrick
The halcyon days of the net are gone. With ubiquity - the underground vanishes. Is it well on its way, with people like the CEO of Amazon being worshipped by the mainstream press, to becoming an enormous cyber strip mall, marketing tool, PR exercise in control of perception...

Or is there still an underground? Does it still have a potential to be the one true medium with liberation? Will governments and coroporations end up controlling it? Cause they are winning small, important victories relentlessly...

L0pht
The Internet has changed dramatically over the last year or two and with it the underground has also changed. Back in the good ole days (1995+6) every web site was underground, hell the entire internet was underground.

As the web increasingly encroaches onto the mainstream and large portal and corporate sites take over feeding you only the information they want you to see, the underground will evolve and change and morph to suit its surroundings.

There is definitely still an underground. In some aspects it is a lot larger than it used to be and in others it seems to be much much smaller. I think labeling the underground as 'the one true medium with liberation' is laying it on a little thick. The internet underground has been nothing but the exploration for knowledge, if you are looking to it to save mankind from itself your looking in the wrong place.

Governments are increasingly encroaching on personal liberties and freedoms of the average citizen, this is unfortunate. How much longer before the population as a hole realizes what is going on and says enough? Maybe they will never wake up. Will the governments eventually control the internet? Possibly. It is hard to tell but there will always be those who will resist that control and the underground will continue in one form or another.

While the web, as you put it, may become 'an enormous cyber strip mall' I can't help but think of the trash dumpsters behind that mall and what secrets they may hold.

3) Internet Worm II
by tilly
Several months ago I began predicting that someday someone would find a buffer overflow in the various Windows TCP-IP stacks and use it to write a worm that would bring down the Microsoft part of the Internet and cause so much traffic as to effectively shut down everything else. I further predict that until an event of this magnitude happens, the general public will not really learn the basic lessons about security that the *nix world was forced to learn from the first worm.

What are your thoughts on this prediction? (Timeline, reasonableness, etc.)

L0pht:
I believe your prediction is right on track. However, I don't feel that an Internet Worm II is necessary to teach Microsoft, its customers, or its vendors, about security. There are three ways to implement a security model, the slow way, the fast way, and the right way. The slow way involves making a bunch of little mistakes and fixing them over time as you find them, correcting your policies and implementations. The fast way involves having a major disaster occur, after which the faulty parts of the system are completely torn apart and reimplemented. In practice, the slow way often leads to the fast way.

Which brings us to the right way: To design software with a security policy in mind, and with extra caution, care, and expenditure during the implementation. OpenBSD's model of proactive security measures is a classic example of 'the job done right'. Retroactively applied security measures are a recipe for disaster.

Rant off.

As for when Microsoft is going to learn about these things, they'll first have to learn that 'bigger isn't necessarily better'. They need to stop believing their own FUD before they can actually make change over there. When I read things like the article at http://www.microsoft.com/ntserver/nts/news/msnw/LinuxMyths.asp, particularly the parts about Linux being less 'secure' than Windows NT, I'm appalled at the ridiculous 'facts' that are being used to back up their claims. For example, they claim that:

"Linux only provides access controls for files and directories. In contrast, every object in Windows NT, from files to operating system data structures, has an access control list and its use can be regulated as appropriate."

While this statement is true, they neglect to mention the fact that under a unix operating system, most things that correspond to Windows NT kernel objects, file, data structures, etc, are represented as files. Hence, the coverage of the security model for Linux is just as extensive, even more so, than Windows NT. This is a particularly bad statement, simply because it's not only incorrect, but the converse is true. Linux is more flexible in terms of permission management. Try setting the access controls on who can bind to a particular port under Windows NT, with the ease of chmod and portfs under Linux, and you'll fail miserably. And the list goes on.

(And as for 'access control lists', we've noticed that Windows can't seem to get the right default ACLs anyway, and that the complexity of managing them has outweighted the value of their 'flexibility'.)

As for your comments on the Windows NT TCP/IP stack being vulnerable to attack (possibly, who knows :P) and the possibility of a worm destroying Windows systems, the possibility is very real. And again, this possiblity is not unique to Windows. They're just a likely target at this point in time.

It would take a feat of dedication and great skill, but the possibility is there. My advice to anyone who's worried about this, is this: If you're going to use Windows NT, you should probably keep that firewall in place between those Windows service ports and the rest of the world. Microsoft loves to add services and open ports to your computer when you're not looking. And it's probably not going to be the IP stack, it'll probably be some goofy listening service, like anonymous share enumeration or something. Or maybe remote access to NetDDE. Or some authentication protocol that doesn't like large Netbios fields. Or possibly even some undocumented functionality in the named pipe filesystem used for RPC. Who knows. Personally, I'm not going to wait around to find out.

4)The Public's Perception of Hacking
by dmuth
First, I should probally preface this geek for several years, and love playing with technology, so I feel I am able to relate to the hacking community.

Anyway, my question is, how do you deal with the way the public (including the media) percieves "hackers"? I've seen some clueless people use the term to describe *anyone* who does anything with a computer that they find > objectionable. I've even heard the term applied to spammers!

Needless to say, the misue of the term makes my blood boil, because I feel a certain respect towards the real hackers, such as yourselves, because you guys do know what you're doing, unlike all of the script kiddies out that that either have the term applied by clueless reporters, or they use it on themselves.

So, I'd be interested in knowing how you cope with this sort of problem, as I've noticed this sort of perception of the hacking communtiy for some time.

L0pht:
The first thing you need to do is refer to yourself as a hacker and be prepared to educate the person you are talking to what you mean by that. It doesn't matter if you are talking to someone from the media, or the government, or the business world. People need to know the real meaning of hacking, its history, and what a positive thing it is.

A lot of the time we talk to the media just because we are afraid that if we don't there will be no one they talk to who will describe hacking in a positive light. No one to describe it as other than defacing web pages or breaking into .mil sites. This was one of the reasons we wanted to talk to MTV. We were afraid their story would be all about criminal hackers. If you saw the MTV show you saw that sometimes resistance against the media memes is futile. The show was 95% about illegal activity.

Yet the world of hackers is 95% non-criminal. Probably a better percentage of people behaving positively than most segments of society. It is a world of people exploring the edges of technology and building things. The crazy thing is the government is making more and more of that exploration illegal.

Reverse engineering security mechanisms is being considered a crime. Receiving digital radio signals is a crime. We can't let them wall off part of the world we inhabit from investigation.

Hackers have a positive role to play both as builders and critics of the digital world. Unless we speak up and refer to ourselves in that light we have only ourselves to blame. Everyone who can should educate. Its not easy changing perceptions. But sometimes a passionate personal explanation of what hacking means to you can make someone change their mind.

5)security of capability-based operating systems
by sethg
What do you think of capability-based systems, such as EROS? The folks who are working on these systems say they are fundamentally more secure (against both malicious code and heisenbugs) than Unix derivatives, Windows NT, and other ACL-based operating systems. Do you agree with this assessment? Do these systems have security weaknesses that Unix-like systems don't have?

L0pht:
It's nice to see work such as EROS comming out of DARPA funded projects. Capability-based systems are quite interesting. However, one must be quite careful when making statements such as the one that these systems are more fundamentally secure that others. One has to keep in mind that Windows NT made a similar claim. Was NT fundamentally more secure that Unix as was presented to the general public? Well, it did have a security model that Unix lacked and it's internals were much more akin to VMS which had various strengths that Unix lacked. Yet we all saw that the implementation is where it matters.

In reality the implementation is key. Things can look great on paper and be a real bear to implement (look at communism for example). Another key component that is often overlooked is the functionality. This is a double edged sword. If the system is not universal and generic enough in nature to exist in a plethora of environments then it is difficult, if not impossible, to gain wide scale acceptance and use. Of course, this notion is directly opposed to creating a secure operating system. If it has to work in a multitude of environments then it needs to be relatively open and flexible or else the skill set and support for integrating it into one specific environment is beyond most peoples abilities (ie it won't get used). Sun Microsystems ran in to this problem with older versions of SunOS (now retroactivly named Solaris 1.x) when they used to consistently ship with a '+' in /etc/hosts.equiv. After several years they received enough requests to take it out of the distribution for security reasons. Unfortunately, taking it out caused so many installations to not be "plug-n-play" that they promptly put it back in.

When I look at an operating system such as EROS the following pops out at me when thinking security (this should not be viewed as condemnation by any means).

. RTOS modeled.
Real Time Operating Systems can be very useful for directed applications but suffer in general use often times. In addition, certain security notions at extremely low levels of a system (ie hash signing memory blocks that are passed between processors or ASICS) incur overhead that is quite unwelcomed in most of the "general public's" acceptance in RTOS.

. Emulated POSIX and Unix environments
I love Unix. However, it's difficult for someone to maintain the claim that they are more secure than another operating system and then emulate it's behaviour. A good emulation is going to have the good and bad aspects on the security front or many things won't work.

. implementation from the ground up can be painful
Often times it is required. But heaven help the "vendor" that decides that in order to be their own maker they will do it from scratch without looking at the mistakes that others have made. We see it all too often that people decide to reinvent the wheel and foist square versions on people the first time around.

With all of that being said I believe that in the future, should people start to wake up and really appreciate the notion of security and privacy in a way that really influences the market... we will see more dedicated systems and fewer general purpose ones. In order to go that route projects such as EROS are invaluable.

6)Security Through...Unpredictability?
by Effugas
Would you agree that security and stability are but different sides of the same coin? In other words, a security exploit is truly nothing more than an expertly controlled failure?

If so, how much stock can we put into the "metadesign" of limiting the damage an exploit can create by attacking the ability of a failure to be controlled? Should operating systems incorporate such "unpredictability engines" when being run in a production, non-debugging manner? Or is such a design not worth pursuing, for various reasons?

L0pht:
You must be a kindred spirit :) We have been preaching the approach that most stability problems are security problems that have not been looked into enough for quite some time. By fixing security problems you enhance the stability.

Now, with that said, it is important to shoot for the pinultimate solution to problems and this ends up being a wonderful academic excercise (out of which great things come). Do we shun any notions that merely raise the bar instead of being the silver-bullet? No. Each elevation in design is a step in the right direction. It is apparent that we have many steps in front of us but this does not mean we should stop progressing until a magic cure is found.

Unpredictability in systems, such as loaders or interpreters that recurse random times to throw off "static" frame location and other mechanisms (ie canary values) etc. are some of the finer points that I see coming out of the security approach to implementations. Are they ready for production systems? It all depends upon what your production system must be capable of. In many cases the answer is yes. In some cases the answer is no.

7) Future of Hardware Hacking?
by Tackhead
Two questions (Well, three, really, but I'm a hardware geek, and I love trying to squeeze three things in the space of two):

A) Wireless.
Lots of folks have been asking today about the wireless network project. "Me too"; the page has been up for years, it's a fascinating and extremely powerful idea, but for those of us who aren't RF engineers...

> When do we get to see some hardware projects to build, or is it the case that -- due to regulatory restrictions on what can and cannot be transmitted on US airwaves -- work is being done independently on the notion of a secure wireless IP-based network but isn't being released so that those of us who aren't RF engineers can't gum up the works by screwing things up before it's ready? :-)

L0pht:
The Gnet project has been in progress for many years now. Mainly the problem had been lack of funds, but now time allocation and lack of dedicated participants hold back expansion.

There is a lot of interest, but no one seems to be willing to put up the nodes. There are 2 sites currently on the network. One at l0pht and one at a residence. This has been the state of the network for the past 2 years. Unfortunately no one with enough initiative in either state has been found to setup other nodes. There has been interest in other states but the long haul capability has yet to be worked out. Encrypted tunneling over the Internet may help span the network over long distances. Once the fabric of the network expands, landlines could be replaced with wireless links/nodes.

High-density, low-power networks sound great in theory, but until the interest level rises above its present state, the cellular structure will remain the dominant topology.

To get the network off the ground, we have been trying to go the Amateur radio route. Going this route does have its drawbacks. Encryption is forbidden, however compression is not. I have been running ssh in compression-only mode for years. The initial ssh authentication is allowed under FCC guidelines, as long as the communications is not encrypted, you are within the rules.

The move off the Amateur frequencies will be made once the cost of National Information Infrastructue (NII) part-15 devices drop under $500 dollars for a pair of nodes. These devices fall operate in the 5Ghz frequency range. The breakdown is as follows:

• 200 milliwatts EIRP (5.15-5.25 GHz) - indoor
• 1 watt EIRP (5.25-5.35 GHz) - inter-campus/neighborhood
• 4 watts EIRP (5.725-5.825 GHz) - Point-to-point, few miles, terrain permitting.

Other devices which are useable in the project are ISM band Part-15 devices which operate in the 900Mhz and 2.3Ghz frequency range, and dwell in the Wireless lan arena. Wavelan(Roamabout) http://www.wavelan.com, and rooftop networks (just purchased by Nokia) among others, players in the 900Mhz and 2.3Ghz arena. Older wavelan equipment can be found by searching auction sites and used equipment dealers. Early wavelan 2Mbps/sec ISA/PCMCIA cards can be found for ~$125.00 US Dollars. The problem with these cards is they don't conform to the IEEE 802.11 Wireless Ethernet specification. This is one inherent problem with building the network out of old equipment. It becomes costly to replace eqiupment once the entropy ball starts rolling.

The path to build custom equipment is equally as challenging. For example, the TAPR (Tucson Amateur Packet Radio) group has been in the forefront of Amateur packet radio for the past 15 years. While they have an established base of dedicated users, they continue to have problems developing new hardware. They have been prototyping a Frequency Hopping Spread Spectrum (FHSS) system for 3 years now, with still a protoype just passing a design review. Hopefully this project will come to fruition soon!

Some very talented folks over in Slovenia have developed some BPSK transceivers and a no IF SSB transceiver which will work on 1296, 2304 and 5760MHz. None are in kit form but the schematics, theory, construction notes, and equipment checkout is available in english. (schematics are not in english.). These radios are not for beginners or even intermediate kit builders. It would be nice if someone could kit these units. I started to convert the 23cm BPSK design to utilize a chipset family put out by RF Microdevices, but then my time got sucked into other projects. I may find the time to persue this once again, but I would like to get some semblence of a network greater than 2 nodes up and running first. *sigh*

B) The future of hardware hacking.
With the trend towards more and more functionality becoming embedded into ASICs and single-chip solutions, the golden age of "just desolder this", or "reverse-engineer the schematics and jumper that", or "replace [PROM| EPROM| EEPROM| PIC| FPGA] with one with the following special programming, and here's the [CPU| microcontroller]'s instruction set and a memory map of the embedded system" appears to be drawing to a close. Anyone can desolder a 24-pin DIP EPROM and hack it, but trying to desolder a 100-pin PQFP is a real bear without $500+ worth of specialized equipment, and knowing what to do with the chip after you've desoldered it is well-nigh impossible.

Do you see a time when "hardware hacking" (as we've traditionally known it) will have to fall by the wayside? If so - what, if anything, do you see as taking its place? (Perhaps users taking advantage of the vastly more-powerful gear out there today and building their own hackable hardware, eliminating the need to hack other people's hardware?)

I suppose that's tangentially related to the wireless.net question - for mass distribution of the tools needed to build such a network, for instance, it seems to me that re-purposing cheap, widely-available stuff that others have junked is a better path than having to build things from scratch. But if the cheap, widely-available stuff of the future isn't gonna be re-usable... where does one go from there?

L0pht:
It is true that the Electronics industry is moving toward much denser Multi-chip module like IC's. System-on-a-chip (SOC) is beginning to make inroads in communications equipment. Celluar/GSM/PCS phones are beginning to sport such technology. SOC will also revolutionize the security coprocessor industry.

What we see here is the bar being raised in the HW hacking arena. Remember cost still drives much of the industry and you will continue to see many devices still using microcontrollers. There are many, many internet appliances using standard Embedded Processors and peripheral IC's. The hackers are just going to have to bone up on thier FPGA hacking skillz. Monitoring the inputs of an FPGA and then the outputs, and hacking together an FPGA to drop inbetween isn't unheard of.

Hardware hacking today does require a bit more than the standard weller solding iron, a 50Mhz scope, and a multimeter. With processor speeds moving up into the 800Mhz range, you fall flat on your face with those stoneage tools. The trend in general is hardware which is becoming more and more abstracted and described by high-level programming languages such as verilog and VHDL. One must stay abreast of the latest tools in his trade. There are also relatively inexpensive "soft" tools, in that a spectrum analyzer, logic analyzer or a scope utilizes the modern PC as the guts of the device and an inexpensive physical interface module is purchased along with software for the host. The interface is typically a data acquisition pod for converting the sampled analog data into the host PC for processing and the presentation.

The security of FPGA's is definately going to become more of a target in the future. I can't think of anyone that doesn't set the security bit of FPGA before programming a device. Ummm.. Hmmm.. maybe I shouldn't say that. ;^) It does happen. There are also some not so well known ways around "securty bits" on FPGA's. Also, most FPGA's will allow you to reprogram them in circuit whether or not the security bit is blown. You just better be sure you can reproduce what you monitored before squirting in your own code.

Remember there are many more ways to fry an egg, such as voltage margining, or operating a circuit over/under current and temperature specifications. Hitting HW with various RF emissions (above and beyond what stantard emissions/immunities tests test for.) can also produce interesting results and insights.

And as you alluded to in your question, hackers will build their own hardware which will interface to the service/system under attack, which will allow for variable, marginable, modules to provide the flexibilty which the stock standard HW didn't provide. Study communications test equipment. Many secrets lie inside.

A lot of today's "hardware hacking" isn't strictly limited to hardware, due to the fact that most products are embedded systems - meaning there is a union of hardware and software. Those who are strictly "hardware guys" will fall by the wayside and those who are strictly "software guys" will also fall. You will need to have a decent knowledge of both the software and the hardware environment you are programming for. I have seen companies struggle because they hire CS folks to write firmware for a product. These particular folks could not grasp that they were writing for a platform other than a PC or desktop. They didn't understand how interrupts worked, how to write to a port, how to write low-level drivers to control external memory or other devices on an SPI, I2C or other inter-chip protocol. What ended up happening is the company called in the hardware engineer (me) to write all the low-level functionality. In order to properly design a product (and reverse engineer the product), you need to be able to grasp all facets...

The industry today is really in a sad state and I am fearful of the quality of the products that are due to come out on the market - the hardware and circuitry is sound and well-structured, but the software will have major fault and, because of this, many possibilities for vulnerabilities.

C) The future of l0pht.
(At least publicly), there's been a lot more activity on the software side of l0pht than on the hardware side.

To the extent that you can discuss it openly, do you see l0pht's main activities over the next 3-5 years as continuing to revolve around the "expose weaknesses in software" side or the "work on next-generation hardware projects" side?

L0pht:
Both. Hardware projects, since the beginning of time, are more costly, require more tools than software, and mroe often than not, more time consuming. Due to this, the amount of publicly-known activity appears to be less. As mentioned before, there will be more and more projects that require the knowledge of both hardware and software sides, where L0pht fits the bill perfectly. There are so many products and technologies to look at, there is no way we can limit ourselves by saying what activities we will and will not do. If something comes out, be it hardware or software, that we want to attack, we will.

8)What engines/sites do you use to scour the 'Net?
by Bacteriophage
Seriously, I would like to know. When you sometimes don't have all the answers (I assume that would be more than never), where do you guys go on the 'Net to find what you need concerning computer security, **/*acking, or even just news? Do you ever come to /.? This answer shouldn't take very long, and it'd be nice to get the seperate preferences of each crew member, as well as the general preferences of the group.

L0pht:

Generic search:

Altavista or NorthernLight for a spider based search Yahoo for a topic search.

Ask Jeeves when I don't really know what it is I am looking for.

security/hacking: altavista - word sequences work well. A recent example would be a search for the PCI specification by looking for "pci spec".

yahoo - when altavista doesn't help

Hacker search:

• The Hacker News Network Search Engine Page - Lots of undergound spiders http://www.hackernews.com/search.html
• attrition stats - http://www.attrition.org/mirror/attrition/stats.html
• eEye stats - http://www.eeye.com/html/Databases/Statistics/os.html
• NMRC - Good Novell NT and Unix info. www.nmrc.org
• counterpane - for books (through amazon) and lots of free information on crypto too.
• www.jya.com/crypto.htm - for the good cypherpunk info

------

Next week: Steve Wozniak (and a special pair of *surprise* guests Tuesday).

An anonymous reader noted that it appears that crack.linuxppc.org has been, well, cracked. There is a mirror of the defaced page at here being hosted by attrition.org. The actual box is down as of when I type this. On the upside, it sure took a long time for someone to get in there (I'm still amused that they posted the root password). Jason Haas from LinuxPPC said "The machine is going to Daniel Jacobowitz, who won it legitimately. The subsequent problems occured after Dan installed a backdoor, and have since been cleared up. The original problem was that proftpd-1.2.0pre4 was left running with a /incoming directory."

An anonymous reader noted that it appears that crack.linuxppc.org has been, well, cracked. There is a mirror of the defaced page at here being hosted by attrition.org. The actual box is down as of when I type this. On the upside, it sure took a long time for someone to get in there (I'm still amused that they posted the root password). Jason Haas from LinuxPPC said "The machine is going to Daniel Jacobowitz, who won it legitimately. The subsequent problems occured after Dan installed a backdoor, and have since been cleared up. The original problem was that proftpd-1.2.0pre4 was left running with a /incoming directory."

borehawg writes "John Vranesevich of AntiOnline is accusing Attrition.org staff members of being involved with the "hacker" groups called "United Loan Gunmen" (ULG) and "Hacking For Girlies" (HFG). Attrition.org responds with this press statement. "

borehawg writes "John Vranesevich of AntiOnline is accusing Attrition.org staff members of being involved with the "hacker" groups called "United Loan Gunmen" (ULG) and "Hacking For Girlies" (HFG). Attrition.org responds with this press statement. "

krp writes "The well known and regarded security softare and information site Packet Storm Security has been closed down by Harvard, who hosted the site, becuase of claims from John Vranesevich, of www.AntiOnline.com, about libellous material. The site will not re-open and backups will be destoryed. Ken Williams explains here and here - this guy put a lot of work into that site. "

Andreas Pour sent linkage to a page where you can get the KDE mascot in T-shirt form (half the profits go to KDE). Hubert Figuiere sent us pictures from the Paris LinuxExpo if you weren't in France. Brian sent us How Stuff Works. Its actually not bad. cpfeifer wrote in to send us some spoofed book covers including Taking Down the Internet in 30mins for Dummies and IP Spoofing for Dummies. More here. An anonymous reader sent us Prozac Pez if you've been having a rough day. Dwonis sent us a point-form description of Geeks, Twits and Nerds, and the differences between them. aspodf wrote in to show us what happens when Red Meat and Star Wars come together at last. CowboyNeal sent us a link to Career Path which has a Personality Quiz that tells if you are a Jedi Master, or a Sith Lord. I think Neal ended up an Ewok *grin*.

Andreas Pour sent linkage to a page where you can get the KDE mascot in T-shirt form (half the profits go to KDE). Hubert Figuiere sent us pictures from the Paris LinuxExpo if you weren't in France. Brian sent us How Stuff Works. Its actually not bad. cpfeifer wrote in to send us some spoofed book covers including Taking Down the Internet in 30mins for Dummies and IP Spoofing for Dummies. More here. An anonymous reader sent us Prozac Pez if you've been having a rough day. Dwonis sent us a point-form description of Geeks, Twits and Nerds, and the differences between them. aspodf wrote in to show us what happens when Red Meat and Star Wars come together at last. CowboyNeal sent us a link to Career Path which has a Personality Quiz that tells if you are a Jedi Master, or a Sith Lord. I think Neal ended up an Ewok *grin*.

Andreas Pour sent linkage to a page where you can get the KDE mascot in T-shirt form (half the profits go to KDE). Hubert Figuiere sent us pictures from the Paris LinuxExpo if you weren't in France. Brian sent us How Stuff Works. Its actually not bad. cpfeifer wrote in to send us some spoofed book covers including Taking Down the Internet in 30mins for Dummies and IP Spoofing for Dummies. More here. An anonymous reader sent us Prozac Pez if you've been having a rough day. Dwonis sent us a point-form description of Geeks, Twits and Nerds, and the differences between them. aspodf wrote in to show us what happens when Red Meat and Star Wars come together at last. CowboyNeal sent us a link to Career Path which has a Personality Quiz that tells if you are a Jedi Master, or a Sith Lord. I think Neal ended up an Ewok *grin*.