Domain: netcraft.com
Stories and comments across the archive that link to netcraft.com.
Stories · 167
-
2003: Year of Apache
John Chamberlain writes "Netcraft's numbers for the new year are in. The trend graphs tell a story: 2003 was the Year of Apache. If Time magazine had a server-of-the-year award the cover would be featuring a feather. Since October 2002 market share has grown from 53% to 64%, a 20% gain while Microsoft IIS, its nearest competitor has shrunk from 36% to 24%, a 33% decline. The change in server totals was even more dramatic. Apache HTTP Server increased from about 20 million to 32 million (+60%) while all other competitors remained flat." -
SCO Not Lying About DoS Attack
Licensed2Hack writes "The Cooperative Association for Internet Data Analysis (CAIDA), part of the San Diego Supercomputer Center at the University of California, San Diego has an analysis of the recent DDOS on SCO.com. Netcraft also has more information in their article and analysis graphs. Seems SCO was hit with a 50,000 packet-per-second SYN flood peak, which yields approximately 20 Mb/s each way, or about the capacity of a DS3 line." -
Netcraft Web Server Stats Challenged
kolchak writes "An article in The Age has an interesting analysis of the Netcraft Web Server Usage Reports. According to Port80 Software, Netcraft's surveys are biased towards domain name parkers and very small web sites, not taking into account how popular a site may be - there are some interesting results in the competing Port80 survey." However, it should be pointed out that Port80 "develops software products to enhance the security, performance and user experience of Microsoft's Internet Information Services (IIS) Web server." -
Free Software As Nigerian Scam
djeaux writes "In the November 4 issue of Syllabus, Howard Strauss, manager of technology strategy and outreach at Princeton University, presents 'The FREE, 0% APR, Better Sex, No Effort Diet' in which he scattershoots at open source software. The Nigerian scam is part of his imagery, leading to a great quote: 'While you are installing your free open source software you may want to write Mrs. Ahmed a check. Her $8.5 million will help pay for the real cost of that free software.' Elsewhere, Strauss describes the open source community as 'a smattering of teenagers too young to work at Redmond, hackers, virus creators, and a menagerie of others with whom you will feel great pride in entrusting your IT infrastructure.'" Not everyone at Princeton agrees. -
Microsoft Looks At Other Search Engines
ZuperDee writes "It looks like Microsoft is now looking for another search engine to buy. They are looking at Ask Jeeves and Looksmart, but they recently dumped Looksmart, after deciding that its results don't stack up well. So would anyone be surprised if they bought Ask Jeeves? It can't hurt that according to Netcraft, they already run Microsoft IIS." -
Netcraft Claims Apache Now Runs 2/3rds Of The Web
Mr Bill writes "According to NetCraft the Apache web server now owns over 2/3rds of the web. The jump of 2.8% since last month is mostly due to a number of large domain parking sites switching back to Apache from IIS. 'During 2001 and the first half of 2002 several companies hosting very large numbers of hostnames including Webjump, Namezero, Homestead, register.com and Network Solutions migrated to Microsoft-IIS. Subsequently these businesses have either failed, significantly changed their business model, or reverted to their previous platform, and Microsoft-IIS share is now in line with its long term pre-summer 2001 level of around 20%.' See the full report here." -
Google Considering Merger With Microsoft
buford_tannen writes "According to this New York Times Article (registration, etc.), Google may be considering a merger with Microsoft in the near future. As many people know, Google's search services are powered by Linux. " -
Public Library of Science Launches
limbicsystem writes "The first issue of the free journal Public Library of Science Biology hits the presses tonight. With Lawrence Lessig on the Board, the PLOS team are taking the Creative Commons to the world of science publishing and hope to compete with the big-name journals Science and Nature. The move towards freely-available scientific journals is supported by major funding bodies who are tired of seeing their grant money spent on subscriptions to commercial journals that can cost thousands of dollars a year. PLOS-Biology is available online at plos.org. The inaugural issue has an essay by the executive director of the Creative Commons, Glen Otis Brown. Oh, and it's all running on Linux ;)" -
Windows 2003 takes 5% away from Linux
ZuperDee writes "According to Netcraft, the number of Windows 2003 servers has doubled since July, and 5% were running Linux before, which is consistent with the trends they've been observing for some time. This doesn't look good for Linux, in my opinion. Maybe we should all start to think about jumping ship?" -
Further Selections From the Mixed-Up SCO Files
grahamlee writes "It may be a case of 'do as we say, not as we do' over at the Santa Cruz Operation. The Netcraft statistics meter says that for the last year, SCO's web site has been served by Apache on Linux. Indeed, it's been more than a year since the site was ever served from a SCO Unix machine. So what is the possible reason for this? Your humble author suggests that SCO found themselves requiring a multithreaded web server, and as SCO UNIX is based on an ancient version of The UNIX spec it just couldn't cope ;-)." Read on for one of the strangest-yet turns to the SCO story, and several merely insipid ones.
An anonymous reader writes "SCO have made much of how their claims about UNIX code being improperly copied into Linux were verified by 3 teams including 'MIT Mathematicians.' However, MIT can't seem to find the mathematicians concerned!"
(SCO's explanation is that the company is talking about a team made up of people who formerly worked at MIT, rather than a group still associated with the school, but "due to contractual obligations, we cannot specifically name the individuals.")
kuwan writes "SCO has responded to the massive debunking of their 'evidence' last week. Chris Sontag claims that the BPF code was 'not intended to be an example of stolen code, but rather a demonstration of how SCO was able to detect "obfuscated" code.' That, however, is a flat-out lie. If you look at their Obfuscated Copying slide (#15), it clearly states 'Obfuscated System V Code Has Been Copied Into Linux Kernel Releases 2.4x and 2.5x,' and then the slide labels the BPF code on the left as 'System V Code.'
At this point I think they realized that their case has been severely weakened and they need to spin it any way they can. And in their case this means more lying."
Captain Beefheart writes "According to this story over at The Inquirer (crediting a special edition of Terry Shannon's Shannon Knows HPC newsletter), SCO has officially announced that HP is safe from their infringement lawsuit brigade ... This leads one to suspect that HP is the Fortune 500 company that SCO claimed recently had paid for a license."
Maybe HP just wants to avoid Microsoft/BSA-style hassles: FatRatBastard writes "According to an article on Commentwire.com SCO has started sending invoices to Linux users. If a company signs up for SCO's 'Intellectual Property License for Linux,' they allow the possibility of being audited at SCO's expense to ensure that the user has been truthful about the number of Linux installations it has. Should the audit reveal that the user has underpaid SCO by 5% or $5,000, whichever is highest, the user also agrees to pay the price for the audit."
Blacklantern writes "The SCO lawsuit has made it into "Halloween Documents" gallery. Eric Raymond takes on the contents of the lawsuit point-by-point. "
-
WindowsUpdate.com Secured, Permanently
Precisely nineteen months ago, Bill Gates sent out a memo to employees (and the press) announcing that security was Microsoft's number-one priority. Today, about a hundred readers have submitted the news that Microsoft.com went down last night. And now, the company has "extinguished" WindowsUpdate.com (future updates will come from a different domain). All this because of some Microsoft worm that triggers at midnight. Related news: Windows Update says you're protected, but maybe you're not; WU.com briefly ran Linux, heh; worm variant with clever "anatomical term." -
Nearly 2 Million Active Sites running FreeBSD
Echo|Fox writes "So much for *BSD is dying. The latest Netcraft survey shows over 2 million active sites, and almost 4 million active hostnames all running on FreeBSD. Combined with the report that 5 of the top 10 hosting companies in terms of reliability were FreeBSD based, it's been a very positive month *BSD wise. Perhaps the most interesting quote from the survey is: 'Indeed it [FreeBSD] is the only other operating system that is gaining, rather than losing share of the active sites found by the Web Server Survey.'" -
Top Five Reliable Providers
-
Fyodor Answers Your Network Security Questions
You asked nmap creator Fyodor many excellent questions, and his answers (below) are just as excellent. You'll want to set aside significant time to read and digest this interview, because Fyodor didn't just toss off a few words, but put some real time and energy into his answers.
1) Interesting stories involving nmap?
by Neologic
Nmap has obviously become a huge success in the *nix world. I would wager that practically all sysadmins and security folk use nmap. With this sort of use by such creative and lazy people, there must have been some interesting stories involving nmap, perhaps unusual uses of it, or funny anecdotes. Are there any you would like to share?
Fyodor
The coolest use ever was undoubtedly when Trinity used it to try and save the human race :). But the use I find most gratifying are the Chinese students and residents who have written me about how they use Nmap to locate open proxies. These proxies allow for surfing the uncensored Internet, including the news, educational, pornographic, religious, open source software, government, political, search engine, and human rights sites that are blocked by the Great Firewall of China.
Many of the best features in Nmap came from the user community in ideas if not implementation. For example, the protocol scan (-sO) determines what IP protocols (TCP, UDP, GRE, etc.) a host is listening for. I had not thought of this, but the idea and patch came out of the blue one day in an email from Gerhard Rieger. On another day, a guy named Saurik sent a patch called Nmap+V that allows Nmap to do basic service/version fingerprinting against open ports. It has attracted a cult following, and I plan to add similar functionality to Nmap this year. The initial Windows port by eEye arrived similarly. Despite all these great suggestions, certain other user-contributed ideas are not on the agenda.
Then there are a small handful of users who detect problems nobody else would ever notice, like 4 byte/host memory leaks. They send me error messages with notes saying the bug happens "about once per 700,000 IPs". I have no idea what these guys are up to, but some have been sending me this kind of mail for years. They can't be spammers, as they are intelligent and also use more sophisticated scan techniques than you would need to just find SMTP servers.
2) Recent increases in anal-retentiveness...?
by Zeriel
There's been a marked increase in system administrators thinking that anything even remotely resembling a network scan is eeeeevil (case in point, last year I almost got kicked out of college for scanning port 80 on my dorm subnet looking for interesting websites to read)...
What do you think can be done to make scanning IP addresses/ports have less of a negative stigma? This is in the same sort of category as legit vs. illegit uses of anything else (P2P, whatever)--what's the rationale for punishing something that could maybe lead to criminal activity, and how can we make network scanning tools have practical uses again?
Fyodor
That is an excellent question, and one that concerns me as well. But first, I think your final statement is too extreme. I would guess 90% of network scanning is non-controversial. You will rarely be badgered for scanning your own machine or the networks you administer. The controversy comes when scanning other networks. There are a lot of (good and bad) reasons for doing this sort of network exploration. Perhaps you are scanning the other systems in your {dorm, department, cable LAN, conference LAN} to look for publicly shared files (FTP, SMB, WWW, etc.). Or perhaps you're just trying to find the IP of a certain printer. Maybe you scanned your favorite web site to see if they are offering any other services, or because you are curious what OS they run. Perhaps you are just trying to test connectivity, or maybe you wanted to do a quick security sanity-check before handing off your credit card details to that ecommerce company. You might be conducting Internet research, or be bored on a rainy afternoon. Or are you conducting reconnaissance in preparation for a breakin attempt?
The remote administrators rarely know your true intentions, and do sometimes get suspicious. The best approach is to get permission first. I've seen a few people with non-administrative roles land in hot water after deciding to "prove" network insecurity by launching an intrusive scan of the entire company or campus. Admins tend to be more cooperative when asked in advance than when woken up at 3AM by an IDS alarm claiming they are under massive attack.
You compared Nmap to P2P tools in having a "negative stigma". In both cases, one effective way to fight the stigma is to limit your own use to "legitimate" purposes. Use BitTorrent to download RedHat ISOs, but not Matrix Reloaded. Use Nmap to secure and monitor your computers, but not to attack other networks. And if you decide to attack other networks anyway, please be courteous and set the evil bit.
Now I'll admit that I don't always obtain explicit permission before scanning other networks. I don't believe (but IANAL) that a simple port/OS scan of a remote system is or should be illegal. Any machine connected to the Internet will be scanned so often that most admins ignore such "white noise" anyhow. But scan other networks often enough, and someone will eventually complain. So my advice would be:
- Don't do anything controversial from your work or school connections. Even though your intentions may be good, you have too much to lose if someone in power (boss, dean) decides you are a malicious cracker. Do you really want to explain your actions to someone who may not even understand the terms "port scanner" or "packet"? Spend $10 bucks a month for a dialup or shell account. You didn't really violate this rule, as scanning your dorm subnet for just port 80 should not even be remotely controversial!
- Target your scan as tightly as possible. If you are only looking for web servers, specify -p80 rather than scanning all 65,535 TCP ports on each machine. If you are only trying to find available hosts, do an Nmap ping scan. Don't scan a /16 when a /24 will suffice. The random scan mode now takes an argument specifying the number of hosts, rather than running forever. So consider -iR 1000 rather than -iR 10000 if the former is sufficient. Use the default timing (or even "-T Polite") rather than "-T Insane".
- Nmap offers many options for stealthy scans, including source-IP spoofing, decoy scanning, and the more recent Idle Scan technique. But remember there is always a trade-off. You will be harder to detect if you launch scans from an open WAP far from your house, with 17 decoys, while doing followup probes through a chain of 9 open proxies. But if anyone (such as Tsutomu Shimomura) does track you down, they will be mighty suspicious of your intentions.
I occasionally consider adding some sort of "notification packet" prior to a scan that would give hosts the chance to respond and opt-out. This would be like the /robots.txt directives currently used to control polite Web robots. Perhaps the format could even include a text string that IDS systems could log, like:
nmap -sS -p- -O -m "Direct questions about this scan to ops at x3512" 192.168.0.0/16
nmap -sS -p- -O -m "mY n4m3 iZ Zer0 |<00L and I'll 0wn j0o%#@" targetcompany.com/24
Of course Nmap would have an option to omit the notification or to send it and ignore any negative responses. Some scanners, such as ISS Internet Scanner already send out NetBIOS popup messages to scanned hosts by default, and other scanners use syslog. I won't be adding any features like this to Nmap unless I see substantial demand and the obvious issues are worked out.
3) OS fingerprinting
by neoThoth
What are the latest advances in fingerprinting networked devices that seem most promising to you? I have started reading papers on HTTP fingerprinting and such and wonder how these will figure into the NMAP architecture. What are the most elusive OS's that aren't on the NMAP OS fingerprint database?
Fyodor
There are a number of OS detection techniques I hope to add this year. One is to guess (or calculate) the initial TTL of response packets, since this varies by OS. Some operating systems also "reflect" your own chosen TTL under various circumstances. Then there are some newer TCP options, such as selective ack that I might test for. Explicit Congestion Notification (RFC 2481/3168) also shows promise. I'll probably add all of these at once later this year, after discussions with the Nmap-dev list. If you wish to participate, you can join that list by sending a blank email to nmap-dev-subscribe@insecure.org. There is also a low volume, moderated list for announcements about Nmap, Insecure.org, and related projects. You can join the 15,000 current members by mailing nmap-hackers-subscribe@insecure.org [archives].
While adding new fingerprinting techniques is fun and exciting, improving the signature database often adds more value. The DB now contains more than 850 signatures, from the Acorn RISC OS and Aironet wireless LAN bridge to the ZoomAir wireless gateway and Zyxel Prestige routers. We're talking gaming consoles, phones, PBX systems, PDAs, webcams, networked power switches, you name it! New fingerprints are submitted daily.
Application level fingerprinting (including HTTP) is coming. I usually regret stating dates, but I hope to develop this functionality within the next 3 months.
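The initial-TTL idea Fyodor describes above is easy to see in working code. The example below is added here and is not Nmap code or part of the interview: it takes the TTL seen in a response packet, infers which common starting value (32, 64, 128 or 255) the sender most plausibly used, and derives an approximate hop count from the difference. The OS-family table, the plausible-hop cutoff of 32 and the tcpdump-style sample lines are all assumptions constructed for the example; a real fingerprint database is far more granular. Because a low observed TTL can be explained by more than one starting value, the function returns every plausible explanation rather than silently picking one.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Coarse table of initial TTL values commonly set by OS families.
# Assumption: this illustrative mapping is constructed for the example and is
# far less granular than a real fingerprint database such as Nmap's.
INITIAL_TTLS = {
    32: "legacy Windows 9x",
    64: "Linux / BSD / macOS",
    128: "Windows NT family",
    255: "Solaris / Cisco IOS / embedded network gear",
}

# A path longer than this is treated as implausible (assumed cutoff). It is
# what separates "TTL 60, 4 hops from a 64-box" from "TTL 60, 68 hops from a
# 128-box": the second explanation is dropped.
MAX_PLAUSIBLE_HOPS = 32


@dataclass(frozen=True)
class TtlGuess:
    observed: int   # TTL seen in the received packet
    initial: int    # inferred starting TTL
    hops: int       # initial - observed: routers traversed on the way to us
    family: str     # OS family associated with that starting TTL


def guess_initial_ttl(observed: int) -> List[TtlGuess]:
    """Return plausible (initial TTL, hop count) explanations for an observed TTL.

    Ordered from fewest to most hops. An empty list means no common starting
    value explains the observation within MAX_PLAUSIBLE_HOPS.
    """
    if not 0 < observed <= 255:
        raise ValueError(f"TTL must be in 1..255, got {observed}")
    guesses = []
    for initial in sorted(INITIAL_TTLS):
        hops = initial - observed
        if 0 <= hops <= MAX_PLAUSIBLE_HOPS:
            guesses.append(TtlGuess(observed, initial, hops, INITIAL_TTLS[initial]))
    return guesses


# Field extraction for tcpdump -v style lines: the "ttl N" token and the
# source address that follows the closing parenthesis of the IP header dump.
_TTL_RE = re.compile(r"\bttl (\d+)\b")
_SRC_RE = re.compile(r"\) (\d{1,3}(?:\.\d{1,3}){3})\.\d+ > ")


def passive_os_hints(lines: List[str]) -> Dict[str, Optional[TtlGuess]]:
    """Map each source IP in a capture to its best (fewest-hops) TTL guess.

    Only the first packet per source is used: every packet from one host over
    one path carries the same TTL, so further packets add nothing here.
    """
    hints: Dict[str, Optional[TtlGuess]] = {}
    for line in lines:
        ttl_m, src_m = _TTL_RE.search(line), _SRC_RE.search(line)
        if not (ttl_m and src_m):
            continue  # not a packet line in the layout we parse
        src = src_m.group(1)
        if src in hints:
            continue
        guesses = guess_initial_ttl(int(ttl_m.group(1)))
        hints[src] = guesses[0] if guesses else None
    return hints


# Constructed sample capture in tcpdump -v layout (not real traffic).
SAMPLE_CAPTURE = [
    "10:01:02.000001 IP (tos 0x0, ttl 52, id 4711, offset 0, flags [DF], proto TCP (6), length 60)"
    " 192.0.2.10.80 > 198.51.100.5.40001: Flags [S.], seq 1, ack 1, win 65535, length 0",
    "10:01:02.000002 IP (tos 0x0, ttl 116, id 812, offset 0, flags [DF], proto TCP (6), length 60)"
    " 192.0.2.20.443 > 198.51.100.5.40002: Flags [S.], seq 2, ack 1, win 8192, length 0",
    "10:01:02.000003 IP (tos 0x0, ttl 243, id 99, offset 0, flags [none], proto TCP (6), length 40)"
    " 192.0.2.30.22 > 198.51.100.5.40003: Flags [R.], seq 0, ack 1, win 0, length 0",
    "10:01:02.000004 IP (tos 0x0, ttl 180, id 5, offset 0, flags [DF], proto TCP (6), length 60)"
    " 192.0.2.40.25 > 198.51.100.5.40004: Flags [S.], seq 3, ack 1, win 5840, length 0",
]

if __name__ == "__main__":
    for src, guess in passive_os_hints(SAMPLE_CAPTURE).items():
        if guess is None:
            print(f"{src}: no common starting TTL explains TTL within {MAX_PLAUSIBLE_HOPS} hops")
        else:
            print(f"{src}: TTL {guess.observed} -> initial {guess.initial}, "
                  f"~{guess.hops} hops, likely {guess.family}")
```

The fourth sample host (TTL 180) deliberately falls between 128 and 255 by more than the hop cutoff, so it is reported as unknown rather than forced into a family. Since it only reads packets that arrive anyway, this kind of check is also usable on the defending side, for example to notice a host whose TTL-implied platform disagrees with what the asset inventory says it is.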
4) Stepping into a network security career
by Anonymous Coward
I'll be graduating this month with a shiny new BS in Computer Science. I've done plenty of Unix sysadmin work throughout college and even deployed some high-interaction honeynets. I'm very interested in network security and systems programming. Do you have any advice for people in my situation who want to head into a career in network security?
Fyodor
Congratulations on your graduation! Unfortunately (for newcomers), the security field is one that often expects substantial experience and references. This is partly because these jobs require extraordinary trust, and also because of an aversion to mistakes. Everyone makes mistakes, but they can be extraordinarily costly in security and neophytes tend to make more of them. But don't lose hope! Talented security minds are still in very high demand, just be aware that you will have to work even harder to prove yourself.
Here are my suggestions for anyone starting out in network security, whether for fun or profit:
Step 1: Learn everything you can
- You may wish to start with reading a general overview of security, such as Practical Unix and Internet Security 3rd Edition.
- Reading alone won't teach you much. Hands-on experience is critical, so I would set up at least a basic test network. At the very minimum you should have a Unix box or two and a Windows machine (because these are very common in the real world). You can use very cheap machines, or even emulate a large network with virtualization software such as VMWare.
- Next you should learn more about how attacks are performed. Take a look at the excellent and free Open Source Security Testing Methodology Manual (OSSTMM). This document aims to provide a comprehensive framework for security testing. But it mostly lists tasks to perform, without specifying how to do so. You will gain a lot from this manual if you research the tasks you don't know how to complete, and if you actually try performing the tasks on your test network. If this manual is too curt or hard to follow, you could try a more verbose book on vulnerability assessment, such as Hacking Exposed 4th Edition.
- Now that you understand many of the general security ideas, it is time to get current. This is one area that has actually become easier in the last decade. The thinking used to be that vulnerability information should only be distributed to well-known and trusted administrators and security researchers through private digests such as Zardoz. This was a disaster for many reasons, and the full disclosure movement was born. In the last couple of years things have started to shift toward more limited ("responsible") disclosure and there is also a disturbing pay-money-for-early-disclosure trend. But information is still much more available than it used to be. Most of the news is carried on mailing lists, and I archive the ones I consider the best at Lists.Insecure.Org. You must subscribe to Bugtraq, and I would also highly recommend pen-test, vuln-dev, and security-basics. Read at least the last 6-12 months of archives. Choose other lists that correspond to your interests. SecurityFocus also offers a security-jobs list which is an excellent resource for finding jobs or just understanding what employers desire.
There are two major reasons for reading Bugtraq. One is that you must react quickly to new vulnerabilities by patching your servers, notifying your clients, etc. You can get this by simply scanning the subject lines or advisory summaries for bugs that directly apply to you. But then you will miss out on another crucial purpose of Bugtraq. Actually understanding a vulnerability helps you defend against it, exploit it, and identify/prevent similar bugs in the future. When you are lucky, the advisory itself will provide full details on the bug. Check out this excellent recent advisory by Core Security Technologies. Note how they describe exactly how the Snort TCP Stream Reassembly vulnerability works in detail and even include a proof-of-concept demonstration. Unfortunately, not all advisories are so forthcoming. For bugs in Open Source software, you can understand the problem by reading the diff. The next step is to actually write and test an exploit. I would recommend writing at least one for each general class of bug (buffer overflow, format string, SQL injection, etc.) or whenever a bug is particularly interesting.
Be sure to read the latest issues of Phrack and the research papers posted to the mailing lists. Send your comments and questions to the authors and you may start interesting discussions. Read well-regarded books on the security topics that interest you most.
I can't emphasize enough that you should intersperse hands-on work with all of this reading. Install unpatched RedHat 8 (or whatever) and run Nmap and Nessus against it. Then compromise it remotely, maybe via the latest Samba hole. Start out with a prewritten exploit from Bugtraq, which isn't quite as easy as it sounds. You may have to modify the 'sploit to compile, brute force the proper offset, etc. Then break in again using a different technique, and your own exploit. Install Ethereal and/or tcpdump and ensure you understand the traffic on your network during both your exploitation and normal network activity. Install Snort on an Internet-facing machine and watch the attacks and probes you'll experience. Wander around your neighborhood with Kismet, Netstumbler, or Wellenreiter on your Laptop or PDA to look for open WAPs. Install DSniff and execute an active MITM attack on an SSH or SSL connection between two of your computers. Take a look at my Top 75 Tools List and ensure you understand what each does and when it would be useful. Try out as many as you can.
- Take a vacation, or at least a weekend camping! You deserve it! The steps above would probably take at least 3-12 months full-time, depending on your motivation level and the depth and breadth of your research.
Now you have learned enough to be dangerous. At this point, you would have little trouble obtaining most certifications, after studying the specifics of each topic. If your main goal is to find a job quickly, perhaps adding these extra feathers to your cap might be worthwhile. But I think your best bet is to prove your knowledge by joining and contributing to the security community. While this does indeed help others, it isn't an entirely selfless act. It improves your skills, leads to important contacts, and demonstrates your knowledge and ability in a constructive way. The latter is important if securing a career is one of your goals. These steps should also be fun! If not, perhaps you should keep looking at other fields. Here are some ideas:
Start participating with insightful comment and answers on the mailing lists. This is very easy and serves as a great learning experience, way to meet people, and garners some name recognition. If a security manager with a stack of 60 resumes recognizes your name, that is a huge win!
When a new worm or a big new vulnerability comes out, everyone wants to know the details. If you stay up all night disassembling the worm/patch and write the first comprehensive analysis, many folks will find that valuable. And you will learn a lot. Let your first priority be quality - if someone beats you to it, just compare your results with theirs to see if you (or they) missed (or misinterpreted) anything. You can also post your own exploits, although that is more of a political hot potato.
Attending security conferences is a great way to learn, party with fellow hackers, and network (in every sense of the word). Much better is to speak at these conferences. This field changes rapidly so there are always new topics and technologies to discuss. You don't have to be a well-known expert with a long history - just learn your topic well and put in the effort for a quality presentation. You could present at Defcon, at one of the more commercial events, or at a smaller regional con like ToorCon, CodeCon, Hivercon, etc. Among other advantages (often free admission/travel/hotel), this is a great way to meet people with similar interests. I spoke at the latest CanSecWest and have submitted a proposal for the next Defcon.
Now that you've seen and understand a wide variety of software vulnerabilities from your Bugtraq research, start finding your own. You can start by downloading any PHP app from Sourceforge. Most of those are hopelessly vulnerable to Cross-Site-Scripting, SQL injection, and/or remote code execution by "remote include" directives. Many (if not most) Windows shareware daemons are also vulnerable to simple buffer overflows and format-string bugs. Notify the authors and then write an advisory. After a few of these "easy targets", try breaking some more widely deployed programs.
Write a security tool! I could list some suggestions, but by this point you will have many of your own ideas as to what is needed. Scratch an itch.
I hope this helps. If you want more suggestions, Ask Slashdot. From that story, I found this post particularly insightful, especially the emphasis on "people skills". I don't claim to have any, but understand the value :).
5) Have you ever been tempted to use your gifts... in a negative manner?
by Tim_F
Have you ever hacked into someone else's computer? Have you ever considered it? What would cause you to think of doing this? Would your tools (nmap, etc.) be enough to allow you to do this?
And if you haven't, why is that the case?
Fyodor
I never do script-kiddie style "hack any random vulnerable box on the Internet" cracking. But sometimes I will launch targeted attacks at specific companies. I'll usually start with just a web browser and various search engines to learn everything I can about my target. I need to understand what the company does, who it partners with, and whether it has any corporate siblings, subsidiaries, or parents. Beyond that, posts by individual employees can be a gold mine. Besides providing names and titles for social engineering and brute force password attacks, the IPs in the mail/news routing headers can be very valuable. One of the reasons I run my own mailing list archive is to maintain access to the raw mail folders which contain the routing info and X-no-archive posts that web archives strip out. Another advantage to locating employees is that you can send them trojan executable attachments, which can be a very effective way into the network.
Next I'll gather known IP network information on the companies via DNS, whois, regional registries like ARIN, routing info, Netcraft, etc. Then comes the scanning (I tend to use Nmap), application-probing, vulnerability discovery, and exploitation stages.
Of course, I only do this when the company is paying me to do so. Performing these pen-tests offers several advantages over blackhat activity:
- You don't go to jail (If you've worded your contract carefully.)
- Instead of having to keep your übertechniques secret to avoid prosecution, you get to demonstrate them to management.
- They actually pay you for this! And you are helping to protect them and the privacy of their customers.
Now some people might ask how you gain these skills without practicing on other networks first. Cheap hardware and the evolution of free UNIX operating systems have made this much easier than in the past. See the previous answer for some suggestions. And remember that you can always work together with friends, or participate in hacking contests like Defcon's Capture the Flag.
6) You'll have seen a lot of breakins.
by Hulver
During your time running honeypots, you'll have seen a lot of compromised systems. Is there any incident that's really stuck in your mind because of the audacity of the attempt, or the stupidity of the person attempting the breakin?
Fyodor
On the humorous front, one attacker was running a public webcam during his exploits, so we were able to watch him crack into our boxes in real time :). I will resist the urge to link a screenshot. His rough location was determined when we noticed Mrs. Doubtfire playing on his TV and correlated that with public schedule listings. He was working with a Pakistani group, but was actually on the US East Coast.
On the "disturbing audacity" front, this year we found that a group of crackers had broken into an ecommerce site and actually programmed an automated billing-system-to-IRC gateway. They could obtain or validate credit card numbers by simply querying the channel bot! Expect a more detailed writeup soon.
7) What makes a honey net enticing?
by cornice
It seems that many of the honey nets that the average hobbyist would run are built to attract a lesser cracker. What I mean is that ports are left open that normally would not be left open. Services are running that normally should not, etc. I think that a really smart fish would see this as nothing but a cheap lure and refuse the bait. Do you think it's possible to fool the really smart fish? Is it possible to bait with something enticing enough without tipping off the big fish? Does publication of your work make this task more difficult?
Fyodor
Excellent question, and I had many of the same concerns upon joining the project. Then I remembered that most of the attacks and real-world compromises are committed by these marginally skilled script kiddies. So there is still a lot of value in understanding their tools, tactics, and motives. Despite this apparent limitation, I have been surprised by some of the sophisticated things we have found. For example, the first known "in the wild" attack using the Solaris dtspcd vulnerability was caught by one of our honeynets and resulted in this CERT advisory. Then one of our Honeynet Alliance members had their Win2K honeypot compromised and joined into a botnet with 18,000 machines! Attackers on such a grand scale won't even know all of the companies they have compromised, much less whether any of the systems are honeynets.
I do believe baiting the "smart fish" might be possible, but I have never done this. It is not legally entrapment, as we aren't any sort of police force, but I am not very comfortable with the idea. If someone attacks my box that is just unobtrusively sitting on the network, I believe the attacker should have no expectation of privacy for his activities on the system. Things become more complex if I try to lure the attacker.
8) IPv6
by caluml
Do you think that with the very large address space of IPv6 that random scanning for a certain port will die off? (I notice nmap doesn't support random IPv6 address scanning - maybe you've already come to the same conclusion?) Simply put, the chances of finding a machine if it's not advertised anywhere will be very much reduced. Will this make people lazy and complacent, trusting on the large numbers involved to protect them?
Fyodor
Finding a machine by pinging a completely random 128-bit address will probably never be effective. Fortunately, we won't have to! Nmap does not even do that for 32-bit IPv4 addresses - it is smart enough to skip huge blocks of address space that are unallocated or used for private (RFC1918, localhost) addresses. We will also see patterns emerge for IPv6. For example, they may often be allocated sequentially so that finding one leads to many others. I am waiting until adoption rises and we start seeing these patterns emerge before I can implement them appropriately in Nmap. Certain new DNS features may also prove useful for locating IPv6 machines and networks.
9) standalones and small home nets
by zogger
It seems like most of the emphasis is on enterprise networks, but that still leaves millions and millions of home machines and small home networks just stuck. What do you see as some of the trends and solutions for those people? Their data and system integrity is just as important to them as any corporation's is, and, usually not having the appropriate skill set, it is even harder to implement.
Fyodor
I am afraid the focus by security companies on enterprise networks will continue, as that is where the money is. The good news is that securing small home networks is far easier. But that doesn't make it simple, nor mean that many people will bother. I would categorize the risks into 3 categories:
Traditional network server vulnerabilities: Your average home user doesn't need to run any network daemons or have any TCP/UDP ports open to the Internet. Most of the time they only have 1 IP, used either by a standalone PC or a NAT device (e.g. "broadband router") in front of their small network. This is a good configuration, as it limits what attackers can reach directly. But you need to be sure that the IP doesn't have any unnecessary ports open. You can verify this by running 'netstat' on the Windows or UNIX machine using the IP. I would also recommend confirming using a port scanner such as Nmap. Here are example commands:
nmap -p- -sS -T4 -v -O [your IP]
nmap -p- -sU -v [your IP]
The TCP and UDP scans could be combined into one execution, but are listed separately since the TCP scan may go much faster. Remote UDP scans are also less reliable against some heavily filtered hosts. You may have to rely on the netstat info or configuration details in this case. Any open ports found should be evaluated with extreme prejudice. Unless clearly necessary, close Windows file sharing, external NAT device admin ports, and everything else found.
Don't forget the wireless backdoor! Blocking the Internet link from your private machines is insufficient if anyone can hop on your open WLAN and attack your machines. WEP isn't perfect, but the 104-bit (so-called 128-bit) version should at least keep people from accidentally connecting to your network or sniffing your data. Be sure to set a good password and upgrade to recent firmware for your WAP and other network devices.
Subscribe to the security advisory lists for all the operating systems (and devices, if available) you run. Major vendors such as RedHat, Debian, FreeBSD, Mandrake, and Microsoft all offer these. Most even offer automatic updates if you desire that.
Client vulnerabilities: Once you close the services you don't need (ideally all of them), client vulnerabilities must be addressed. Keeping your web browser and mail reader up-to-date is particularly crucial. Also harden them as much as possible. For example, IE is full of holes but at least has a good interface for site-by-site security policies (Tools -> Internet Options -> Security). Go through and neuter the "Internet zone" settings by disabling ActiveX and Java. In the rare case that sites need this, find an alternative site or add them to the trusted zone. If you are really serious about security, neuter "trusted sites" and "local intranet" privileges as well. Many recent IE vulnerabilities trick the browser into using the wrong zones. Consider using a different browser. Also configure your mailer to disregard HTML and JavaScript.
Remember to pay careful attention to security warnings, whether they come from IE, Mozilla, your ssh client, or anything else. Don't just click OK. And don't shoot yourself in the foot when configuring your apps. It is hard to entirely blame the vendor when users tell P2P apps or Windows filesharing to share their whole drive without any password. Failing to change default passwords or enable basic restrictions on X Window or FTP servers is only slightly more forgivable. All of these errors happen frequently! The apps/devices should be secure by default, but you have the ultimate responsibility for protecting your data.
Malware: This is what I consider the biggest problem on desktops: people running applications they can't trust. Email borne viruses, worms and trojans are an obvious example. Be very careful what you click on. Unfortunately, it is very difficult to know what to trust. Mail is trivial to forge, and even the "proper" installers for many P2P applications infest your computer with loads of invasive spyware. Even Intuit TurboTax was caught writing to customers' boot information track.
What can you do? My honest suggestion is to run peer-reviewed open source applications on a free OS such as Linux or FreeBSD. You still have to be careful, but these problems are far less prevalent on UNIX platforms, which also have better tools and procedures to deal with them.
What if dumping Windows is not an option? Run NT/2K/XP instead of Win9X/ME, and try to run everything you can as an unprivileged (non-administrator) user. Be extraordinarily careful about what you install and run, and make frequent backups. You might also want to look into a personal firewall such as Zone Alarm (limited free version).
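To make the port check in the answer above repeatable, here is an added example (not Fyodor's code and not part of Nmap) that reads Nmap's grepable output (-oG) from the TCP and UDP scans and applies the advice given: flag Windows file sharing and NAT device admin ports for closing, and treat UDP open|filtered results as needing confirmation with netstat. The sample report, the host address and the list of "admin" ports are assumptions made for the example.

```python
"""Audit the open ports reported by an Nmap grepable (-oG) scan of a home IP.

Added example, not Fyodor's code and not part of Nmap. It reads the output of
scans such as "nmap -p- -sS -oG tcp.gnmap <ip>" and "nmap -p- -sU -oG udp.gnmap <ip>",
flags ports the interview says to close (Windows file sharing, NAT device admin
ports) and marks UDP "open|filtered" results as needing confirmation with netstat.
SAMPLE_REPORT below is constructed, not real scan output.
"""
import re
from typing import Dict, Iterator, List, NamedTuple, Tuple

# One -oG port entry: port/state/protocol/owner/service/rpc-info/version/
PORT_RE = re.compile(r"(\d+)/([^/]+)/(tcp|udp)/[^/]*/([^/]*)/")

# Ports a home IP should never expose, with the reason to close them.
# The Windows file sharing ports are standard; the "admin" ports are the ones a
# typical broadband router exposes (an assumption made for this example).
RISKY_PORTS: Dict[Tuple[str, int], str] = {
    ("tcp", 135): "Windows RPC endpoint mapper (file/print sharing)",
    ("tcp", 139): "NetBIOS session service (Windows file sharing)",
    ("tcp", 445): "SMB over TCP (Windows file sharing)",
    ("udp", 137): "NetBIOS name service (Windows file sharing)",
    ("udp", 138): "NetBIOS datagram service (Windows file sharing)",
    ("tcp", 23): "telnet, commonly a NAT device admin interface",
    ("tcp", 80): "HTTP, commonly a NAT device admin interface",
    ("udp", 161): "SNMP, commonly a NAT device management port",
}


class Finding(NamedTuple):
    host: str
    proto: str
    port: int
    state: str
    service: str
    verdict: str


def parse_grepable(report: str) -> Iterator[Tuple[str, str, int, str, str]]:
    """Yield (host, proto, port, state, service) for every port entry in a -oG report."""
    for line in report.splitlines():
        if not line.startswith("Host:"):
            continue
        host = line.split()[1]
        # Fields are tab separated; only "Ports:" fields carry scan results.
        ports_field = next((f for f in line.split("\t") if f.startswith("Ports:")), None)
        if ports_field is None:
            continue
        for entry in ports_field[len("Ports:"):].split(","):
            m = PORT_RE.match(entry.strip())
            if m:
                yield host, m.group(3), int(m.group(1)), m.group(2), m.group(4)


def audit(report: str) -> List[Finding]:
    """Return a verdict for every port that is, or may be, open."""
    findings = []
    for host, proto, port, state, service in parse_grepable(report):
        if "open" not in state:
            continue  # closed or filtered: nothing reachable is listening
        if (proto, port) in RISKY_PORTS:
            verdict = "CLOSE: " + RISKY_PORTS[(proto, port)]
        elif state == "open|filtered":
            # A remote UDP scan cannot tell open from filtered; confirm locally.
            verdict = "VERIFY: UDP result is ambiguous, check netstat on the host"
        else:
            verdict = "EVALUATE: a home IP normally needs no listening ports"
        findings.append(Finding(host, proto, port, state, service, verdict))
    return findings


# Constructed sample: one TCP and one UDP scan of a documentation address.
SAMPLE_REPORT = """\
# Nmap scan (constructed sample for this example, not real output)
Host: 203.0.113.7 ()\tStatus: Up
Host: 203.0.113.7 ()\tPorts: 22/open/tcp//ssh//OpenSSH 3.4p1 (protocol 2.0)/, 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///, 8080/closed/tcp//http-proxy///\tIgnored State: closed (65531)
Host: 203.0.113.7 ()\tPorts: 137/open|filtered/udp//netbios-ns///, 123/open|filtered/udp//ntp///, 53/closed/udp//domain///\tIgnored State: closed (65532)
# Nmap done
"""

if __name__ == "__main__":
    for f in audit(SAMPLE_REPORT):
        print(f"{f.host} {f.port}/{f.proto} {f.state:<13} {f.service:<12} {f.verdict}")
```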
10) What is your favourite tool?
by Noryungi
I have just read your top 75 security tools list. Thank you for posting all this information, which I am going to study very carefully.
One question though: in all these tools, which one is your personal favourite? (This excludes Nmap, of course).
Fyodor
I have far too many favorites among this great group to choose just one! But here are a few developers and tools that are particularly worthy of mention:
One of the people I most admire in the security field is Solar Designer. He is a guru in networking, security, and low level kernel/assembly/architecture details. He has also created many tools that security professionals use daily. Yet he never exhibits the arrogance, elitism, and egotism that sadly characterizes so many "stars" of the security community.
Among SD's tools is John the Ripper, my longtime favorite local password hash cracker. It has been around forever, but was written with a flexible and powerful interface while keeping extensibility in mind. So it is still as useful in these days of shadowed password files and MD5/Blowfish hashes as it was back in the days of crypt() and unprotected /etc/passwd. Lately SD has been working on the Owl secure GNU/Linux distribution, which can be installed on disk for hardened systems like firewalls, or booted and run from CD as an easy way to run security tools such as John and Nmap.
Another of those "brilliant yet still nice" security developers is Dug Song. Even after the seminal "Insertion, Evasion, and Denial of Service" paper by Ptacek and Newsham, many IDS vendors continued to ignore the problem. When Dug released Fragrouter (now fragroute), which implements some of these attacks, vendors finally took notice! He has also written the excellent libdnet library, but my favorite of his tools is DSniff, a suite of tools for advanced network sniffing and "monkey-in-the-middle" attacks. It even handles ARP poisoning and other techniques for sniffing hosts on a switched LAN.
While I'm on this topic, let me also give "mad props" to the Hping2 packet prober, Kismet wireless stumbler, Ethereal packet decoder, Netcat, recent THC releases, Snort IDS, the Nessus vulnerability scanner, and all the other great Open Source tools out there!
I would also like to thank Slashdot for granting me this interview and to everyone who asked such excellent questions. I only wish I had time to answer more of them. Then again, I have probably rambled on enough. Now it is your turn to ramble in the comments :).
Cheers,
Fyodor -
What Makes an Open Source Project Successful?
crowston asks: "There have been a number of discussions on Slashdot and elsewhere about how good projects work (e.g., Talk To a Successful Free Software Project Leader), but less about how to tell if things are going well in the first place. While this may seem obvious, most traditional definitions of software project success seem inapplicable (e.g., profit) or nearly impossible to measure for most projects (e.g., market share, user satisfaction, organizational impact). In an organizational setting, developers can get feedback from their customers, the marketplace, managers, etc.; if you're Apache, you can look at Netcraft's survey of server usage; but what can the rest do? Is it enough that you're happy with the code? I suspect that the release-early-and-often philosophy plays an important role here. I'm asking not to pick winners and losers (i.e., NOT a ranking of projects), but to understand what developers look at to know when things are going well and when they're not." -
Ellison: Linux Will Soon Decimate MS Windows
cioxx writes "Speaking to a few hundred ISVs at an Oracle-sponsored event in New York, Larry Ellison made a bold prediction, also covered in InfoWorld, stating: "(Microsoft has) already been killed by one open-source product. Slaughtered, wiped out, taken from market dominance to irrelevance [...]", referring to Apache's displacement of MS IIS server. He continues on with a claim that the battle for datacenter dominance is looming with a clear advantage on the side of Open-Source platforms, and the desktop would follow once StarOffice becomes completely "usable" to compete with MS Office. "And it's going to happen to them again on Linux." Newsforge also has a related article on Oracle's ongoing Linux efforts. -
Linux Worm Spreading, Many Systems Vulnerable
sverrehu writes "A GNU/Linux worm exploiting a bug in OpenSSL spreads through vulnerable Apache web servers, according to Symantec. The worm, which was first reported in Europe, targets several popular Linux distributions. See also the SecurityFocus vulnerability listing for the OpenSSL bug." sionide also writes: "Netcraft recently published a report which explains that a large portion of Apache systems are still unpatched (halfway down). To protect yourself please upgrade to OpenSSL 0.9.6g." -
August Netcraft Results - Apache up 6%, MS IIS down 6%
An Onimous Cow Herd writes "August's Netcraft Web survey results are now out. This month's results show a dramatic upsurge of nearly 6% for Apache and a corresponding drop for MS IIS! At this point, Apache's decline has dramatically reversed, regaining the ground it lost to IIS starting mid-2001, and currently Apache's market share stands at the highest since Netcraft started their monthly surveys." -
June Netcraft Survey
Andy Cheung writes "http://www.netcraft.com/survey/ The Netcraft Web Server Survey for June is out. Apache market share rises 3.46%; MS down -2.72". Scroll down past the graph on servers and check out the information on current exploits. It makes you wonder why "immediate death of the internet" has not happened. -
Apache Jumps In Market Share
mshiltonj writes "In case no one has noticed, the latest Netcraft web server survey showed a marked shift in market share in just one month. Apache gained 2.63% and IIS fell 2.06%. However, the previous month showed an even larger change in Microsoft's favor, so Apache is (quickly) making up for lost ground, as discussed before. Was this turnaround due to the release of Apache 2.0? Sadly, in the last 12 months, Apache's market share has noticeably eroded, while IIS has gradually gained ground." -
Microsoft/Unisys Unix-bashing Site Runs FreeBSD
Several people sent in variations on this: "Kind of ironic to see that the site, dubbed WeHaveTheWayOut from Microsoft and Unisys, runs on an Apache Web server powered by FreeBSD. This could have made a great April Fools joke; unfortunately for Microsoft, you can verify it by using Netcraft." This is a follow-up to the original story a few days ago. Other readers noted that there's already a WeHaveTheWayIn site up. Wehavethewayout.com was returning Apache headers yesterday; today it's returning "Server: Microsoft-IIS/5.0", so it appears they've dumped FreeBSD in a hurry, or maybe just changed the headers. -
March Netcraft survey
awptic writes "The March Netcraft survey is out. Among the changes is a 4% increase in the number of websites running IIS, primarily due, however, to register.com's domain name parking service switching to mostly IIS servers, which account for over 2 million of the 38 million sites surveyed. Ironically, a large number of the websites were defaced shortly thereafter." -
Is Domain Speculation Bust?
The latest Netcraft survey is more interesting than usual, because it reports a drop in the total number of registered domain names, as well as a decreasing number of sites reachable overall by the survey. It's been a traumatic year in the tech world, but the drop in domain names goes back to domain name buy-ups of 1999 (and looks like it will accelerate the same way domain speculation did in 2000). All is not gloom, though, and the number of registered domain names is not the same as the number of active sites. The Netcraft site points out that "as domains bought for speculative reasons are abandoned, we can expect a higher proportion of sites to be active." Read the rest of the survey report for more interesting information on the state of the domain world. -
Slashback: Highness, Hominess, Hole-ines
Slashback tonight with updates on SSH vulnerabilities, the Queen's web server, the European answer to GPS (in danger, it seems) and your ever-thinner rights to use software for anything you don't have specific permission for. Sometimes being British means self-flagellation. Ferox writes: "The November Web Site Survey from Netcraft reveals something interesting: 'Two years ago the Queen of England became an unlikely icon for the Linux revolution when her webmaster replaced Solaris as the platform for the Royal Family's site, citing the better price/performance of the Dell/Linux platform over the previous incumbent, Sun/Solaris. The open source community celebrated and speculated on when the Apache web server might receive the "By Royal Appointment" moniker. This week the site has changed platforms again, this time to Microsoft-IIS.'"
Keep your hands and passwords inside the car at all times. Niels Provos passed along word of his ongoing research into network security, with some slightly depressing news about the state of Internet security.
Even though the CRC32 bug has been found over a year ago, over 30% of all servers are still vulnerable today. Graph at http://www.citi.umich.edu/u/provos/ssh/crc32.png.
In February 2001, Razor Bindview released their "Remote vulnerability in SSH daemon crc32 compensation attack detector" advisory, which outlined a gaping hole in deployed SSH servers that can lead to a remote attacker gaining privileged access.
In November 2001, Dave Dittrich published a detailed analysis of the "CRC32 compensation attack detector exploit." This exploit is currently widely in use. CERT released Incident Note IN-2001-12.
At the Center for Information Technology Integration, Niels Provos and Peter Honeyman have been scanning the University of Michigan for vulnerable SSH server software to identify and update vulnerable SSH servers. However, scans of the Internet show that system and security administrators must react and update their SSH servers. At this writing, over 30% of all SSH servers appear to have the CRC32 bug.
A simple solution is to remove support for Version One of the SSH protocol. The majority of servers on the Internet support the SSH v2 protocol. To test whether your network has vulnerable SSH servers, you might use the ScanSSH tool.
References: "ScanSSH - Scanning the Internet for SSH Servers", Niels Provos and Peter Honeyman, 16th USENIX Systems Administration Conference (LISA). San Diego, CA, December 2001. This information is also available at http://www.citi.umich.edu/u/provos/ssh/
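The remedy above is to stop accepting protocol 1, and the first thing a server sends tells you whether it still does. Here is an added example (not ScanSSH and not code by Provos or Honeyman) that classifies SSH identification banners by protocol-version support and groups your own hosts by the action needed; the banner strings and host addresses are constructed for the example.

```python
"""Classify SSH server identification banners by protocol-version support.

Added example; not ScanSSH and not code by Provos or Honeyman. An SSH server's
first line is "SSH-<protoversion>-<softwareversion> [comments]": protoversion
1.5 (or 1.3) means protocol 1 only, 1.99 means both 1 and 2 are accepted, and
2.0 means protocol 2 only. The fix described above is to drop protocol 1, so the
report lists every server that still accepts it. SAMPLE_BANNERS is constructed.
"""
import re
import socket
from typing import Dict, List, NamedTuple, Optional

BANNER_RE = re.compile(r"^SSH-(\d+\.\d+)-(\S+)(?:[ \t]+(.*?))?\r?\n?$")


class SshIdent(NamedTuple):
    host: str
    protoversion: str
    software: str
    comments: str
    accepts_v1: bool


def parse_banner(host: str, banner: str) -> Optional[SshIdent]:
    """Parse one identification line; return None if it is not an SSH banner."""
    m = BANNER_RE.match(banner)
    if not m:
        return None
    pv = m.group(1)
    return SshIdent(host, pv, m.group(2), m.group(3) or "", pv in ("1.3", "1.5", "1.99"))


def classify(ident: SshIdent) -> str:
    """Return the action for a server: reconfigure, upgrade, or nothing."""
    if ident.protoversion == "1.99":
        # Both protocols offered; on OpenSSH this is "Protocol 2" in sshd_config.
        return "disable protocol 1 (server also speaks SSH-2)"
    if ident.accepts_v1:
        return "upgrade: protocol 1 only, cannot simply disable v1"
    return "ok: protocol 2 only"


def fetch_banner(host: str, port: int = 22, timeout: float = 5.0) -> Optional[str]:
    """Read the identification line from one of your own servers (not used offline)."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            data = b""
            while b"\n" not in data and len(data) < 255:
                chunk = s.recv(64)
                if not chunk:
                    break
                data += chunk
        return data.decode("ascii", "replace")
    except OSError:
        return None


def report(banners: Dict[str, str]) -> Dict[str, List[str]]:
    """Group hosts by required action; banners that are not SSH go under 'unparsed'."""
    out: Dict[str, List[str]] = {}
    for host, banner in banners.items():
        ident = parse_banner(host, banner)
        key = classify(ident) if ident else "unparsed"
        out.setdefault(key, []).append(host)
    return out


# Constructed sample banners; hosts are RFC 5737 documentation addresses.
SAMPLE_BANNERS = {
    "192.0.2.10": "SSH-1.5-1.2.27\n",
    "192.0.2.11": "SSH-1.99-OpenSSH_2.9p2\n",
    "192.0.2.12": "SSH-2.0-OpenSSH_3.4p1\n",
    "192.0.2.13": "SSH-1.99-2.4.0 SSH Secure Shell (non-commercial)\n",
    "192.0.2.14": "220 mail.example.com ESMTP\r\n",
}

if __name__ == "__main__":
    for action, hosts in report(SAMPLE_BANNERS).items():
        print(f"{action}: {', '.join(hosts)}")
```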
Don't play with your food, or your games. janolder writes "In the matter of the Civilization III translation project (articles on slashdot, apolyton and heise), the fans have gotten the short end of the stick. The project web site (translation.civ3.de) has been down for a while. Earlier this week, both the web site operator and Kai Fiebach, the project leader, signed Infogrames' cease and desists out of fear of further legal action. The legal position (not to mention the moral position) of the fans did not appear to be too weak - EULAs are not binding in Germany and supplying patches to a program is certainly not the same as translating a book and distributing the translated manuscript.
Infogrames Germany has issued another press release (translation and my comments) justifying their legal action and position. It makes for an interesting peek into the mindset of a game publisher.
The good news is that Infogrames is considering a more timely release of Civilization III in Germany.
The bad news is that the cease and desists apparently forbid any modification of Civ3 in any way, shape or form. So no more custom maps for your friends, custom rules or any such copyright infringing activity, please! Is it just me, or has the world suddenly become a less interesting place?"
Not as if Americans always know where we are, either. ByTor-2112 writes "Hate to be the bearer of bad news so soon after a story is posted, but as I commented on the previous story, it appears that Galileo has some funding issues. Honestly, did anyone really expect the EU to go through with it? It took them long enough to agree on a common currency!"
-
Slashback: Drives, Errors, Copyright
Slashback brings you updates tonight on book reviews past, intentionally defective CDs, failing disk drives, and joining the HURD. Enjoy! Spin control for some IBM drives? If you are one of the people who have the same results with IBM 75GXP hard drives that Sean Kelly did when he posed a recent Ask Slashdot, you may be interested in this report from legLess, who writes: "Pair Networks is swapping out every IBM 75GXP hard drive they have "[b]ased on an amazingly high failure rate." Pair is a big host: 114,000 sites all running on FreeBSD 4.1.1, including cdrom.com and Tom's Hardware. "We currently use and recommend Maxtor drives" they say. Big black eye for IBM."
GNU isn't Linux, either. Amid the stream of recent and upcoming software releases (Suse 7.3, Red Hat 7.2, Qt 3.0), it's sometimes easy for projects with smaller followings or more esoteric goals to get lost. BorrisYeltsin writes: "The Debian HURD iso images are now available from your local ftp.gnu.org mirror. There are 3 iso's available, so get downloading now!" (And read through the recent months' on the HURD Kernel Cousin too.)
Update: 10/16 14:20 GMT by T : Please note that the GNU Project maintains a list of ftp mirrors -- look for one local to you for best results all around :)
Placing warning signs along the road to consumerism brigc writes: "Good interview in the Chronicle of Higher Education with Jessica Litman about changes in the copyright arena since the publication of her book.
For those who were asleep, Litman's book 'Digital Copyright' does a good job of discussing why the copyright process got handed over to the industry and Congress has failed to protect the rights of the public."
Litman's book got a rave review from Michael a few months back; I suggest you check it out, and better yet ask your local library to put it up on display. Libraries have a strong vested interest in not ceding all control to copyright holders forever and ever amen.
It might pay to have a big fat mouth and ask for a refund on defective merchandise, too. anonicon writes: "Here's a heads up to the web site I'm running at http://www.fatchucks.com. I've started both a Corrupt CDs list for people who wish to report 'copy-protected' CDs or find out which ones they are, and an Indie Rec for people who want to recommend independent artists to the public. Thank you."
-
Netcraft Survey Updated
The latest survey is out and ready for reading from Netcraft. There's some interesting commentary in regards to Code Red, and its effects on web usage. One of the things that I found most interesting was the data showing that while the number of sites hosted by Apache continues to grow, the number of physical webservers running some variety of Windows is about half of the total. Worth checking out. -
Will Open Source Lose the Battle for the Web?
snotty writes "A well written article by Ganesh Prasad over at linuxtoday arguing that the shift towards web services has reduced the attractiveness of the current generation of Open Source web products. He talks about the market share decrease in Apache. Also mentions how .NET, Microsoft, Sun, Java, and Open Source Software fit into the picture." I think that the decrease in Apache's share is a red herring, but the bigger picture of web services is a troubling one. -
Continuing Security Concerns at DoubleClick
In 1999, DoubleClick bought the Abacus database, which got them a ton of data about our personal buying habits. They've promised not to correlate it with their banner-ad database, but that's not the concern this week. This week, the concern is their network security. Last week Thursday, the French site Kitetoa discovered three separate security issues on DoubleClick's network; the company deleted the evidence of one immediately, but left the servers up until Monday, when they mostly closed the other two. There are numerous other issues but the question on everyone's mind should be, how long and how far has DoubleClick been penetrated? And how long can we expect it to continue? As I write, I'm aware of two security holes in their network, which is an improvement over last night, when the number was three. Unfortunately, this does not mean they are now 33% more secure. I don't have the background to be sure exactly how significant the remaining problems are, but I'll share what I know.
Unfortunately, DoubleClick's Chief Privacy Officer was not available by press time to respond to questions. We have offered the company a chance to respond, and we hope they'll take that opportunity to clear up some questions. Meanwhile, here's their official statement on the matter as of today:
"Over the last week there have been unsuccessful attempts made to hack into DoubleClick's servers. Those situations were immediately corrected," said Jules Polonetsky, Chief Privacy Officer, DoubleClick. "DoubleClick is now undergoing a comprehensive security audit, including the expertise of external security professionals and engineers, to fully ensure the continued integrity of our servers."
Now here's the history of DoubleClick security since last week, as far as I can tell.
Kitetoa ("KITE-a-toe-a") is a group of white-hat hackers who publish together under that pseudonym. They broke the news on their website simultaneously with transfert.net, and spoke with someone at DoubleClick to make sure the company knew to patch the holes. (I left several messages to this same contact, but he did not return my calls.) They continue to update their site with more DoubleClick security news.
The first IIS vulnerability is the commonly-known unicode bug, which lets you read and write files with the same permissions as the webserver, typically "IUSR."
Using this vulnerability, Kitetoa discovered the second security issue, which is that someone else had compromised the DoubleClick corporate webserver at some time in the past. The file eeyehack.exe was left on www.doubleclick.net. This is a backdoor written by the white-hat hackers at eEye, which opens port 6969 for attackers to telnet in. DoubleClick assures us that eeyehack.exe could never have been executed, because that directory had script access disabled.
But I spoke with Marc Maiffret, Chief Hacking Officer of eEye (the people who brought you this port of nmap to Windows NT, by the way). He points out that the same backdoor could have been copied elsewhere, too, possibly into directories that allowed execution. I've asked DoubleClick whether they checked this; no answer at press time.
It's a separate question whether a cracker could have gotten SYSTEM level access through some other hole. With just IUSR level access, probably not much could have been done. There's no evidence that higher-level access was obtained ... but absence of evidence is not evidence of absence.
What concerns many people is that the eeyehack.exe file that was visible had a modification date of 1999. We know this date is not accurate, because the exploit that writes that file did not exist until last November. But that odd date does raise questions about how long DoubleClick's network has had these vulnerabilities.
The nightmare hypothetical is that a cracker has had access to DoubleClick's networks for the last couple of months or years, and has been reading the data they have been collecting about banner ad clicks. Or, worse, has had access to the Abacus database. Let me emphasize that I know of zero evidence that this has actually happened. But the potential for enormous privacy violations, with this company more than almost any other, is very serious.
DoubleClick assures me there is a good reason for the 1999 date on the backdoor program, but my question about it goes unanswered at press time.
The third hole is almost exactly one year old, and it allows ASP source code to be read. This alarms people because the server named AbacusOnline.DoubleClick.net was shown to be vulnerable. I verified this myself and learned the SQL passwords that go with two usernames, "gcolon" and "aowebuser."
Asked to estimate whether a determined cracker could have made use of those SQL passwords, Kitetoa guessed it was "85% certain" - for whatever that's worth.
Not that SQL should have been stored in the ASP code anyway. Marc Maiffret comments, "One of the better ways to secure SQL login information, within an ASP file, would be to store all of the login information and functionality within a COM object. This is not a silver bullet solution but it does provide you with much better security than storing things in plain text in a .asp file."
Was that database accessible from outside DoubleClick's network? Not that I could tell, but I didn't try very hard. What data was in that database? Considering the wealth of data that Abacus has collected on our purchasing habits, we might justifiably be concerned about a machine named "AbacusDirect."
Again, DoubleClick denies that this is a problem, saying it was a programmer's machine which "was not connected to consumer or production data in any way." We have to trust them on that.
That's what was known as of Monday, and you may have seen that in the MSNBC story, InternetNews story, or the ZDNet story.
But the problems continue. Kitetoa has continued scanning DoubleClick's networks, and continues to turn up vulnerable servers. A half-dozen servers of unknown significance are still Unicode-able. And - let me check - yes, I can still read ASP source code on travel.doubleclick.net.
As well as www.doubleclick.net. The company said Monday that the holes had been fixed on that, their main corporate website. But as of five minutes ago, I was still able to read ASP source code on that server using the year-old exploit. (I did not see any more SQL passwords, for whatever that's worth.)
DoubleClick's Chief Privacy Officer Jules Polonetsky claimed on Monday that "Even a partial breach of a noncritical server is unusual," a claim which looks more dubious every day.
Maybe none of these servers has any valuable data on them. But to a serious cracker, breaking into them could easily have provided the necessary opportunity to reach further into DoubleClick's systems. Being inside the firewall, setting up trojans, sniffing network traffic from other machines - these are all reasons why unauthorized access of any machine must be taken very seriously.
And there's more. A security writer from transfert.net - a sort of French "Wired" - was able to snoop around one of DoubleClick's internal mail systems, webmail.doubleclick.net. It's fixed today, but he sent me a partial list of employees whose mail files were in a directory. (He could not read the mail itself, and DoubleClick denies that mail could have been, at any point, read.)
Here's the big picture. Where long-term security is concerned, process is always more important than the individual problems. We can learn more about DoubleClick's security by observing their response to security reports.
I would have hoped to see servers taken down. As Kitetoa remarked to me, "I think they should have closed all the servers for an hour or two while they fixed the problem." Or, if necessary, longer. Tough decision, but better than possibly exposing data.
I would have hoped that DoubleClick would not announce to the media that everything was fine until they actually knew that this was true. At this point, we have to trust them when they say that attackers could not have seriously compromised their data.
And I would have hoped that they would start tackling problems sooner than they did. Vulnerabilities about which they were informed last Thursday were not fixed until Monday. (The vulnerabilities themselves, of course, are not new, and some of them are a year old.)
And more vulnerabilities continue to crop up. Paranos (based in Paris) found one just by using search engines. The funny thing they found was a database of DoubleClick employees in the U.K. who attended last year's Christmas party.
Less funny is the list of people Paranos found who apparently filled out a form in conjunction with FoodTV, the "Outfit Your Kitchen Sweepstakes."
It took about two hours after I notified their PR contact of the URL before it was removed. It was stored in what appears to be a directory of backup data which was never intended to be public: http://www2.doubleclick.net/live2/chefs/ foodtv-bak/form/chefs.txt.
This isn't a vulnerability, but it is indicative of the company's security process. DoubleClick should have policies in place to prohibit posting backup data on public websites; it should enforce those policies; and when it was done anyway, it should have found the leak by internal audit.
This promotion ran in 1999. Remember, kids, data you give to corporations never goes away, and may pop back up at any time!
I picked one of the phone numbers for my state and gave it a call. Kathy Bankes, the wife of one of the people on the list, answered the phone. She said she was "very leery with the computer," and then proceeded to give me a common-sense understanding of the state of security on the internet.
"They say things are supposed to be secure," she said, "but I don't care how secure anything is - if somebody knows how to get in, they're going to get in if they have the technology."
"Should we worry about it or not?" she asks. I would say yes, especially when the company that owns an enormous customer purchasing database has problem after problem with its security. Maybe I'm naive to think that privacy promises mean anything in the real world, or that crackers can be fended off by a big corporation.
When I'd expressed my surprise at all this to Kitetoa, he'd just chuckled and said, "You'd be surprised what you can find on the internet. It's all like this."
Kathy, too, was pretty sure that there were people who have all this private information anyway. She very sensibly pointed out that credit card and other personal data can be stolen in the real world just as easily as the internet.
And she answered her own question for me: "There's really nothing you can do. I don't feel secure anyways."
-
More Detailed Apache Usage Report
Digimax writes "A sometimes more interesting read than the netcraft survey is the one carried out monthly by Security Space. It has a breakdown of apache module usage as well as some other interesting stats that the Netcraft survey does not produce." -
Netcraft December Released
Well, the battle between Apache and IIS continues with Apache gaining ground this month - but a pretty small amount of gain. What I found most interesting was the Linux distribution discussion and the possible implications that will have in the long run. There's also some interesting discussion about the walmart.com domain, which has been submitted before. -
Netcraft Results Out
The fine folks at Netcraft have released this month's survey results. Notable figures - our uptime has seen "pronounced improvement", according to the results (true), Microsoft saw their biggest single month increase - but the reasons behind that and other host de/increases are more detailed. -
Linux And Windows, Neck-And-Neck In Web Serving
Maktoo writes: "Just checked out the latest Netcraft survey and it has a very interesting new feature breaking out the differences between "Total Web sites hosted" and total *active* Web sites. The pie charts are about 3/4 the way down the page. They show that in total sites, Linux and MS have 35% and 21% marketshare respectively... but when it comes to actual active sites, that gap shrinks to 29.9% and 28.3% respectively. Netcraft have figured out a way to try to eliminate the millions of place holder pages out there that aren't actually serving content, thus not really Web sites. Apache's marketshare also shrinks a little, but it's still an impressive 59%. It's an interesting read." -
BSD And Politics
qbasicprogrammer writes: "At Daily Daemon News, Josh Pennell says the Reform Party's National Primary Online Election was constantly under attack during the 72-hour election window, however IOActive (the Reform Party's hosting service)'s OpenBSD server kept the kiddies and crackers away. According to the reader comments, Ralph Nader is using BSD/OS, as is the Libertarian Party Web site. It's nice to see political parties believe in freedom of software." -
Hotmail about to collapse under load
An AC submitted this interesting tidbit from those folks over at NetCraft. To quote from the page: "HotMail has commenced its much awaited migration to a Microsoft operating system. Some Windows 2000 machines have recently been moved into the load balancing pool, with currently between 90-95% of requests being served by the established FreeBSD/Apache platform, and 5-10% from Windows 2000." This is not the first time MS are believed to have attempted this (but I'd appreciate hard evidence confirming that, instead of the more normal rumours and whispers). -
July Netcraft Survey Shows Apache Still Gaining
The July Netcraft Survey shows that, of the big 3 web servers (Apache, Microsoft and iPlanet), Apache posted the largest percentage gain, with an increase of 0.28%. Weblogic was the only one that posted a larger increase, mostly due to the fast growing NameZero hosting service located at Exodus. -
Apache Now Serves 10 Million Web Sites
denisbergeron writes: "According to Netcraft, 10,704,306 Web site[s were] running Apache in June. That represents 62.53% of all the Web sites in the world. It's an augmentation of 1,609,166 or 2.09%. " The graph is pretty cute, too.