Domain: rootshell.com
Stories and comments across the archive that link to rootshell.com.
Comments · 24
-
Childish attacks unnecessary
I'd expected more mature responses to MSFT being hacked than childish attacks either blaming NT like the above post or claiming that MSFT being hacked is good for Open Source like others I've seen. Frankly *nix and Windows are roughly equivalent in default security (except for OpenBSD) and only through the machinations of a good sys admin is either OS properly secured.
For those that believe *nix is somehow more inherently secure than Windows here are a few sources that may refute that claim. The major security issues in Windows are Outlook (disable preview pane, be careful with attachments) and Internet Explorer (disable Javascript). Doing that and using a firewall like ZoneAlarm is most of the securing that a typical Windows box needs. On the other hand due to the use of insecure C libraries (str* functions, *scanf functions, etc) most of the services that are enabled by default in a typical Linux install are insecure (especially RedHat, the primary consumer Linux OS in the U.S.). Take a quick look at security sites like Attrition.org, CERT, SANS, rootshell, SecurityFocus, etc and check the results. Defacements of Linux sites have been rising at a steady rate and now there are more defacements of Linux sites than NT sites. CERT regularly has more Linux and Unix security advisories than for Windows. The SANS (System Administration, Networking, and Security) Institute top ten list of security holes has more entries for *nix than Windows. A quick search of the terms "linux" and "windows" on Rootshell's search engine comes up with 84 downloadable exploits for Linux versus 39 for Windows.
The above post is not intended to be flamebait (I run Win2K but plan to reinstall Linux on my second machine so I am a Linux user) but as a counterpoint to the above post which was rated +5 when I replied to it.
Second Law of Blissful Ignorance -
The previous hack - archived
While I'm sure it really sucked for cmd Taco, I thought the front page of the previous /. hack was kinda clever... It's archived here.
---
-
Marketing Applied Operating Systems Truthfully
Clearly, I don't need to expound greatly on Mr. Moody's article. I wouldn't bother at all had it not crossed my field of view on the MySQL Users Group. By concluding that, based on one distribution of Linux and ignoring other more security-conscious versions of Linux, and by accentuating a number pertinent to one defect measurement of an OS, and concluding that characteristic to designate the OS as "...arguably the worst operating-system product in history...", can't be interpreted as anything more than a marketing statement. I'm actually encouraged by the article, since it alludes to the growing fear Micro$oft is beginning to demonstrate. They market. That's what they're good at. Moody's a spokesperson, of sorts. He's doing his job. His remarks hint at his qualifications to do this well. Many pointy hairs will buy it. Many profit-minded business people will weigh it along with all other marketing propaganda and qualified intel on how to choose their servers for making money over the next decade++.
That aside, I'll agree the vulnerabilities in Linux are more visible than in the past due to deployments, but most of us who've been doing it for several years have enjoyed some key features that have helped us make this Operating System and its applications the treasure to administer that it is today and has been for quite some time:
- Built-In Firewall
- Great Documentation for the Responsible Administrator (as contrasted by The Micro$oft Knowledgebase)
- Timely Security Updates from our Vendors and our Enemies to help us patch things quickly
- Source Code;
...that's 2 different links, people...
The list goes on. This is why I have 40 different servers out there in the wild supporting several thousand end-users in education, business, and, of course, entertainment.
I'm chalking this one up to a victory. I suggest all others do the same and keep at it. I still believe this is the greatest Operating System that ever existed. And, I do love my AIX and other UNIXes. But, there's really one word that makes the difference: free >:).
Linux rocks!!! www.dedserius.com
-
Farewell...
I don't like to see SCO's end.
I used to work with their Unix some years ago and I have to admit that, despite its relative lack of user friendship(*), it was doing its job fairly well.
(*I mean the lack of tools, not the lack of configurability which was definitively approaching most other Unixes on the market)
For example, you should take a look to RootShell.com, you'll then see that there weren't that many exploits against these servers. Whenever we felt like installing some Unix software, a single recompilation of the Linux sources was usually enough (ah... PHP/FI in 1996 :-).
SCO was also a sequel to Xenix.
You could say whatever against Xenix but it was IIRP the first Unix ported to 68000/8086. At these times, this sounded like a miracle.
You could also argue about Microsoft's ownership... Well, even though most of us agree on some of their products, we also have to admit that they finally helped a lot and maybe even Linux would not have come on PC if it had not had this inspiration.
Finally, I also have a cultural issue about this: Unix was originally meant to be a standard, not only a single OS. Losing one of its flavours might not sound that nice according to this point of view.
-- -
Re:The web isn't Unix, guys
(biting the troll really really hard)
I know that "geeks" tend to prefer the old-fashioned, command-line way of doing things...
No, I prefer the best way. I think icons are worthless... what did MS think we have extensions for? Would you prefer a CLI or GUI for mass changing of file attributes? Would you prefer a GUI or a CLI for running a program with a gazillion options?
I've got netscape, real player, and all the latest plugins. And I think it's a lot better than Lynx!
And I don't. End of discussion.
Would you rather have a dynamic multimedia experience, or use a web browser that has trouble rendering tables?
Large discussions are bad enough in vanilla. Why would I want Flashdot?
I hear it can't even do JavaScript
Yup. No Hotmail security holes that way.
Do you not like images or something?
Actually, no. Nobody except the /. icon designers can keep them small enough to load before I've read the rest of the page.
Or are you one of those "let's take the Internet back to 1992" people?
I have no idea what the INet looked like then; but I give it a resounding, "YES!" because there were probably fewer ads. Also, I should point out that the GIF file format is 87a and 89a; and that Unisys got pissy about them ~1995 (so I've heard.) So you can have images in 1992; just try to make them PNGs this time :)
...make everything into bland text.
So /. is bland?
Eagerly awaiting Slashdot's new Gopher server
"With the coming of the graphical Web, however, Gopher sites have gone the way of the dinosaurs." (from here) Error: logically inconsistent with the previous three statements.
-- LoonXTall -
Re:Not quite fair
A sizable segment of blame goes to the authors of the finger and sendmail daemons that the Worm used to thrive and propagate. Their careless programming caused the environment, and they should have been able to recognize the danger well before RTM started to code.
Especially since Robert Morris wrote a paper on the subject in 1985, two years before the worm attack. A Weakness in the 4.2BSD Unix TCP/IP Software
Of course, that's about the rsh and rexec exploits, but fingerd was already known to be buggy and a program like sendmail (which by its nature gives at least limited file access to your server by outside, untrusted hosts) is tricky to secure, and was also known to be imperfect.
-
rootshell.com?
Does it really matter whether a site was hacked, or whether the site was major? The possibility to hack a site certainly existed.
Anyway, rootshell.com may have been hacked because of an SSH overflow. They've never stated it publicly (don't they believe in full disclosure?), but they clearly implied it and ranted about how SSH Communications lied about this attack.
-----------------------
[10/28/98 8:44AM PDT -- Rootshell Defaced]
On Wed Oct 28th at 5:12AM PST the main Rootshell page was defaced by a group of crackers. Rootshell was first informed of this incident at 6:00 AM PST and the site was immediately brought offline. The site was back up and operational by 8:00AM PST. We are still in the process of investigating the exact methods that were used. The paranoid MAY want to disable ssh 1.2.26. Rootshell runs Linux 2.0.35, ssh 1.2.26, qmail 1.03, Apache 1.3.3 and nothing else. The attackers used further filesystem corruption to make it harder to remove the damaged HTML files.
More information about SSH may be found at http://www.ssh.fi/sshprotocols2/index.html
rootshell.com - Archive of defaced site.
rootshell.com - Security bulletin #25
----------------------
[11/2/98 8:07AM PST -- IBM ERS responds to Rootshell Security Bulletin #25]
The following was received this morning by Rootshell. IBM maintains that distributing their advisory was irresponsible as no proof of an actual exploit has been found. We maintain that information of a POSSIBLE exploit is still doing a service to our readers and will continue to make information such as this available. This is one of the differences between a service like ERS and Rootshell. Rootshell comments are enclosed in []'s.
Since you irresponsibly distributed a draft of our advisory to further your own agenda, perhaps you will now responsibly distribute the following. A simple telephone call from you before you issued this could have saved us all a lot of hassle.
[ Apparently you do not believe in full disclosure then. ]
--Dave
On Friday, Oct. 30th, IBM-ERS sent out a draft advisory to be released on Monday, Nov. 2nd that described a buffer overflow condition in Version 1.2.x "sshd." This draft was sent to the Forum of Incident Response and Security Teams, and also to the "ssh-bugs" list for their comment/review. The draft was identified as ERS-SVA-E01-1998:005.1.
Rootshell has unfortunately chosen to include a copy of this draft advisory in their recent newsletter, apparently for the purposes of defending itself against charges that it was unfairly disparaging "sshd." Use of IBM-ERS's draft advisory in this manner was not approved or authorized by IBM-ERS, and does a disservice to all.
[ Making the facts known to the public is hardly a disservice. To quote your own advisory. "The material in this security alert may be reproduced and distributed, without permission, in whole or in part, by other security incident response teams (both commercial and non-commercial), provided the above copyright is kept intact and due credit is given to IBM-ERS." ]
Here are the facts about this advisory:
1. IBM-ERS advisory ERS-SVA-E01-1998:005.1 was never issued publicly by IBM.
[ Neither was the Rootshell advisory by your standards. The Rootshell advisory was sent to a private collection of 26,000+ members of the security profession. ]
2. In response to a telephone query from Kit Knox of Rootshell, IBM-ERS attempted to contact Kit on Friday evening, and was unable to reach him. Specific contact information for IBM-ERS, as well as a brief status update, were left on Mr. Knox's voice mail. Mr. Knox never contacted IBM-ERS after that time.
[ Note: Not a single e-mail was received. We live in the digital age folks. My PGP key is also in the key servers if security was a concern. Or don't you trust PGP? ]
3. IBM has been working closely with Tatu Ylonen, author of "ssh," to make sure that the potential vulnerability described in the advisory is not exploitable. Upon further investigation, the problem originally described appears to have been influenced by outside factors and does not appear to be an exploitable problem in "sshd."
[ Rootshell NEVER has made any claims of an actual exploit. ]
4. IBM-ERS advisory ERS-SVA-E01-1998:005.1 was CANCELLED on the morning of Sunday, Nov. 1st, *before* Mr. Knox issued his newsletter.
[ Cancelled to your PRIVATE ~61 member list at FIRST. ]
5. At this time, IBM-ERS has NO KNOWLEDGE of any security vulnerabilities, exploitable or otherwise, in the "sshd" program.
[ We have never said otherwise. ]
We hope that this clarifies IBM's involvement in this situation.
The information in this document is provided as a service to customers of the IBM Emergency Response Service. Neither International Business Machines Corporation, nor any of its employees, makes any warranty, express or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, apparatus, product, or process contained herein, or represents that its use would not infringe any privately owned rights. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation or favoring by IBM or its subsidiaries. The views and opinions of authors expressed herein do not necessarily state or reflect those of IBM or its subsidiaries, and may not be used for advertising or product endorsement purposes.
rootshell.com - Security bulletin #25
------------------
[11/5/98 8:44AM -- SSH Admits Buffer Overflow in 1.2.26 client]
This morning SSH Communications Security LTD. released information about a buffer overflow in its ssh 1.2.26 client kerberos code. This came as quite a surprise after SSH was very bullish about there being no buffer overflows in their code. While it is VERY hard to exploit and only works under certain conditions, it is still a valid security hole. PLEASE REMEMBER, ROOTSHELL HAS NEVER STATED THAT THE BREAK-IN WE HAD WAS FROM A SECURITY HOLE IN SSH. Anyone who believes otherwise has read too far into what we have said. -
Re:SSH, what a misnomer.
Just to justify myself, having gotten burned by sshd before (twice even. `8r/), I've included URL's to make you all snuggily happy.
Here's a buffer overflow.
Here's a bounce attack
Here's another one.
Now what would happen if I used a more current source of attacks? There were a couple on BugTraq a couple months ago...
--
Gonzo Granzeau -
Re:Name one major hack based on an SSH weakness
Groundless, eh?
Here's a buffer overflow.
Here's a bounce attack
Here's another one.
Now what would happen if I used a more current source of attacks? There were a couple on BugTraq a couple months ago.
And don't tell me that 'patches come out quickly' because the bounce attacks were not patched for several weeks, and I know, because I was hit with them. So it might sound like just hype, but there is proof out there.
And I forgot, just because URL's were not included, I have no clue, right? Happier?
--
Gonzo Granzeau -
Who gets hurt the most?
Again, the issue of poor security on internet attached machines is, I'm sure, well understood by most of those reading today. Unfortunately, the groups taking the most action (ie government, big business) don't seem to fully fathom the mechanism by which these attacks succeed. I don't even know if there is a way to stop a coordinated DoS attack short of the traditional method of calling everyone who's spewing out traffic. With more sophisticated tools (that say, generate valid traffic) how would one differentiate between attackers and real clients? Short of adding more bandwidth I don't see any easy short term solutions. The fact that the government, particularly the FBI, thinks they can solve the problem by throwing money at it, performing wiretapping, etc, is frightening. Even more so considering that they're supposed to have met with Industry Leaders to discuss the problem.
I suppose my biggest fear is that the government would try to invent/incorporate some sort of master control system (super ICMP?) for IP. Not only would this likely be ineffective in deterring a serious attacker, but it would likely invite abuse as well. I'm not sure that our fearless leaders in DC comprehend the issues involved.
I believe the only way we can deal with this is the way it's always been done: as a community. It has been pointed out that a lot of the zombies in recent attacks have been Linux/Unix boxes. I know there are a lot of resources on the web for Unix security. RootShell, for example, is a good site not only for descriptions of exploits, but actual code you can use to test your box. There is a lot of information about Unix/Linux security out there, but it's unlikely that any newbie will be exposed to it before, during or immediately following the install of their OS. And we all know what kind of daemons get installed by default these days. I don't know if it exists, but a clearinghouse of security info, including not only alerts/exploits but instructions for newbies on how to fix problems would probably go a long way. Just raising the issue of security consistently (banner ads, links from most major linux sites) to this clearinghouse would probably be enough to get the attention of people who are working with Linux. Does something like this exist? If not, would anyone else be interested in setting it up? Perhaps it could be part of the LDP. Who knows. I'm envisioning far more than might be practical, but if anyone else is interested, e-mail me at po.cwru.edu, username dwb2.
-
Old News?
Isn't this what caused the demise of RootShell?
I remember reading an explanation of a buffer overflow in ssh that allowed a cracker to get in to the last server anyone would have suspected a successful break-in to... -
$31,400 is enough, at least
In December, rootshell had a note about a case just like this, except that the sum was under half as big ($31,400). They still were sentenced to death.
/* Steinar */ -
Re:Excellent timing
-
how interesting...
..that it was almost exactly a year ago that this exploit was discovered...
-
Re:ssh / sdist
Not as far as I know.. The latest version at the time of the rootshell incident was 1.2.26, and is detailed here This is the last mention of ssh in this light on bugtraq.
-
Re:I'd rather not find the pot of gold at the end.
people want functionality before security
...until the day somebody hacks into their computer.
Security is important. And it is very nice to see a security oriented distro like this one come out. This hopefully means that the only thing I will have to do to ensure my computer is "safe" will be to check for their security upgrades, instead of keeping track of CERT advisories, rootshell.com, et al.
That is of course only if I feel I can trust the kha0s people to do their side.
Having a security oriented distro might also make RedHat, SuSE, Debian, etc. incorporate some of the ideas as well, and we will all be much happier.
In very few cases is functionality pushed down because of security. It is usually the other way around. All the functionality can usually be kept by doing things a little differently. A little more securely.
-
Re:No I'm not!
It's fun to watch stupid FleaBSD users pretend they have no serious bugs in a kernel which is used by about 1% of Internet users... FreeBSD 3.0 and 3.1 exploit of the week
-
now anyone can read your form data from anywhere
this bug combined with the javascript/java exploit which allows anyone to read your local files means that you better think twice before you fill out another form.