Domain: sans.org
Stories and comments across the archive that link to sans.org.
Comments · 672
-
Updated story on cnet's news.com and some links
http://news.com.com/2100-1001-835602.html
To mitigate this vulnerability, OULU (the guys that found this a year ago) has some good links at http://www.ee.oulu.fi/research/ouspg/protos/testing/c06/snmpv1/
Securing SNMP on Solaris
http://ist.uwaterloo.ca/security/howto/2000-10-04/
Securing SNMP in Windows
http://www.sans.org/infosecFAQ/incident/SNMP.htm
Securing your Cisco Router when using SNMP
http://www.sans.org/infosecFAQ/netdevices/router.htm
SNMP - simple management tool for hackers?
http://www.nwfusion.com/newsletters/sec/1004sec1.html
Windows 2000, SNMP and Security
http://www.securityfocus.com/focus/microsoft/2k/snmp.html
-
Re:Seems ok
He wasn't raided because of the content on the site...
He was raided because he hacked into, and then defaced, commercial sites. -
Project Moneypot :-)
Cousin to the Honeypot idea, meet the Moneypot :-)
Crispin
----
Crispin Cowan, Ph.D.
Chief Scientist, WireX Communications, Inc.
Immunix: Security Hardened Linux Distribution
Available for purchase -
Improvements
I think kernel 2.4 has what I always dreamt of on my Linux firewall: stateful firewalling and NAT. It is great for building inexpensive firewalls that can be as good as those costing grand.
Also, the VM system is much improved, when compared to the 2.2.
The only thing I think was a little too risky was replacing the entire VM (originally built by Rik van Riel) with a new one by Andrea Arcangeli. I believe such drastic changes should be reserved for development kernels. But the important thing is that now it's working wonderfully, and is much improved.
I don't think 2.4 should be called the Kernel of Pain. We're what, at 2.4.17? Remember 2.2.17 or 2.0.17? Heck, 2.0 had DoS bugs till release 2.0.35.
I am running 2.4 on some production boxes. They're behaving fine and very stable, thank you, and I think 2.4 is ready for production. -
Oh but they NEVER have security problems....
BWAHAHAHAHAHAHAHA! http://www.sans.org/topten.htm
-
Actually, they're better
http://www.sans.org/topten.htm *nix takes #1! shares 2! Takes 3, 5, 6, shares 7 &8, takes 9 on its own, and shares 10. Windows shares 2, takes 4 (IIS only), and shares 7, 8, and 10. Boy, that windows sure is full of holes. But *nix is worse.
-
Re:Configuration
If you'd take the time to secure the web server you might as well take the time to secure the OS. Or as an MCSE are you forgetting about Win2K having IPSec and the work done by the NSA in providing guidelines on how to secure Win2K?
There are plenty of sites dealing with W2K security. Go to the Sans Reading Room for a start.
This coming to you from a MCP.
-
Re:Win2k, XP
paranoid
Not only was Real Networks software transmitting back your GUID, NetCenter LogonID, MAC address, IP address, files downloaded, Internet address accessed, music CDs listened to, songs recorded on hard drive, type of MP3 player, and music preferences...
it can even send out your real name and e-mail address - in the clear.
Which is linked to their internal records - zip code, country, Windows version, type processor, language, software version number, etc.
And that's just RealNetworks. But that's ok. We're all paranoid, and you're not. So I guess you won't mind if I post this:
Steve Sheldon
Burnsville, MN 55306 612-435-2933
-
Unix Worms - what have they done lately?
A reminder is perhaps due here that the first Internet worm program to cause significant damage (the Morris worm) was released in 1988 and infected UNIX systems through a well known vulnerability (yep, good ole gets(3)) in the fingerd daemon.
The Morris worm and other aspects of infosec history reflect the security landscape. Information security has been horrid in the past. It has been bad in more recent times. But there are improvements. Or, at least, improvements in some circles. Within the nebulous Unix (and Unix-like for the purists) environment, security has made vast improvements. While this does not mean these environments are bullet-proof, they are far removed from other environments that are ripe for malicious code. And waddaya know, UNIX application programmers are _still_ using the occasional gets(3) call in setuid root programs, more than a decade later...
The Morris worm is a nice spectre to pull out of the Unix closet and remind everyone that Unix is not infallible. Just look at all the damage done in the early internet days! Spooky.
However, this is history - ancient by Internet standards. Since then, there have been other Unix-based worms to hit the net at large. I can name three more recent examples off-hand. Sadmind spread among Solaris hosts to deface IIS sites. The ramen worm attacked Linux (specifically RedHat) hosts. And there were reports of ramen code being modified and sent on its way. And then there was another Linux worm called li0n.
In each case the worm hit the wild, was discovered and reported, had a brief life as appropriate counter measures were taken, then faded out. Missing was the media frenzy one would expect with something as damaging as the Morris worm. That came later on a different platform with a different worm: Code Red.
Once again - Unix is not infallible. But various generations have been in the trenches dealing with infosec issues for years. Recent incidents have begun to show off its experience, versatility, and resilience. It is small wonder the Unix crowd tends to look at virus issues with almost a disinterest compared to their Windows counterparts who are burned either more often or more severely by such a threat.
-
Re:What is the case about?
There's a good summary at the SANS Institute site. Schwartz did three different things: (1) installed a backdoor in a firewall, (2) did an unauthorized password scan, and (3) used one of the passwords he obtained through this scan to log into a system to which he should have had no access. He then copied the /etc/passwd file off that last machine, apparently to run an attack against it, as well.
Even a cursory review of the documents in the case make it clear that he wasn't framed, that he actually did the things he was charged with, and that at least one of the activities with which he was charged was not only unauthorized, but had been explicitly forbidden by his managers. He had been ordered to take his gateway down at one point. He did so, waited a few days, and then brought an equivalent service up on the same machine under a different name. (See this site for some more details.)
In my opinion, what he did was certainly grounds for dismissal, and almost certainly technically criminal. That said, I think the district attorney was unwise to pursue the case against Schwartz, since the damage done to his reputation just on the basis of what is clearly the case would have been punishment enough. Even without the convictions, no major site will ever touch him again: security geeks are dangerous, and the last one you need is one that won't obey the policies about what he or she may attack at any given time. -
I wonder if it will affect their rating here:
http://www.sans.org/topten.htm where Unix is king of security problems.
-
Gaping security holes
http://www.sans.org/topten.htm
Unix and Linux are doing great!!!!!! None of those "gaping holes" that MS has. Yes, bash away, for everyone knows it's MICROSOFT that's responsible for all those gaping security holes. Really. Really. No kidding. Seriously. -
Re:Solaris Sparc kernel-level stack protection.
Yes, the article with the "canaries" is StackGuard.
And besides, you often don't need any shell code as such, there is enough cruft in different libraries that you can call to do your dirty work for you. See for example the last (windows) link of the SANS buffer overrun page. Which is a good page to get you started on buffer overruns.
-
Vigorous anti-fraud group...
I've never had any problem with PayPal, but my use has been minimal. I think it is worth noting, though, that PayPal has got one of the more vigorous anti-fraud groups around. I think their fraud rate is around 1/2 of 1 percent, which is (IIRC) lower than many credit cards.
Some of this information is from an MSNBC Article that showed up on SANS NewsBytes. But I've also heard personal anecdotes from security professionals who'd rather have the Mafia after them than PayPal.
-
Tempest Background Info
You can find a good source of Tempest Info here: http://www.sans.org/infosecFAQ/encryption/TEMPEST.htm
I find it very funny that this information used to be classified in the 1950's. -
Re:The tendency to run everything on port80
But port 12345 is already being used. :P -
Use BIND 9
Use BIND 9! A new security hole is discovered in BIND 4 and BIND 8 every couple of months. The quality of the BIND 8 code is so poor, that a complete rewrite was needed for BIND 9. Consequently, BIND 9 is much less likely than BIND 8 to throw up new security holes.
The story can be found here. The differences between BIND 8 and BIND 9 are highlighted in this quote:
"The basic sleazeware produced in a drunken fury by a bunch of U C Berkeley grad students was still at the core of BIND", according to Paul Vixie, BIND9 architect. This rickety software structure was not judged an adequate basis for the complex changes needed by DDNS and DNSSec, so a decision was made to completely rewrite bind. In 1998, Jerry Scharf, who was the Executive Director of ISC, convinced the remaining UNIX vendors and a few government agencies that the only way to support all of the new DNS protocol enhancements was to totally rewrite BIND. As a result, in August of 1998 DARPA awarded a contract to TIS (NAI labs) to write the software in collaboration with ISC. -
9 days of DNS hell
This is something I was just looking at... very interesting, shows what techniques have been used to hijack domains.
-
There are Good resources for EFS at SANS
WARNING: KARMA WHORE ALERT!
Try looking in the "Windows" section of the Reading Room from SANS website.
Specific articles of interest are:
Encrypting File System Primer , from July 6, 2001
and
Windows 2000 Encrypting File System , from July 27, 2000.
Both of these articles are heavily referenced with links to other technical source material about Windows EFS. Most notably:
Mark Russinovich, "Inside Encrypting File System, Part 1", June 1999, Windows 2000 Magazine
Mark Russinovich, "Inside Encrypting File System, Part 2", July 1999, Windows 2000 Magazine.
This ought to satisfy any questions about the limited protection offered by EFS in stand-alone and default modes, as well as provide direction for configuring EFS to operate with a very decent level of confidentiality and availability.
-
SANS Top 20 list
SANS is keeping their list of top security vulnerabilities up to date with the latest IIS exploits
How is the top 20 exploits page MS-specific? At least by the wording of the article, you make it seem this way. Newsflash, genius, the SANS/FBI Top 20 is a list of vulnerabilities - UNIX, Windows, and General...not Microsoft-only.
You really need to get over your Windows envy. It's getting to the point of being pathetic. -
The NSA and CERT agree -
The NSA has been saying this for a while now.
CERT has been saying this for a while now
Most CCNAs know just enough to get RIP running - and security in Cisco manuals doesn't go much beyond passwords and locking your telco closet. They do publish more extensive books on the subject - for a price of course.
I'm all for this - hopefully it'll force companies to pay more for qualified network engineers. As it stands right now they're paid 35k their first year out - that's pathetic for the amount of training required to put together large secure networks. -
Really?
*nix took top honors, according to the experts. Windows didn't even show up by itself until #4, so *nix took or shared the top 3. Hmm. Go figure. But this is from those kooks at SANS, why would I believe them?
-
Data Security
Why spend all your money on physical security when you can waste it on something cooler like using differential phase shift keying (DPSK) and frequency shift keying (FSK) to ensure the integrity of your data. Check out this article for some pretty good encryption ideas (at the end of the article). Ohh, and don't forget the cryptonite plated titanium pipe for a little extra security.
-
correction: not webstar, but pcweek hack contest
To my knowledge, the Webstar reward still stands. The contest crack I suggested stems from a pcweek contest, the winner of which (jfs) exploited the third party PhotoAds software. jfs was partially successful against the crack.linuxppc.org. Details here...
-
Yes, open the source MS!
Maybe then you'll have a chance at improving your highest unique (#4) ranking in security holes. Linux/*nix cleaned up, #1 and at least sharing 8 of the top 10!!!! If Microsoft opens their source, they could certainly hope to aspire to such greatness.
-
Re:This should come as no surprise
-
Marketshare doesn't matter
That's right: marketshare doesn't matter. And here, I'm taking "marketshare" to mean either (a) the number of servers sold or (b) the number of servers running.
The reason why marketshare doesn't matter: every server connected to a TCP/IP network is "touching" every other server connected to that network. Marketshare has no bearing on which servers can possibly infect which other servers in a population, only connectivity does. Essentially, the "population" of unix servers on the internet all "touch" one another, just like the population of all IIS servers "touch" one another.
That said, it hasn't really been a banner year for Linux/Unix/BSD worms. We've seen adore, l1on, cheese, ramen, sadmind/IIS, lpdw0rm, and x.c. Absolutely none of these worms ripped through the Linux/Unix/Solaris/BSD population. This is indisputable. The question is why does one population have resistance, while the other doesn't? I think the answer is diversity on four levels:
- CPU architecture. Sure, Linux/Unix/etc boxes are far and away x86-based, but having a sprinkling of SPARC, Alpha, Mips and PPC probably makes a difference - no single shellcode or exploit covers all architectures.
- OS architecture. Instruction-level calling sequences probably prevent a "universal" shellcode from working on all OSes that a given CPU architecture runs.
- Web server variety. Sure, Apache dominates, but WN, iPlanet and thttpd have a presence.
- Userland software variety. A huge variety of email clients that don't share a common scripting language or address book format keeps NIMDA and SirCam like things from happening.
-
What the poster asked
... we'd like to pass through packets for our two server machines, and use NAT/DHCP on a third address for the rest of the LAN. Nearly all the boxes advertise that they can do NAT routing, but many don't support NAT and static-IP routing simultaneously.
(1) If you have two servers providing the same service (listening on the same port), you'll need two or three IP addresses, a hub (connected to the DSL or cable "modem"), and either a NAT router or a way for one of your servers to do NAT.
(2) If you have different services on the different servers (e.g., HTTP, e-mail, Q3), you can have one IP address, and configure the NAT to pass the appropriate ports through to the appropriate servers ...
... if the protocols you want to support are NAT friendly. If the protocols specify, "Further communications will happen on such-and-such a port at such-and-such an IP address," it won't work. You're not only doing NAT (Network Address Translation), you're also doing PAT (Port Address Translation), and the "such-and-such a port" message needs to be translated.
For example, FTP clients wouldn't work well over NAT (in passive mode, I think), except that every NAT router supports client FTP. I don't know if they support server FTP. Voice-over-IP protocols (H.323 and SIP) are notorious for not working over NAT; the respective standards organizations are trying to find solutions.
If you need to support a NAT-unfriendly protocol, go back to (1).
See also this article (cached): "Network Address Translation: Not A Panacea".
--
With grief, with determination, and with hope. -
Re:not exactly an MS fanatic, but...
"Microsoft will only get better and better at it, the general public will only grow more and more confident with their fight, and less and less exploits will be discovered."
IMO, this isn't a bad thing. It's really a "catch 22" you're talking about here, isn't it? MS, over time, churns out an OS that is more secure than the rest and as a result becomes the OS of choice. Not likely.
I don't believe this would lead to a "Monoclonal OS prevalence" on the internet because people do learn from other peoples mistakes. That's what places like this, this and, this are for.
-
not exactly an MS fanatic, but...
Take a look at the SANS Institute's "Ten Most Critical Internet Security Threats" here.
Notice that the level of representation of MS products is quite low. Consider that the Open Source Community's conventional wisdom is that closed source leads to insecurity. I am risking the almighty flame when I say so, but here it is: Monoclonal OS prevalence is the issue, not open source versus closed source.
What I am saying is that the OS with the greatest market share attracts the hackers the most because they get the most "bang for the buck."
But two conclusions can be drawn about this observation, one good, one bad:
The good: the move towards an "OS ecosystem" of various flavors of OS is the healthiest for the Internet. Because if something like Code Red were to reappear, only a minority portion of the pie chart of OS prevalence would succumb, as opposed to the majority slice. I use the biological allegories "monoclonal" and "ecosystem" because you can say the same thing about crop resistance to insect/ bacterial/ fungal/ viral pests: the more the genetic similarity of crops, the greater the risk of one solitary biological pest taking out all of the Midwest as opposed to one cornfield.
The bad: Microsoft, having the greatest exposure to exploits now, is getting the most experience with dealing with exploits. Dealing with them at a business, PR, and technical level. The more you fight a war, the better you get at it, and Microsoft will only get better and better at it, the general public will only grow more and more confident with their fight, and fewer and fewer exploits will be discovered. Other OSs haven't borne the brunt of the kind of hacker attention yet that fosters this kind of improvement, unfortunately for us all, who live in the ecosystem of the Internet. -
Legal the same way as ShareSniffer, perhaps?
Read this if you're not familiar with ShareSniffer
Essentially, they say that since people enable drive sharing manually, an open share holds the same legality as a clickthrough license: You wouldn't have clicked it if you didn't want to do that, so you're responsible for what happens.
People don't install Windows by mistake. (well, that's another joke entirely) If they have services running that any reasonably competent admin would know about, they're responsible for those.
The point of a server is to let people use it. The point of an internet connection is to make your computer part of a global network. If you're running a server on the internet, you INTEND to have it accessed by anyone who wants to.
The worm's problem is that it's malicious, sucking up unreasonable amounts of bandwidth and denying service to others. If someone wrote a fixit worm that worked as advertised, I don't see how it could run afoul of the law. Just be careful with the bandwidth usage. Someone might call it unauthorized access, which is bullshit, access is implicitly authorized by the machine's very presence on the internet.
IANAL! -
Interesting Paper
I'll agree with people that this paper is much more than your average MS-bashing that we experience here at Slashdot. It's good to see that the authors had done the technical research and had the evidence to back up their claims. It also had some interesting points that I thought I might mention here:
- The first interesting point I noted is that while using Netscape, clicking on the Logout button for Hotmail would appear to log you out of Hotmail and redirect you to msn.com. But if you were to click the Hotmail link again, you would appear in your inbox without reauthenticating. Needless to say, this creates a major practical security flaw for non-technically-minded users (ie. the users most at risk because they don't fully understand how the whole process works) as someone on a public terminal can commandeer a previous user's Passport account by simply clicking on the Hotmail icon, hence gaining access to their account. So Passport doesn't work properly with Netscape, but works fine with Microsoft Internet Explorer. Conspiracy theorists and Microsoft bashers, do what you will with that statement. The obvious solution to this problem is to use MSIE (a morally repugnant option to some in the Slashdot community), but it shows the problems that can occur when differing platforms aren't properly taken into consideration.
- The central point of authentication can also prove a security risk as it provides a central point of attack. There's no real way around this particular risk as it's a long-accepted notion that the more valuable data is on a machine, the more likely it is going to be compromised (or at least, attempts are made). So to have vital information for all Passport users on a single server (correct me if I'm wrong) makes a very tasty target for hackers, crackers and anarchists the world over.
- It's been a long-accepted notion that the weakest part of any security system is the people, and that includes everyone from users to sysadmins. So if you choose an obvious password (like "swordfish"), then your account is more likely to be compromised because the hacker can just guess your password, rather than employing elaborate methods (such as DNS spoofing, explained here in this SANS article) to compromise your account.
- And finally, I'd like to point out that Passport, while having serious security flaws, is an ambitious project that makes the best of existing technology. It's alright to stand up and say (or post, in this instance) that Passport is insecure but until we fundamentally change existing protocols (DNSSEC and IPSec are two suggested standards) then this is what we have to deal with.
In conclusion, you can say what you like about Microsoft, but unless you have evidence to back it up, you won't have much credibility. At least these people did their homework.
-
Re:Are there any non-microsoft viruses anymore?
Perhaps I should have said BIND and Sendmail together give IIS a run for the money in the vulnerability list.
:)
At least there are viable secure alternatives to Sendmail in Qmail and Postfix. With BIND, you can reduce the privileges, but you really need to chroot jail it. I didn't want to go TOO long on the post, so I chose to bash BIND the hardest :)
And just a reminder: click here for the ten worst and most abused vulnerabilities.. listing BIND *and* Sendmail holes.
--
Steve Jackson -
Re:Why can't MS be held responsible?
In my opinion, someone should force MS to take responsibility for issuing a product recall...just like in any other industry. That means they must contact their dealers and their dealers must contact their customers and get it patched. Obviously this is serious enough to warrant that kind of attention and MS can surely afford it.
Such a proposal would lead to the death of free software.
A big proprietary software corporation like Microsoft, with billions of dollars of cash on hand, could easily afford to carry out such a recall. But any time such a recall was ordered for a security flaw in a free software project (which typically doesn't have as much cash on hand as Microsoft), it would probably be the end of the project. In fact, it's unlikely that anyone would bother starting a free software project in the first place, with the enormous risks of an expensive recall.
Be careful what you ask for -- you might just receive it.
-
good analysis
It is nice to see someone take the time to dissect a DDoS attack.
In a previous life I was the green (read: my first month on the job) sysadmin who had a unix machine trojan'ed to become a zombie for a DDoS attack. It saturated our measly internet connection and proved how useless our security (policy) guy was.
I didn't have time to look into it at the time, busy fixing that and a dozen other problems. So I was enlightened to know more about what had happened.
There is a lot of accessible security information at SANS, though they get annoying at times by trying to sell their conferences and courses; which I understand are worth going to.
-
Re:The reality of clueless sysadmins
No, you can keep wireless access from happening -- it's just a pain in the ass. Most switches these days support secure ports. With the Cisco switches I use at work, you can set port security so it not only allows just one specific MAC to use the port, but if anybody unplugs the cable to plug something else in, the port is automatically disabled (although there are other settings to choose from besides automatically disabling the port). This keeps people from spoofing the MAC, because nothing will work until an admin resets the port. For more information, check out this article.
Like a lot of security, it's a pain in the ass, but you can prevent people from plugging in unauthorized devices, wireless or otherwise. Of course, no security is unbeatable.
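The port-security setup described above, written out as an added Cisco IOS configuration fragment (not from the original comment or the linked article); the interface name and the MAC address are assumed placeholders:

```text
! Weak setting: an access port with no port security at all.
! Anyone who unplugs the cable can attach a laptop or a wireless AP.
interface FastEthernet0/1
 switchport mode access

! Corrected setting: one MAC per port, learned and saved (sticky),
! and the port goes to err-disabled on any violation.
interface FastEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 switchport port-security violation shutdown

! Other violation modes instead of shutdown:
!   protect  - silently drop frames from unknown MACs
!   restrict - drop them and log/SNMP-trap the violation
!
! Check the port state and the learned MAC (constructed example):
!   show port-security interface FastEthernet0/1
!   Port Status                : Secure-shutdown
!   Violation Mode             : Shutdown
!   Last Source Address:Vlan   : 0000.0000.0001:10   (placeholder)
!
! A shut-down port stays down until an admin clears it:
interface FastEthernet0/1
 shutdown
 no shutdown
```

If you prefer the port to come back on its own after a timer, `errdisable recovery cause psecure-violation` enables that; leaving it off is what forces the admin reset the poster relies on.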
-
Just the kernel...
People have been asking why the NSA would do such a thing and isn't it counter-productive? After all, isn't their objective to get at all the data when they need to?
The cost savings over their current use of "Trusted" OSes has already been mentioned. It probably adds up.
But you are forgetting one thing. Most of the reported vulnerabilities are not in the kernel! They are in associated apps and misconfigured services!
Yes, I know what MACs are and that properly configured they would go a long way towards securing a system.
Guess what? Most people can't properly configure a system now, much less understand and properly set up a MAC-based one!
Look at the Top 10 vulnerabilities on the net today and you will see most of them have had fixes/patches for a long time -- they just haven't been applied!
THIS ISN'T GOING TO CHANGE WITH SE LINUX! If you know what you are doing you can properly configure a pretty damn secure Linux/BSD system -- especially a non-server -- with minimal effort. Combine IPChains/IPTables with Tripwire, Snort, NMAP (to double-check) and don't run any services that aren't absolutely necessary and ANYONE, including the NSA, is going to have a damn hard time getting into your system.
If you really want to be paranoid -- use different passwords for local-access items (like logging in) and remote-access items (like POP3 e-mail -- which can be easily sniffed); install the International crypto patch on your kernel and set up a loopback device to encrypt all your file systems. (BTW: the 2.4.3 Int'l patch is out.)
Professional involvement by the world's largest employer of mathematicians and cryptographers is a good thing.
--
Charles E. Hill -
Nobody gets out of here alive....
http://www.sans.org/y2k/lion.htm
Seems there was a lion stalking the net just last week
:-> -
Incident Handlers
GIAC has a similar system already at incidents.org. They assign a "handler" to be on duty at any given time, and all incident reports are filtered through the handler. Someone might submit falsified logs, but unless a lot of sources report the same incidents they probably won't get much mention.
-
Re:What's wrong with Microsoft?
for training people up to be able to use a computer for running charities or getting a job you'd be far better off teaching them how to use Windows/Word/Excel than some open source solution which is more difficult and less well supported
For running charities, perhaps, but for getting a job? Take a look at the SANS 2000 Salary Survey Summary:
"The average for UNIX folks was $70,080, while the average for Windows folks was $61,233."
Granted, this only applies to SysAdmins (so I probably would agree with you in general), but given the currently high demand for "UNIX folks" (and despite the fact that Linux is not technically UNIX), it seems that training people in Linux is not such a bad idea. Speaking more anecdotally: I was able to get my current job as a UNIX admin because I got so sick of working in retail that I decided to train myself with Linux (plus it was interesting, fun, and free). I know of several other people who have done similar things, and I even have friends involved in hiring that say that Microsoft certifications actually make a resume look worse (one said that he threw away a resume as soon as he saw the letters "MCSE").
I should also add that Linux is an excellent platform on which to learn programming, which opens up yet another career.
Augh...wait a minute; what am I saying? Train no one in Linux! The fewer people there are who know how to use it, the more in-demand those of us who do know will be. (Now you know the real reason why people report that Linux is hard to use ;) -
Silly salaries, money is for management.
You can find a link to the 1999 SANS (System Administration, Networking, and Security) salary survey right here. You can give them an email address to receive the survey (.pdf) by mail. If you don't want to give them an email address, I've posted a copy on The Linux Pimp, which you can view right here.
-
Re:Stupidity of attacking a DoD site
The nice poster I got from SANS with the information about their security conferences for 2001 has several lists of interesting information. One of these is where US monitoring sites report malicious traffic coming from in the first quarter of 2000. Top is USA with 46%, second Canada on 11%, third Russia 8% and so on down. Of the three countries mentioned in the article, Israel is listed at 2%, and Ireland and India are not listed as being in the top four fifths at all (at which point we are down to 1%).
SANS has a good reputation, and I am inclined to believe that they gathered this data in a reputable way. Of course it is possible that US Military/Government sites attract a disproportionate foreign attack profile, but given the suspicion of government that seems popular in the USA, it might go the other way. In the absence of data to the contrary, I do not see any reason to expect a different attack profile. Pointing at foreigners has always been the way to bid for defence funding, so my cynical side suspects that this is on the agenda in the interview.
-
The SANS GIAC has been doing this for over a year
The SANS Institute GIAC (Global Incident Analysis Center) has been doing this sort of thing since before Y2K. It's continually run and moderated by the leading intrusion detection professionals in the world (namely Northcutt, Breton, Pomeranz, Novak, etc..). Check it out. Sorry, Intrusion Detection is an art, and requires a lot more than posting firewall logs and using nslookup. -Thang
-
Childish attacks unnecessary
I'd expected more mature responses to MSFT being hacked than childish attacks either blaming NT like the above post or claiming that MSFT being hacked is good for Open Source like others I've seen. Frankly *nix and Windows are roughly equivalent in default security (except for OpenBSD) and only through the machinations of a good sys admin is either OS properly secured.
For those that believe *nix is somehow more inherently secure than Windows, here are a few sources that may refute that claim. The major security issues in Windows are Outlook (disable preview pane, be careful with attachments) and Internet Explorer (disable Javascript). Doing that and using a firewall like ZoneAlarm is most of the securing that a typical Windows box needs. On the other hand, due to the use of insecure C libraries (str* functions, *scanf functions, etc) most of the services that are enabled by default in a typical Linux install are insecure (especially RedHat, the primary consumer Linux OS in the U.S.). Take a quick look at security sites like Attrition.org, CERT, SANS, rootshell, SecurityFocus, etc and check the results. Defacements of Linux sites have been rising at a steady rate and now there are more defacements of Linux sites than NT sites. CERT regularly has more Linux and Unix security advisories than for Windows. The SANS (System Administration, Networking, and Security) Institute top ten list of security holes has more entries for *nix than Windows. A quick search of the terms "linux" and "windows" on Rootshell's search engine comes up with 84 downloadable exploits for Linux versus 39 for Windows.
The above post is not intended to be flamebait (I run Win2K but plan to reinstall Linux on my second machine so I am a Linux user) but as a counterpoint to the above post which was rated +5 when I replied to it.
Second Law of Blissful Ignorance