Domain: securityfocus.com
Stories and comments across the archive that link to securityfocus.com.
Comments · 2,651
-
Re:Crypt-IRC
thats a neat system but there are more covert ways of sending data
-
Re:Now...
Linux zealots are going to run in defense of the [Linux] kernel.
Never let facts get in the way of a good rant:
To exploit any of these vulnerabilities an attacker needs control
over the answers of the connected smb server. This could be achieved
by man in the middle attacks or by taking over the smb server with
f.e. the recently disclosed vulnerability in Samba 3.x
While any of these vulnerabilities can be easily used as remote
denial of service exploits against Linux systems, it is unclear if
it is possible for a skilled local or remote attacker to use any of
the possible bufferoverflows for arbitrary code execution in kernel
space.
-
Re:history of linux exploits
Not a website, no specific tracking, but you can be smarter and more prepared than the average bear if you subscribe to some security mailing lists.
Bugtraq mailing list. Not much noise and not Linux specific but good reading.
Full Disclosure mailing list. A lot of noise and higher volume but still has some good information.
-
53 day turnaround, is that good?
Based on the info here (http://www.securityfocus.com/archive/1/381420), it took 53 days from initial contact to public release of the patch (and public notice of the vulnerability). How does this stack up against other OSes?
-
Re:But...
Come on, I really want to know whether this allows someone to take over my machine. Besides, as an M$ hater, I want to be able to tell people 'hey, the linux kernel exploit *doesn't* allow root'. Unless, of course, it does. Does it?
Probably not. Quote:
While any of these vulnerabilities can be easily used as remote denial of service exploits against Linux systems, it is unclear if it is possible for a skilled local or remote attacker to use any of the possible bufferoverflows for arbitrary code execution in kernel space.
SecurityFocus have this down as a "Design Error". Is that in the design of the implementation, or the design of the protocol? Can we start blaming Microsoft for bugs in Linux now?
-
Re:That seems like it is teh sux, but...
Here is the information you are looking for.
-
The link doesn't actually tell you anything
-
None of the above
I installed Xandros on my parents computer and haven't had to fix it since. I wrote about it for LinuxWorld. Yes, I know that switching OS seems like a huge step and frankly it is. But Xandros is the perfect distro for many computer users (basic office apps such as word processing, Internet, etc). The Xandros Deluxe edition includes Codeweavers CrossOver too so installation of things like Quicken and full version of Microsoft Office are possible, though Xandros includes OpenOffice.
It seems as though most Windows users that I've talked to don't care about the *name* of the program so much as they care about it just *working* and being compatible. OpenOffice is a great example of this. Show someone that they can read their old Word docs and that they can even save directly to PDF and they'll be an OpenOffice user. Yes, yes, yes. I know that there are things that OOo can't do but many (most?) users won't ever encounter those issues. Likewise, show someone that they can get their work done in much the same way and don't have to settle for IE's constant string of security holes, even post SP2, and Windows' poor performance and constant, never-ending critical updates and they'll be a Linux (and/or Xandros) user.
Since I installed Xandros on my parents computer I don't have to worry about my parents getting the spyware/adware/malware du jour or about the OS crashing for no good reason. They don't have to worry about clicking something they shouldn't or about their computer being "down" when they get yet another virus. I chose Xandros as an upgrade from XP Pro on their computer and it helped everyone concerned.
If I ever had to do tech support, which I'm just guessing I will at some point, Xandros is based on Debian which makes my life easier. At least I won't find myself in the position of having to tech support Outlook Express, a program I've never used, or any of the other disappointing, unconfigurable, security-hole laden programs that come from Microsoft.
-
Re:And...
I'm not so sure gentoo is the answer:
http://www.securityfocus.com/bid/11617/
http://www.securityfocus.com/bid/11616/
But then again, I guess no one here is interested in any Linux flaws.
-
Re:Great quote to take out of context
If I recall correctly, IIS6 (out for 1.75 yrs) currently has no exploits. Win2k3 (out for the same amount of time) has very few exploits. In fact, I think it's on par with OpenBSD.
In fact, recent fuzz tests have favored MSIE.
-
Re:IE attacked because it's common
Actually there was a buffer overflow reported recently in apache. It just wasn't reported that much. Similarly there was a second .png and xml exploit about two weeks ago affecting many applications, including those mentioned here.
My point is that some things are reported more widely than others. You can speculate about why.
However, if you're really interested in security, then it's a good idea to subscribe to security mailing lists like those hosted at Security Focus or zone-h. Or even a Full-Disclosure list.
-
There are stringent requirements for the systems
These requirements have been set by the Federal Election Commission, which has always overseen our elections. The software has been reviewed, including at a source code level, as required by law by independent third parties.[1]
Personally, I'd prefer that the source be open for public inspection and that there be a voter-verified paper trail...
[1] http://www.securityfocus.com/archive/1/375954
Diebold strongly refutes the existence of any "back doors" or "hidden codes" in its GEMS software. These inaccurate allegations appear to stem from those not familiar with the product, misunderstanding the purpose of legitimate structures in the database. These structures are well documented and have been reviewed (including at a source code level) by independent testing authorities as required by federal election regulations.
In addition to the facts stated above, a paper and an electronic record of all cast ballots are retrieved from each individual voting machine following an election. The results from each individual machine are then tabulated, and thoroughly audited during the standard election canvass process. Once the audit is complete, the official winners are announced. Any alleged changes to a vote count in the election management software would be immediately discovered during this audit process, as this total would not match the true official total tabulated from each machine.
-
Re:2@1time
Man, I want to get modded up for writing one-liners like that! I think both of these "bullshits" are more true than you suspect.
Tackling the latter one first: if you read a security list like Bugtraq, you will see that nearly all vulnerabilities are buffer overflows, format string vulnerabilities, cross-site scripting vulnerabilities, or number overflows. All of these are symptoms of language weaknesses. Buffer overflows and format string vulnerabilities are pretty much a trademark of C - few other popular languages are as vulnerable to them.
As to popularity: you can't be sure one way or another. I am sure the author does not have the evidence to prove his claim. I'm also sure you don't have the evidence to refute it. Yes, Apache is more popular than IIS, but gets exploited less often. That's one case - what about the general trend? And even if it is a general trend, that doesn't mean anything about the quality of the products. IIS might be broken into more because its attackers try harder, or are more skilled, or because IIS sysadmins are less skilled, or pretty much anything else. You can never rule out all the factors (neither in the wild, nor in a controlled experiment), so you can never rule out popularity. Common sense says that bigger targets are easier to hit.
-
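The two C weaknesses the comment above names, shown side by side as an added example written for this page (not code from anyone in the thread): the unbounded copy and the user string used as a format string appear as comments, next to a bounded copy that reports truncation and a logger that always supplies its own format string. The function names and the 16-byte field size are assumptions for the example; the attacker string is constructed input.

```c
#include <stdio.h>
#include <string.h>

#define NAME_LEN 16   /* assumed fixed-size field for the example */

/*
 * The vulnerable forms, kept as comments so the block compiles cleanly
 * (current gcc refuses a non-literal format with no arguments):
 *
 *   strcpy(buf, name);    -- copies until NUL; a name longer than
 *                            NAME_LEN-1 bytes runs off the end of buf
 *   sprintf(out, msg);    -- msg itself is the format string, so "%x"
 *                            reads the stack and "%n" writes memory
 */

/* Bounded copy. Returns 0 when name fit, -1 when it was truncated.
 * buf is NUL-terminated in both cases. */
int copy_name_safe(char buf[NAME_LEN], const char *name)
{
    size_t n = strlen(name);
    if (n >= NAME_LEN) {
        memcpy(buf, name, NAME_LEN - 1);
        buf[NAME_LEN - 1] = '\0';
        return -1;
    }
    memcpy(buf, name, n + 1);
    return 0;
}

/* The user string is only ever a %s argument, never the format, so any
 * '%' directives it contains stay literal text. Returns what snprintf
 * returns (bytes that would have been written) so callers can detect
 * truncation of the output line too. */
int log_line_safe(char *out, size_t outlen, const char *msg)
{
    return snprintf(out, outlen, "msg=%s", msg);
}

int main(void)
{
    char name[NAME_LEN];
    char line[64];
    /* constructed attacker input: overlong plus format directives */
    const char *attacker = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA%x%x%x%n";

    if (copy_name_safe(name, attacker) < 0)
        printf("name truncated to \"%s\"\n", name);
    log_line_safe(line, sizeof line, attacker);
    printf("%s\n", line);   /* directives come out as plain text */
    return 0;
}
```

The return values are the point: a copy that silently truncates is only half a fix, and a logger that hands user data to the format parameter is the bug class the comment is talking about regardless of how large the buffer is.
-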
There is a way...
There are several things you can do to minimize or mitigate a DDOS attack. The first and most obvious method would be to host your server from two separate hosting providers, preferably in different geographic locations (LA and NYC or Dallas and Seattle, for example), have both IPs in DNS under the same A record, and it will be round-robined by DNS, so visitors should be balanced between the two servers.
Another cheap way is to deploy an inline IPS device which mitigates the attack in real-time. Some devices' performance ranges drastically with price.
There are even some free ones such as OpenBSD's Packet Filter. This can supply advanced syn-flood protection, connection tracking and general packet scrubbing, all within a low cost solution, but with the lack of support, the learning curve and the completeness, so YMMV. I have tested several commercial devices and so far I am most impressed with the http://www.ddos.com/ guys' box; it thoroughly kicks ass for the price.
Anyways, a couple of good sites to find more info on hardware, etc. would be http://www.securityfocus.com/'s IDS mailing list (yes, all the IPS stuff goes here too) and also http://www.nss.co.uk/, who do a lot of independent reviews of this kind of hardware. They charge for some of their reports but most of it can be found on their site for free.
DDOS is a toughy; the best way is to keep a low profile :) If that's not an option, then you're going to have to dish out some bucks to protect yourself. The Internet is the new Wild Wild West, there is no such thing as diplomacy.
Good luck.
-
Re:Law enforcement?
Since some of the phishing sites are in China, that could get interesting.
-
Re:They do?
Their database contains two sets of voting books. A secret key combination enables the hidden book and the machine will report on it.
I've highlighted the really important bit. It's the giant pink elephant no media organization wanted to touch, and there's no logical explanation for it except to enable vote tampering.
No, I already knew about this. (Fuck, do I have to write a goddamned novel with each slashdot post to prove I'm aware of the facts so I don't get accosted by people who assume that the only way you can have an opinion in opposition to theirs is if you don't have all the "facts"...and their version of the "facts" at that?)
Why?
Because you say so? Because blackboxvoting.org says so?
And then you use the good ol' "the media won't touch it" excuse? Well then your assertions must be true! Convenient.
Or might it be that you don't have any idea what elements might be used for in proprietary software. Note: I DO NOT think it should be proprietary, and I think that the source code of all operational components of such a system be available for public inspection, including all subsequent patches and updates, and overseen by a government custodian.
I know this will mean nothing to you, but:
Diebold strongly refutes the existence of any "back doors" or "hidden codes" in its GEMS software. These inaccurate allegations appear to stem from those not familiar with the product, misunderstanding the purpose of legitimate structures in the database. These structures are well documented and have been reviewed (including at a source code level) by independent testing authorities as required by federal election regulations.
In addition to the facts stated above, a paper and an electronic record of all cast ballots are retrieved from each individual voting machine following an election. The results from each individual machine are then tabulated, and thoroughly audited during the standard election canvass process. Once the audit is complete, the official winners are announced. Any alleged changes to a vote count in the election management software would be immediately discovered during this audit process, as this total would not match the true official total tabulated from each machine.
So yeah, consider the source and all that. The operative word here being consider.
Additionally, do you think a multi-hundred-million dollar campaign (i.e. Kerry/Edwards) is just ignoring this? That no one on their staff is INTIMATELY aware of these situations and allegations? Quite the contrary. And rest assured that if there was anything substantial to do or prove, they'd be doing or proving it.
-
Not what Lipner meant when he said "Trapdoor"
Proprietary software zealots are always saying that open source programs are likely to contain backdoors, but is this situation truly what they mean when they say that?
Mr. Matzan, I question why the editors would accept a submission by you that was nothing but copy-and-pasting the first paragraph out of your article on News Forge into the Slashdot submission box.
Regardless, I object to the assertion you've made above. No respected person, zealot or otherwise, has ever said that "open source programs are likely to contain backdoors." The article you cite for this assertion is Steve Lipner of Microsoft making some observations about the difficulty of security, and contrasting the security process behind open and closed source software. His claims may be questionable, but they are serious and they do deserve a meaningful response. Dismissing those claims by building a snarky little strawman through mischaracterization is not the response they deserve.
-
Some thoughts
While I don't disagree in the least with the spirit of the concept of making the system(s) open source, it should be noted that, contrary to popular belief, Diebold asserts that its systems have been scrutinized, including at a source code level, by independent authorities, and that there is also a paper record:
http://www.securityfocus.com/archive/1/375954
I don't know if the paper record is "voter verified", or what mechanism it uses, but there is apparently a paper record nonetheless.
Notwithstanding Diebold's CEO's extremely inappropriate campaign comments, I really do think they're trying to put out the best electronic voting systems they can, but are suffering from the same problems that any large, proprietary system suffers from when it languishes in the comfort of large government-guaranteed long-term contracts: namely, inattention to the details that need to be addressed, that sometimes get lost in not seeing the forest for the trees.
Perhaps opening the source to these critical systems and having it overseen by an independent election agency would be an idea worth considering...
-
Re:All machines are vulnerable to this
This is even noted as a problem: SecurityFocus
-
IIS 6.0 vulnerabilities is not zero...
Looking at securityfocus.com and secunia.com it seems that IIS 6.0 has had at least 3 vulnerabilities discovered, one of which is still unpatched.
Apache 2.0.x, on the other hand, has at least 20 vulnerabilities listed so your point about IIS vs Apache is valid, but I just don't want you to fool yourself into thinking IIS 6.0 is somehow the savior of the web.
It's also interesting to note that Windows Server 2003 Enterprise Edition has 31 advisories while Red Hat Enterprise Linux AS 3 has 89 advisories.
Now what is really interesting is to see the number of vulnerabilities that are unpatched when comparing Microsoft's solutions to the FOSS solutions. It seems that even though Microsoft has fewer advisories they also have more of them that seem to be unpatched. So that seems to be good news for FOSS and perhaps is proof of what has been said all along on the FOSS side: the bugs get fixed faster than on the closed source side.
It's interesting to look at the numbers anyhow, but I still see no reason to dump my linux installs for any expensive Microsoft offerings anytime soon.
burnin
-
Re:Reality Distortion Fields ON!
The same person tells us that Apache sucks when compared with IIS.
No, Larry Osterman did not tell you that.
Larry Osterman didn't even tell you that IE wins compared to the mass suckitude of other browsers such as Mozilla or Opera when fed malformed HTML.
Specifically, Michael Howard wrote the blog article about Apache vs. IIS
The person who wrote the article about IE being much better - in terms of NOT crashing - than other browsers is Michal Zalewski, who doesn't even work at Microsoft.
But hey, if you want to claim that Microsoft are the people making all this stuff up, and jump up and down, then go ahead. But please, don't be surprised if, when people point out that it's not Microsoft doing it, you look like a fool.
-
Vulnerability listings
The article's comment about NetBSD being "insecure" raised my eyebrows, as well. NetBSD is not known for being particularly insecure, and the comment struck me as out-of-place and ill-informed.
But, I couldn't let this slide (even giving up my mod points): counting security advisories is just not a good way to judge the relative security of an OS, especially one of the more uncommon ones. SecurityFocus has no vulnerabilities listed for either MS-DOS or EROS, but few people would conclude that both operating systems were equally secure, or that MS-DOS's unblemished security record means it's more secure than OpenBSD (which has many dozens of vulnerabilities listed, most of which are advisories for bundled programs like Apache which OpenBSD nevertheless takes responsibility for).
Even worse, the more that people are believed to be using vulnerability lists to compare OSes, the more pressure vendors feel to improve their scores by sweeping security problems under the rug. Microsoft is notorious in this regard -- years after promising to make security their #1 focus, whenever they think they can get away with it they continue to hide known security bugs from sysadmins (who would be able to deploy work-arounds if they were told about the problems) in favor of silently sneaking the fixes into the next service pack many months later.
-
Re:Conspiracy Theory time...
RTFA. Larry didn't find the broken HTML, he just referenced an article which did.
-
some evidence suggests you are wrong
This post on BugTraq suggests that Mozilla and Firefox will have security problems when they get popular enough. The evidence is pretty compelling, too. Current testing procedures for Mozilla are obviously inadequate.
-
Sorry, Bill, but at least 1 is MS's fault!
The bug mentioned in this Security Focus article most definitely *IS* the fault of Microsoft. I've seen their patches re-open previously corrected, unrelated security holes. Seems like QA isn't up to snuff at MS, though that's not really that surprising.
-
How is this different
From everything in here again?
With the exception of a proof of concept GDI+ exploit posted to USENET, none of these vulnerabilities are known to be exploited.
The shell and compressed folder vulns require user interaction, just like 99% of all other "worms". As long as your mail application is patched you can't get hooked via email and if you visit "malicious websites" with anything other than Lynx you probably should be shot anyway. Ditto for a decent firewall.
On the other hand, I wonder why things like these for some reason never get posted.
-
Re:How about this?
My bad. Here's the parent of the threads I ran across this week pertaining to PHP (in)security.
-
How about this?
Here's a vulnerability or two right here. Too bad they are in the revered PHP platform. Just to show that no one is immune.
-
full story on SecurityFocus
The full story for this was written several days ago by Mark Rasch on SecurityFocus, and it goes into much more detail than the CNet article. Mark Rasch is a former head of the Justice Department's computer crime unit.
Disappointing to see Slashdot is mostly just mainstream big media news now.
-
for the _appearance_ of security
fingerprint biometrics are notoriously spoofable. only 1 in 1000 even mention "liveness detection" with an adequate threat model.
vascular scan biometrics are the only adequate security solution to date (with the possible exception of facial geometry). even iris scanners are susceptible to spoofing.
vascular ! always = retinal scan; many foreign banks are using hand vascular scans for banking transactions. facial vascular scans can also be less intrusive than retinal scans.
-
Re:Is it really a camera?
He could have been trying to figure out what was causing the interference with his 802.11a/b/g/eieio equipment. Or maybe he bought one of those X10 camera kits and was surprised to find something transmitting already. Or maybe he was warspying.
-
Link
they track vulnerabilities reports
Yup. Select the vendor.
gewg_
-
Re:How about?
This seems the most obvious one.
-
Re:Microsoft says "No Problem"
Yep. This is precisely why I always use a scroll wheel to navigate. I'm not going to be caught off guard by this sort of scam.
Ooh look! What a pretty JPEG.
-
In related news, Diebold denies any backdoors
Yesterday, Diebold sent out a PR piece over BugTraq saying that "Diebold strongly refutes the existence of any 'back doors' or 'hidden codes' in its GEMS software" in response to a BugTraq post in August that announced the discovery of a backdoor in GEMS. The backdoor announcement wasn't substantiated with any technical details.
While this Slashdot article appears to reference a vulnerability rather than a backdoor, I just thought that some might find this to be an interesting related story.
Here it is from the horse's mouth:
http://www.securityfocus.com/archive/1/375954/2004-09-19/2004-09-25/0
-
Re:"insecure"?
If this is indeed a security flaw, why hasn't http://www.securityfocus.com/ listed it?
-
Re:Wow...
-
0wnership with a zero
You mean a lower total cost of 0wnership.
-
Where's the evidence?
Look, I'm not trying to be a knee-jerk, but I'd like a little evidence. A quick search on Security Focus shows IIS and Apache to be about dead even on vulnerabilities. That may not prove that oss is better, but it certainly suggests it's not any worse.
This article is full of speculation on mechanisms, without any real proof. It doesn't even bother to cite the bullshit MS funded studies.
If I want rabid fan baiting with no real evidence, well, I'm on Slashdot already, aren't I?
-
Re:Old news
I don't think it was due to images, however.
Look here - this appears to be the exploit you're thinking of.
-
Re:Elite.. microsoft and govt
Even so, do you really think there is a solid link between MS Security Support and 911? Honestly, is there a real comparison there?
There just might be.
-
Another story: Telenor takes down 'massive' botnet
Telenor takes down 'massive' botnet (From the story, they didn't really take down the botnet, just rendered it headless for a little while.)
-
Re:Summary of story
I'm guessing you've confused the "Firebird" database with the Mozilla codenamed "Firebird".
http://www.securityfocus.com/news/136
I'm not saying that you're wrong, but I know this Interbase (the original name of the database, before it was Open Sourced) bug was published on slashdot (I'm not going to bother trying to find the link), and fits the description you give (other than the "hide" portion of the Bugzilla DB).
I read slashdot pretty religiously, but don't remember ever hearing such a story about Mozilla. However, it's possible I missed it. A number of bug tracking packages use an "Internal/Hide" option, for a variety of reasons, including keeping the details of a crack secret. So the source for the crack, and details of how to exploit it, can be posted for internal use, but not external. Sometimes, it's just a bug that only affects internal versions that have never been released to the public, so you want to keep people who've never seen the code with the bug from being able to comment on it.
Kirby
-
Right...
"Claiming a product is fit for a purpose when you know it isn't is fraud."
You mean like using a Linux distro as a Key Distribution Center via Kerberos 5? "But they said that it was secure!" Yeah, so what. If you sued everyone who had vulnerabilities in their "advertised as secure" software we wouldn't have Mandrakesoft, SUSE, Windows XP, OSX, FreeBSD, etc...
All software has security flaws!
-
The Storm Center is excellent
One of the first things I check out every day is the Storm Center's diary. Between that, and Microsoft's security page, and SecurityFocus, and Infosecdaily.net, I've got more than enough paranoia (I hope...) to make it through BugTraq and Full Disclosure.
What about the rest of you? What links do you check out, and what am I missing?
-
bugtraq proves otherwise
There's absolutely nothing that Linux can do to protect against a user who has the root password and who has been convinced to run an untrustworthy executable.
Just a side note: you don't even need to be root to run untrusted binaries.
Have a look at bugtraq or any other full disclosure mailing list to get an idea of the magnitude of the problem.
Some vendors, including most linux distros and the BSDs have appointed a security team to handle the issues once they are discovered. BUT if Linux (or BSD) were to become a mainstream product, would you expect every Joe Sixpack to update their system (or third party apps) regularly?
Sure, Linux and BSD are much more secure than Windows; but they are certainly not immune against attacks; even against basic attacks.
-
This is an admin course: Hardening and backups.
A linux box is easy to install. Much harder to maintain one that is safe and secure.
They should know how to protect the system from disaster and attack. Tips on hardening should include:
- Hardening a new install with the Bastille Linux scripts. What these are and what they do.
- IP tables configuration. What IP tables is, why it's important, and how to configure it. This may or may not be in relation to Bastille.
- Tripwire. A PITA to configure, but *really* useful in knowing what is happening on the server.
- Kernel options. Do you need loadable modules on a production server? Disable them if not. Do you need USB or CDROM access? Remove them from the kernel. If it's not needed, don't include it.
- Kernel upgrades. When and why. Just because the latest 2.6.87 kernel has been released is no reason to put it in. However, if there is a remote root 'sploit posted to Bugtraq for the current kernel, everything else is a lower priority.
- BugTraq and other security lists. What they are and why they should be monitored.
- Application security patches. Like kernel upgrades, guidelines on why and when production apps should or should not (or must) be upgraded.
- tar, and its more esoteric options, such as multi-volume tarfiles, dump levels, etc.
- Rotation schemes. What is Grandfather, Father, Son? Why is it important to do this? What is the difference between a differential and an incremental backup?
- Backup media. Redundant hard drive? CDR? DVD-R? Tape? Onsite vs offsite?
- Recovery procedures. Ok, you've got a backup. What do you do if you need it? You have tested the tapes, right?
:)
grnbrg.
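For the "IP tables configuration" item in the syllabus above, an added example (written for this page, not part of the comment or of Bastille) of the default-deny ruleset an admin would start from: drop by default on INPUT and FORWARD, accept loopback and established traffic, rate-limit ping, open ssh only from a management network, open the public service ports, and log what gets dropped. The management subnet 192.0.2.0/24, the port list and the function names are assumptions; override them through the environment.

```shell
#!/bin/sh
# Added example: emit a default-deny iptables ruleset in iptables-restore
# format. Nothing here touches the running firewall; you review the text,
# validate it, then load it.

ADMIN_NET="${ADMIN_NET:-192.0.2.0/24}"   # assumed management subnet
SERVICE_PORTS="${SERVICE_PORTS:-80 443}" # assumed public services

# gen_rules prints the whole ruleset. Policies are DROP for INPUT and
# FORWARD, so anything not explicitly accepted below is discarded.
gen_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
-A INPUT -p tcp --dport 22 -s $ADMIN_NET -m conntrack --ctstate NEW -j ACCEPT
EOF
    # one NEW-connection accept rule per public service port
    for p in $SERVICE_PORTS; do
        printf '%s\n' "-A INPUT -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
    cat <<EOF
-A INPUT -m limit --limit 3/min -j LOG --log-prefix "iptables-drop: "
COMMIT
EOF
}

# count_accept_ports returns how many NEW-connection openings the ruleset
# has (ssh plus each service port); handy as a sanity check in a review.
count_accept_ports() {
    gen_rules | grep -c -- '--ctstate NEW -j ACCEPT'
}

# Run with --print to write the ruleset to stdout.
if [ "${1:-}" = "--print" ]; then
    gen_rules
fi
```

Usage: `sh rules.sh --print > /etc/iptables.rules`, then `iptables-restore --test /etc/iptables.rules` to parse it without committing, and `iptables-restore < /etc/iptables.rules` once it validates. Do the first load from a console or with a timed rollback (`sleep 300 && iptables -P INPUT ACCEPT` in the background), since a typo in the ssh line locks you out of a remote box.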