Slashdot Mirror


FreeVeracity: Network Intrusion Detection

Ross Williams writes: "FreeVeracity is a new free intrusion detection tool for free platforms (GNU/Linux, FreeBSD, NetBSD, OpenBSD, etc.) that uses cryptographic hashes to detect file changes that may indicate a network intrusion. FreeVeracity can be run standalone or in a client/server configuration (on TCP port 1062) that enables you to monitor the integrity of hundreds of computers from a single point. FreeVeracity is also an excellent general-purpose data integrity tool with over ten different applications. FreeVeracity is released by Rocksoft, vendor of the Veracity data integrity tool used to secure the networks of leading global companies in finance, communications, transport, aerospace, power generation and defence. FreeVeracity is released under the Free World Licence which provides all the usual free-software freedoms, but for free platforms only." Looks useful.


  1. Re:When amazon is cracked, people fry. What of me? by QuMa · · Score: 2

    Am I the only one left who wants to keep govt's of the net? I don't see why it's needed. If it can be solved with tech, why let a bunch of people who are 95% clueless get power? Govt's are nice in meatspace, not here.

  2. Nothing New - Vulnerable to Attacks by Anonymous Coward · · Score: 2
    The product is nothing more than a file integrity tool. We've had Tripwire, L5, and other tools that do the same thing for years. Their web site is so full of hype: "intrusion detection system", "firewalls", "protocol and file standard"!!!

    They provide a way to remotely check the integrity of files. This is something that the latest commercial version of Tripwire does as well. While this is handy when you want to keep your eye on a few dozen or hundred machines, it can easily be defeated by an intruder.

    Data integrity tools are useless if they are running on a hostile environment. And the second the machine gets broken into, that's what it is. The intruder can modify the kernel to return the right file content to the data integrity tool but not to anything else. He can shut down the tool and replace it with one that reports everything is fine. Etc.

    The only time you can know for sure that a data integrity tool is telling you the truth is when you have booted from clean media and are using file hashes that have been stored on read-only media and could not have been tampered with.

    Maybe every computer needs a secure coprocessor running security software that can act independently from the OS and primary CPU?

  3. Hmmm... by Millennium · · Score: 2

    Fascinating.

    The Free World License is hypocrisy itself on paper; a license can't be Open-Source if it's under a discriminatory license.

    But this does lead to an interesting point: what if someone were to port this to Darwin? Darwin itself is Open-Source. However, if it runs on Darwin, then it should also run on OSX (the core of which is Darwin). But OSX isn't entirely Open-Source, only the core. However, one could say (and actually argue fairly well) that Darwin is really the operating system, and "OSX" is just Apple's value-added stuff on top of it. So is an OSX port legal or not?

    Just something to think about.
    ----------

  4. Re:Freeworld Licence by Legolas-Greenleaf · · Score: 2
    > From now on my programs will be released under a similar license: The software will be completely free, but you will only be allowed to run it on MacOS.

    what? free software on a mac? this is a first... almost anything useful i can find for macos is usually shareware/crippleware/etc.

    in all seriousness, though, macintosh is a consumer based platform. the most likely reason that there is no free software for it is simply the fact that people who use that platform aren't interested in developing free commercial quality utilities in their spare time for fun (which is more the case on free *nix based platforms.) Therefore, it would almost be futile, at least for the time being, to release onto that platform.

    Additionally, a fear many companies have with releasing source is 'why would anybody pay for the product when the source is available'. I know i would most likely have similar worries. This licence gives the developer a chance to both a) release the source to a community which would most likely go through it, find security problems, improve it, etc., and b) test the open source concept with a smaller group, while not 'risking' their main income (being the windows folks). Having a way to cautiously try open source before releasing everything open, as to assure themselves that it is a Good Thing, may be the key thing many companies need to disclose their code, which really helps us all. This is why i see this licence as a potentially good thing.
    -legolas

    (ps RMS ate my balls... i love GNU software, and i'm a fan of the GNU licence, which is what i release anything i make under it. And which is one of the reasons I run Linux instead of Windows. However, not everybody in the world is so 'enlightened' ;^)

    i've looked at love from both sides now. from win and lose, and still somehow...

  5. Re:Freeworld Licence by ZoneGray · · Score: 2

    Actually, it's not unlike some of the licenses that Microsoft provides with some of their beer-free add-ons. You're free to use the software, but only under Windows.

    I can see why ESR and RMS don't like it.

  6. Panned by Perens! by Bruce+Perens · · Score: 3
    Yawn. Who needs it? It's not a very complicated tool, there is existing Free Software that duplicates its function. Folks, this is another file checksum program, not rocket science. It adds yet another incompatible license for people to deal with.

    Bruce

  7. Security programs by proxima · · Score: 2

    Ok, this looks like something worthwhile to try. Though I have a few questions. First, does anything it use run as root? It opens TCP port 1062 (accessible by normal users), but perhaps it needs root access to some other root-only system files (this would be my guess).

    Also, does this sort of program work well with Portsentry? Also, it'd be nice if this FreeVeracity client program acted in a similar fashion to LogCheck by checking the syslog-generated files. Then you could use one program to monitor critical file changes, illegal port scans, attempted hack-ins, everything in one bag. Perhaps FreeVeracity provides more functionality than I'm assuming though. I'd like to hear what anyone has to say.

    --
    "The universe seems neither benign nor hostile, merely indifferent." --Carl Sagan
  8. Re:Detecting port scans? by Legolas-Greenleaf · · Score: 3
    not quite... nmap is a port scanner, not port scan detection software. (although, i must say... a machine doesn't really feel setup until i have a copy of it on. =^) i frequently use nmap to see what open ports i have and firewall out or shutdown programs as need be.

    for detecting portscans, the first program to come to my mind (and that i have had some experience using) is portsentry. It binds itself to a number of unused but frequently scanned ports (1, 12345, 31337, etc) and you can change the list. you can also set it up to automatically respond (add the person to ipchains or whatnot). care should be used in setting up portsentry, though. i've seen attacks where people make scans with forged ips, and the automatic response automatically firewalls out your own ip, your router, your nameserver, your mailserver, etc.

    hope this is useful.
    -legolas

    i've looked at love from both sides now. from win and lose, and still somehow...
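The caveat in the comment above (an automatic responder fed forged source addresses ends up firewalling your own router, nameserver or mail server) is easy to demonstrate with a few lines of trap-port accounting. The block below is an added example, not portsentry's code or its log format: the trap ports are the ones named in the comment, the log records and the addresses (RFC 5737 test ranges standing in for the host, its router, nameserver and mail server) are constructed, and the never-block list is the assumed mitigation.

```python
"""Portsentry-style trap-port analysis with a never-block list (added example,
not portsentry's code or log format; the log lines below are constructed)."""
import ipaddress
from collections import Counter

# Trap ports named in the comment above: unused but frequently probed.
TRAP_PORTS = {1, 12345, 31337}
# Addresses that must never be auto-blocked: the host itself, its router,
# nameserver and mail server (assumed values from the RFC 5737 test ranges).
NEVER_BLOCK = {ipaddress.ip_address(a)
               for a in ("192.0.2.10", "192.0.2.1", "192.0.2.53", "192.0.2.25")}
THRESHOLD = 2   # trap hits from one source before it is treated as a scan

# Constructed "timestamp source_ip dest_port" records. 192.0.2.53 is the
# site's own nameserver: probes carrying a forged source address make it
# look like the scanner.
LOG = """\
2000-10-04T10:00:01 203.0.113.7 1
2000-10-04T10:00:01 203.0.113.7 12345
2000-10-04T10:00:02 203.0.113.7 31337
2000-10-04T10:00:05 192.0.2.53 1
2000-10-04T10:00:05 192.0.2.53 31337
2000-10-04T10:00:09 198.51.100.4 22
2000-10-04T10:00:12 198.51.100.4 31337
"""

def trap_hits(text):
    """Count connection attempts to trap ports per source address."""
    hits = Counter()
    for line in text.splitlines():
        if not line.strip():
            continue
        _ts, src, port = line.split()
        if int(port) in TRAP_PORTS:
            hits[ipaddress.ip_address(src)] += 1
    return hits

def plan_blocks(hits, never_block=NEVER_BLOCK, threshold=THRESHOLD):
    """Split sources over the threshold into those safe to firewall and those
    on the never-block list, which get an alert instead of an automatic rule."""
    to_block, protected = [], []
    for src, n in hits.items():
        if n >= threshold:
            (protected if src in never_block else to_block).append(str(src))
    return sorted(to_block), sorted(protected)

if __name__ == "__main__":
    block, alert_only = plan_blocks(trap_hits(LOG))
    print("firewall:", block)
    print("alert only (never-block list):", alert_only)
```

Without the never-block list the nameserver's address would be handed to the firewall alongside the real scanner; with it, the same evidence produces an alert for a human to look at instead of a rule that cuts the host off from its own DNS.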

  9. Sounds like a good idea by vicviper · · Score: 2

    But shouldn't intrusion detection be at the point of entry? Open ports, terminals, etc? It seems to me that if you have these areas locked down, this may be overkill. Or am I missing the point?

    1. Re:Sounds like a good idea by SoftwareJanitor · · Score: 2

      You are missing the point... You should do intrusion detection after the fact, as well as take whatever prevention measures you can such as turning off unnecessary services, etc. If you really want to keep your systems secure, there is no such thing as overkill...

  10. FreeVeracity by v4mpyr · · Score: 3

    FreeVeracity sounds cool. FreeVeracity should be put on all my linux boxes. FreeVeracity might someday rival TripWire. FreeVeracity story submitters should learn to use pronouns. ;-)

  11. When amazon is cracked, people fry. What of me? by SlushDot · · Score: 5
    Why is it that whenever [big internet site] is cracked, many 3 letter agencies "go after" the crackers with a great zeal and spend millions to try them, and seize their hardware, and bar them forever from a career in computers....

    Yet when my box is cracked and my credit card numbers stolen, etc., calling anyone (police, FBI, etc.) gets a "why are you bothering us? You're lucky we don't prosecute *you* for wasting our time with such trivialities." attitude?

    Is cracking illegal or isn't it? Who do I report it to when I'm hit? What gov't/state/municipal entity defends me as defends amazon or CNN?

    --

    1. Re:When amazon is cracked, people fry. What of me? by v4mpyr · · Score: 4

      Your best bet would be to head over to SecurityFocus and get on their ``Incidents'' mailing list. Give a thorough explanation of everything you know along with any recoverable (and relevant) logs. There's hundreds, if not thousands of security professionals on that list who would gladly help you out.

    2. Re:When amazon is cracked, people fry. What of me? by ryanr · · Score: 2
      > That might be true if you're the target of a new attack. But when the 6.02e23rd victim of the LOVEBUG emails them... they just don't care anymore.

      > Security groups are looking for new attacks and how to stop them so they can expand their protection arsenal. They have no interest in stopping cracking because... that would put them out of a job!

      Doesn't sound like you have any idea what we do, or have ever looked at the incidents list. We don't look for "ways to stop attacks" per se. We have no product. Take a look at the incidents list and see what kinds of posts people make. The archive is on our web site. Often times some ISP that has been ignoring complaints will finally do something when 10 other people chime in that they've seen the same activities from the same network.

      The incidents list is a community-based mailing list for concerned net users to discuss incidents that are happening in the wild. The majority of the time, it's other list readers that are able to identify what attack has taken place, or suggest a remedy of some sort. There have been any number of attempts to correlate incidents in the past, and they've all met with pretty limited success. The incidents list seems to be working. None of the other efforts would have ever touched such small scale incidents that the incidents list does.

      The only thing that the list (hopefully) buys us is more people who enjoy our site.

    3. Re:When amazon is cracked, people fry. What of me? by ajs · · Score: 2

      I don't want to get into a blame-the-victim scenario, here, but I do worry about this sort of thing. We're transitioning from a frontier mode (where the law DOES get snooty if you try to complain about rustlers) to a homesteader mode where the future of law enforcement will begin to take form.

      Because of this, we need to think about HOW we ask for help. Do you really want an FBI consumer-equipment intrusion team, or should that be something handled by your local law enforcement agencies? Personally, I'd be a lot happier with an international network of local law enforcement teams that deal with intrusions of this sort. Individually, they may not have the resources, but if all they need is 1-2 staff per precinct/district/whatever and a computer connected to the Internet with "Fuzz 2.0" installed, we could keep power in the hands that local-scale elections can at least control by proxy (e.g. the Mayor of your city has some control over the police). In this way, individual citizens have a significant say in how Internet policies and laws are implemented in their corner of the world.

      Thoughts?

    4. Re:When amazon is cracked, people fry. What of me? by Vassily+Overveight · · Score: 2

      > I'm sure Norton/Symantec put pressure on Microsoft to not make windows too secure.

      Norton/Symantec putting pressure on Microsoft??? What possible pressure could they exert that MSFT would care about? They wouldn't even make a good-sized stain on the sole of the boot with which MSFT crushed them.

      --

      "If I have seen further than other men, it is by stepping on their glasses." - Michael Swaine

    5. Re:When amazon is cracked, people fry. What of me? by solszew · · Score: 2

      Unfortunately, most law enforcement agencies cherry-pick crimes. Unless something of monetary value was lost (and usually constituting a felony), law enforcement will not do more than pay lip-service to finding the criminal. And not just re: computer crimes. Several years ago someone stole my car. Since its blue-book value was less than 500.00, the cops basically said, "We don't have time," even though I knew who did it! It is unlikely that any local law enforcement offices will allocate HR for computer crimes, except for the highly-publicized "internet stalker/pedophile" variety.

      And frankly, I don't blame them. There really are bigger fish to fry.



      Steve O.

      --

      Steve O.
      I am really, really exhausted.
    6. Re:When amazon is cracked, people fry. What of me? by Anonymous Coward · · Score: 2
      > Your best bet would be to head over to SecurityFocus and get on their ``Incidents'' mailing list. Give a thorough explanation of everything you know along with any recoverable (and relevant) logs. There's hundreds, if not thousands of security professionals on that list who would gladly help you out.

      That might be true if you're the target of a new attack. But when the 6.02e23rd victim of the LOVEBUG emails them... they just don't care anymore.

      Security groups are looking for new attacks and how to stop them so they can expand their protection arsenal. They have no interest in stopping cracking because... that would put them out of a job!

      I'm sure Norton/Symantec put pressure on Microsoft to not make windows too secure. Security holes are profitable to an entire industry. You can't just cut them loose. Sure, MS will make secure windows for big business (NT Server at kilodollars per pop) but consumer grade windows will always have bugs. It's by design.

  12. Re:Intrusion vs. normal Login by SoftwareJanitor · · Score: 2

    Most file based intrusion detection systems let you specify what directories/files are/aren't checked for changes. Something like user's files in their home directory would probably not be something that would be watched. Other stuff like log files would also be excluded, because they are expected to change. Things like executables in /bin /usr/bin and config files in /etc are examples of the things that are important to watch for modifications to.

    Unfortunately, this means that there are still places that intruders can hide files, but it doesn't mean that this type of tool isn't useful.

  13. Interesting by linuxonceleron · · Score: 2

    Reminds me of Network Flight Recorder which used to be open source minus the signature files contributed by l0pht which were under copyright. I believe NetworkComputing magazine did a test on IDS systems a while back and found that many were not mature enough to depend on for security. Though allowing people to help with the project will go a long way in keeping it up to date.

    --

    Shine on, you crazy diamond.
  14. Re:Intrusion vs. normal Login by Clover_Kicker · · Score: 2

    >How does this program tell the difference between
    >an intruder modifying files using a real/spoofed
    >login and a normal user modifying his own files
    >that he should be modifying? Or is this program
    >not designed to catch that?

    Not familiar with this particular s/w, but with this sort of thing you can generally pick and choose which files/directories to watch. You're not going to bother checksumming /home because you don't really care.

    And if you're the admin, you're going to remember what you did. If you add a new HD or something and get an alert the next day saying that /etc/fstab has been modified, it (hopefully!) won't be a surprise. It's the file changes you can't account for that you're supposed to worry about.

  15. Re:Freeworld Licence by 0xdeadbeef · · Score: 4

    How do they intend on enforcing this "Free World" license? If you've got source, you can port. If it's really free software, how can they stop you from distributing that port? "Oh, these windows ifdefs? Those are for running it under WINE, a bona-fide certified justified free software application that runs under free operating systems."

    Doesn't this just become another shrink-wrap license? I think most of us are not ideologically opposed to copyright per se, but are opposed to selling things with strings attached, aka "licensed", because of the obnoxious power it gives vendors over how we use the things we buy. Even the GPL doesn't tell you how you must use a program, it simply says "give back what we hath given you".

    This license is foul, for that reason, and because it almost seems to willingly encourage relegating free operating systems to the hobbyist niche. It basically says you can make a profit on your work through traditional licensing fees, and toss a bone to free software enthusiasts at the same time. But what happens to your profit when free operating systems become the norm? If your revenue model is dependent on selling to proprietary platforms, you've screwed yourself by promoting free platforms. So you won't promote those platforms. In fact, why even release a free version at all?

  16. Freeworld Licence by Legolas-Greenleaf · · Score: 3
    This is an interesting sounding licence. It works such that the program and its source are free as beer for operating systems whose main system components and their source can be freely downloaded (linux/*bsd/freedos/etc.), and not free for commercial OSs (irix, aix, windows, etc.), which also includes emulation of a free system on a not free platform.

    this approach has an interesting motivation - this way, they can experiment with open source on the more 'hackerish' OSs, while still maintaining their commercial customer base on the commercial systems.

    This licence seems to be borrowing various parts from the GNU licence and the FSF licence. I think this is somewhat a good thing, because it gives us who like to tinker with the code a chance to get at it (and for free!) while not risking the majority of their income (from serious commercial vendors). Perhaps we may see this approach to opensource used more in the near future. and it may encourage more and more companies to release their source, which is kinda cool, i think. also, it could be a starting step for companies to start releasing source, between not-at-all and full-disclosure.
    -legolas

    i've looked at love from both sides now. from win and lose, and still somehow...

  17. freshdot? slashmeat? by scrytch · · Score: 2

    How is this single product announcement newsworthy? It's not even a marginally new category of product. So hard up for material that Slashdot posts random product launch press releases now?

    --
    I've finally had it: until slashdot gets article moderation, I am not coming back.
  18. Re:er.. by tzanger · · Score: 2

    > Without GNU, Linux would be a hacked clone of Minix. With GNU, it's a genuine alternative to other commercial/free Unix systems.
    > Give credit where credit is due, dumbass.

    I'm sick and tired of this argument. I don't call my car a Chrysler/Toyota/American Motors Jeep*. I don't call my computer an Intel/Asus/WD/Esoniq/Advanced Gravis 466. I don't call my daughter Andrew/Vanessa Katie.

    Yes GNU is a big part of Linux. You don't pollute the name of a product after the fact just because it was possible through a third (or fourth or fifth...) party.

    If Linus called it GNU/Linux I may think otherwise. However he didn't, and I don't stroke other people's egos just because they feel that now that what they helped with is popular they should get some face time.

    * - I believe that Jeep used Toyota transfer cases in their 90's model Cherokees and Grand Cherokees. That's a pretty important part of a 4WD vehicle, dontchathink?

  19. Re:er.. by sillysally · · Score: 2
    without oxygen, earth would be lifeless. so, do you call it "oxygen/earth"?

    without C, most GNU tools would not exist: do you call them C/GNU?

    I could go on, but you get the message. You should take a course in linguistics and you'd realize that the morpheme "linux" has all of the meaning you prefer associated with it already. The morpheme pair "GNU/Linux", BTW, does contain an extra semantic bit in that it classifies the user as coming from a particular side of this debate. Therefore, it would actually be an error for that AC to use it if that is not her belief.

  20. Re:Free World Licence by Peter+Eckersley · · Score: 4
    > If it's free only for free OS's, then it's non-free if you go by the Debian Free Software Guidelines (as I do).

    Before I start this, I should just state for the record that I am a very enthusiastic Debian user, and a wholehearted DFSG & FSF supporter.

    I thought for a long time about writing a Free World style license, simply because I resented the fact that Windows users could take almost any Free code I wrote and use it, while I couldn't use closed source Windows programs with anything like the same degree of ease.

    Ross Williams (author of the Free World license) states on his Free World pages that he sees the only difference between his approach to licensing and that of the GPL as "strategic". One approach to freeing the world's software is to exclude non-free platforms from using the free code base that we have created; the other is to entice users away from the proprietary software by showing them what wonderful free programs were available.

    Eventually, I came round to agreeing with RMS on this. I guess the key points that convinced me were:

    • You are restricting trapped users of non-free platforms in rather unpleasant ways
    • More importantly, you are encouraging an incompatible world. This is not only an unpleasant situation, but it may be strategically very unwise for the free software movement...
    I guess that having said those things, there could be some arguments for using this sort of license for "convenience" code, rather than "essential" code. If your application has no potential to be a source of incompatibility, then it could be acceptable to make it only available to users of Free platforms.
  21. Re:Is it me or is this AIDE? by mindstrm · · Score: 3

    I'm curious.. I have simple scripts that, in conjunction with md5sum, do what these do.

    Summaries are generated using shell scripts, the results collected from all over the network and stored on a secure machine for later testing.

    How is this even a 'product'?

  22. Free World license makes no sense by AIXadmin · · Score: 2

    FWL makes no sense. People charge for CD's. Therefore it can't be free can it? Some distribution methods are free? Others are not? Apple's Darwin is free. RedHat sells distributions of Linux with add ons that you cannot download. You have to purchase that distribution. So does it not qualify?
    Cheers,
    WFE
    ===========

  23. REAL free network intrusion detection by martin.roesch · · Score: 2
    There's only one free network IDS that I'm aware of that's full-featured enough to claim the name, and that's Snort. Snort provides real time network traffic monitoring and classification, and just lately supports IP defragmentation and TCP stream reassembly, plus has many output and real-time alerting options including syslog, database (MySQL, Postgres, etc), and XML. Snort also runs on at least 21 platforms, including all the Linuces, *BSD, and Win32.

    Oh yeah, it's GPL'd too.

    FreeVeracity looks to be nothing more than a Tripwire clone that detects file changes on systems it's installed on. To use an analogy, it doesn't detect when your car has been stolen, but it goes off when the thieves try to repaint it.

    If you're interested in checking out Snort, head over to www.snort.org and have a look around.

  24. Re:But the FBI/DOJ don't get paid for nabbing h4x0 by Danse · · Score: 2

    Breakins to big-name sites make news. FBI catching perpetrators of those breakins makes news. Congress notices the news. Congress increases FBI budget for chasing computer-crime perps. Hence, it's about money.

    --
    It's not enough to bash in heads, you've got to bash in minds. - Captain Hammer
  25. Money talks by Floyd+Tante · · Score: 2

    > Why is it that whenever [big internet site] is cracked, many 3 letter agencies "go after" the crackers with a great zeal and spend millions to try them, and seize their hardware, and bar them forever from a career in computers....

    Because they employ lots of people, have millions of credit card numbers, and take in more money in a day than you will in a year?

    > Yet when my box is cracked and my credit card numbers stolen, etc., calling anyone (police, FBI, etc.) gets a "why are you bothering us? You're lucky we don't prosecute *you* for wasting our time with such trivialities." attitude?

    Because you are not wealthy, a big name, or important?

    > Is cracking illegal or isn't it?

    Yes. And the great thing is that constitutional laws don't apply to cracking cases! Just ask Kevin Mitnick.

    > Who do I report it to when I'm hit?

    A trained consultant, perhaps?

    > What gov't/state/municipal entity defends me as defends amazon or CNN?

    None of them. That's where the private sector comes in. If you can't secure your Corel Linux box, it's not really the government's problem, now is it?

    --
    -- Floyd
    1. Re:Money talks by TheReverand · · Score: 2
      I know who it is.

      I'll give you a hint, it's not me.

  26. New! Improved! Free! by Majix · · Score: 2

    If it's new, how come the version number is 3.0? Anyway, remember that security works best in layers: use TCP wrappers, a good firewall and possibly even a Tripwire/Veracity-like intrusion detection tool and you're relatively safe (and remember to keep up with your distribution's errata!).

  27. Free World Licence by jpick · · Score: 3

    If it's free only for free OS's, then it's non-free if you go by the Debian Free Software Guidelines (as I do).

  28. Aide by pete-classic · · Score: 2

    I use Aide (http://www.cs.tut.fi/~rammer/aide.html) and it does the trick. It isn't all "gee whiz" but it is VERY configurable (for instance, use any or all of about half a dozen checksums.)

    It is GPL, so you can run it on commercial boxes for free, too ;-)

    So if you want your security policy to include "it should be an interesting [licensing] experiment", use this thing.

    I'll stick to Aide, thanks.

    -Peter

  29. Smells like Open Motif. by yerricde · · Score: 2

    The Open Group tried to do this with Motif. RMS hated it. Read the linked-to /. stories for more info.
    <O
    ( \
    XGNOME vs. KDE: the game!

    --
    Will I retire or break 10K?
  30. Re:Free World Licence by Peter+Eckersley · · Score: 2
    > You are restricting trapped users of non-free platforms in rather unpleasant ways

    > you are focusing (I think, you don't say) on the desire of these users to see source code. The license is trying to solve a different problem, how to make money. Yes, there are many users who are trapped, but many users have a choice about their platform, and the choosers are much more apt to be programmers with a need for source than are the trapped. The trapped can purchase the same product, the choosers can choose the source if they want.

    Actually, I think you misunderstood me a little there. I am (sometimes) a trapped user. If I sit down in a lab full of Windows boxes, or in an internet cafe, or I use a proprietary UNIX server somewhere, I would like to be able to install and use free applications. The Free World License is a double edged sword....

    > you may feel that the use of this license may risk an incompatible world, but it explicitly doesn't encourage it. The license encourages selling stuff to people who've chosen a proprietary platform, and sharing stuff with people who've chosen to share. Same stuff, total compatibility.

    Obviously, there is some truth to this, and incompatibility is not always going to result from doing this sort of thing. There are however, times when it may; this is most likely to occur when a new area opens up, and different protocols are vying to become the "standard" for some kind of service. During this process, having Free code available on non-free platforms gives us more chance of setting an open standard. When we don't achieve this, we suffer as a result. For example, a hypothetical cross-platform free office suite available in the early 90s might have saved us from having to stress about M$ Office compatibility....

  31. Versitile! Intelligent! Sticky! by Legolas-Greenleaf · · Score: 2
    Macintosh Post-It Notes: the practicality of a post-it note, with the power of a macintosh!

    sorry... that's the first thing that came into my mind with the subject of your post. =^)
    -legolas

    i've looked at love from both sides now. from win and lose, and still somehow...

  32. Wow. by mindstrm · · Score: 2

    That's not intrusion detection.
    It's change detection, yes. System integrity, yes... but not an IDS.

    Just like that rather neat linux kernel patch that locks off files and doesn't allow them to be changed isn't an intrusion detection system.. it's a change prevention system.

  33. Sometimes a little editorializing is good by Ledge+Kindred · · Score: 5
    Like for example, it would have been nice to see this "article" prefaced with the text:

    "This looks a whole heck of a lot like an Ad from Veracity, but the product still looks like it might be worthwhile to check out. Sorry for the blatant advertising in what's ostensibly an interesting technical story."

    --

    -=-=-=-=-
    My mom's going to kick you in the face!