Posted by
ryuzaki0
on from the no-backdoors-here-move-along-citizen dept.
bpitzer writes: "The NSA has released their guides for securing Windows 2000 that they have issued for various DoD organizations."
186 comments
NSA & Linux?
by
Anonymous Coward
·
· Score: 1
Anyone happen to know if the NSA (or a similarly respected group) has information on locking down, say, Red Hat 7.1? Can't seem to find it on their website... I'm sure they're running something other than just Win32.
Locking down RedHat is quite similer to locking down win2k. Remove and shut down all daemons, find / -type f -perms -u+s -exec chmod -s {};.. Of course, you could install a more security-minded distribution such as slackware or debian and have security AND functionality at the same time...
on the NSA homepage, just below the link to the article mentioned in this post is a link Security-enhanced Linux.
If you did'nt find that on their wabpage you surely did not look very herd.
--
120 chars is not enough!
Re:An omission
by
Anonymous Coward
·
· Score: 1
Oh no! You gave our secret password away! And it will be so hard to change!?!!!? (We hardcoded it in with a 'if (password eq "nsaspooks") {logged_in=1;} else {logged_in=0;}'
Re:Backdoors?
by
Anonymous Coward
·
· Score: 1
RMS says: All your base are belong to GCC! ^_^
Re:Unplugging the computer...
by
Anonymous Coward
·
· Score: 1
"You mean, like NTFS' ACL? Which NT had since forever? "
No - because it applies to processes too. For example you can't cut and paste (or pipe, I don't think SE Linux has an X server yet) classified information into an unclassified document. Much more sophisticated than any form of file permissions.
Re:Backdoors?
by
Anonymous Coward
·
· Score: 1
I have been thinking of that myself and i got to the following conclusion:
If you compiled a hello world program or something similar you could easily debug, view using a hex editor or disassemble the code using any third party tools. That would mean that the "attacker" would have to own the compiler, debugger, and any other tool on the system that could be used to verify the integrity of the compiled code.
If i were the "attacker" i'd put the backdoors on the linked libraries (libc perhaps?) so any program running would be "infected" and they could not be debugged as easily as a simple program.
Breaking News
by
Anonymous Coward
·
· Score: 5
In a gigantic police operation many thousands hackers from a gang calling themselves "Slashdotters" were lifted from their beds and arrested this night for organising a massive DDOS (Distributed Denial Of Service) attack to the main NSA network. It is not yet clear which foreign country payed the leader of this gang known under the name Commander Taco to destabilize the national security of the U.S.
While being dragged away to the waiting police car, Cmdr Taco was overheard saying "...a *$&@ing minute! It's called SLASHDOTTED: A natural occuring event on the net!!! I swear! It wasn't intenti...". If the only tool you have is a hammer, you tend to see every problem as a nail.
-- Blarf.
Damn! NSA was slashdotted!
by
sullrich
·
· Score: 1
The NSA site has been slashdotted! How hilarious!!!!!!
That might be a little hard to do after Step 8, you might simply want to put it in your will to be done by your next of kin instead.
Re:Unplugging the computer...
by
Simon
·
· Score: 2
The NSA has the Win2k source code. It's very easy for universities and other establishments to get the source, slightly less easy for large companies, and slightly less easy still for small companies and individuals (although they're changing this as we speak...)
True, but just because they have the source doesn't mean they can hack on it or fork it like they can with Linux.
It's not just apps. The permissions granularity on the filesystem are often misunderstood and misused by sysadmins, who leave their machines open to attack. The issue here is that while Windows is all GUI and easy enough for a monkey to configure (if you're to believe Microsoft advertising), finer points like correctly using the granularity provided are often overlooked because no one knows how to use them. And of course Microsoft is never part of the solution here, they stomp all over their own guidelines (design, installation, security, etc) with their software, so it's a big case of do as I say not as I do.
There's an interesting post on BugTraq that can be boiled down to "Win2k has some great granularity features... unfortunately the apps you are pretty much forced to use with it (Office2k, etc.) stink up that granularity."
-l
-- Help cure AIDS, cancer, and more. Donate your unused computer time to worldcommunitygrid.org. Join Team Slashdot!
Oh you're right about that. Sorry... I just skimmed it since I saw it on the ml and didn't reread it properly. I am curious if Office2k is affected now!
-l
-- Help cure AIDS, cancer, and more. Donate your unused computer time to worldcommunitygrid.org. Join Team Slashdot!
Indeed, I wonder if GNU/Linux distributions were to adopt MAC and CAPS more fully whether or not sysadmins would be up to the task... especially at smaller companies (like mine) where they can't afford the higher end guys to do simple internal MIS stuff. I've actually been kind of glad that Linux has not gone all ACLs yet due to the sheer complexity that that involves. But, when Linus does finally accept a patch for it, I'll thank my stars again that I transferred to the programming department!
-l
-- Help cure AIDS, cancer, and more. Donate your unused computer time to worldcommunitygrid.org. Join Team Slashdot!
wow, with acres and acres of computers...
by
otis+wildflower
·
· Score: 1
... one would think they'd have more than a dinky uplink to the 'net.. They're slashdotted:p
Still, I suppose you get SOME security by using extremely slow connections..
Your Working Boy,
- Otis (GAIM: OtisWild)
Re:Yet another DDoS attack logged...
by
knuth
·
· Score: 2
They say:
"Because of the amount of interest in the Windows 2000 Security Recommendation Guides, we
are updating our Web site to better handle the demands placed on downloading the files. We
expect to make the guides available once again during the week of June 18, 2001."
NSA machines are taken down and scanned regularly for trojans and other guests. A good friend of mine is a physicist for several govt. projects of which he wont talk, but his laptop is replaced every two weeks or so.
-- errr....umm...*whooosh* *whoosh* Is this thing on ?
Re:Unplugging the computer...
by
Goonie
·
· Score: 2
Instead, I have to ask, did they return that code to the community?
Yes, they did - which is pretty remarkable for an incredibly secretive organisation like the NSA.
Did they attempt to prevent forking the kernel by offering the improvement for inclusion in the "standard" kernel?
By putting it out there under the GPL, they have. I don't know whether it's planned to integrate with the main tree or not - it may be that the features the NSA require interfere with other things more important for maintream use.
Go you big red fire engine!
--
Any sufficiently advanced technology is indistinguishable from a rigged demo --Andy Finkel (J. Klass?)
One computer per department that does not have knowledge on it is connected to the net, but is also networked to other boxes in the department that may or may not have knowledge on them. Those boxes, in turn are connected to other boxes in the building that may or may not have knowledge on them, etc....
While what you say is theoretically true, as a practical matter any machine that has any really secret stuff on it is always going to be air-gapped. That is, the machines that really have to be secure are simply not physically connected to the outside world, either directly or indirectly. It's the only way to be sure there won't be a remote exploit...
-- ABSURDITY, n.: A statement or belief manifestly inconsistent with one's own opinion.
You can actually see the site.
by
paleck
·
· Score: 4
SELinux also has support for various forms of mandatory access control, and the related (and necessary for the same) labelling of data with
security-related information.
Shoving all that under "capabilities" and then
arguing that since win2k outshines linux in the
granularity of it's permissions model borders on dishonest. Security-feature wise, SELinux is
in a whole different ballpark (B1) from both win2k and Linux.
Pretending that that patch was necessary to get
Linux to be as secure as NT is dishonest (or ignorant).
I suppose technically you could still root it by using microwaves to power the circuits as well as read/write values (van Eck style) into the onboard cache of the processor. You've got a couple kilobytes in the BIOS memory you could use for runtime/firmware stuff. Granted you'd need to get some equipment really close to it but the water might provide a good way to cancel out noise. Hmmm.
I downloaded 'em all (except the three supporting docs that I wasn't interested in) before they turned off the pipe, so if they change something, I would notice. I don't expect them to, though.
Cheers,
Re:Unplugging the computer...
by
dr_labrat
·
· Score: 3
The problem is not that they had to fork the linux kernel, but rather that they are forced to make do with whatever Microsoft allows them to do to make their servers secure.....
Forking the kernel can be a good thing, and it shows how flexible linux can be...
-- The secret of success is honesty and fair dealing. If you can fake those, you've got it made.
(Marx)
Re:Unplugging the computer...
by
dicey
·
· Score: 1
Why is this moderated to +5 Interesting? If you read the docs and follow the mailing list you will see that what they are doing is experimenting with manditory access control and the only reason they picked linux was because the source is available and there are a lot of people using it. The project does not aim to create a secure distro - only experiment with a single feature that could lead to more secure distros in the future (and probably not just linux distros)
your post would have been funnier if you spelled caveat properly
=P
Re:Unplugging the computer...
by
Ambassador+Kosh
·
· Score: 3
Actually you are partly right and mostly wrong. They forked linux not to get it as secure as w2k but to make it a secure operating system. Since they had the source code to work with they have worked on adding features to linux to make it secure in a way that other operating systems can not be guaranteed to be.
With their linux dist they get many eyes looking at it and they can do anything they want with the source code to make it as secure as possible.
Given the choice of mostly secure which the nsa can get with w2k and redoing parts of linux to make it actually secure which would you choose? It seems obvious which one the nsa chose. Also they are more changes in their linux dist then just the kernel.
-- Computer modeling for biotech drug manufacturing is HARD!:)
Re:Yet another DDoS attack logged...
by
GC
·
· Score: 2
yeah right - "because our Win2k IIS server seemed to get DDos even after we posted our recommendations on securing Win2k against it we are migrating to Linux... we expect to have completed this the week after next"
Is bashing ms your chief joy in life?
by
Saint+Stephen
·
· Score: 1
Man, some of you guys are as automatic as a jack in the box. Give you the right stimulus, get the exact response.
For those of you over 17,
I'm going to tell you a story I heard in a movie. A little boy grows up hating his stern father because he punishes him, while he is very close to his mother because she protects him. He grows up and moves out. Later, when he's about 25, his mother dies unexpectedly at around 50. At her funeral, he's silent. His father continues to remain estranged to him but lives to an old age, and dies at 75 when the man is now 50. As he's standing at his father's graveside, he finds himself sobbing uncontrollably.
The point is that when his mother died, it was unfortunate. But, when the father died, the man, who hated his father so much, now no longer had the hate to keep him going.
The movie was a movie about how Nazis and Jews. It reminds me very much about how some of you act. Please be more interesting. [Saint Stephen]
Re:Unplugging the computer...
by
listen
·
· Score: 1
You are so clueless.
ACLs provide very little security in
a practical sense because they are
almost impossible to administer.
Capabilities, (not the dumbass privileges of
POSIX) are the only easily administered general
security model. They are a lot less work for the kernel too.
It is simple for the child to have only the rights that the parent had at the time of the fork.
The trick is to have the child lose the rights whenever the parent loses the rights.
Just like the government to put up a bait site like in the book "The Cuckoo's Egg"
--
make Linux, not Microsoft. sin(beast) = -0.809016994374947424102293417182819
Re:Unplugging the computer...
by
spectecjr
·
· Score: 5
And they forked linux because they could it being open source and all. They would undoubtedly have done the same with win2k, but they can not because it is closed source.
The NSA has the Win2k source code. It's very easy for universities and other establishments to get the source, slightly less easy for large companies, and slightly less easy still for small companies and individuals (although they're changing this as we speak...)
So if a million of us chip in a dollar and pay for access to the W2K source all of us can see it? I don't think so.
The W2K source is available for corporations with the funds. There will never come a day when CompSci students can learn OS design by looking over MS's source.
-- I don't want knowledge. I want certainty. - Law, David Bowie
I just tried to go to the SE Linux page and it looks to be pretty well slashdotted. I wonder if we'll see any stories about DoS attacks on the NSA in the news because of this post...
Step 1: Disconnect the network cable.
Step 2: Disconnect the keyboard
Step 3: Disconnect the mouse
Step 4: Disconnect the monitor
Step 5: Turn the computer off
Step 6: Unplug it
Step 7: Remove the harddrive and lock it in a safe somewhere where nobody will ever think to look for it, then promptly forget where you left it.
Step 8: Kill yourself just to be sure you don't accidently ever remember
New Date Material Will Be Available (!slashdotted)
by
rm3friskerFTN
·
· Score: 1
Notice about the availability of the Windows 2000 Security Recommendation Guides:
Because of the amount of interest in the Windows 2000 Security Recommendation Guides, we are updating our Web site to better handle the demands placed on downloading the files. We expect to make the guides available once again during the week of June 18, 2001.
Why should I freely work for them for a product that they will turn around and charge me for, you ask.
If you're even a halfway productive beta tester, you don't have to pay for the OS. At least, i've never had to.
Plus, its knowing you have access to a pre-release OS in its formative stages, watching it grow and having more input than the average joe into the development of a platform destined to go on thousands of PC's. It also has benefits when it comes to one's career - When one of my previous employers moved to 2000, I already had extensive experience in 2000 and knew it intimately - moreso than any of the other NT admins. This provided a distinct advantage for me within the company which is beyond the scope of this post.
They finally post a/. article that isnt directly attacking windows - and seemingly people crawl out of the woodwork to provide a kneejerk reaction to the words "Windows" and "Secure".
Heres a small dose of insight, from someone who's beta tested MS operating systems for 5 years (or so.)
Microsoft listens to users suggestions. They may not respond to you, they may not integrate them into the OS. But they do listen. MS does not make an insecure operating system on purpose - Beta testers have a whole newsgroup to focus on security and how to improve it before the final build is released. Its part of their role and responsability to test for exploitable security holes - if you don't think they're doing a good enough job, how about you send a request to betareq@microsoft.com and ask to be on the next beta team for windows. Keep in mind though, they usually only want experienced users and there are checks and balances to make sure you're a functional beta tester - not just someone who enjoys bragging about having teh leet XP build #x.
The beta process is not perfect, IMHO - Bugs do get knocked down (i've thought for a long time they should let the beta testers moderate bugs) and i have an extreme distaste for setting a release date before the beta testers agree that testing is complete. XP is remarkable right now, but not perfect. This part is MS's fault.
If you have an intelligent, well-thought-out, non-kneejerk "windows sucks *chortle*" suggestion/comment regarding windows - you may go to http://www.microsoft.com/mswish/
(p.s. - When you list your beta testing experience, the following line is a bad, bad idea: "I tested (unofficially) Windows XP, 2000, ME, 98SE, 98.... you get the idea. har har har *snort*":)
So you worked for Microsoft for 5 years. I hope you made a lot of money. You certainly made them a lot of money.
Did you know that some beta testers even pay to test for Microsoft (as in: I bought winxx rc2 and sent in bugs)?
Has anyone a decent explanation for this behaviour? And is there a way I can make a profit from letting other people do the same for me? Please let me know.
A couple of years ago a Dutch computing magazine organized a contest to find the most bugs in Microsoft winxx rcx. You had to pay to buy the beta software (which would work for a limited time). Prizes were minimal: something like being mentioned in the magazine and somewhere on a website and some cheap electronics (Possibly you could even win some licences for the real thing, I don't remember).
Hundreds of people joined the contest. How is that for cheap labor;)
Laughing about MS security is hardly a knee jerk reaction, and it's not a very good laugh. Windows stuff is driven by marketing goals rather than real design rules. The goal is that the customer will pay for each copy of each application to perform each seperate task every two years. A newer an more insidious goal is direct marketing. The result has been intentionally inflicted waste and security problems. The security problems escape the notice of beta testers like you and are ignored or hidden long after exploitation and publication. The "attacks" you refer to are generally statements of fact, sighs of disbelief and expressions of outrage as networks are clogged by MS bassed bots, viruses, worms and adverts.
We feel for the users and hope and pray for more responsibility from Microsoft. The help they are recieving from the NSA points out the many inadequacies of MS OS design. Many others have pointed out these problems, and indeed MS is slowly responding. The damage done in the mean time should be charged right back to them.
Yes, windows sucks. I have to use it here at work. I'm not laughing.
If you have a product that people love, they will pay for a sneak preview of the next version. Mac users are the same way. Just because you don't appreciate Windows doesn't mean that there aren't those that do.
The help they are recieving from the NSA points out the many inadequacies of MS OS design.
NSA has a "secure" version of Linux, too. Applying your superior deductive skills, Linux is inadequate as well. I guess those GPL hippies really are amateurish lamers. Figures.
There is so much hostility on this site. I used to chalk it up to malevolence, then stupidity, and now my theory is that most of you were molested as children. Would you like to comment on the nature of your relationship with Uncle Johnson?
if you don't think they're doing a good enough job, how about you send a request to betareq@microsoft.com and ask to be on the next beta team for windows. Keep in mind though, they usually only want experienced users and there are checks and balances to make sure you're a functional beta tester - not just someone who enjoys bragging about having teh leet XP build #x.
Or, here's a radical idea, how about I use an OS that doesn't make me go down on my knees for the priviledge of exposing my computer to the risks of a beta version? Who's doing who the favor here, buddy?
The only "intuitive" interface is the nipple. After that, it's all learned.
-- "The question of whether a computer can think is no more interesting than that of whether a submarine can swim" -EWD
Thanks for the URL... I was part of the WinME beta test, I think I found and successfully two bugs, so I feel useful... I like the 'first 1000 people to report a bug in this category get squishy toys.' That was neat.
...if you don't think they're doing a good enough job, how about you send a request to betareq@microsoft.com and ask to be on the next beta team for windows...
Why should I freely work for them for a product that they will turn around and charge me for?
Do these security-educated beta testers spend most of their day trying to hack their OS, or do they just poke at it a bit like every other beta tester I've ever known?
The only way to seriously beat up an OS is to find people who are willing to spend their every waking minute trying to break it. These people are generally paid for their effort, or else they stand to gain something if they succeed. MS may be hiring such people, I'm just not convinced that they're hiring enough. And your average beta-tester-with-a-job doesn't cut it.
Typical beta testing will not uncover many of the really tricky security holes in a product. If you need proof of this, go look at the Critical Security Updates page for Windows NT 4.0. The full list of security patches since the original release reads like the first few chapters of the bible.
Unless MS is specifically recruiting thousands of beta-testers just to hack the security, they're not going to fix the important holes. I'm sure they're doing a certain amount of this sort of testing, but it clearly wasn't enough for their previous OSes. In any case, the sort of beta testing you suggest is generally not where you would expect to discover most of your security flaws. I really hope MS knows this.
Re:Unplugging the computer...
by
DaveHowe
·
· Score: 2
NSA has two halves. One half has the purpose of recommending security systems (e.g. DES many moons back).
Ah yes - DES which was deliberately weakened from 128 bits (which was the original recommendation) to 40 (which the NSA could break but hoped nobody else could)
and this supports your argument how? --
--
-=DaveHowe=-
Re:Unplugging the computer...
by
DaveHowe
·
· Score: 3
I think it would be more appropriate to say they took an OSS product, and modified it to suit what they wanted it to look like - as doing so is one of the strengths of Open Source.
I doubt they actually WANT secure versions of windows out there - several governments seem to be viewing windows with mounting suspicion for official use.... --
That's not that hard, really. A program owned by some user will never have more permissions than that user, right? So just have a permissions mask for every program, as well as every user. ------
> The W2K source is [only] available for corporations with the funds. There will never come a day when CompSci students can
learn OS design by looking over MS's source.
Just because you can see source doesn't mean that it is open source. Microsoft won't let you change the source code or build your own version of w2k. They will (for a large fee) let you look at the source to make your code work better, but they have so many rules and restrictions on the code that it next to impossible to do anything useful after you've seen the code.
1) never ever give out your password (except to us of course - you can trust us (really!)).
2) use encryption, but only really stupid encryption so that we can read it.
3) please please please use Windows - it is waay more secure than unix ok? (really!).
4) all your base are belong to us
-- Nevrar
Cool link ! Win2k security for home user
by
UnknownSoldier
·
· Score: 2
Great link, sorry I used up my mod points. One correction though, the posting doesn't mention Office2k, but "Word 97, Excel 97, Visio 5.0" (these are examples, not necessarily all the apps that have the fault mentioned). Pretty old programs to be using, especially if you're using Win2k for the OS. ---
Eh, doubtful. The method used to save a file that the article is talking about is rather Bass-Aackwards, of course, that makes it 100% suitable for an Micro~1 product. And the fact that it's present in Office 97 products removes the option to say "I can't see them doing file-saves like this". ---
-- Linux: The world's best text-adventure game.
Re: And it can't stay up for more than a few days
by
Drestin
·
· Score: 1
In my experience, it's always the fault of stupid admins who don't properly setup and patch their OS (any). But, here it is in a simple nutshell, everything you need to run a secure W2K/IIS box.
Install W2K Server.
Install Service Pack 2
Install this IIS patch: http://www.microsoft.com/windows2000/downloads/cri tical/q293826
OK - lets see someone "root" that box. I can positively guarentee you won't find any box with these two simple patches applied being defaced!
Is this really that hard people? W2K is secure. IIS is not nearly - but can be with a single patch (it's a rollup of all previous patches).
db
Re:netcraft says nsa runs solaris and apache
by
erlando
·
· Score: 1
And that is informative how? Seen that this is an article about NSA publishing documents about securing Win2K this information hardly seems relevant.
-- Remember, there are no stupid questions. But there are a lot of inquisitive idiots.
--
if you want to make God laugh, tell him your plans
Re:Some very true, but old-hat, stuff
by
4of12
·
· Score: 2
Yes, it's probably too elementary for your subtle and keenly-developed sense of computer security, but these guidelines might actually be useful to the great unwashed masses, many of whom die in droves while
crossing the street, talking to strangers, clicking through default W2K security settings
If 90% of the computer security fatalities are a result of supposedly trivial things to fix, that does not make it any less helpful and useful to suggest trivial fixes, given how much grief can be saved.
-- "Provided by the management for your protection."
Re:Unplugging the computer...
by
Steeltoe
·
· Score: 1
You can hardly compare LinuxSE with the security in Win2K. LinuxSE was a showcase in putting in security hooks in a normal consumer OS. They couldn't do this in a MS Windows OS since the source and knowledge is proprietary. I strongly doubt Win2K has the hooks necessary for that kind of security. If it has, it's probably been put in by NSA themselves. Remember there are many types of security.
Yet another DDoS attack logged...
by
cperciva
·
· Score: 5
Anyone care to speculate on what DoD's reaction to a full-scale slashdotting would be? Given that they report routine pings and port scans as "attacks" I imagine their reaction to this unsolicited SYN flood would be similarly excessive.
"Currently Win2K outshines Linux in the granularity of the permissions and security model and filesystem support for things like encryption."
Can you explain this please? AFAIK, both allow user, group, and all/everyone type permissions. As for filesystem support, I don't know. I am genuinely curious what Win2K supports that Linux does not.
Doh! I see what you're talking about (I only passed the NT exam a couple years ago by a slim margin. Blech). Silly me. Thanks for clearing that up. Thanks.
Now, I've worked with security-clearance-required data before. I think it's absolutely fascinating to consider encoding the clearance level and need-to-know requirements into the filesystem. As others have noted, Linux is the only OS extant they could have done this kind of work with.
This is probably the most false claim I've ever seen on Slashdot. SE Linux is based on research into
Capabilities: A concept that is literally over a decade old in OS design as can be seen by the POSIX 1.E standard that never got drafted (although some people prefer to call what POSIX suggested "privileges" and the fact that many operating systems support "encoding clearance into the filesystem and OS" otherwise known as capailities including Spring, EROS, KeyKOS, and Mungi.
Access Control Lists: Again this is an ancient concept which has been implemented in quite a number of OSEs including some versions of Solaris, *BSD and Win2K.
Both of these concepts are things that Linux either does not support or supports in a limited manner. Currently Win2K outshines Linux in the granularity of the permissions and security model and filesystem support for things like encryption. I'm not an OS bigot and run both OSes at home but seeing something so blatantly false and jingoistic just begs to be challenged.
Color me confused. Wouldn't it be fairly simple to force any process or file to have only the permissions of its creator? I thought that in standard-flavor Linux it was impossible for any user to give a file or process permissions beyond the user's own?
That's fairly easy and rather insecure. The hard part is limiting permissions in small chunks to different programs. Basically, the assumption is that any program is potentially hostile so you want them to run with the minimum amount of permissions necessary. For example, just because I can delete files, send emails and edit the registry in Windows doesn't mean that it is the wisest thing to have any script that runs from my email program have the same permissions that I do, the same thing goes for *nix and all those buffer overflow bugs that exploit setuid(). Ideally I should be able to say "start [web server of choice] but the only thing it can do is listen on port 80 and serve read files from directories A, B, and C and everything else is explicitly disallowed to the apache process"
Okay, ignoring the ad-hominem "blatantly false and jingoistic" . . .
Sorry about that, its just sometimes people seem to just be as guilty of spreading FUD as the so-called "evil" corporations that it gets exasperating.
I apologise for those comments.
Now . . . you're saying, if I understand, that the NSA's SE Linux is just hacking the Linux kernel to put in some stuff that's been talked about and even done in other OSes for years?
And stuff that isn't even all that novel for Linux?
Yes and Yes. Actually what regular Linux is implementing (which is different from what the NSA is doing with SE Linux) is POSIX 1.e capabilities or "priviledges" which involves splitting up the permissions typically given to the root user (e.g. can connect to ports under 1024, can mount kernel modules, can change ownership of files, etc) into discrete entities that can be apportioned to other users and processes. This was something that the POSIX folks tried to agree on in the eighties (or is it seventies) but never came to an agreement on how best to implement it. Check out the Linux Capabilities FAQ for more information.
The NSA is working on "true capabilities" which is being able to grant and revoke extremely granular permissions to all objects/entities in the system. This concept is similar to java.policy files being maintained for every entity in the system. Making sure that policies can be tracked in such a manner that they are revokable is the most difficult part (e.g. if I lose permissions to connect on a certain port or write to a certain file, then every process or file that I've created should lose those permissions as well).
ACL's, meaning you can give separate read/write/execute permissions to individual users. They don't necessarily need to belong to a certain group to get additional rights.
Additionally you can give users special rights on the OS that don't have anything to do with file permissions. For instance, you can set up accounts that act only to run server processes, and you might give that account permission to act as part of the OS.
Basically, Win2K security is designed around the user, whereas in UNIX security is designed around the file.
--
No, Thursday's out. How about never - is never good for you?
Making sure that policies can be tracked in such a manner that they are revokable is the most difficult part (e.g. if I lose permissions to connect on a certain port or write to a certain file, then every process or file that I've created should lose those permissions as well).
Color me confused. Wouldn't it be fairly simple to force any process or file to have only the permissions of its creator? I thought that in standard-flavor Linux it was impossible for any user to give a file or process permissions beyond the user's own?
-- -- Robert Bunn, gun-toting neo-Nazi anarchist redneck freak
*wishing one could be modded up for "info bait"*:)
Alright. I get it. So, if you start a process with a given set of permissions, and you lose some or all of those permissions, then the ones you lost should be removed from the target process. If you start a process with any given set of permissions and lose the permission to start processes, any process you started should stop.
-- -- Robert Bunn, gun-toting neo-Nazi anarchist redneck freak
Okay, ignoring the ad-hominem "blatantly false and jingoistic" . . .
I am a rank newbie into the world of Linux/Unix/POSIX/etc. Please treat what you see as deceit and jingoism as pure, unabashed ignorance. It may not be an excuse for breaking the law, but from what I've seen it's a good enough excuse to post on/.;)
I'm posting from a Win98 machine at the moment because, quite frankly, I'm more comfortable with it. I'm not particularly an OS bigot either. I just plain didn't (and still don't) know anything about any of those other projects.
On the one hand, thank you for pointing out to me the factual errors in my assumptions and suppositions, but on the other, I guess I'd appreciate if you'd not attribute to malice what can be adequately explained by stupidity. Perhaps it's a rarity to find someone who readily admits to it, but I'm much more interested in learning new things than mud-slinging and name-calling.
Now . . . you're saying, if I understand, that the NSA's SE Linux is just hacking the Linux kernel to put in some stuff that's been talked about and even done in other OSes for years? And stuff that isn't even all that novel for Linux?
-- -- Robert Bunn, gun-toting neo-Nazi anarchist redneck freak
Unplugging the computer...
by
Carnage4Life
·
· Score: 5
Interesting, there are about 18 comments as I post this and over half are jokes about unplugging the computer to make it safe. The truth of the matter is that by NSA guidelines no popular operating system is secure enough out of the box and has to be extremely looked down.
What is perhaps even more interesting is that at least Win2K can be secured to a level that is suitable for the NSA, they actually had to fork the Linux kernel to get the same functionality out of Linux.
--
Re:Unplugging the computer...
by
martinflack
·
· Score: 1
What is perhaps even more interesting is that at least Win2K can be secured to a level that is suitable for the NSA, they actually had to fork the Linux kernel to get the same functionality out of Linux.
Wrong. SE Linux is a project to add Mandatory Access Controls to a mainstream OS. Win2k does not support MAC. They did not need to work on SE Linux just to secure a COTS Linux. In fact, if anything, it shows the customizability of OSS.
Re:Unplugging the computer...
by
dachshund
·
· Score: 1
The NSA has the Win2k source code
Well, duh. Closed source doesn't necessarily mean that nobody ever sees the code. In any case, I'm sure the NSA could get access to any source code they want, if they put enough pressure on. What closed source does mean is that they can't just make changes and hand them out. Everything they want to fix has to go back to Microsoft where it'll be slowly mixed in with the next set of 'enhancements'. The resulting upgrade, coming out a year or two down the line, might be just as vulnerable as the current version. The same thing happens with Linux, but a) it's possible to fork the code in order to avoid this problem and b) everyone can examine the source to see if anything broke.
Re:Unplugging the computer...
by
Ayende+Rahien
·
· Score: 2
> encoding the clearance level and need-to-know requirements into the filesystem
You mean, like NTFS' ACL? Which NT had since forever?
Hell, NT can do it to any object whatsoever, not just files.
> Linux is the only OS extant they could have done this kind of work with.
No, they could've got any number of other OSes to do it for them.
Most Unixes has some sort of ACL capabilities, and I think that VMS has it as well.
--
Two witches watch two watches.
--
-- Two witches watched two watches.
Which witch watched which watch?
Re:Unplugging the computer...
by
Ayende+Rahien
·
· Score: 2
Give some examples of ACLs being impossible to manage.
--
Two witches watch two watches.
--
-- Two witches watched two watches.
Which witch watched which watch?
Re:Unplugging the computer...
by
Ayende+Rahien
·
· Score: 2
Sorry, but you can apply ACL to proccess, threads, whatever you want to.
--
Two witches watch two watches.
--
-- Two witches watched two watches.
Which witch watched which watch?
Re:Unplugging the computer...
by
CrackElf
·
· Score: 1
Ok. This is slashdot. There are many people here who believe that ms sucks (myself included). Some of them have intelligent things to say about it. Some of them like to make fun of ms. And they forked linux because they could it being open source and all. They would undoubtedly have done the same with win2k, but they can not because it is closed source.
-CrackElf
-- "Blake is an idealist, Jenna. He cannot afford to think." - Kerr Avon, Star One, Blakes 7
Re:Unplugging the computer...
by
Macrobat
·
· Score: 1
Hell, NT can do it to any object whatsoever, not just files.
Of course, *N*X views everything as a file, including things NT would call "objects."
-- "Hardly used" will not fetch you a better price for your brain.
Re:Unplugging the computer...
by
tachy137
·
· Score: 1
Good troll there... but perhaps you're missing the rather obvious fact that NSA SELinux is in fact more secure than Windows 2000, and they worked on it because they could? Unless you show me how windows 2000 can support flexable manditory access controls with a fairly easy to define policy, with proper seperation of policy and enforcement...
Of course, I've also been told that NSA has internally been told not to use Linux at all, but that this isn't strictly followed; many groups try to find reasons they should be allowed to use it, because its what they prefer.
Re:Unplugging the computer...
by
NotoriousQ
·
· Score: 1
The reason is that Windoze crashes before hackers can get to the point where they can steal sensitive info. In Linux they actually have to protect useful data.
Remember, when you are downloading MP3's, you are downloading communism!!!
-- badness 10000
Re:Unplugging the computer...
by
adalger
·
· Score: 1
Bit of a reflex, that, and I had to stop and think before reflexively posting the exact same reply. Instead, I have to ask, did they return that code to the community? Did they attempt to prevent forking the kernel by offering the improvement for inclusion in the "standard" kernel?
Oh, I know they're free not to under the GPL and the Free Software philosophy. I'm just curious.
-- -- Robert Bunn, gun-toting neo-Nazi anarchist redneck freak
Re:Unplugging the computer...
by
adalger
·
· Score: 3
Okay, posting before investigating the link is lame. So I know I'm lame.
However, I went and checked the link. They didn't "fork the kernel to get it secure enough for them." They performed some research and experimentation in secure treatment of sensitive data being integrated into an operating system. This is vastly different from the kind of security being discussed in the referenced info on Win2k.
Now, I've worked with security-clearance-required data before. I think it's absolutely fascinating to consider encoding the clearance level and need-to-know requirements into the filesystem. As others have noted, Linux is the only OS extant they could have done this kind of work with.
I don't think anything they might have added would necessarily outright interfere with the main tree, but it would almost certainly create completely unnecessary overhead for most desktop users. OTOH, it might be a big bonus for corporations concerned about industrial espionage to have such features available.
-- -- Robert Bunn, gun-toting neo-Nazi anarchist redneck freak
This is only to be used for non-spying means. Really. There is no need for users to worry about invasion of privacy as we at the NSA are above that.
Additionally, please ensure that you give your files clear names such as "Nuke blueprints" or "Kiddie Porn". We suggest this purely to help you organise your file system.
Actually, finding the master password on the documents may not be too difficult. According to Acrobat Reader 5, the encryption level is only 40-bit RC4, at least on a few of the documents. I had expected something a little better (at least 56-bit)!
-- You can never go home again... but I guess you can shop there.
Because you don't buy the source, you license it, dumbass. And if you want people to take the lamer GPL properly, you'd have to repsect Mircosoft's licences too.
--
--
-- I like to watch.
Re:What do you expect, when the subject is Windows
by
The_Messenger
·
· Score: 1
I can't tell if you're a moron or just a really bad troll. Care to clear this up?
One computer per department that does not have knowledge on it is connected to the net, but is also networked to other boxes
That's a rather stupid assumption to make.
-- Vintage computer games and RPG books available. Email me if you're interested.
Re:Some very true, but old-hat, stuff
by
Lord+Omlette
·
· Score: 1
well, it would seem that perhaps the Great and Powerful NSA could come up with something a little better than "Look both ways before crossing the street and don't talk to strangers."
Some things may be common sense to some people, but they won't really be 'common' unless you teach it to other people. These guys are covering their bases and trying to cover yours too... It can't hurt to pay attention.
There have been quite a few people here to suggest that Windows is obviously more secure than Linux because the NSA never forked the Windows as it did the Linux Kernel. Their logic is full of holes.
1 - None of these posters actually documented that the NSA really does have full access to the code. Should we just take their word for it?
2 - What if they are indeed given access, but the access is under the "Shared Source" terms in which the technologists are told basically: "you can look but you can't touch"?
3 - Has anyone contemplated the legal ramifications of altering the Windows source even if Microsoft's contract suggested that it were allowed: which is very doubtful?
4 - Any open copy of Windows is invalidated by the persistent and required security patches. Open source means nothing if upgrades are required, but these updates are closed.
5 - Does any have proof that the Windows code hasn't already been forked without public disclosure? The NSA does not have to inform the public of such things.
I dispute the astroturfing posters who have inundated Slashdot. The NSA forked Linux and publicly disclosed it because they had the liberty to do it. That is what open source is about.
"...The ignorance of some posters suprises even me..."
"..I am so tired of juveniles trashing Win2K. They ramble on about Linux being more secure but I don't think so. Tell me *please* how to implement IPSec with Linux..."
Yes.. Those "ignorant" people who do not appreciate Microsoft's innovations are annoying. You might find the following IPSec link very educational:
The only secure computer is one that is powered down, has all the DIMMs pulled out, is cast in a concrete block, and dropped to the bottom of Lake Superior. And even then, I have my doubts... --------------------------------------- -
Yo soy El Fontosaurus Grande!
From what I understand - the NSA went through an outsourcing effort about 2 years ago (thanks Bill!!) - so anyone who was decent pretty much left the Agency. The ppl left in the trenches now are fresh out of college - most of whom know nothing BUT windows. Upper mgmt lacks the technical knowledge or even vocabulary to make intelligent decisions, and it looks like they're trying to turn the Agency into a "business".. MS caters to the business wannabe's who don't understand the more in-depth technical issues - so what's next? Our National Security depends on the success of the MS security model?
I can't wait to see "How to avoid a Slashdotting"
by
Amon+CMB
·
· Score: 1
"How to Avoid a Slashdotting" guidelines will soon show up on NSA after today.:)
--
Men believe what they want. - Caesar
You cannot gaurantee that anything is 100% secure.
by
shippo
·
· Score: 1
Not able to read the article - I wonder why?;-)
Following any guidelines will still not make the system 100% secure; it will only make it secure against the current known and published exploits. It is more than likely that in future new exploits will appear. There are probably also undocumented exploits out there that are only known to crackers.
The security changes described in this document only apply to Microsoft Windows 2000 systems and should not be applied to any other Windows 2000 versions or operating systems.
so which is the 'other Windows 2000 version and which version does this apply to???'
Did this take into account...?
by
fishexe
·
· Score: 1
Yes, but were they aware of the backdoors in windows? If they had source they would have needed to fork that too, I guarantee you.
Ever get the impression that your life would make a good sitcom?
Ever follow this to its logical conclusion: that your life is a sitcom?
-- "I don't care about the Constitution!" --Bill O'Reilly, November 17, 2009
They were doing this as a service to all the stupid Admins out there that mess up their W2K system because they are to retarded to read the manual and set up a good security protocol, and then go on slashdot and complain that Microsoft sucks because the knowledge to set up the server wasn't so obvious a chimp could set it up.
And yet we all can set up our linux boxes just fine. So you're saying linux is so simple a chimp could set it up?
My personal experience with MS products is that how to do what you want to do is not in the manual. This is not stereotypical bias, it proceeds to this day. If they fixed the problem, I would stop deriding them. They don't.
Bear in mind I am someone who uses microsoft products daily, up to and including the 2k shit, and I rtfm otherwise I couldn't use linux. People who say what you just say obviously never used UNIX systems because it's umpossible to be a linux user without being a manual-reader.
Ever get the impression that your life would make a good sitcom?
Ever follow this to its logical conclusion: that your life is a sitcom?
-- "I don't care about the Constitution!" --Bill O'Reilly, November 17, 2009
Re:Really clever posts here
by
InsaneGeek
·
· Score: 2
Ummm... sorry but your are wrong. Nokia firewalls use a BSD derivative, that then runs Checkpoint firewall on top of it as a firewall appliance.
OK, I am sure that today isn't April Fool's Day, and I am also assured that the government isn't on crack (cavet: The assumption that the government isn't on crack)
The only way to secure win2k is to make sure it never gets installed. Win2k is secure in the box, but once you take it out, it already has a hole in it...;-) The holes get to be bigger and more numourous!
Perhaps they should read security focus's stuff more often; then again they think they are all l33t because they are the NSA. After all, backdoors in M$ products are good for them.
Different goals, different OS'
by
Jetifi
·
· Score: 3
Um. May I suggest you read this document which explains the philosophy behind the kernel modifications.
Securing Windows 2000 and 'forking' (actually patching) the Kernel were both done with different goals.
In a nutshell, the modifications done to the kernel were done to impliment the 'Flask' security architecture, which (mainly) is about separation between setting and enforcing security policies, and how this is applied to the various types of resources. In addition, SELinux was the by-product of a research project, and is not used operationally by the NSA.
The suggested configurations for Windows 2000 have different goals, and is not a handbook for implimenting the Flask architecture on Windows 2000.
My apologies if you feel I was taking credit for this idea - I certainly didn't intend to.
I had forgotten who it was that first thought of this. I suppose I should have mentioned that it was someone else's idea - but I posted this quickly during a break at work.
Backdoors are possible in Open Source - if you put them in the compiler.
Suppose I set up a website with my new compiler. I give a binary download and a source download. What I don't tell people is that the binary download contains extra code which adds a backdoor to the software it compiles. It also recognises when it is compiling itself and adds all this extra code.
So now you've got a corrupt compiler which generates back doors.
Of course you have to persuade someone to download the binary compiler first. But if they're working on a system without a compiler - that's exactly what they'll do. Or they installed the compiler direct from the CD.
I'm afraid the only way to 100% sure that your compiler is not corrupt in this way is to write your own. At least one that's good enough to compile another one.
Slashdot Effect strikes again!
by
grape+jelly
·
· Score: 1
It appears that even the NSA isn't invulnerable from the slashdot effect at 5:00 in the morning EDT. I wonder how bad it's gonna be at 10 or 11 AM.... =-)
Listen the NSA does use Windows / Linux / Sun basically what ever the person prefers. But all the computers are on a closed network that has no access to the Internet at all. I have been in Fort Meade (NSA Headquarters) and every department has Internet access but it is usually limited to one computer per department that doesn't have any kind of knowledge on it.
The whole point of the specifications that they realeased if any of you accually read the thing before you started bitching about it, was it was for government agencies that were looking to set up W2K systems. By government agencies they probably ment local and state goverment, because the federal government has a set standard for their servers, and it is not W2K. They were doing this as a service to all the stupid Admins out there that mess up their W2K system because they are to retarded to read the manual and set up a good security protocol, and then go on slashdot and complain that Microsoft sucks because the knowledge to set up the server wasn't so obvious a chimp could set it up.
One computer per department that does not have knowledge on it is connected to the net, but is also networked to other boxes in the department that may or may not have knowledge on them.
Not necessarily. If those other computers have any classified information on them, they will be on an entirely different network, conforming to TEMPEST standards to prevent snooping, which means not only will they not be connected, but the wires on the two networks won't even be run anywhere close to each other. With non-classified networks, the lone computer(s) is/are usually firewalled off from the rest of the network.
"I have been in Fort Meade (NSA Headquarters) and every department has Internet access but it is usually limited to one computer per department that doesn't have any kind of knowledge on it.
"
Valid point, but consider: One computer per department that does not have knowledge on it is connected to the net, but is also networked to other boxes in the department that may or may not have knowledge on them. Those boxes, in turn are connected to other boxes in the building that may or may not have knowledge on them, etc.... Point being, the mistake govt. agencies, and more likely, govt. contractors, tend to make in these situations, even though they may be on a "closed network", is that somewhere down the line, that one internet connection is connected to a machine that has does have knowledge. All it takes, is one BOFH to use some easily guessed password, and this system is not quite so secure any longer.
Point of this rant is, it doesn't matter what os you are using; ms, linux, bsd, solaris, one BOFH + one lazy (or overworked) sys/net admin = one unsecure box/network.
By government agencies they probably ment local and state goverment, because the federal government has a set standard for their servers, and it is not W2K.
Anyone whose spent any time working for government in any form knows that the standard is that there is no standard. Almost every federal organization runs something different and within them you'll often find fractured sub-groups running their own OS'es, networks, etc. It's pure insanity. And Microsoft products are very prevalent, why? Because they're easy to setup so any little departmental guy can have his own server. This is why the NSA has to publish these types of guides because federal computing is a serious mess with differing OS'es and standards all over the place.
Re:Been using it for a while
by
Quila
·
· Score: 1
No, by having had that NSA baseline for a while, modifying it a bit for our theater, and trying to get our sysadmins to use it. We also stay on top of the baseline to keep it up to date with the latest threats (we're thinking of using an Acrobat expiration plugin to make sure what's out there is the most recent).
Try the baselines. They work.
And don't forget this is the same NSA that is working on a hardened version of Linux.
Okay, so that's what they told the public. But it's standard practice in the DoD to do regression testing on any hotfix or patch before releasing it to the theater. Any business would be smart to do the same.
"NSA APPROVED" wouldn't necessarily mean the patch works right in your organization.
These baselines are pretty much common sense with a bit of admin knowledge thrown in. Just apply your own when using them.
We've been using these "Security Baselines" as we call them in our organization for a while.
We have a *LOT* of Win2K boxes spread over a continent, and whenever one's compromised, we always find that the administrator or operator was not following the baseline. I don't know of any baselined machines being compromised.
Use these; they're a Good Thing.
Re:Been using it for a while
by
(H)elix1
·
· Score: 1
Re:Been using it for a while
by
dachshund
·
· Score: 1
Hmm. I'm thinking of the huge number of NT hacks that weren't preventable until MS threw together a patch. Many of these hacks couldn't be avoided simply by securing the box. I really hope Win2K doesn't have any of those, but how the hell do we know? It's a lot of code, and people are only now beginning to peck at it.
"Man, some of you guys are as automatic as a jack in the box. Give you the right stimulus, get the exact response."
Well, I bash on Microsoft because their products are generally pieces of junk. I use an OS that is free and cannot be commercial, and it is developed by people in their spare time who are gracious enough to lend their talents despite their hectic work schedules, and it still is better than anything coming out of Redmond. Besides, Linux people aren't trying to collect marketing data, and aren't trying to artifically adjust the market itself that they operate in to their own favour. Microsoft stands accused of all of these, and is in court litigation for the last one.
If Microsoft put out a decent product, didn't screw with others for their marketing, and won over customers on merit, I would not have a problem with them. Unfortunately, none of these are true, and after having to deal with their shitty OSes for several years as a field service technician, I don't see a reason to use their software if another solution is available. I will gladly even use products that compete with a potentially decent product that they have, simply to deny them the income of that into their corporate monstrosity.
Don't compare dissing corporate stupidity to someone's family, they are wholly unreleated, and even stretching the analogy, it doesn't hold up. If you don't like how people here dis on Microsoft, don't read the articles. Slashdot's core readers seem to be UN*X people, so it would make sense that we don't like Microsoft, no wouldn't it?
"Titanic was 3hr and 17min long. They could have lost 3hr and 17min from that."
--
IBM had PL/1, with syntax worse than JOSS, And everywhere the language went, it was a total loss...
No, their ISP canceled their account because of excessive traffic.
-- -- I have monkeys in my pants.
Agree about the cost point....
by
max.inglis
·
· Score: 2
I work for an MS gold certified partner. As the network specialist, I implement MS, UNIX or Cisco based firewall/Proxy/whatever solutions, based on the customers needed. Because we're a MCGP, we have free reign over MS licenses, and can install basically all we need. This is great, because we have full access to any products we want to look at.
HOWEVER, I can't imagine what it's like for businesses/persons who have to pay for BS from MS. The cost of these products is outrageous. Sure win2k is a nice stable platform (I've been running it for over 2 months on one system, very hard on it, and it seems good), but the price? OMG.
Let me clarify this with one thing. I would gladly pay the price most companies ask for software because I know they have costs, and expect to make a reasonable return. However, knowing the sheer magnitude of the profits MS is making, surely their software doesn't need to be so expensive. They have billions and billions in the bank... Now I'm not saying they should stop turning a profit or give money back, but be reasonable about your greed!
Ack.
I also blame "boot camps" for the prevelance of MS products, but that's a whole other rant....
Max Inglis
Perhaps steal the Blue Print of the Star Wars program?
Too late! You'll need to scour the space-lanes near the small desert world of Tatooine for a Corellian-made ship called Tantive IV and see if a white-and-blue astromech droid is aboard.
You might be able to get the plans out of him, if you can get his ponce "companion" to shut up long enough...
While you're waiting for the droid to be found, why not watch Wargames? Somewhere in that movie is the infamous line:
WOPR: All your ICBM are belong to us!!
GTRacer
- C'mon, I know it's troll-feeding, laugh a little!
-- Defending IP by destroying access to it? That makes sense, RIAA/MPAA. Go to the corner until you can play nice!
I started reading the Guide to Securing Microsoft Windows 2000 File and Disk Resources and one of the first things they recommend is to "Apply the latest Windows 2000 service pack and security-related
hotfixes." I'm not MS bashing here, but isn't that a (cough) BAD IDEA?? I don't care if it's W2K, Linux, Solaris, etc. -- that's just not the way you run a production server, let alone a workstation that you are trying to make as secure as possible for sensitive info. You should always test out any patches/fixes/service packs. I would think the wording would be, "Apply the latest **NSA APPROVED** Windows 2000 service pack and security-related hotfixes."
Reams of NSA information on how to make your Win2k box "secure" just points out that Win2k was not meant for the large majorities of home users. Microsoft expects your Win2k system to be operated in a network. This includes allowing remote users to access your registry, view your clipbook, browse your directory, or connect to it via Telnet, right out of the box. It is not set up by default to be the gateway computer to the net.
I came up with a step-by-step checklist a while back for all my friends that were running non-networked Win2k home systems directly connected to the net. I don't know how good an idea it was to give step-by-step directions on how to change registry settings, but hey, no one has locked themselves out of their computer yet (at least that I know of). You can see it here:
http://www.gpick.net/sbr/security/w2ksecuritytips. htm
my point is that this isn't a compiler even it's an instruction checklist.
how can backdoors go in that that wouldn't be detected by anyone with even the lease bit of experience?
hmm... step 3: create an account username "spook" password "nsa0wnz0rz" with administrator priveliges, if you do not do this EXACTLY your system will be insecure
RST2003, noticing slashdot doesn't allow >br/< so i have to add >/br< to be w3c compliant
Finally someone is recognicing the vast security abilities in Windows 2000...
Ha ha ha (I have tears in my eyes from laughing)
--
There isn't much like the scent of a fresh harddisk
For those that missed the article...
by
thanq
·
· Score: 1
which include me, a short note. They took the guide down "Because of the amount of interest in the Windows 2000 Security Recommendation Guides" And they "expect to make the guides available once again during the week of June 18, 2001.
It makes you wonder, if it's all because of the/. readers or if their security releases are indeed so popular.
Uh... doesn't this represent one MAJOR security problem for windows? Think about it the NSA is laying down it's report on all of it's W2k security concerns on the Internet. And the only major news service to link to it is Slashdot....
This means your average NT administrator (who thinks that nerd news doesn't matter to him), will never know about this documentation. Which means basically that this is the NSA's recommendations to hackers as to W2k's soft points. (not that anyone needed that much help)
Because of the amount of interest in the Windows 2000 Security Recommendation Guides, we are updating our Web site to better handle the demands placed on downloading the files. We expect to make the guides available once again during the week of June 18, 2001.
Those poor bastards...
Let me get this straight...
by
Guppy06
·
· Score: 2
They've probably been working on the proper security settings since W2K hit the market, spending heaps of man-hours and tax dollars trying to find the right template that makes their data-protection job easier and web hosters happy. Then they make this template avaiable for public access and use (read "scrutiny"). Do you really think they'd foul the whole thing up by then inserting a back door that the whole internet-surfing world could see for themselves?
Before trying to accuse the NSA of putting a private back door into your OS, be ready to explain how your conspiracy theory would keep it private. "Relying on the stupidity of several hundred million individuals" gets cut to shreds by Occam's Razor.
why are you supporting a company wich does so many things clearly and knowingly wrong? market practises, monopolies, hampering of development and downright robbing of customers by forcing them to upgrade just to stay compatible with rest of the world?
more than that, you then come and advertise it's products here, telling you have worked for microsoft (for free?) for 5 years. what is this? trolling? plea for pity or fairness towards ms? display of empathy? why?
i don't think ms needs any of it, and besides, i think most of us want to get rid of the whole SOB and it's products. yes, i know some other company probably would take it's place and get eventually just as bad, but i still want ms to disappear. now.
don't shoot me, i'm just a keyboard player.
-- Preserve old classics: copy your collection onto all hard drives.
Anyone remember the old NSAKey hidden in the Win95 registry? Remember all the conjecture about how it was some secret backdoor for the NSA to peer into foreign government computers? *chuckle* um all that was silly, and was never taken serious by anyone but idiots - but I found it amusing to consider the possibilities (regardless of their probability or lack thereof). Reminds me also of the recent/. item about the German gov't banning MS products due to the fact that it couldn't see source, thus couldn't guarantee the security of MS products. I find it amusing that the NSA has lower standards than the German gov't.
As for the guy who mentioned the forked Linux kernel the gov't deemed was necessary to provide for security - what you're forgetting here, guy, is that Linux kernel source is AVAILABLE while Win2k is NOT AVAILABLE - thus no forking is possible. And btw, if the source to Win2k were available, what do you think the chances are that the NSA would find it acceptable? Would they even bother forking, or just shrug and go Linux/BSD/etc totally instead?
--
think for yourself, you won't like the results if others do it for you.
That was my whole point - except I find the concept of MS backdooring wind0ze for the NSA to be ludicrous. My take on it was the humor and contradiction etc
--
think for yourself, you won't like the results if others do it for you.
One of the German Foreign Office's concerns about Windos (all flavours) was that the NSA (with M$ approval, of course) had backdoors inserted in the code. If so, then using anything M$ could be a national security risk.
Hmm... The NSA 'hardening' an OS that may already have backdoors to help them. Need I say more?
The W2K source is available to everyone. It is just very costly to get ahold of.
Typical MS illiterate /. answer
by
m$+is+great
·
· Score: 1
ACLs provide very little security in
a practical sense because they are
almost impossible to administer.
Security provided by MS NT / Win2K in by using ACLs / DACLs is just fascinating. How much programming have you done in NT security before posting this? Have you anytime at least configured a DCOM server? ACLs provide facility to grant / deny the permissions viz. 'read / write / execute / administer' on any object in NT. And this facility is far superior as compared to the primitive drwx facility on the *nix OSes. Using ACLs you can set permissions on directory / file / thread / COM object... For more information read the "Security" topic in MSDN, where you can find all the required APIs, information and help.
-- Where will you take me today, M$?
Incompetent or impotent?
by
m$+is+great
·
· Score: 1
/. has just be reduced to a junk yard where all the developers, frustated by achievements (althought monopolistic) by the MS, look down and frown at the Gates family. Hey okay, the Gates and Windows guys might be acting smart, but they do deliver the products that do really work. It seems most of the comments here, regarding security are by the peoply who have never touched Windows boxes or used / are using the prehistoric Win 3.0/3.11 or Win9x machines. Just shake off ur impotency and provide a security system for Linux that can stand up to the security system (ACLs and DACLs) of the Win NT / 2K platform.
The ignorance of some posters suprises even me.
Someone points out that Win2K source is available to some people, universities AND the NSA --
it gets completely ignored.
"You can't SEE the source because it is closed blah blah blah."
I am so tired of juveniles trashing Win2K. They ramble on about Linux being more secure but I don't think so. Tell me *please* how to implement IPSec with Linux.
All I know is that I know both operating systems..that this gives me the edge over the whiners.
Did anyone besides me notice that the URL contained the word "winsecurity"? That is punny.
--
"What is the sound of one belly slapping?"
Some very true, but old-hat, stuff
by
adalger
·
· Score: 3
Only open digitally signed Word documents received from trusted individuals via trusted paths. This is Microsoft's preferred security solution. While this can guarantee the source of the document, it does not guarantee that the trusted source was free of infection when
the document was sent.
Not to be a knee-jerk basher, but does it really surprise anyone that MS's preferred solution is inadequate?
Macro viruses pose a serious threat to Microsoft Office users. The best defense is to be alert to the danger, and to trust no document that was externally created.
Okay . . . and this the NSA spent years researching and deciding on? I mean . . . okay. I don't suppose they've got a bunch of chimps randomly banging on keyboards over there, but . . . well, it would seem that perhaps the Great and Powerful NSA could come up with something a little better than "Look both ways before crossing the street and don't talk to strangers."
-- -- Robert Bunn, gun-toting neo-Nazi anarchist redneck freak
Re:Really clever posts here
by
species267
·
· Score: 3
Agreed name calling is a little low, but Linux can be secured and is used in big old nokia firewalls used by the likes of BT, admittedly they stick on a number of 3rd party/proprietry software to sure things up, but most operationg systems need that.(do you run zone alarm or similar on win 2K?)
I have run win 2000 pro as well, its nice enough, and stable(I didn't run it for too long), no real complaints except the cost.
as for good software, it is out there, it just means you have to look thurther than PC world, and if you still can not find what you want, find a software company that can produce it for you - I can almost gaurentee that if you want it someone else will to.
- note I use OpenBSD rather than Linux (but thats my current personal preference)
- those who can spell care, those who can't don't -
Did anyone out there get to the NSA site and actually download the files BEFORE they took them offline? I would love to get a copy of the original files and see if they change anything when it is back up next week...
Funny, they can crack passwords and defend the USA, but supposedly cannot handle the traffic at their website.... as if!
Slashdot Mirror
Anyone happen to know if the NSA (or a similarly respected group) has information on locking down, say, Red Hat 7.1? Can't seem to find it on their website... I'm sure they're running something other than just Win32.
Oh no! You gave our secret password away! And it will be so hard to change!?!!!? (We hardcoded it in with a 'if (password eq "nsaspooks") {logged_in=1;} else {logged_in=0;}'
RMS says: All your base are belong to GCC! ^_^
"You mean, like NTFS' ACL? Which NT had since forever? "
No - because it applies to processes too. For example you can't cut and paste (or pipe, I don't think SE Linux has an X server yet) classified information into an unclassified document. Much more sophisticated than any form of file permissions.
I have been thinking of that myself and i got to the following conclusion: If you compiled a hello world program or something similar you could easily debug, view using a hex editor or disassemble the code using any third party tools. That would mean that the "attacker" would have to own the compiler, debugger, and any other tool on the system that could be used to verify the integrity of the compiled code. If i were the "attacker" i'd put the backdoors on the linked libraries (libc perhaps?) so any program running would be "infected" and they could not be debugged as easily as a simple program.
In a gigantic police operation many thousands hackers from a gang calling themselves "Slashdotters" were lifted from their beds and arrested this night for organising a massive DDOS (Distributed Denial Of Service) attack to the main NSA network. It is not yet clear which foreign country payed the leader of this gang known under the name Commander Taco to destabilize the national security of the U.S.
The NSA site has been slashdotted! How hilarious!!!!!!
That might be a little hard to do after Step 8, you might simply want to put it in your will to be done by your next of kin instead.
True, but just because they have the source doesn't mean they can hack on it or fork it like they can with Linux.
--
Simon
--
"Hot lesbian witches! It's fucking genius!"
Format the hard disk.....
sigs are a waste of space
Charge you? Beta testers get free copies of the product they are testing.
-l
Help cure AIDS, cancer, and more. Donate your unused computer time to worldcommunitygrid.org. Join Team Slashdot!
Oh you're right about that. Sorry... I just skimmed it since I saw it on the ml and didn't reread it properly. I am curious if Office2k is affected now!
-l
Help cure AIDS, cancer, and more. Donate your unused computer time to worldcommunitygrid.org. Join Team Slashdot!
Indeed, I wonder if GNU/Linux distributions were to adopt MAC and CAPS more fully whether or not sysadmins would be up to the task... especially at smaller companies (like mine) where they can't afford the higher end guys to do simple internal MIS stuff. I've actually been kind of glad that Linux has not gone all ACLs yet due to the sheer complexity that that involves. But, when Linus does finally accept a patch for it, I'll thank my stars again that I transferred to the programming department!
-l
Help cure AIDS, cancer, and more. Donate your unused computer time to worldcommunitygrid.org. Join Team Slashdot!
... one would think they'd have more than a dinky uplink to the 'net.. They're slashdotted :p
Still, I suppose you get SOME security by using extremely slow connections..
Your Working Boy,
- Otis (GAIM: OtisWild)
They say: "Because of the amount of interest in the Windows 2000 Security Recommendation Guides, we are updating our Web site to better handle the demands placed on downloading the files. We expect to make the guides available once again during the week of June 18, 2001."
NSA machines are taken down and scanned regularly for trojans and other guests. A good friend of mine is a physicist for several govt. projects of which he wont talk, but his laptop is replaced every two weeks or so.
errr....umm...*whooosh* *whoosh* Is this thing on ?
Yes, they did - which is pretty remarkable for an incredibly secretive organisation like the NSA.
By putting it out there under the GPL, they have. I don't know whether it's planned to integrate with the main tree or not - it may be that the features the NSA require interfere with other things more important for maintream use.
Go you big red fire engine!
Any sufficiently advanced technology is indistinguishable from a rigged demo
--Andy Finkel (J. Klass?)
One computer per department that does not have knowledge on it is connected to the net, but is also networked to other boxes in the department that may or may not have knowledge on them. Those boxes, in turn are connected to other boxes in the building that may or may not have knowledge on them, etc....
While what you say is theoretically true, as a practical matter any machine that has any really secret stuff on it is always going to be air-gapped. That is, the machines that really have to be secure are simply not physically connected to the outside world, either directly or indirectly. It's the only way to be sure there won't be a remote exploit...
ABSURDITY, n.: A statement or belief manifestly inconsistent with one's own opinion.
For some reason you have to go to http://www.nsa.gov/winsecurity and then proceed from there.
Shoving all that under "capabilities" and then arguing that since win2k outshines linux in the granularity of it's permissions model borders on dishonest. Security-feature wise, SELinux is in a whole different ballpark (B1) from both win2k and Linux.
Pretending that that patch was necessary to get Linux to be as secure as NT is dishonest (or ignorant).
I suppose technically you could still root it by using microwaves to power the circuits as well as read/write values (van Eck style) into the onboard cache of the processor. You've got a couple kilobytes in the BIOS memory you could use for runtime/firmware stuff. Granted you'd need to get some equipment really close to it but the water might provide a good way to cancel out noise. Hmmm.
I'm a loner Dottie, a Rebel.
I downloaded 'em all (except the three supporting docs that I wasn't interested in) before they turned off the pipe, so if they change something, I would notice. I don't expect them to, though.
Cheers,
The problem is not that they had to fork the linux kernel, but rather that they are forced to make do with whatever Microsoft allows them to do to make their servers secure.....
Forking the kernel can be a good thing, and it shows how flexible linux can be...
The secret of success is honesty and fair dealing. If you can fake those, you've got it made. (Marx)
Why is this moderated to +5 Interesting? If you read the docs and follow the mailing list you will see that what they are doing is experimenting with manditory access control and the only reason they picked linux was because the source is available and there are a lot of people using it. The project does not aim to create a secure distro - only experiment with a single feature that could lead to more secure distros in the future (and probably not just linux distros)
your post would have been funnier if you spelled caveat properly
=P
Actually you are partly right and mostly wrong. They forked linux not to get it as secure as w2k but to make it a secure operating system. Since they had the source code to work with they have worked on adding features to linux to make it secure in a way that other operating systems can not be guaranteed to be.
With their linux dist they get many eyes looking at it and they can do anything they want with the source code to make it as secure as possible.
Given the choice of mostly secure which the nsa can get with w2k and redoing parts of linux to make it actually secure which would you choose? It seems obvious which one the nsa chose. Also they are more changes in their linux dist then just the kernel.
Computer modeling for biotech drug manufacturing is HARD!
yeah right - "because our Win2k IIS server seemed to get DDos even after we posted our recommendations on securing Win2k against it we are migrating to Linux... we expect to have completed this the week after next"
Man, some of you guys are as automatic as a jack in the box. Give you the right stimulus, get the exact response.
For those of you over 17,
I'm going to tell you a story I heard in a movie. A little boy grows up hating his stern father because he punishes him, while he is very close to his mother because she protects him. He grows up and moves out. Later, when he's about 25, his mother dies unexpectedly at around 50. At her funeral, he's silent. His father continues to remain estranged to him but lives to an old age, and dies at 75 when the man is now 50. As he's standing at his father's graveside, he finds himself sobbing uncontrollably.
The point is that when his mother died, it was unfortunate. But, when the father died, the man, who hated his father so much, now no longer had the hate to keep him going.
The movie was a movie about how Nazis and Jews. It reminds me very much about how some of you act. Please be more interesting.
[Saint Stephen]
You are so clueless.
ACLs provide very little security in
a practical sense because they are
almost impossible to administer.
Capabilities, (not the dumbass privileges of
POSIX) are the only easily administered general
security model. They are a lot less work for the kernel too.
It is simple for the child to have only the rights that the parent had at the time of the fork.
The trick is to have the child lose the rights whenever the parent loses the rights.
Just like the government to put up a bait site like in the book "The Cuckoo's Egg"
make Linux, not Microsoft. sin(beast) = -0.809016994374947424102293417182819
And they forked linux because they could it being open source and all. They would undoubtedly have done the same with win2k, but they can not because it is closed source.
The NSA has the Win2k source code. It's very easy for universities and other establishments to get the source, slightly less easy for large companies, and slightly less easy still for small companies and individuals (although they're changing this as we speak...)
Simon
Coming soon - pyrogyra
The W2K source is available for corporations with the funds. There will never come a day when CompSci students can learn OS design by looking over MS's source.
I don't want knowledge. I want certainty. - Law, David Bowie
I just tried to go to the SE Linux page and it looks to be pretty well slashdotted. I wonder if we'll see any stories about DoS attacks on the NSA in the news because of this post...
Step 1: Disconnect the network cable.
Step 2: Disconnect the keyboard
Step 3: Disconnect the mouse
Step 4: Disconnect the monitor
Step 5: Turn the computer off
Step 6: Unplug it
Step 7: Remove the harddrive and lock it in a safe somewhere where nobody will ever think to look for it, then promptly forget where you left it.
Step 8: Kill yourself just to be sure you don't accidently ever remember
Ok. Its secure.
-Restil
Play with my webcams and lights here
Because of the amount of interest in the Windows 2000 Security Recommendation Guides, we are updating our Web site to better handle the demands placed on downloading the files. We expect to make the guides available once again during the week of June 18, 2001.
Windows 2000 Security Recommendation Guides
Maintain a questioning attitude
I believe Juanita
ignorant posts on zdnet, though... I love those!
Just kidding. It's impossible to read those pathetic forums.
Juln
Well... it just became Error 403... Forbidden... I guess, that's how they handle that problem...:) At least, that's what it is now... hehe:)
- -
-----------------------------------------------
Jobs? Which jobs?
This document is only a guide containing recommended security settings. It is not meant to replace well-structured policy or sound judgment.
Really? Well, I guess I shouldn't kiss this rattle snake then. Lucky I read the legal notice.
How we know is more important than what we know.
Why should I freely work for them for a product that they will turn around and charge me for, you ask.
If you're even a halfway productive beta tester, you don't have to pay for the OS. At least, i've never had to.
Plus, its knowing you have access to a pre-release OS in its formative stages, watching it grow and having more input than the average joe into the development of a platform destined to go on thousands of PC's. It also has benefits when it comes to one's career - When one of my previous employers moved to 2000, I already had extensive experience in 2000 and knew it intimately - moreso than any of the other NT admins. This provided a distinct advantage for me within the company which is beyond the scope of this post.
This is the reason one of the best ways to get into the beta team is you have a security background and a positive attitude.
They finally post a /. article that isnt directly attacking windows - and seemingly people crawl out of the woodwork to provide a kneejerk reaction to the words "Windows" and "Secure".
:)
Heres a small dose of insight, from someone who's beta tested MS operating systems for 5 years (or so.)
Microsoft listens to users suggestions. They may not respond to you, they may not integrate them into the OS. But they do listen. MS does not make an insecure operating system on purpose - Beta testers have a whole newsgroup to focus on security and how to improve it before the final build is released. Its part of their role and responsability to test for exploitable security holes - if you don't think they're doing a good enough job, how about you send a request to betareq@microsoft.com and ask to be on the next beta team for windows. Keep in mind though, they usually only want experienced users and there are checks and balances to make sure you're a functional beta tester - not just someone who enjoys bragging about having teh leet XP build #x.
The beta process is not perfect, IMHO - Bugs do get knocked down (i've thought for a long time they should let the beta testers moderate bugs) and i have an extreme distaste for setting a release date before the beta testers agree that testing is complete. XP is remarkable right now, but not perfect. This part is MS's fault.
If you have an intelligent, well-thought-out, non-kneejerk "windows sucks *chortle*" suggestion/comment regarding windows - you may go to http://www.microsoft.com/mswish/
(p.s. - When you list your beta testing experience, the following line is a bad, bad idea: "I tested (unofficially) Windows XP, 2000, ME, 98SE, 98.... you get the idea. har har har *snort*"
NSA has two halves. One half has the purpose of recommending security systems (e.g. DES many moons back).
Ah yes - DES which was deliberately weakened from 128 bits (which was the original recommendation) to 40 (which the NSA could break but hoped nobody else could)
and this supports your argument how?
--
-=DaveHowe=-
I think it would be more appropriate to say they took an OSS product, and modified it to suit what they wanted it to look like - as doing so is one of the strengths of Open Source. I doubt they actually WANT secure versions of windows out there - several governments seem to be viewing windows with mounting suspicion for official use....
--
-=DaveHowe=-
That's not that hard, really. A program owned by some user will never have more permissions than that user, right? So just have a permissions mask for every program, as well as every user.
------
Thank God for that.
This is also quite useful: http://arstechnica.com/tweak/win2k/security/begin- 1.html
Ummm... It *is* closed.
Just because you can see source doesn't mean that it is open source. Microsoft won't let you change the source code or build your own version of w2k. They will (for a large fee) let you look at the source to make your code work better, but they have so many rules and restrictions on the code that it next to impossible to do anything useful after you've seen the code.
1) never ever give out your password (except to us of course - you can trust us (really!)).
2) use encryption, but only really stupid encryption so that we can read it.
3) please please please use Windows - it is waay more secure than unix ok? (really!).
4) all your base are belong to us
Nevrar
Mod parent up.
. htm is very good !
That link http://www.gpick.net/sbr/security/w2ksecuritytips
Stupid troll.
Great link, sorry I used up my mod points. One correction though, the posting doesn't mention Office2k, but "Word 97, Excel 97, Visio 5.0" (these are examples, not necessarily all the apps that have the fault mentioned). Pretty old programs to be using, especially if you're using Win2k for the OS.
---
Linux: The world's best text-adventure game.
Eh, doubtful. The method used to save a file that the article is talking about is rather Bass-Aackwards, of course, that makes it 100% suitable for an Micro~1 product. And the fact that it's present in Office 97 products removes the option to say "I can't see them doing file-saves like this".
---
Linux: The world's best text-adventure game.
Gee - wonderfull...
In my experience, it's always the fault of stupid admins who don't properly setup and patch their OS (any). But, here it is in a simple nutshell, everything you need to run a secure W2K/IIS box.
i tical/q293826
Install W2K Server.
Install Service Pack 2
Install this IIS patch: http://www.microsoft.com/windows2000/downloads/cr
OK - lets see someone "root" that box. I can positively guarentee you won't find any box with these two simple patches applied being defaced!
Is this really that hard people? W2K is secure. IIS is not nearly - but can be with a single patch (it's a rollup of all previous patches).
db
And that is informative how? Seen that this is an article about NSA publishing documents about securing Win2K this information hardly seems relevant.
Remember, there are no stupid questions. But there are a lot of inquisitive idiots.
The site nsa.gov is running Apache/1.3.11 (Unix) on Solaris.
if you want to make God laugh, tell him your plans
Yes, it's probably too elementary for your subtle and keenly-developed sense of computer security, but these guidelines might actually be useful to the great unwashed masses, many of whom die in droves while
If 90% of the computer security fatalities are a result of supposedly trivial things to fix, that does not make it any less helpful and useful to suggest trivial fixes, given how much grief can be saved.
"Provided by the management for your protection."
You can hardly compare LinuxSE with the security in Win2K. LinuxSE was a showcase in putting in security hooks in a normal consumer OS. They couldn't do this in a MS Windows OS since the source and knowledge is proprietary. I strongly doubt Win2K has the hooks necessary for that kind of security. If it has, it's probably been put in by NSA themselves. Remember there are many types of security.
- Steeltoe
http://www.debunkingskeptics.com/
Anyone care to speculate on what DoD's reaction to a full-scale slashdotting would be? Given that they report routine pings and port scans as "attacks" I imagine their reaction to this unsolicited SYN flood would be similarly excessive.
Tarsnap: Online backups for the truly paranoid
Funny, I thought it was "CIAagentsareweenies".
Can you explain this please? AFAIK, both allow user, group, and all/everyone type permissions. As for filesystem support, I don't know. I am genuinely curious what Win2K supports that Linux does not.
Always a Linux newbie,
psxndc
The emacs religion: to be saved, control excess.
psxndc
The emacs religion: to be saved, control excess.
This is probably the most false claim I've ever seen on Slashdot. SE Linux is based on research into
- Capabilities: A concept that is literally over a decade old in OS design as can be seen by the POSIX 1.E standard that never got drafted (although some people prefer to call what POSIX suggested "privileges" and the fact that many operating systems support "encoding clearance into the filesystem and OS" otherwise known as capailities including Spring, EROS, KeyKOS, and Mungi.
- Access Control Lists: Again this is an ancient concept which has been implemented in quite a number of OSEs including some versions of Solaris, *BSD and Win2K.
Both of these concepts are things that Linux either does not support or supports in a limited manner. Currently Win2K outshines Linux in the granularity of the permissions and security model and filesystem support for things like encryption. I'm not an OS bigot and run both OSes at home but seeing something so blatantly false and jingoistic just begs to be challenged.--
Interesting, there are about 18 comments as I post this and over half are jokes about unplugging the computer to make it safe. The truth of the matter is that by NSA guidelines no popular operating system is secure enough out of the box and has to be extremely looked down.
What is perhaps even more interesting is that at least Win2K can be secured to a level that is suitable for the NSA, they actually had to fork the Linux kernel to get the same functionality out of Linux.
--
This is only to be used for non-spying means. Really. There is no need for users to worry about invasion of privacy as we at the NSA are above that.
Additionally, please ensure that you give your files clear names such as "Nuke blueprints" or "Kiddie Porn". We suggest this purely to help you organise your file system.
--
--
I like to watch.
--
--
I like to watch.
You're further proving my theory that Slashdotters' hostility can be chalked up to child abuse of a sexual nature.
--
--
I like to watch.
Huh. Max uptime of 11 days? Somehow I expected a bit more out of the NSA...
The only "intuitive" interface is the nipple. After that, it's all learned.
"The question of whether a computer can think is no more interesting than that of whether a submarine can swim" -EWD
You've slashdotted the NSA!
- -----------
You bastards!
--------------------------------------
Can't get on there from the UK at all. Congratulations..... Tim
Vintage computer games and RPG books available. Email me if you're interested.
well, it would seem that perhaps the Great and Powerful NSA could come up with something a little better than "Look both ways before crossing the street and don't talk to strangers."
Some things may be common sense to some people, but they won't really be 'common' unless you teach it to other people. These guys are covering their bases and trying to cover yours too... It can't hurt to pay attention.
Peace,
Amit
ICQ 77863057
[o]_O
Quoteth the raven:
The site www.nsa.gov is running Apache/1.3.11 (Unix) on Solaris
There have been quite a few people here to suggest that Windows is obviously more secure than Linux because the NSA never forked the Windows as it did the Linux Kernel. Their logic is full of holes.
1 - None of these posters actually documented that the NSA really does have full access to the code. Should we just take their word for it?
2 - What if they are indeed given access, but the access is under the "Shared Source" terms in which the technologists are told basically: "you can look but you can't touch"?
3 - Has anyone contemplated the legal ramifications of altering the Windows source even if Microsoft's contract suggested that it were allowed: which is very doubtful?
4 - Any open copy of Windows is invalidated by the persistent and required security patches. Open source means nothing if upgrades are required, but these updates are closed.
5 - Does any have proof that the Windows code hasn't already been forked without public disclosure? The NSA does not have to inform the public of such things.
I dispute the astroturfing posters who have inundated Slashdot. The NSA forked Linux and publicly disclosed it because they had the liberty to do it. That is what open source is about.
-- Thomas Corriher
"...The ignorance of some posters suprises even me..."
"..I am so tired of juveniles trashing Win2K. They ramble on about Linux being more secure but I don't think so. Tell me *please* how to implement IPSec with Linux..."
Yes.. Those "ignorant" people who do not appreciate Microsoft's innovations are annoying. You might find the following IPSec link very educational:
http://www.google.com/search?as_q=ipsec+linux& num= 30&btnG=Google+Search&as_epq=&as_oq=&a mp;as_eq=&lr=lan g_en&as_occt=any&as_dt=i&as_sitesearch =&safe=off
-- Thomas Corriher
Now that the NSA has been /.ed, will there be a suit against /. for a DDoS attack against the government?
Eh...
The only secure computer is one that is powered down, has all the DIMMs pulled out, is cast in a concrete block, and dropped to the bottom of Lake Superior. And even then, I have my doubts...- -
--------------------------------------
Yo soy El Fontosaurus Grande!
blog |
If you forget the administrative password just phones us and we'll get it for you!
From what I understand - the NSA went through an outsourcing effort about 2 years ago (thanks Bill!!) - so anyone who was decent pretty much left the Agency. The ppl left in the trenches now are fresh out of college - most of whom know nothing BUT windows. Upper mgmt lacks the technical knowledge or even vocabulary to make intelligent decisions, and it looks like they're trying to turn the Agency into a "business" .. MS caters to the business wannabe's who don't understand the more in-depth technical issues - so what's next? Our National Security depends on the success of the MS security model?
"How to Avoid a Slashdotting" guidelines will soon show up on NSA after today. :)
Men believe what they want. - Caesar
Following any guidelines will still not make the system 100% secure; it will only make it secure against the current known and published exploits. It is more than likely that in future new exploits will appear. There are probably also undocumented exploits out there that are only known to crackers.
The security changes described in this document only apply to Microsoft Windows 2000 systems and should not be applied to any other Windows 2000 versions or operating systems. so which is the 'other Windows 2000 version and which version does this apply to???'
Yes, but were they aware of the backdoors in windows? If they had source they would have needed to fork that too, I guarantee you.
Ever get the impression that your life would make a good sitcom?
Ever follow this to its logical conclusion: that your life is a sitcom?
"I don't care about the Constitution!" --Bill O'Reilly, November 17, 2009
They were doing this as a service to all the stupid Admins out there that mess up their W2K system because they are to retarded to read the manual and set up a good security protocol, and then go on slashdot and complain that Microsoft sucks because the knowledge to set up the server wasn't so obvious a chimp could set it up.
And yet we all can set up our linux boxes just fine. So you're saying linux is so simple a chimp could set it up?
My personal experience with MS products is that how to do what you want to do is not in the manual. This is not stereotypical bias, it proceeds to this day. If they fixed the problem, I would stop deriding them. They don't.
Bear in mind I am someone who uses microsoft products daily, up to and including the 2k shit, and I rtfm otherwise I couldn't use linux. People who say what you just say obviously never used UNIX systems because it's umpossible to be a linux user without being a manual-reader.
Ever get the impression that your life would make a good sitcom?
Ever follow this to its logical conclusion: that your life is a sitcom?
"I don't care about the Constitution!" --Bill O'Reilly, November 17, 2009
Ummm... sorry but your are wrong. Nokia firewalls use a BSD derivative, that then runs Checkpoint firewall on top of it as a firewall appliance.
Step 1: Shut off computer. Step 2: Unplug from wall. Step 3: Lock in NSA basement. Congratulations, it is now secure.
...I'll procrastinate tomorrow...
The only way to secure win2k is to make sure it never gets installed. Win2k is secure in the box, but once you take it out, it already has a hole in it... ;-) The holes get to be bigger and more numourous!
Perhaps they should read security focus's stuff more often; then again they think they are all l33t because they are the NSA. After all, backdoors in M$ products are good for them.
Karma whorin' since 1999
Anybody got a mirror???
---- Put Sig here:
Um. May I suggest you read this document which explains the philosophy behind the kernel modifications.
Securing Windows 2000 and 'forking' (actually patching) the Kernel were both done with different goals.
In a nutshell, the modifications done to the kernel were done to impliment the 'Flask' security architecture, which (mainly) is about separation between setting and enforcing security policies, and how this is applied to the various types of resources. In addition, SELinux was the by-product of a research project, and is not used operationally by the NSA.
The suggested configurations for Windows 2000 have different goals, and is not a handbook for implimenting the Flask architecture on Windows 2000.
My apologies if you feel I was taking credit for this idea - I certainly didn't intend to.
I had forgotten who it was that first thought of this. I suppose I should have mentioned that it was someone else's idea - but I posted this quickly during a break at work.
Once again if I offended you - I apologise.
Backdoors are possible in Open Source - if you put them in the compiler.
Suppose I set up a website with my new compiler. I give a binary download and a source download. What I don't tell people is that the binary download contains extra code which adds a backdoor to the software it compiles. It also recognises when it is compiling itself and adds all this extra code.
So now you've got a corrupt compiler which generates back doors.
Of course you have to persuade someone to download the binary compiler first. But if they're working on a system without a compiler - that's exactly what they'll do. Or they installed the compiler direct from the CD.
I'm afraid the only way to 100% sure that your compiler is not corrupt in this way is to write your own. At least one that's good enough to compile another one.
It appears that even the NSA isn't invulnerable from the slashdot effect at 5:00 in the morning EDT. I wonder how bad it's gonna be at 10 or 11 AM.... =-)
Just a joke man, relax.
/. readers :)
At least I TRIED to read the article. Doesn't that put me above 90% of
-- When a fool hears of the Tao, he will laugh out loud.
Listen the NSA does use Windows / Linux / Sun basically what ever the person prefers. But all the computers are on a closed network that has no access to the Internet at all. I have been in Fort Meade (NSA Headquarters) and every department has Internet access but it is usually limited to one computer per department that doesn't have any kind of knowledge on it.
The whole point of the specifications that they realeased if any of you accually read the thing before you started bitching about it, was it was for government agencies that were looking to set up W2K systems. By government agencies they probably ment local and state goverment, because the federal government has a set standard for their servers, and it is not W2K. They were doing this as a service to all the stupid Admins out there that mess up their W2K system because they are to retarded to read the manual and set up a good security protocol, and then go on slashdot and complain that Microsoft sucks because the knowledge to set up the server wasn't so obvious a chimp could set it up.
No, by having had that NSA baseline for a while, modifying it a bit for our theater, and trying to get our sysadmins to use it. We also stay on top of the baseline to keep it up to date with the latest threats (we're thinking of using an Acrobat expiration plugin to make sure what's out there is the most recent).
Try the baselines. They work.
And don't forget this is the same NSA that is working on a hardened version of Linux.
Okay, so that's what they told the public. But it's standard practice in the DoD to do regression testing on any hotfix or patch before releasing it to the theater. Any business would be smart to do the same.
"NSA APPROVED" wouldn't necessarily mean the patch works right in your organization.
These baselines are pretty much common sense with a bit of admin knowledge thrown in. Just apply your own when using them.
We've been using these "Security Baselines" as we call them in our organization for a while.
We have a *LOT* of Win2K boxes spread over a continent, and whenever one's compromised, we always find that the administrator or operator was not following the baseline. I don't know of any baselined machines being compromised.
Use these; they're a Good Thing.
http://www.kuro5hin.org/?op=displaystory;sid=2001/ 6/13/13341/1119
This of course was the topic of Dennis Ritchie's Turning Award lecture a number of years ago.....
Who, me?
Gawd, I meant "Turing Award" of course...
Who, me?
1:40am PDT, and you guys have slashdotted the NSA, I am so proud of you all :)
The CIA is an agency of the NSA. That is, unless you believe that NSA = No Such Agency.
Drywalling it in a room might not help at all (though this was a Novell server)
Sig (appended to the end of comments I post, 54 chars)
"Man, some of you guys are as automatic as a jack in the box. Give you the right stimulus, get the exact response."
Well, I bash on Microsoft because their products are generally pieces of junk. I use an OS that is free and cannot be commercial, and it is developed by people in their spare time who are gracious enough to lend their talents despite their hectic work schedules, and it still is better than anything coming out of Redmond. Besides, Linux people aren't trying to collect marketing data, and aren't trying to artifically adjust the market itself that they operate in to their own favour. Microsoft stands accused of all of these, and is in court litigation for the last one.
If Microsoft put out a decent product, didn't screw with others for their marketing, and won over customers on merit, I would not have a problem with them. Unfortunately, none of these are true, and after having to deal with their shitty OSes for several years as a field service technician, I don't see a reason to use their software if another solution is available. I will gladly even use products that compete with a potentially decent product that they have, simply to deny them the income of that into their corporate monstrosity.
Don't compare dissing corporate stupidity to someone's family, they are wholly unreleated, and even stretching the analogy, it doesn't hold up. If you don't like how people here dis on Microsoft, don't read the articles. Slashdot's core readers seem to be UN*X people, so it would make sense that we don't like Microsoft, no wouldn't it?
"Titanic was 3hr and 17min long. They could have lost 3hr and 17min from that."
IBM had PL/1, with syntax worse than JOSS,
And everywhere the language went, it was a total loss...
No, their ISP canceled their account because of excessive traffic.
-- I have monkeys in my pants.
I work for an MS gold certified partner. As the network specialist, I implement MS, UNIX or Cisco based firewall/Proxy/whatever solutions, based on the customers needed. Because we're a MCGP, we have free reign over MS licenses, and can install basically all we need. This is great, because we have full access to any products we want to look at. HOWEVER, I can't imagine what it's like for businesses/persons who have to pay for BS from MS. The cost of these products is outrageous. Sure win2k is a nice stable platform (I've been running it for over 2 months on one system, very hard on it, and it seems good), but the price? OMG. Let me clarify this with one thing. I would gladly pay the price most companies ask for software because I know they have costs, and expect to make a reasonable return. However, knowing the sheer magnitude of the profits MS is making, surely their software doesn't need to be so expensive. They have billions and billions in the bank... Now I'm not saying they should stop turning a profit or give money back, but be reasonable about your greed! Ack. I also blame "boot camps" for the prevelance of MS products, but that's a whole other rant.... Max Inglis
Too late! You'll need to scour the space-lanes near the small desert world of Tatooine for a Corellian-made ship called Tantive IV and see if a white-and-blue astromech droid is aboard.
You might be able to get the plans out of him, if you can get his ponce "companion" to shut up long enough...
While you're waiting for the droid to be found, why not watch Wargames? Somewhere in that movie is the infamous line:
WOPR: All your ICBM are belong to us!!
GTRacer
- C'mon, I know it's troll-feeding, laugh a little!
Defending IP by destroying access to it? That makes sense, RIAA/MPAA. Go to the corner until you can play nice!
It wasn't any more intelligent the second time around.
Nah...
OK,
- B
--
http://www.bradheintz.com/
- updated
Maskirovka
All these feds are saying secure your computers like we do! Should I be worried someone in Swaziland is going to take me down?
Get your Unix fortune now!
I started reading the Guide to Securing Microsoft Windows 2000 File and Disk Resources and one of the first things they recommend is to "Apply the latest Windows 2000 service pack and security-related hotfixes." I'm not MS bashing here, but isn't that a (cough) BAD IDEA?? I don't care if it's W2K, Linux, Solaris, etc. -- that's just not the way you run a production server, let alone a workstation that you are trying to make as secure as possible for sensitive info. You should always test out any patches/fixes/service packs. I would think the wording would be, "Apply the latest **NSA APPROVED** Windows 2000 service pack and security-related hotfixes."
Reams of NSA information on how to make your Win2k box "secure" just points out that Win2k was not meant for the large majorities of home users. Microsoft expects your Win2k system to be operated in a network. This includes allowing remote users to access your registry, view your clipbook, browse your directory, or connect to it via Telnet, right out of the box. It is not set up by default to be the gateway computer to the net. I came up with a step-by-step checklist a while back for all my friends that were running non-networked Win2k home systems directly connected to the net. I don't know how good an idea it was to give step-by-step directions on how to change registry settings, but hey, no one has locked themselves out of their computer yet (at least that I know of). You can see it here: http://www.gpick.net/sbr/security/w2ksecuritytips. htm
my point is that this isn't a compiler even it's an instruction checklist.
how can backdoors go in that that wouldn't be detected by anyone with even the lease bit of experience?
hmm... step 3: create an account username "spook" password "nsa0wnz0rz" with administrator priveliges, if you do not do this EXACTLY your system will be insecure
RST2003, noticing slashdot doesn't allow >br
apply XOR 0x03 to characters in email address
What would be the legal complications of starting an un-sensored Napster (no, not kidnapster (see futurama)) server at 20,000 feet above the atlantic?
"Reflections on Trusting Trust", Ken Thompsom, Communication of the ACM, Vol. 27, No. 8, August 1984, pp. 761-763
Even if you make it only 90% secure, then you are ensuring that a lot of people will not be able to hack you.
Since the number of truely talented hackers is small, that in itself reduce the chances of a break in.
--
Two witches watch two watches.
--
Two witches watched two watches.
Which witch watched which watch?
Their web site is so secure that I can not even look at it.
-CrackElf
"Blake is an idealist, Jenna. He cannot afford to think." - Kerr Avon, Star One, Blakes 7
Finally someone is recognicing the vast security abilities in Windows 2000...
Ha ha ha (I have tears in my eyes from laughing)
There isn't much like the scent of a fresh harddisk
It makes you wonder, if it's all because of the /. readers or if their security releases are indeed so popular.
As another point of interest... they also have "security-enhanced Linux modules" at http://www.nsa.gov/selinux/download.html
Uh... doesn't this represent one MAJOR security problem for windows? Think about it the NSA is laying down it's report on all of it's W2k security concerns on the Internet. And the only major news service to link to it is Slashdot....
This means your average NT administrator (who thinks that nerd news doesn't matter to him), will never know about this documentation. Which means basically that this is the NSA's recommendations to hackers as to W2k's soft points. (not that anyone needed that much help)
I would rather be ashes than dust!
Operating System and Web Server for www.nsa.gov The site www.nsa.gov is running Apache/1.3.11 (Unix) on Solaris.
If you try to access their reccomendation guides you get redirected to http://www.nsa.gov/winsecnote.htm which says:
Those poor bastards...Before trying to accuse the NSA of putting a private back door into your OS, be ready to explain how your conspiracy theory would keep it private. "Relying on the stupidity of several hundred million individuals" gets cut to shreds by Occam's Razor.
more than that, you then come and advertise it's products here, telling you have worked for microsoft (for free?) for 5 years. what is this? trolling? plea for pity or fairness towards ms? display of empathy? why?
i don't think ms needs any of it, and besides, i think most of us want to get rid of the whole SOB and it's products. yes, i know some other company probably would take it's place and get eventually just as bad, but i still want ms to disappear. now.
don't shoot me, i'm just a keyboard player.
Preserve old classics: copy your collection onto all hard drives.
destroy the harddrive.
Anyone remember the old NSAKey hidden in the Win95 registry? Remember all the conjecture about how it was some secret backdoor for the NSA to peer into foreign government computers? *chuckle* um all that was silly, and was never taken serious by anyone but idiots - but I found it amusing to consider the possibilities (regardless of their probability or lack thereof). Reminds me also of the recent /. item about the German gov't banning MS products due to the fact that it couldn't see source, thus couldn't guarantee the security of MS products. I find it amusing that the NSA has lower standards than the German gov't.
As for the guy who mentioned the forked Linux kernel the gov't deemed was necessary to provide for security - what you're forgetting here, guy, is that Linux kernel source is AVAILABLE while Win2k is NOT AVAILABLE - thus no forking is possible. And btw, if the source to Win2k were available, what do you think the chances are that the NSA would find it acceptable? Would they even bother forking, or just shrug and go Linux/BSD/etc totally instead?
think for yourself, you won't like the results if others do it for you.
ACLs provide very little security in a practical sense because they are almost impossible to administer.
... For more information read the "Security" topic in MSDN, where you can find all the required APIs, information and help.
Security provided by MS NT / Win2K in by using ACLs / DACLs is just fascinating. How much programming have you done in NT security before posting this? Have you anytime at least configured a DCOM server? ACLs provide facility to grant / deny the permissions viz. 'read / write / execute / administer' on any object in NT. And this facility is far superior as compared to the primitive drwx facility on the *nix OSes. Using ACLs you can set permissions on directory / file / thread / COM object
Where will you take me today, M$?
/. has just be reduced to a junk yard where all the developers, frustated by achievements (althought monopolistic) by the MS, look down and frown at the Gates family. Hey okay, the Gates and Windows guys might be acting smart, but they do deliver the products that do really work. It seems most of the comments here, regarding security are by the peoply who have never touched Windows boxes or used / are using the prehistoric Win 3.0 /3.11 or Win9x machines. Just shake off ur impotency and provide a security system for Linux that can stand up to the security system (ACLs and DACLs) of the Win NT / 2K platform.
Where will you take me today, M$?
i wonder, do they use the nsakey to spy on themselves?
---
"i was saying gnu-rd"
The ignorance of some posters suprises even me. Someone points out that Win2K source is available to some people, universities AND the NSA -- it gets completely ignored. "You can't SEE the source because it is closed blah blah blah." I am so tired of juveniles trashing Win2K. They ramble on about Linux being more secure but I don't think so. Tell me *please* how to implement IPSec with Linux. All I know is that I know both operating systems..that this gives me the edge over the whiners.
Did anyone besides me notice that the URL contained the word "winsecurity"? That is punny.
"What is the sound of one belly slapping?"
Not to be a knee-jerk basher, but does it really surprise anyone that MS's preferred solution is inadequate?
Okay . . . and this the NSA spent years researching and deciding on? I mean . . . okay. I don't suppose they've got a bunch of chimps randomly banging on keyboards over there, but . . . well, it would seem that perhaps the Great and Powerful NSA could come up with something a little better than "Look both ways before crossing the street and don't talk to strangers."
-- Robert Bunn, gun-toting neo-Nazi anarchist redneck freak
Agreed name calling is a little low, but Linux can be secured and is used in big old nokia firewalls used by the likes of BT, admittedly they stick on a number of 3rd party/proprietry software to sure things up, but most operationg systems need that.(do you run zone alarm or similar on win 2K?)
I have run win 2000 pro as well, its nice enough, and stable(I didn't run it for too long), no real complaints except the cost.
as for good software, it is out there, it just means you have to look thurther than PC world, and if you still can not find what you want, find a software company that can produce it for you - I can almost gaurentee that if you want it someone else will to.
- note I use OpenBSD rather than Linux (but thats my current personal preference)
- those who can spell care, those who can't don't -
Did anyone out there get to the NSA site and actually download the files BEFORE they took them offline? I would love to get a copy of the original files and see if they change anything when it is back up next week... Funny, they can crack passwords and defend the USA, but supposedly cannot handle the traffic at their website.... as if!