Slashdot Mirror


Unsafe At Any Runlevel

joestump98 writes: "In an effort much like Ralph Nader's effort to increase safety standards for the car industry, The Center for Internet Security plans to pressure software vendors into shipping products with the 'highest security settings available, making them less vulnerable to viruses and hacking ...' Some of its members include Intel and Stanford. The best part is they will be releasing testing tools for all of the major operating systems, including Linux."

41 of 106 comments

  1. The Politics Of Exposure. by Anonymous Coward · · Score: 2

    Coupled with this, it would sure be nice if journalists would start reporting fairly on security problems. I'm not the conspiratorial sorta type, but has anyone else noticed how most every MicroSoft-related security gaffe is reported in such a generic manner that it takes the heat (and spotlight) completely off of Redmond? A macro virus tripped by Word or a .vbs script that attacks Outlook and rips through its addressbook needs to be reported as a MicroSoft-specific virus|worm|trojan|etc. Rather, it's made to sound like a universal threat; spreading the risk across all OSes equally, instead of dropping it exactly where it belongs -- in Gates's buggy lap.

    1. Re:The Politics Of Exposure. by Dwonis · · Score: 2
      Heh. MS software is shit, security-wise, but so is much 'nix software.

      I think if the only daemons that ran as root were wrappers that setuid()'d to other users, we'd be rid of many 'nix security problems.
      ------

  2. Re:I like this quote... by Karpe · · Score: 2

    It's natural selection. The survival of the fittest idiot.

  3. J. Random Loser will never stand for it by gaj · · Score: 2

    While I applaud the idea, and champion it myself, users and marketeers will resist this to the end.

    You see, security isn't user friendly.

    <sigh>

    When I've tried to push a "secure by default" position in the past, the response I usually get is: "But that would be a pain for the user! Let's make the secure configuration an option. The user that really needs security can just turn it on".

    The rub is, the ones who really need it don't know enough to turn it on.

  4. Guerilla moderation (or meta-mod, not sure which) by unitron · · Score: 2
    "Question... (Score:0, Flamebait)
    by GriffX (DONTjlgriffithsSPAM@MEearthlinkPLEASE.net) on 06:23 PM July 21st, 2001 EDT (#25)
    (User #130554 Info) http://www.griffx.com

    Will the leader of the Center for Internet Security be running for President in twenty years as a spoiler, handing the election to oh, say, George P. Bush that time around?
    These comments and opinions are mine and mine alone, although they shouldn't be."

    Dear moderator: A joke about Ralph Nader isn't necessarily a flame, especially since Nader was mentioned right off the bat in the story post.

    --

    I see even classic Slashdot is now pretty much unusable on dial up anymore.

  5. Guerilla mod, part II by unitron · · Score: 2
    "Whoops, disqualification! (Score:1, Flamebait)
    by SumDeusExMachina (god_from_the_machine@*REMOVETHIS*hotmail.com) on 06:37 PM July 21st, 2001 EDT (#36)
    (User #318037 Info)
    making them less vulnerable to viruses and hacking ...
    Well, you can just forget about Linux getting included in this initiative. After all, it is the most hacked-on operating system. Just ask Alan Cox or Linus.

    "Everybody knows what's best for you" - Bad Religion"

    have karma, will burn

    --

    I see even classic Slashdot is now pretty much unusable on dial up anymore.

  6. Re:I like this quote... by Sloppy · · Score: 3

    How do they keep their jobs if they can't change a desktop computer's security settings?

    Most people who administrate networks are not full-time professional network administrators. It's only 5% of their job, and the other 95% of their job is something else.


    --
    As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
  7. Re:A good thing AND a bad thing by Sloppy · · Score: 4

    But when it comes to Java, web browsing and other stuff, locking it down will only frustrate users who are used to browsers just 'working' - Imagine if they get hammered with popups about enabling cookies, Javascript, Java, etc.

    Yes, but if they disable Javascript, then they don't get the aforementioned popups. Then, as far as the user knows, everything works just fine.


    --
    As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
  8. Re:car metaphores by sharkey · · Score: 2

    Probably waiting for you to log in.

    --
    "Outlook not so good." That magic 8-ball knows everything! I'll ask about Exchange Server next.
  9. Re:car metaphores by sharkey · · Score: 5

    "Hi, I'm Troy McClure! You might remember me from other User-Ed films such as "Why Mac Users Can't Handle More Than One Button," and "Web Browsers and Porn: The Origin of RSI."

    --
    "Outlook not so good." That magic 8-ball knows everything! I'll ask about Exchange Server next.
  10. Nah ah !!! by keepper · · Score: 2

    OH,
    I guess they are talking about all those other operating systems without FreeBSD securelevels.

    Read here


  11. "much like..safety standards for the car industry" by nakaduct · · Score: 4

    If this brings us closer to movie clips of computers slamming into barriers, I'm all for it.

  12. A very good thing by anticypher · · Score: 2

    Out of the box, most OSes have WAY too many services enabled. All of the manufacturers do this in the name of "Ease Of Use", another way of saying "No Security". Urging companies to tighten up their security out of the box will slowly make the internet a better place for all.

    Micro~1.oft is the worst offender, because they strive for the easiest to use systems possible. They also know that 99% of their user base have no clue about computers beyond point-and-click of the few icons scattered on the desktop. Other /.ers are covering the micr~1.oft topic in greater depth.

    Sun is also pretty bad, they've been shipping their OSen with tons of unnecessary services enabled by default. Every Solaris install has sendmail, FTP, telnet and dozens of RPC services running, and quite often the stable versions of those services are old and have scripted exploits.

    Many other OS developers are in the same boat. Default passwords for unused accounts, obscure services that only 1% of the users ever even know about, and wide open services are the norm at HP, IBM, Oracle, etc.

    Apple is one of the few shining examples of good systems, but that is probably less for altruistic reasons than for their user oriented paradigm. They concentrate on the desktop and user, and not on network facing services. OSX is nice, because even though the system is loaded with BSD utilities, none are enabled originally, and require user intervention to turn them on. The way all systems should be.

    This pressure group has been needed for more than a decade, because companies like Sun have blithely ignored all calls to tighten up their system from security experts and groups like Usenix and NANOG. Before, there were many voices saying the same thing, but never really united. It will be good to see name-and-shame lists maintained by a central group, then I can spend less time maintaining my own lists of evil services to destroy^Wcomment out immediately after an install.

    the AC

    --
    Hemos is like...sci-fi fans;he thinks technology is cool, but he hasn't bothered to understand the science it's based on
  13. Society and morals. by Ungrounded+Lightning · · Score: 2

    The primary reason people don't steal things randomly is because they don't want to get arrested. Yes, some people have morals, most of society -doesn't-.

    (Maybe where YOU live... B-) )

    Actually, most people are "good" or try to be. About one in 100 (between 1-in-50 and 1-in-200) are psychopaths (apparently a brain defect that corresponds to having no conscience). They generally won't be "good" unless they learn a set of rules that tells them how and find a reason that it's in their best interest to follow the rules, at least to the extent of not hurting others. Many of them do, but some don't. Another small chunk learns to be "bad" despite not having the problem.

    But these few "bad guys" can cause enormous havoc. So they have high visibility. So sometimes it seems like most of the people are "bad guys".

    --
    Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
  14. And when they DO mention it's Microsoft specific.. by Ungrounded+Lightning · · Score: 5

    ... has anyone else noticed how most every MicroSoft-related security gaffe is reported in such a generic manner that it takes the heat (and spotlight) completely off of Redmond?

    Yep.

    And when they DO report that a particular virus or attack only hits Microsoft software they make it sound like that's because the bad guy was out to get Microsoft, completely missing that Microsoft is both the biggest and the most insecure target.

    --
    Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
  15. least privilege by matman · · Score: 2

    I can't wait until distributions start shipping with ACL support, and installed files come with ACLs that are as restrictive as possible. Also, stuff like RSBAC's (www.rsbac.org) auth mechanism for fine control of setuid stuff and more fine-grained capabilities control will raise the bar and make it more difficult for attackers to exploit buggy server software. Hopefully it'll be soon :)

  16. Re:You know what would be good? by matman · · Score: 2

    Well, performance is important in a lot of situations. Businesses (often targets) will often choose performance over security simply because the cost savings are up front if you can run more on one box... security is one of those delayed savings things ("it won't happen to me" mentality). I agree that people should be using stackguard type things. I also think that we need to maintain least privilege concepts - don't let processes setuid to any user - restrict it (via rsbac), use ACLs to limit access to files to specific applications, run most programs under their own user, etc. This would stand to greatly limit the impact of buggy software.
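    Dwonis's remark above about root daemons that are only wrappers which setuid() to another user, and matman's "run most programs under their own user", both come down to dropping privileges correctly and irrevocably. The C below is an added example, not code from either poster or from any project named in this thread; it assumes POSIX setuid semantics (Linux, *BSD) and, when run as root, that a `nobody` account exists (falling back to uid/gid 65534 otherwise).

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE 1   /* glibc: expose setgroups() in <grp.h> */
#endif
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Irrevocably switch the calling process to an unprivileged uid/gid.
 * The order matters: supplementary groups first, then the primary group,
 * then the uid, because once the uid is no longer 0 the first two calls
 * would fail. Any privileged resource the daemon needs (a listening socket
 * on a low port, a log file under /var/log) must be opened before this
 * call. Returns 0 on success, -1 on failure with errno set by the failing
 * call; refuses to "drop" to uid 0 or gid 0. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (uid == 0 || gid == 0) {
        errno = EINVAL;
        return -1;
    }
    /* Clearing supplementary groups needs root; an already unprivileged
     * process is not allowed to call setgroups() and has nothing to clear. */
    if (geteuid() == 0 && setgroups(0, NULL) != 0)
        return -1;
    if (setgid(gid) != 0)
        return -1;
    if (setuid(uid) != 0)
        return -1;
    /* Verify the drop is real: if a saved set-user-ID of 0 survived, the
     * process could regain root later, which a wrapper must never allow. */
    if (setuid(0) != -1 || getuid() != uid || geteuid() != uid) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

/* Choose a target for the demo. As root, drop to "nobody" (constructed
 * fallback: uid/gid 65534). As an ordinary user, setuid() to our own ids is
 * permitted, which still exercises the "cannot get back to root" check. */
int drop_to_unprivileged(void)
{
    uid_t uid = getuid();
    gid_t gid = getgid();
    if (geteuid() == 0) {
        struct passwd *pw = getpwnam("nobody");
        uid = pw ? pw->pw_uid : (uid_t)65534;
        gid = pw ? pw->pw_gid : (gid_t)65534;
    }
    return drop_privileges(uid, gid);
}

int main(void)
{
    if (drop_to_unprivileged() != 0) {
        perror("drop_privileges");
        return 1;
    }
    printf("now running as uid %u, gid %u; setuid(0) -> %d\n",
           (unsigned)getuid(), (unsigned)getgid(), setuid(0));
    return 0;
}
```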

  17. Re:A good thing AND a bad thing by jesser · · Score: 3

    Ever tried to browse the web with IE set to the max security level? Lots of stuff stops working!

    Not only do things stop working, but IE continuously reminds you that you've made them stop working. All I did was disable ActiveX, and every time I visit a page with Flash, I get a window-modal dialog saying "Your current security settings prohibit running ActiveX controls on this page. As a result, the page may not display correctly."

    --
    The shareholder is always right.
  18. PEBKAC by Redking · · Score: 5

    Problem Exists Between Chair And Keyboard.

    No amount of pressuring of software vendors will make a difference. Did you look at the members list?!? No Microsoft, No Oracle, No SAP, No Computer Associates, No Adobe, No Red Hat...hmm, pretty weak IMHO. If the vendors really cared, they would already be members in the CIS and not have to be "pressured".

    Back to my initial acronym, PEBKAC. It's the weakest point in the chain of security. How many people do we know write their passwords in easily located places? How many people do we know download anything (directx updates, flash, Comet Cursor!)? How many people do we know still give out AOL passwords, even though the Instant Messenger windows have warnings not to give out passwords? Even if software security settings are the highest, social engineering will always be able to bypass wetware security settings. I'm not even going to mention exploits in software, just read BugTraq.

    Lastly, the car analogy doesn't hold up. You don't tell car manufacturers to build tanks because people are speeding and/or driving drunk. You educate them and if necessary, punish them. True, anti-lock brakes and airbags are standard in almost every modern car available today, but automakers only put them there because of pressure from the insurance industry. But do people still die from automobile accidents? Unfortunately, yes...again, PEBSWAC (Problem Exists Between Steering Wheel and Chair).

    redking

    --
    Rangers Lead the Way!
    1. Re:PEBKAC by Dutchie · · Score: 3
      Euhhhh... doesn't PEBKAC relate to cybersex then?!?! Maybe your acronym is slightly uhh uhm.. never mind :)
      --
      "Imagination is more important than knowledge." -- Albert Einstein
  19. Intel doesn't write software?!? by El · · Score: 2

    Actually, Intel DOES write a lot of software, including their own programming languages, C compilers, development systems, and a surprisingly large portion of what ships with Windows, including the Winsock 2 implementation for Win98! In fact, I'm willing to bet that less than 1/3 of what we call "Windows" is actually written by Microsoft, in much the same way that very little of what we call "Linux" was originally written by Linus...

    --

    "Freedom means freedom for everybody" -- Dick Cheney

  20. Re:A good thing AND a bad thing by mazur · · Score: 2
    Security issues should be addressed by software vendors in such a way that it is transparent to the user. While this is difficult, it can be done (e.g. Mac OS X hiding root from the user while still providing multi-user UNIX security).

    Until software vendors can provide the user with a computing experience that is at least as trouble-free as the current situation, tying the user's hands with more secure software won't do anything other than piss him off.

    And, after the third time trying to find which security feature has to be turned off so he can do what he wants (each time having turned off several features before finding the right one, though he leaves the others turned off just to be sure it keeps working), Joe Average Enduser turns off ALL security in one fell swoop, so as to never be hindered by them ever again. J.A. Enduser hasn't an inkling what each feature is about, and "frankly, my dear, I don't give a damn."

    Net result: less security than even the little now achieved.

    Oh, wait, let me guess: this idea comes from Gates, who has realised that as long as there's an internet, he can never beat the free software people. So step 1: Make sure the default setting on any computer by law makes internet a dud, step 2: J.A. Enduser opens up his computer so wide the crackers will destroy the internet, and this time M$ doesn't get the blame. Brilliant!

    The end of the 'net: Film at 11.

    Stefan.

    --
    The truth shall make you fret. (Ankh-Morpork Times motto)
  21. Re:You know what would be good? by Tom7 · · Score: 2

    I agree, but buffer overflows and format strings are the most common ones, and the ones which most easily lead to exploits.

    Calling shells with untested user-provided parameters (e.g. 'filename; rm -rf /').

    Yes, though this is typically only done in interpreted languages, like perl. Compiled languages (Java, O'Caml) are more likely to use execv-like system calls.

    Constructing filenames out of untested user-provided parameters (e.g. ' ../etc/passwd' - there should be more of '../' but Slashdot does not like that).

    True. This one usually doesn't lead to a direct compromise of the host, though.

    Not limiting resources (=> DoS Attacks); note that 'secure' languages are much more prone to that error because programmers usually don't care about size...

    Yeah, this is a good point. In fact, I bet my ftpd is more vulnerable to DOS attacks than wu_ftpd. (I think the user would have to commit as many resources sending data as I commit to receiving it, though.) However, DOS attacks are much less serious than compromises of the host.

    Trigger bugs in the environment (interpreter, compiler's RTL).

    Scripting languages: Constructing programme code including user-provided data (e.g. with perl's eval statement).

    Yes.. for this reason and the first one, I think scripting languages are also inappropriate (though not as inappropriate as C) for network applications and security-critical work.

    My overall point is -- if we can *automatically* get rid of the biggest class of security problems, why aren't we doing it? We can use the time we save checking for those bugs (and patching them) securing the programs in other ways, or perhaps optimizing them so that we get the speed some claim is necessary.

  22. You know what would be good? by Tom7 · · Score: 5

    Awright, soapbox time!

    Redhat, or someone who makes a user-oriented linux distribution, should put together standard internet services which are written in a higher-level language than C. Perhaps they will not be super high-performance, or perhaps they will not have the advanced features of sendmail or bind that most users don't use. But if they're written in a safe language like Java or O'Caml (or, to a lesser extent, scripting languages like Python) we will see the largest class of security holes vanish overnight -- buffer overflows. (Also, format-style bugs, too!)

    Though I don't necessarily think this would slow them down -- even if it did, I am guessing that most people would take security over speed any day. I certainly would; hardware is cheap but my time patching and responding to incidents isn't!

    I know that C is highly regarded as a systems programming language; it has many useful features in this respect. But it happens to encourage some idioms which are entirely inappropriate for network or security-critical applications. It's really not that hard to do systems programming in other languages. I kept saying this and people kept arguing with me, so I rewrote ftpd in SML. It only took me a few days; maybe a bigger team or better programmers could crank these out even faster. Here is the source code. (Also identd and fingerd.) These are not as featureful as their standard counterparts, but they are much much shorter, and buffer-overflow free.

    If they can't do that because it seems like too much work (I believe moving to a more modern language would be worth it anyway), why aren't they at least compiling their default installs with stackguard? This is so easy to use, and makes exploiting buffer overflows so much more difficult. The speed loss is imperceptible and existing code carries over.

    Let's leave the last 30 years of the last century behind us and move to a world without buffer overflows! If we do this, we can perhaps spend less time worrying about security (our current practices are NOT WORKING, by the way) and start worrying about more important things!

    (Yes, it's true that the sshd problem is just dumb coding and is not C's fault. However, most of the rest of this year's, and last year's big security holes come from buffer overflows. Viz: Code Red worm, BIND exploits, wu_ftpd exploits, etc...)
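    Tom7's ftpd argument above rests on the fact that a C daemon has to bound every copy of client-supplied data by hand, and that a single missed bound is an overflow. The block below is an added illustration, not Tom7's code or any real ftpd: a constructed FTP-style command line parser that shows the unchecked idiom beside a bounds-checked version, plus the literal-format logging call that avoids the format-string bug he also mentions. VERB_MAX, ARG_MAX and the sample lines are made up for the demo.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define VERB_MAX 8    /* FTP verbs are 3-4 letters plus NUL; constructed limit */
#define ARG_MAX  64   /* constructed limit for the demo */

/* The classic unsafe idiom: "%s" with no width limit writes as many bytes
 * as the client sent, so a 200-byte argument overruns 'arg' on the stack.
 * Shown for contrast only; nothing below calls it. */
void parse_command_unsafe(const char *line, char *verb, char *arg)
{
    sscanf(line, "%s %s", verb, arg);   /* no bounds at all */
}

/* Checked version. Strips the trailing CRLF, accepts only an alphabetic
 * verb and a printable argument, and rejects (rather than truncates) any
 * line whose verb or argument would not fit, so 'verb' and 'arg' are
 * always NUL-terminated and in bounds. Returns 0 on success, -1 on a
 * malformed or over-long line; the caller should answer "500" and drop it. */
int parse_command(const char *line, char *verb, size_t verb_len,
                  char *arg, size_t arg_len)
{
    size_t n = strcspn(line, "\r\n");   /* length up to the line ending */
    size_t i = 0, j = 0;

    while (i < n && isalpha((unsigned char)line[i])) {
        if (j + 1 >= verb_len) return -1;          /* verb would overflow */
        verb[j++] = (char)toupper((unsigned char)line[i++]);
    }
    if (j == 0) return -1;
    verb[j] = '\0';

    if (i == n) {                                   /* verb only, e.g. QUIT */
        if (arg_len == 0) return -1;
        arg[0] = '\0';
        return 0;
    }
    if (line[i++] != ' ') return -1;

    j = 0;
    while (i < n) {
        unsigned char c = (unsigned char)line[i++];
        if (!isprint(c)) return -1;                 /* control bytes: reject */
        if (j + 1 >= arg_len) return -1;            /* arg would overflow */
        arg[j++] = (char)c;
    }
    if (j == 0) return -1;
    arg[j] = '\0';
    return 0;
}

/* Logging the parsed line: the format string is a literal. Passing client
 * data as the format itself (printf(line)) is the format-string bug. */
void log_command(const char *verb, const char *arg)
{
    fprintf(stderr, "cmd=%s arg=%s\n", verb, arg);
}

/* Helper for checking results: 1 if 'line' is accepted with the expected
 * verb/arg, 0 if rejected, -1 if accepted but parsed differently. */
int parse_expect(const char *line, const char *want_verb, const char *want_arg)
{
    char verb[VERB_MAX], arg[ARG_MAX];
    if (parse_command(line, verb, sizeof verb, arg, sizeof arg) != 0)
        return 0;
    return (strcmp(verb, want_verb) == 0 && strcmp(arg, want_arg) == 0) ? 1 : -1;
}

/* Constructed over-long line: "USER " followed by 105 'A's, well past
 * ARG_MAX. Returns what parse_command says about it (-1 expected). */
int overlong_line_result(void)
{
    char line[128], verb[VERB_MAX], arg[ARG_MAX];
    memset(line, 'A', sizeof line);
    memcpy(line, "USER ", 5);
    line[110] = '\r'; line[111] = '\n'; line[112] = '\0';
    return parse_command(line, verb, sizeof verb, arg, sizeof arg);
}

int main(void)
{
    char verb[VERB_MAX], arg[ARG_MAX];
    const char *sample = "user alice\r\n";          /* constructed client line */
    if (parse_command(sample, verb, sizeof verb, arg, sizeof arg) == 0)
        log_command(verb, arg);
    printf("over-long line result: %d\n", overlong_line_result());
    return 0;
}
```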

  23. Re:Very Bad idea. by Stephen+Samuel · · Score: 2
    You don't actually force them to do much of anything, you just open them up to lawsuits if they make a seriously insecure system the default.

    At the very least, what you need to do is make it so that the highest security level is clearly available for the default install. Much like the RedHat Firewall stuff in 7.1, that brings a pop-up that gives high-security as an option... (though a not terribly workable option if you actually want your machine to talk to the world much).

    There's the old adage that the only fully secure system is encased in cement (unplugged) and sitting at the bottom of a lake -- and that presumes you can control physical access to the lake.

    One of the fights for secure systems is to balance usability with risk. The most usable systems have little or no security. The most secure systems tend to have their usability curtailed.

    Then there's Windows, which is neither very secure nor very usable -- and the two may be related.
    --
    Free Software: Like love, it grows best when given away.
  24. Logical solution by Animol · · Score: 2

    Well, it's nice to know someone's looking out for our safety. We wouldn't want 31337 H4X0RZ all over us. Now, we have an anti-terrorist force of 31337 50F7W4R3 6U4RD5 out to protect us.

    --

    "I'm not even supposed to BE here today!"
  25. Re:A good thing AND a bad thing by rgmoore · · Score: 2
    Security and usability are at the opposite ends of the computing spectrum.

    That may be somewhat true, but it doesn't mean that there's necessarily a linear tradeoff between security and usability. For instance, turning off by default services that only advanced users will want to have available is a pretty good idea. Ordinary users aren't going to notice that they're missing anything, while the advanced users will be smart enough to know which things to turn on to get the services they want. The tradeoff there is a tiny bit of usability for a lot of increased security, which is a good deal.

    Similarly, switching from a well designed single-user to a well-designed multi-user system should increase security quite a bit without excessive difficulty for the users. Users will still be able to do the kinds of things that they want without risk of their files being read/clobbered by another user. When they try to shoot themselves in the foot, though, the system kindly steps in and tells them that they need help from a sysadmin to do that. I find that this is nice even on my personal system that I don't share with anyone else; I've probably saved myself more grief by having a safety mechanism there to prevent stupid errors than the time wasted by su-ing to root.

    --

    There's no point in questioning authority if you aren't going to listen to the answers.

  26. DMCA violations? by Louis_Wu · · Score: 2
    The group is developing a minimum security standard for computers connected to the Internet that vendors can follow and offering free tools for computer users and network administrators to test the security levels of their systems.
    Doesn't this violate the DMCA? No 'hacking' tools allowed, no reverse engineering, etc. Wouldn't a security checking tool tend to violate the DMCA?
  27. Re:good in theory by Louis_Wu · · Score: 2
    I don't think that the goal is to get the government to require secure computer systems. Granted, whenever there is a "safety issue" the government tends to get involved and try to "help", but the Center for Internet Security seems to want industry partners to help each other.

    See their Charter's section on Participants in the Process, there are a few government agencies involved, but they are there in capacities which can only be filled by them. The FBI is the best to ask about how to collect data which can be used in a court of law, and one aspect of security is "get the bad guy" after he's done his deed. So why not ask the FBI how you can best support their efforts to find the guy who screwed you? Then there are the various secret-type agencies who are rather good at testing and classifying systems based upon security, so they might be good to talk to when establishing benchmarks.

  28. In other news ... by Louis_Wu · · Score: 2
    In other news, the automotive industry has taken a cue from the software industry and implemented what it is calling "End Driver Agreements".

    Head of the Automotive Licensing League, Bob Smith, "These agreements allow A.L.L., as providers of world-class transportation devices, to offer our customers a quality product, at a reduced price. Most of our Drivers will not notice any change in their Driving Experience (TM), only a decrease in the price they pay for our top-tier products. We manage this amazing feat by removing only one feature, a feature which almost no one uses, and which costs exorbitant amounts of money. With this near-useless 'feature' removed, we can produce our world-famous transportation solutions at a reduced cost, and pass the savings on to you, our valued Drivers."

    Opponents of the new EDAs claim that people who purchase a car and sign an EDA forfeit any and all rights to sue the car manufacturer. These opponents further claim that if EDAs were in wide-spread use, car manufacturers could all reduce the amount of money they spend on safety features and safety research, and victims of the resulting accidents would have no legal recourse. The A.L.L. spokesman denied these allegations, and that's good enough for this reporter.

    So stop complaining and sign the Agreement.

  29. Re:How will anyone... by krappie · · Score: 2
    I'm sure you're serious. Look at the security bar in IE. They even give descriptions like "The safest way to browse, but the least functional."

    Also, check out setting a custom security level. It gives you a list of features to enable or disable. Apparently, increasing the security in their security bar is the exact same thing as removing functionality.

    Think of Microsoft's solution to Outlook to protect against those 'viruses' like the "I Love You". They came out with a patch to disable receiving files with certain extensions. Like not being able to receive *.exe, *.vbs. It was a long list, but it really shows how Microsoft views security, and what they would do if they shipped their products at their 'highest security level'.

  30. Re:How will anyone... by MrBogus · · Score: 3

    The Outlook solution was essentially correct. It put a security wrapper on Outlook's COM API which should have been there in the first place, but all that adds up to is another warning prompt for the user to ignore and press OK.

    The root level problem is there's nothing you can do if the user insists on executing things they find in their inbox. There's a hundred ways to send mail that don't involve Outlook APIs. So, solve the root problem and get rid of executables in mail. Smart shops are probably already doing this on the server level. (And yes, it does suck that you can't turn it off.)

    --

    When I hear the word 'innovation', I reach for my pistol.
  31. car metaphores by rchatterjee · · Score: 5

    Does this mean if I run my processes at too high a runlevel and get caught I'll have to go to a school and be forced to watch a video called "Core dumps on the hard drive" to clear my record?

  32. good in theory by unformed · · Score: 2

    but won't work, once the DMCA is in wide use.

    The primary reason people don't steal things randomly is because they don't want to get arrested. Yes, some people have morals, most of society -doesn't-. (Yes, I look down on my fellow man.)

    As soon as it becomes commonplace (as if it hasn't) to censor any "subversive" behavior, any intelligent thinking, and any questioning of various standards (ie: PDF security), even for truly and purely intellectual reasons, ... as soon as that happens, people will come to accept and believe in the law. Right now, we still have a taste of freedom, and so we fight the laws, as it's civil injustice. What about in another 10 years? Sure some people will still fight; the majority will just accept it.

    Don't get me wrong, I am not saying we should stop fighting. But trying to make a law to demand security won't work, because many people still believe in "security through obfuscation", and in that case it becomes a matter of either perspective or time. (The Vigenère cipher was considered unbreakable in its time, now..well it'll take a few moments).

    We should push this, but more importantly continue fighting (and more aggressively) for the repeal of the DMCA. If the DMCA stands, a pressure for security will have absolutely no effect.

    My penny's worth....

  33. How about some liability as well... by jesseraf · · Score: 2

    If engineers design bad brakes, they'll get sued when someone receives "damages" from their product. When software manufacturers design bad software, their licensing agreement saves their ass.....

  34. Re:A good thing AND a bad thing by I'm+Spartacus! · · Score: 2

    Agreed. Security and usability are at the opposite ends of the computing spectrum. The average computer user has enough trouble maintaining and using a computer running Windows (or a Mac) as it is. Passing the burden of security along to the user is, IMO, a bad idea that will only lead to frustration.

    Security issues should be addressed by software vendors in such a way that it is transparent to the user. While this is difficult, it can be done (e.g. Mac OS X hiding root from the user while still providing multi-user UNIX security).

    Until software vendors can provide the user with a computing experience that is at least as trouble-free as the current situation, tying the user's hands with more secure software won't do anything other than piss him off.

    --
    "War is God's way of teaching Americans geography." -- Ambrose Bierce
  35. I like this quote... by WebMasterJoe · · Score: 2
    While those settings on operating systems and other software can be changed, most computer users and many network administrators don't know how to do that, Kreitner said.

    Many network administrators don't know how to change security settings on desktop machines (which are usually some flavor of windows)??? How do they keep their jobs if they can't change a desktop computer's security settings?

    The scary thing is, it's probably true. I thought back to my college days and all my fellow CIS majors (computer info. systems). A lot of them couldn't use windows, understand "for" loops or update a printer driver, yet they got their degrees. And they are the ones who use Windows NT and IIS and Outlook because it's so damn easy to install and everything has a pretty icon for it ("ooh! a picture of a person means this icon lets me add people to the PDC... what does PDC mean?"). Not to mention they probably believed Microsoft got to the top because they made the best product, and unix is old so it must be bad.

    So considering that the quote above probably has some scary truth to it, maybe we should focus more on idiot-proofing the Network Administration population, and less on idiot-proofing servers with more security installed by default. Remember, if it's installed by default, it will always be the same solution- and that's easier to hack than a security setting that is set by each individual sysadmin. Example - If a particular Linux distro by default installed the very strong root password of H8&^h3{ew and a user called user1 with password D4s^Je0* on every machine, wouldn't some less intelligent sysadmins keep those on there, figuring it was pretty strong? Then some beginner hackers could search the web for that flavor's default apache page, telnet the IP and root the machine! Just an example, but meant to point out that installing high security by default could backfire, and usually a better solution is fewer idiots, not more idiot-proof machines.


    --
    I really hate signatures, but go to my website.
  36. A good thing AND a bad thing by baptiste · · Score: 5
    Must .. resist .. Micro$oft .. bashing ....

    OK - Now that I've calmed down....

    While I think this is a great idea, I worry that this will cause problems for average users AND I doubt vendors like Microsoft will bother. Ever tried to browse the web with IE set to the max security level? Lots of stuff stops working! RedHat did the right thing w 7.x by locking down most services so you had to open them up if you needed ftp, telnet, etc. But when it comes to Java, web browsing and other stuff, locking it down will only frustrate users who are used to browsers just 'working' - Imagine if they get hammered with popups about enabling cookies, Javascript, Java, etc.

    I'm not saying that this is a bad cause, it's a noble one, but it seems that much more work needs to be done on the underlying security risks of certain platforms vs. just running them at a 'secure' level.

  37. Could this be the end for Milhouse? by BreakWindows · · Score: 2

    Hasn't anyone picked up on the fact that this company pushing to "secure and protect us", is one of the major companies just looking for an excuse to implement CPRM (the free software killer) on our computers?

    Hmm....spooky. I wonder what a good way to stop "virus-infected pirated software" will be...

  38. Sample 'Pressuring' by Dutchie · · Score: 2
    Dear Company X, We have noticed your software does not ship with ROT-13 encryption. We must STRONGLY urge you to enable your ROT-13 encryption by default so the world will become a more secure place!!
    --
    "Imagination is more important than knowledge." -- Albert Einstein
  39. Oh, fnord joy... by Zen+Mastuh · · Score: 2
    I distrust fnord someone like fnord Nader, who has never held a fnord "real" job in his life

    Were you going for an ad hominem attack here? Consider this: Is CEO a "real" job? Nader and other consumer advocates are at least responsible enough to do for consumers what consumers should be doing for themselves.

    , and like knows less about computers fnord than the average marketer to now suddenly want to fnord author regulations for software production

    He's not trying to tell them how to design their products. He is making our government aware that there is a minimum acceptable level of safety for any and all consumer products. We all have become too complacent after years and years of buying and using defective commercial software. If you read slashdot at all, you will know how just how defective these products are and the havoc that they can wreak.

    --
    "What is the sound of one belly slapping?"