Slashdot Mirror

← Back to Stories (view on slashdot.org)

Unsafe At Any Runlevel

Posted by ryuzaki0 on from the mrs-smith's-bakeries dept.

joestump98 writes: "In an effort much like Ralph Nader's effort to increase safety standards for the car industry, The Center for Internet Security plans to pressure software vendors into shipping products with the 'highest security settings available, making them less vulnerable to viruses and hacking ...' Some of its members include Intel and Stanford. The best part is they will be releasing testing tools for all of the major operating systems, including Linux."

8 of 106 comments (clear)

  1. Re:A good thing AND a bad thing by Sloppy · · Score: 4

    But when it comes to Java, web browsing and other stuff, locking it down will only frustrate users who are used to browsers just 'working' - Imagine if they get hammered with popups about enabling cookies, Javascript, Java, etc.

    Yes, but if they disable Javascript, then they don't get the aforementioned popups. Then, as far as the user knows, everything works just fine.


    ---
    --
    As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
  2. Re:car metaphores by sharkey · · Score: 5

    "Hi, I'm Troy McClure! You might remember me from other User-Ed films such as "Why Mac Users Can't Handle More Than One Button," and "Web Browsers and Porn: The Origin of RSI."

    --

    --

    --
    "Outlook not so good." That magic 8-ball knows everything! I'll ask about Exchange Server next.
  3. "much like..safety standards for the car industry" by nakaduct · · Score: 4

    If this brings us closer to movie clips of computers slamming into barriers, I'm all for it.

  4. And when they DO mention it's Microsoft specific.. by Ungrounded+Lightning · · Score: 5

    ... has anyone else noticed how most every MicroSoft-related security gaffe is reported in such a generic manner that it takes the heat (and spotlight) completely off of Redmond?

    Yep.

    And when they DO report that a particular virus or attack only hits Microsoft software they make it sound like that's because the bad guy was out to get Microsoft, completely missing that Microsoft is both the biggest and the most insecure target.

    --
    Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
  5. PEBKAC by Redking · · Score: 5

    Problem Exists Between Chair And Keyboard.

    No amount of pressuring of software vendors will make a difference. Did you look at the members lists?!? No Microsoft, No Oracle, No SAP, No Computer Associates, No Adobe, No Red Hat...hmm, pretty weak IMHO. If the vendors really cared, they would already be members in the CIS and not have to be "pressured".

    Back to my inital acronym, PEBKAC. It's the weakest point in the chain of security. How many people do we know write their passwords in easily located places? How many people do we know download anything (directx updates, flash, Comet Cursor!)? How many people do we know still give out AOL passwords, even though the Instant Messange windows have warnings not to give out passwords? Even if software security settings are the highest, social engineering will always be able to bypass wetware security settings. I'm not even going to mention exploits in software, just read BugTraq.

    Lastly, the car analogy doesn't hold up. You don't tell car manufacturers to build tanks because people are speeding and/or driving drunk. You educate them and if necessary, punish them. True, anti-lock brakes and airbags are standard in almost every modern car available today, but automakers only put them there because of pressure from the insurance industry. But do people will die from automobile accidents? Unfortunately, yes...again, PEBSWAC (Problem Exists Between Steering Wheel and Chair).

    redking

    --
    Rangers Lead the Way!
  6. You know what would be good? by Tom7 · · Score: 5

    Awright, soapbox time!

    Redhat, or someone who makes a user-oriented linux distribution, should put together standard internet services which are written in a higher-level language than C. Perhaps they will not be super high-performance, or perhaps they will not have the advanced features of sendmail or bind that most users don't use. But if they're written in a safe language like Java or O'Caml (or, to a lesser extent, scripting languages like Python) we will see the largest class of security holes vanish overnight -- buffer overflows. (Also, format-style bugs, too!)

    Though I don't necessarily think this would slow them down -- even if it did, I am guessing that most people would take security over speed any day. I certainly would; hardware is cheap but my time patching and responding to incidents isn't!

    I know that C is highly regarded as a systems programming language; it has many useful features in this respect. But it happens to encourage some idioms which are entirely inappropriate for network or security-critical applications. It's really not that hard to do systems programming in other languages. I kept saying this and people kept arguing with me, so I rewrote ftpd in SML . It only took me a few days; maybe a bigger team or better programmers could crank these out even faster. Here is the source code . (Also identd and fingerd ). These are not as featureful as their standard counterparts, but they are much much shorter, and buffer-overflow free.

    If they can't do that because it seems like too much work (I believe moving to a more modern language would be worth it anyway), why aren't they at least compiling their default installs with stackguard ? This is so easy to use, and makes exploiting buffer overflows so much more difficult. The speed loss is imperceptible and existing code carries over.

    Let's leave the last 30 years of the last century behind us and move to a world without buffer overflows! If we do this, we can perhaps spend less time worrying about security (our current practices are NOT WORKING, by the way) and start worrying about more important things!

    (Yes, it's true that the sshd problem is just dumb coding and is not C's fault. However, most of the rest of this year's, and last year's big security holes come from buffer overflows. Viz: Code Red worm, BIND exploits, wu_ftpd exploits, etc...)

  7. car metaphores by rchatterjee · · Score: 5

    Does this mean if I run my processes at too high a runlevel and get caught I'll have to go to a school and be forced to watch a video called "Core dumps on the hard drive" to clear my record?

  8. A good thing AND a bad thing by baptiste · · Score: 5
    Must .. resist .. Micro$oft .. bashing ....

    OK - Now that I've calmed down....

    While I think this is a great idea, I worry that this will cause problems for average users AND I doubt vendos like Microsoft will bother. Ever tried to browse the web with IE set to the max security level? Lots of stuff stops working! RedHat did the right thing w 7.x by locking down most services so you had to open them up if you needed ftp, telnet, etc. But when it comes to Java, web browsing and other stuff, locking it down will only frustrate users who are used to browsers just 'working' - Imagine if they get hammered with popups about enabling cookies, Javascript, Java, etc.

    I'm not saying that this is a bad cause, it's a noble one, but it seems that much more work needs to be done on the underlying security risks of certain platforms vs. just running them at a 'secure' level

    --
    Top Most Bizarre/Disturbing Error Messages