Slashback: Public, Anecdotes, Conclusions
How many anecdotes? Drestin writes "Looks like all the flame mail and traffic to WinInfo for the recent 'Windows more secure than Linux' article prompted its author, Paul Thurrott, to reply with his opinion. He tells us to think with our heads, not our hearts."
Several readers complained about my original (since updated) headline, and they're all right. As Kathleen Ellis put it:
"I find this title to be rather misleading. Bugtraq is a security mailing list that happens to be archived on security focus' web site (it is also moderated by one of SecurityFocus' founders, but bugtraq content is not subjected to SecurityFocus editorial control), and WinInformant is really the one making the assertion, based on their analysis of Bugtraq list traffic. As an occasional SecurityFocus reader (and occasional writer), I am particularly concerned that your headline (and the attribution of the assertion to SecurityFocus) will make SecurityFocus look bad. As a professional in "the industry" and as someone who follows computer security very closely, I am confident most sensible members of the security community will quickly realize that the assertion is of extremely dubious merit and your attribution could make SecurityFocus look extremely foolish."
Here, why don't you pay? TheGeneration writes "Recently Salon had an article about public money being used to write private code (i.e., for a university). The article apparently moved Richard Stallman enough to write a response and opinion. Stallman cites his own reason for leaving MIT, such as his inability to write free software while under their employ. Stallman discusses ways to sidestep University control of free software, and how to get admins to allow software developed under them to be licensed as free software."
For your personal museum's display cases. airrage writes "As a follow-up to the early design docs for some of the earliest ATARI games. More fascinating is the 30 Secrets of Atari. Did Jobs ever do any work? Finally, the creator of ATARI's adventure has a web site. Check out his work on virtual nano-technology and his presentation on creating Adventure. They sure didn't have much to work with did they?"
Connecting everything to everything. seanadams.com writes: "Our company has just published the firmware source code for our SliMP3 Ethernet MP3 player, previously reviewed on Slashdot. The firmware, written entirely in assembler, includes our super-compact TCP/IP stack for the 8-bit PIC microcontroller. The license allows for non-commercial use, so I hope this will be of interest to PIC hackers! If you're interested in experimenting with Ethernet and TCP/IP on the PIC, we will have an integrated PIC+CS8900 module and development kits available next month."
Next stop is telepathy. ruvreve writes "An update to a previous article featured here on Slashdot. Wellington is offering not only city-wide gigabit ethernet, they are also offering wireless access. Currently it is still 11Mbps but plans are to make it 56Mbps down the road."
Not someone I'd want to mess with anyhow. yndrd writes "As a follow up to a previous Slashdot story about Harlan Ellison's feud with what he considers to be pirates of his work, Ellison has reached a settlement with Critical Path Inc. who will create software that enables Ellison to immediately delete postings of his work on the RemarQ service. The (somewhat) full article is here. He's still ready to rumble with America Online, the other party in his lawsuit."
The dirty side of quick n' dirty. nailgun writes: "http://www.maokhian.com/wireless/wap11.html has before-and-after oscilloscope traces of the spectra of a power-boosted (hacked) Linksys WAP. From the traces it is apparent that power-boosting does no good, since all (or nearly all) additional power is blasted out in neighboring frequencies. Boost your Linksys and you'll step on all other WAPs in the neighborhood. These are cool pictures too."
This took a survey to determine? An Anonymous Coward writes "Remember the Space Survey Thread? Where NASA was asking for our opinion on where to go in space? Well, the results are in. Lo and behold, we all want to go to Mars."
Ellison has reached a settlement with Critical Path Inc. who will create software that enables Ellison to immediately delete postings of his work on the RemarQ service.
I could barely give a crap about Harlan having ubercancel powers over Supernews's servers, except as it leads to this:
There's a reason that usenet servers almost never respect cancels, and that's frivolous cancelling. It's destroyed froups in the past. Now once Supernews engineers their servers to allow Harlan to cancel any posting he has a personal problem with, there's no reason why others can't also have this power. Universal Music Group will ask for the same thing, followed by all the RIAA. And so on and so forth.
If Critical Path gives it to them (and why wouldn't they?), Supernews will turn into a wasteland with as close to 0% binary completion as makes no odds. Harlan has gutted his chosen usenet service.
Next stop for me, Giganews. At least until Harlan gets to them.
I'd say one hell of a reason to say that linux is more secure, by a longshot, is the control you have over it. A hole exists in IIS, for example, allowing anyone to look at all files on your system. Crackers found the hole and decided to play with it. They might play with it for months, possibly stealing a heap of documents from you. Then someone else discovers it and publicizes it. How much more time before you get a fix from M$? They might first say it's not a hole. Then they'll admit it at some point. Then they'll get to the patch. During that time you either take the risk of leaving your server open, or accept downtime.
On Linux: first, there are people looking at the code of Apache out of Apache: it's so much easier to find holes by looking at the code than from the outside (which might be reason #1 that holes make it to things like Bugtraq more often!), so you have a good chance that more people will find the hole, which makes your chances higher that someone nice will be among the bunch, which means it's publicized more quickly.
Then you can very, very easily down- or side-grade to a version that doesn't have the hole, and in any case, chances are a new version will be out within hours!!!
So the chances of being cracked are very much lower. And I call that higher security.
Another thing to consider is the fact that you should look at the holes discovered in, say only a specific set of versions of Debian 2.2 for example. Then the # goes down significantly. Looking at all linux bugs vs windows bugs would be like having people running ALL builds of ALL windows versions around the world: wouldn't they find HEAPS and TONS of bugs and holes then?
If you want to be serious, look at Windows 2k vs Debian 2.2 (again, for example, you pick one), and look at bugs that would actually have had any time period in which they could have been exploited before a fix was available. They weren't serious about this.
Microsoft does a lot of things wrong, you don't have to go looking for trouble that doesn't exist. You just lose credibility.
Even with a script, some things are much more difficult to exploit than others. Some holes require local access, a specific set of configuration options, or some other timing aspect to key off of. For instance, heap-overflow attacks require that the overflowable buffer get allocated next to something interesting, which, depending on the program, may or may not happen the bulk of the time.
Compare this to a remote-root overflow vulnerability in telnet that merely requires sending 1000 bytes to in.telnetd over a remote link. No local account needed, no special configuration, and works every time.
So, I'd have to disagree with you -- some flaws are much harder to exploit than others.
This is why, for instance, people harden their machines in various manners -- making the root fs read-only, removing exec permission for the stack, /tmp (and in draconian circumstances) the home areas, and so on.
You lock down as many things as you can, making it less easy to script and mount an attack.
--Joe
Program Intellivision!
I never said that some flaws weren't harder to exploit than others, I just said that it is invalid to say that a system is secure because its flaws are "hard to exploit."
A heap-overflow attack can be executed repeatedly by a cron job, as can attacks that rely on modifying files created in the /tmp directory before they are used. Again, this is a less severe case because automated attempts like that are easier to detect, but it is still a security flaw that needs to be dealt with.
A hole that requires local access is less severe than one that does not, because it has a precondition. However, it is still serious, since it means that anyone who can compromise a local account can compromise the entire machine.
A hole that only occurs with a specific set of configuration options should not be counted as a distribution/package hole unless those are the options it ships with. Issues like this are the reason for the big disclaimer on SecurityFocus about not using the numbers to draw conclusions about the security of operating systems. Also, even given this, it's remarkably easy to write exploits. My home machine sees periodic queries that I'm pretty sure are testing to see if I'm vulnerable to the SSH1 bug.
I agree that hardening your machine (for instance, removing the exec bit from stack pages) is a great idea. I think one of the reasons Linux _is_ more secure than Windows is that it is both by default more hardened and easier to harden.
I suppose part of this is a question of what is meant by "hard." If you mean (as I thought the first responder did) that "it is hard to create an exploit that could work" then I think that that is invalid. However, if you mean "the probability of a well-coded exploit succeeding is reduced" then that does give you some measure of security. The second is the basis behind improving the randomness of sequence number generation in TCP, for instance.
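The "/tmp files modified before they are used" case the two comments above argue over is a local symlink race; here is an added example (not from either commenter) showing the weak creation pattern beside the hardened one, with a constructed scenario in which a symlink has already been planted at the guessable name. `PREDICTABLE_NAME`, `naive_write`, `hardened_write` and `demo` are hypothetical names chosen for this illustration.

```python
import os
import tempfile

# Constructed demo name: a fixed, guessable file name under the temp dir.
PREDICTABLE_NAME = "report.tmp"

def naive_write(tmpdir: str, data: bytes) -> str:
    """Unsafe pattern: fixed name, and open() follows a planted symlink
    and truncates whatever it points at."""
    path = os.path.join(tmpdir, PREDICTABLE_NAME)
    with open(path, "wb") as fh:
        fh.write(data)
    return path

def hardened_write(tmpdir: str, data: bytes) -> str:
    """Hardened pattern: O_CREAT|O_EXCL fails if anything already sits at
    the path (a planted symlink included), O_NOFOLLOW refuses symlinks
    outright where the platform has it, and mode 0600 keeps other local
    users from reading the contents."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    path = os.path.join(tmpdir, PREDICTABLE_NAME)
    fd = os.open(path, flags, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return path

def demo() -> dict:
    """Constructed scenario: another local user planted a symlink at the
    predictable name before the program writes. Returns what each pattern
    did to the victim file."""
    with tempfile.TemporaryDirectory() as tmpdir:
        victim = os.path.join(tmpdir, "victim.txt")
        with open(victim, "wb") as fh:
            fh.write(b"original")
        os.symlink(victim, os.path.join(tmpdir, PREDICTABLE_NAME))
        try:
            hardened_write(tmpdir, b"never written")
            hardened_refused = False
        except FileExistsError:          # EEXIST from O_EXCL: the race was caught
            hardened_refused = True
        with open(victim, "rb") as fh:
            after_hardened = fh.read()
        naive_write(tmpdir, b"clobbered")
        with open(victim, "rb") as fh:
            after_naive = fh.read()
    return {"hardened_refused": hardened_refused,
            "after_hardened": after_hardened,
            "after_naive": after_naive}
```

The same O_EXCL check is what `tempfile.mkstemp` does internally, which is why using it (with a random name) rather than a hand-built path under /tmp is the usual advice.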
Ouch! What a guy! From my perspective, that only enhances my view of Woz, and diminishes that of Jobs. He discovered Jobs probably screwed him, but prefers to make bygones be bygones. Maybe he's just naive, or maybe he's just a great guy (I really suspect the latter). I hope to be that big a man someday about folks who have screwed me over in my career.
More power to the Woz. He exudes hard work, talent, integrity, caring, and understanding. We should all do so well to live up to that.
I used to get a chuckle out of the Simpsons' line, regarding the US festival, "the guy from *what* computer?" But the guy was obviously trying to make a difference and have an impact on society back then, just as he does now in more personal ways through his teaching career. He's one of the few real heroes out there in this industry. I raise a glass to you, Woz...
-me
Love many, trust a few, do harm to none.