Jay Beale On Overcoming Linux Security Holes

alpinista writes "Sorry, Redmond; according to Jay Beale, it's not yet time to throw away all those pesky insecure Linux boxes. Newsforge interviewed Jay and got some pretty straight talk from a guy that knows more that his share about OS security. In a nutshell: 'Beale's take on how you can make your system more secure, on the Linux vs. Windows security debate, and on the Digital Millennium Copyright Act's impact on security testing.'"

hmm

[hfastedge]

dont u usually upgrade things instead of throw them away...

Nice catch phrase.

ultimate security

Don't have the thing plugged in; to anything!

A few facts about Microsoft's OS may help.

[Futurepower(R)]

Some facts about Microsoft's OS may be helpful here in making a comparison:

English: Windows XP Shows the Direction Microsoft is Going..

Spanish: Windows XP muestra la dirección que Microsoft está tomando.

Re:A few facts about Microsoft's OS may help.

[duffbeer703]

That article is full of FUD and very misleading.

Suggesting that Windows XP is awful because it is easy to change a user's password if you have physical access is absurd. Has the dope who wrote this every head of "single-user mode" in Unix?

Similarly is the statement criticizing MS for not supporting ghosted system images without sysprep. If you do not use sysprep, the ghosted systems will have the same SID, which opens you up to all sorts of security vulnerabilites.

Microsoft is a shitty company, which plenty of legimate practices to criticize. If you need to use FUD when knocking Windows XP, you need to pursue a new line of work.

Re:A few facts about Microsoft's OS may help.

[slriv]

um...

single user mode require's root password...

Truth is... if *hacker* has access to physical box, you have no security. Nuff said.

The whole password protect grub etc might be useful to keep the uninitiated out of your box, but in so far as locking down your system, that's just silly.

With respect to Windows XP, 2000 et.al., When I look at companies developing server products and compare the companies with like products selling for the NT platform vs. the companies developing for Solaris/HPUX etc, it's very clear to me the distinction between the two. Sure, this is a generalization, but I've yet to see a scaleable multi-thousand user Exchange Server in production. Seems to me the NT crowd still doesn't get it, therefore it's a foregone conclusion that security is both misunderstood and not a significant concern.

Sam

Re:A few facts about Microsoft's OS may help.

[Lan-Z]

single user mode require's root password...

Uhm...no it doesn't. You can boot in single user mode, mount the drive then "passwd root".

Re:A few facts about Microsoft's OS may help.

[rthille]

Sure, you get get to single-user mode on my machines if you know the ROM password. Want real security? Buy a Mac or a 'real' unix box, like a Sun or SGI, or NeXT :-)

Not that the ROM checks the signature on the drive, so you can still get in if you can get to the drive, but having access to the console isn't necessarily access to the computer/drives.

Re:A few facts about Microsoft's OS may help.

[Black+Copter+Control]

I can mount the root partition on a SUN without the root password. It takes a bit more work, but I've done it a number of times. I teach solaris. From time to time a student will change the root password and forget what (s)he changed it to. I have two solutions to that problem: a backdoor root account, and the install CDs.

I"ve also done the same with NeXt's and older SGIs (haven't used IRIX for a while, so I can't vouch for current systems). I'm betting that I could do it on a Mac, too, if I really had to.

Bastille Linux

[agnosonga]

Linux.com: What's going on with Bastille Linux right now? Where's the project at?

Beale: Well, for readers who don't know, Bastille Linux is a hardening program. Basically, it's a tool that increases the security of a system in every way that we've thought to automate. This includes steps like reconfiguring DNS, Web, FTP and Mail servers for better security, but also includes single-machine or single network firewalls and port scan detection tools.

Now, our most recent piece of good news is that we're officially supporting HP-UX, making our name just slightly inaccurate. Then again, we probably started that trend a few years ago, naming ourselves after a defeated French jail!

you can get it here

Correctness

[norwoodites]

Why do people do not stop for a second and audit their code for correctness, like what the OpenBSD people have been doing?
Correctness will make security holes be very few and far in between.
Also the more eyes the better because someone can spot one problem somewhere that another would not spot.
I think for the linux kernel 2.8, correctness should be a priority. Also for glibc 2.4, and all other project's next version which should include Mozilla.

Re: UNIX single user mode

[i_am_nitrogen]

Any distribution worth its salt requires you to enter the root password to enter single user mode. There is the possiblity of adding init=/bin/bash or something to that effect to the LILO command line, but then, why didn't you use grub and protect the command line with a password?

Not to mention with encrypted filesystems, you can drastically reduce the risk of physical access allowing a user to take over a system. If a malicious user has physical access to a system that hasn't been physically secured, you have bigger problems than software security...

In summary, though, it's easy enough to put a complex password on every step of accessing the system (bios, lilo/grub, encrypted filesystem, login), and with access control lists, even knowing the root password might not get you full access.

Read the article more carefully.

[Futurepower(R)]

You seem not to have read the article carefully.

This is an amazing phenomenon. Someone takes a quick look at a 12,000 word article, finds one thing wrong, and says the whole article is terrible.

The article does seem to need some improvement, but it is mostly correct. I removed the section you complain about above, so that it can be re-written.

The point of the section about local security is to tell executives that they are getting less security than they think.

The free SysInternals.com SID changer works great.

Re:Read the article more carefully.

[vrt3]

Hey, I read the article too, and I don't think you're right. It's not that it's wrong, but it's a bit misleading at least?

Just one example: the section on the limited resources in Windows 95, 98 and ME. True, this is the reason for lots of the crashes I experienced when I still used 98, but it's not like it's hidden: 'OUT OF RESOURCES' or something to that effect in big ugly letters is hard to miss. And, by the way, it's not a plan to make it crash more often than it would have otherwise, it's just bad design.

And about the virtual memory system: though I doubt it, it might be as bad as the article says it is. But I'm not going to believe it is as bad as the article makes it out to be without supporting evidence. And for the record, the 2.4 kernel series are not known for their superb virtual memory implementation.

All in all, there might be truth in the article, but it's written in such an overblown way that I don't even want to read it all and check all the facts.

Thanks for your comments.

[Futurepower(R)]

Thanks for your comments.

I'm trying to improve the article. The reason I need the article is that I don't feel I can go to a customer and say bad things about Microsoft without casting doubt in a non-technical person's mind about my own competence. The article documents problems in a way that, hopefully, can be convincing.

For example, when a non-technical person goes to a U.S. government web site and discovers that the Federal Trade Commission told Microsoft to stop lying about their Passport service, they can become convinced that there may be a problem with abuse by Microsoft. Most people don't know Microsoft is abusive; they are far behind us.

It is a fact that non-technical customers experience crashes in Windows 98 SE that are caused by using more resources than the OS supports. To them, the reason for the crashes is hidden. There is no error message unless the computer is running the resource checker. (I can't remember the name, it's 1:20 AM.)

Re:Thanks for your comments.

[Yankovic]

Not to mention the fact that many many of the items are either not installed by default (MS DTC), do not require connection to MS computers in all but the rarest of circumstances (MMC), and some aren't even installed (Microsoft Baseline Security Analyzer). This is beyond the fact that many are just wrong (Fax Service does not require connecting to MS, etc). For every puported fact in the article, there are two other ways of interpreting the situation, and the author universally picks the wrong one. This is a FUD article, pure and simple.

another expert on OS security

[belbo]

Security Expert Gives Operating Systems Poor Security Grade

Favourite quote: "Windows is awful, but well, so is Linux."

b.

Re: UNIX single user mode

[Per+Wigren]

You can still use a boot floppy, unless you have turned off boot-from-floppy in BIOS and password-protected it.. But then you can still move that CMOS-reset jumper.. ;)

Encrypted filesystems are too slow to be usable in practice.. Encrypting only /etc and some specific dirs in /var would be nice though...

You'll be modded down to hell for sure

Don't post inconvienient facts like that. You'll make the baby slashbots cry.

it's all FUD

[wcb4]

Its all MS FUD, talking bout insecure linux boxes. Everyone on Slashdot knows that only Microsoft Windows is insecure. There is no such thing as an insecure linux box

OpenBSD

[TerryAtWork]

Ok - WHY is this going on? WHY isn't everyone who has a security situation not running OpenBSD?

Give me ONE REASON....

Re:OpenBSD

[zogger]

--the only decent reason I have read here on slashdot(that I recall readily) is so far no multi processor support, that the medium and larger servers need. It seems to have a decent following on single chipped machines though.

I haven't tried it yet, been working my way through various flavors of this or that until I decide on a favorite. But I like the philosophy of turned off until you turn it on, that open bsd espouses.

Re:OpenBSD

Why not OpenBSD? Managers have never heard of it, many are still only vaguely aware of Linux. Inform them you say? Usually doesn't work. Unfortunately in a great many companies, software choices are made by know-nothing managers, rather than informed techies (that's why Microsoft frequently targets managers for advertising rather than technical staff... not so stupid these Redmond people).

You make a sweeping claim...

[Futurepower(R)]

There is a tendency to read the technical issues and not read the accompanying text.

Are you saying the government is wrong when it says it told Microsoft not to lie about the Passport service?

You make a sweeping claim that I am guessing you don't actually believe.

Re:You make a sweeping claim...

[Yankovic]

No I read that bit. I agree there are components of your article which are true. But I have a paper that says 2+2 = 4 and also 4+4 = 6 and 5+5=11, certainly you would call into question the point of the paper (if any). Your paper's point seems to be to MS's current behavior, and then project future behavior based on that. The fact that most of your factual points today are wrong or grossly distorted seems to indicate that your conclusions would suffer the same maladies.

For example, you state that Windows 98 does not connect to MS computers where as XP can connect to MS computers in 18 ways. This is false. The most of the components you have listed as connecting under Windows XP ALSO can connect under Windows 98. But let's assume that you're correct and that these components don't connect under Windows 98. So what? How many components in DOS 6.22 had a TCP stack? Technologies change, and now that the internet is available (which was in limited scope in 1995-1997 when Win98 was first being built), you would think that they would adopt these components into their architecture. Wouldn't you?

Hidden downloads, etc are just FUD. There's little example of MS doing hidden downloads of any sort. And linking to 4 year old sites about people switching from Windows is great... if you want the story of one person moving. Generally, they have little credibility.

I am not saying anything about the government's case. I AM saying your conclusions are nearly universally wrong, misinformed and flamebait. Your article has little or no worth.

Hmmm - talk to the distro's

[tqft]

I just installed Mandrake 9.0 last night on my crappy PII. As a really slack user it was fine (hell it knew more about the sound card in there than I did).

However, after reading that article, and following a link or two, I realise a number of the articles I selected to be installed are a) of absolutely no use to me, b) are wasting disk space and c) open holes in my security.

Mind you until I run the winmodem rpm from http://www.heby.de/ltmodem
I won't have any linux internet security problem.

If the distro's (at least Mandrake in this case) took a little more care and asked a few pointed questions with yes no answers - eg

Will your isp or other host be providing a mail account or do you want this machine acting as a mail server? If you do not understand cancel the install or select web based mail.

Then no mail server would loaded unless you really needed it. And no sendmail holes. Same for Apache and a good whack of what ever else I clicked on because it looked like it might be fun to play with one day.

Perhaps a better question would be - I was in the idiots setup script - Do you plan to use this machine to just surf the net or host a web service?

Dumping sendmail, apache and whatever else would also make the install go faster and stop my girlfriend being so toey about me being on the computer "all night".

Re:Hmmm - talk to the distro's

I am way past the discussion here, but I can't help posting on this. I agree with the OpenBSD guy. The more I look at Linux as an Admin, the more work I see just fixing installs to do what I want. Most of the time I want a web server, a database server or a mail server, AND THAT IS IT.
The thing I understand more and more is that Linux is really built for the LUG users, who like to play but don't really do any serious work with Linux. Why is this?

Greater and greater dependence on Microsoft

[Futurepower(R)]

You missed the point of that section of the article. The point is clearly stated at the beginning. MS is moving people to subscription licensing and to greater and greater dependence on Microsoft.

Re:Greater and greater dependence on Microsoft

[Yankovic]

But this is not correct either! The contract that you purchase through MS for your copy of whatever is good forever. There is no expiration on the item that you purchased (read the EULA or contract). This is not directionally suggested by the fact that components connect to MS. I can run my laptop forever with never connecting to MS once! (Try it by blocking *.microsoft.com on your firewall). I only call this out as a single section of your article which is wrong... the entire piece is full of fallacies, that's just an example.

Re:Greater and greater dependence on Microsoft

[Futurepower(R)]

I think you are missing the point. The supplier of an operating system is in a position of trust. Microsoft did not publish the changes and ask for public comment. Instead, Microsoft invented a new protocol and designed numerous ways of connecting that are not documented. How do we know if there are vulnerabilities?

Microsoft has shown itself not to be a team player.