Slashdot Mirror


Sendmail Bug Tests US Dept Homeland Security

yanestra writes "CNET reports that the reported Sendmail bug has been a test for the US Department of Homeland Security which seems to have managed information flow in this case."

30 of 293 comments

  1. Where does this leave CERT? by mdb31 · · Score: 4, Interesting

    Interesting to read that the government is involved with this -- kind of makes you wonder what happened to CERT, which always used to coordinate public disclosure of and vendor response to bugs like this.

    The fact that CERT always seemed to do a decent job makes this even more interesting. The biggest criticisms voiced about CERT were that they acted too slow and didn't provide enough detailed information about problems (other than to acknowledge the general nature of it). How will the government do better in these areas?

    My guess is that the answer to the latter question is 'not much', and that we'll start hearing the same complaints about the Dept. of Homeland Security soon...

    1. Re:Where does this leave CERT? by gremlin_591002 · · Score: 2, Interesting
      My guess is that the answer to the latter question is 'not much', and that we'll start hearing the same complaints about the Dept. of Homeland Security soon...

      I don't want to sound paranoid, but if you complain about homeland security, or bypass their system, what makes you think you'll be around to complain about them for very long?

  2. Encouraging by Peter_Pork · · Score: 4, Interesting

    This is actually quite encouraging. Having an organization that deals with the painful process of contacting each vendor and major user of a program with a newly discovered vulnerability is a major improvement. They also seem to have the law behind them (is this true?), so we finally have someone that can force people to fix security holes. I don't quite like the homeland-security big-brother model, but it worked nicely in this case and got the job done, something pretty hard in the Internet jungle.

    1. Re:Encouraging by watzinaneihm · · Score: 2, Interesting

      I am not too sure of this.... , dhs has legal powers in the US, can force companies to do so in the US. Right now when a large chunk of software gets developed by US companies, this works fine.
      What happens when a non-US company/individual finds a bug? The information might be held back in the US for security reasons, but *might* break out outside. What would then happen is that US would be the most affected. Remember that a lot of the later viruses/worms were of non-US origin. In this case they got ISS to shut up, might not be true always.

      --
      .ACMD setaloiv siht gnidaeR
  3. I work for the government. by joe630 · · Score: 5, Interesting

    We all got notified to patch our systems immediately.

    Everyone is working together to get all the systems running sendmail patched.

    While this doesn't seem like a big deal in the corporate world, in the government world, all red tape has been removed and we can make changes to critical systems INSTANTLY.

    FIX FIRST, meet later. It's an entirely different attitude, and it allows me to do my job more efficiently. It works.

    1. Re:I work for the government. by sckeener · · Score: 3, Interesting

      FIX FIRST, meet later. It's an entirely different attitude, and it allows me to do my job more efficiently. It works.

      Gosh the exact opposite of that reminds me of NASA in the early 90s. A problem would happen. We'd have a meeting about the problem only to realize we needed another meeting to discuss the problem. Between the meetings to discuss the problem, we'd have a meeting to discuss the format for the next meeting. Of course in each meeting various contracting companies would be represented. The problem was always the fault of either A) the person or contract company not present at any of the meetings (hence why they have so many meetings) or B) the person to the left while sitting around a table.

      I never knew how the problems were solved. I never saw any solutions at the meetings. It's my belief that NASA has trained MICE doing the repairs for slices of cheese.

      --
      "Only one thing, is impossible for god: to find any sense in any copyright law on the planet." Mark Twain
  4. Homeland Security by benjiboo · · Score: 3, Interesting
    Are homeland security responsible for any tech security, or does that fall under the realm of CIA/FBI? (Forgive me, I'm not from the US.)


    The reason I ask is because this type of co-operation with public defense organisations and the private sector is likely to become much more important as we come to rely more on these technologies, OR if we ever see any kind of cyber-terrorism. Ideally there would be a single point through which relevant information flows - as hinted at in the article, any leaks could be a problem.


    Do these agencies have a reputation for hiring good security people?

    --
    Vacancy for signature. Apply within.
    1. Re:Homeland Security by Angry+White+Guy · · Score: 2, Interesting

      No, they have a reputation for recruiting good security people. I don't think they accept applications.

      --
      You think that I'm crazy, you should see this guy!
  5. What about international software? by bigberk · · Score: 5, Interesting

    Is the U.S. Department of Homeland Security also going to try and take care of software developed internationally?

    For example, it seems that a lot of OpenSSH development is done in Canada and Germany. And the server is run out of Canada.

    The OpenSSL team looks primarily international too (UK, Germany, Sweden, New Zealand). Their server is managed by Brits and Swedes.

    Actually... I think you'll find that a lot of crypto software is based outside the US. Probably due to constraints placed on crypto development in the last decade.

  6. Re:Why does sendmail still in use? by Oculus+Habent · · Score: 4, Interesting

    Windows always has been and always will be a security risk.

    Superior alternatives exist... so why is anyone still using Windows???
    --
    Sure Joe runs sendmail, and sendmail is insecure. But does Joe's server get attacked frequently? Chances are it probably doesn't. If it does, Joe may be looking into alternatives, or Joe may have found one already.

    Joe doesn't have the time to fix every potential threat. Joe probably installs patches and updates as frequently as possible, maybe even on a schedule. Joe does his best to keep sendmail from being a problem, and at the same time Joe tries not to waste time.

    If Joe were working for a huge company that depended heavily on its e-mail, Joe would probably spend more time on sendmail. But odds are Joe doesn't, and Joe is doing the best he can.

    --
    That what was all this school was for... to teach us how to solve our own problems. -- janeowit
  7. ISS - proven shills by Anonymous Coward · · Score: 5, Interesting

    Once again, ISS have let the community down. Instead of informing the vendors, or CERT, or even just posting to Bugtraq, they informed the USG first. As a result .mil sites had the patch four days before anyone else (so far as we know) were even aware that there was an issue. [Although they claim that they checked their private "sensor" networks, somehow I doubt they have better coverage than eg DShield.org.] This is unacceptable behaviour for an info-sec company that wants to be a responsible member of the community, and of course is just the latest in a list of behaviour that I at least consider unethical. I work for an ISS reseller outside the USA, and I will be exercising my influence internally to push for replacing the ISS products either with Free alternatives, or proprietary products from companies with a better grasp of their responsibilities. BTW we have several very big global clients.

  8. That's It! by eyeball · · Score: 2, Interesting

    That's it. I'm quitting the profession as soon as I can find something that pays just enough.

    This is the beginning of the end. It's not hard to imagine an "Office of System Software Security Review" or some other government group of 'experts' that mandates all software go through their security analysis. I'm sorry. I have enough trouble explaining my code and system architecture to corporate 'security experts' (the types that don't understand TLS/SSL or SSH, and insist that we use tcp_wrappers enabled tftp since it doesn't use plain-text passwords going over the network!).

    So the big question is, what do I do with my life now? Maybe open a Subway sandwich shop. Any other suggestions?

    --

    _______
    2B1ASK1
  9. Re:bleh by Oculus+Habent · · Score: 4, Interesting

    I think a timeframe needs to be established. Those who find exploits in programs have a moral obligation to let the maintainers of the program know first and give them a reasonable amount of time to fix the problem.

    But what is reasonable? A week? A month? What if the exploit is a deep flaw in the system, something that cannot be fixed?

    So, how long is long enough to keep an exploit from the general public? Does it depend upon the exploit, the company that makes the product, or the person who finds it? Is there a balance to be found?

    --
    That what was all this school was for... to teach us how to solve our own problems. -- janeowit
  10. Government is getting credit! by giberti · · Score: 5, Interesting

    I think it's interesting that the government is getting credit for working with the private sector in releasing information. Part of the point of open sourced software is so that bugs can be found and patched quickly. The CERT email I got yesterday afternoon had MANY patch sources listed by vendor (RedHat, Apple, Sendmail etc) and was timely. I don't believe that the pat on the back goes to Uncle Sam in this situation, but rather the folks at Sendmail who worked to resolve this issue in a timely and organized fashion. They released the information to those who needed to know (including the DHS) and worked on a solution to get this stuff out to the public.

    To quote Eric Raymond, "Given enough eyeballs, all bugs are shallow"

    Kudos to Sendmail for getting this taken care of.

    --

    AF-Design, web development.
  11. The elephant in the living room by RylandDotNet · · Score: 2, Interesting

    This is a nice, photogenic, easy dry run. Bully for DHS. But are they ready to get their hands really dirty and take on Microsoft? Patching Sendmail is easy - the OSS community wants to help, Sendmail themselves want to help. But somehow I think Microsoft is going to be a little tougher.

  12. Re:Why does sendmail still in use? by jc42 · · Score: 2, Interesting

    If you look closely, you'll find that there are quite a number of completely different programs now that are called "sendmail". It has been widely understood that the original sendmail program was an overly-complex beast that tried to do everything for everyone, and was probably not fixable in any general sense. So over the past 10 or 15 years, a number of other mail daemons have been written.

    Because there has been so much software installed that knows how to talk to the original sendmail, it has been common to make new mailers present the same UI to the world. This way, a new mailer can just be dropped in as a replacement for sendmail, and everything works.

    One of the oldest of these, written in the mid-80's, was called "smail". After a few releases, the authors listened to the complaints about the difficulty of installing it in place of sendmail. So they added code that checked argv[0], and if it was called as "sendmail", it interpreted its command line the same way as the original sendmail. It didn't do everything, but it had most of the functionality that was actually in use, and a simple ln command usually sufficed to replace the old monster with the new, smaller monster. This made it spread very quickly among systems whose admins were unhappy with the problems with sendmail. Others have since used the same approach.

    Most of the newer "sendmail" programs are quite a bit smaller and less bloated with featuritis than the old one. Of course, this means that they don't have all the bells and whistles. But it means that there are a lot fewer places for obscure security holes. And since most people just install sendmail and run it, and never learn to config it, this works pretty well.

    In effect, "sendmail" is now just a description of a set of command-line options used in the rc and cron scripts. If a mail daemon implements these, it can be dropped in as a replacement for whatever "sendmail" is there, and it'll do the job required on your system.

    On several systems, I've replaced sendmail with a small (100-200 lines) perl script that mimics all the functionality in use there. This has given me a large number of geek points among non-perl-hackers. I just grin and say something like "That's trivial for a true perl guru." They don't have to know that it doesn't take a perl guru to do such a job.

    This does bring up a significant question about this news item. When they talk about a "sendmail flaw", which sendmail are they talking about? Presumably it only affects one of the N sendmails that are in use.

    Of course, one interpretation of the push to install a "patch" is that this purported patch is merely a way of getting one specific sendmail clone installed as widely as possible. I'd guess that this "patch" is not, say, a set of source diffs, but is a binary. When you install it, you are replacing your current sendmail with a completely different program. Since the article refers to the Sendmail Consortium, this "patch" is probably a version of the original sendmail. When you install it, you have reverted to a version of the old, bloated sendmail, which probably now has zillions of security holes waiting to be discovered.

    The fact that they don't tell us what the security flaw was or how to test for it is supporting evidence that this is what they're doing.

    --
    Those who do study history are doomed to stand helplessly by while everyone else repeats it.
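
Added example, not part of jc42's comment and not taken from smail or any other mailer's source: a C illustration of the argv[0] dispatch described above, where a replacement mailer invoked as "sendmail" (or through the conventional mailq/newaliases links) accepts the classic sendmail options and refuses any it does not implement. The enum, struct and function names are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical modes for a drop-in mailer; names are illustrative only. */
enum mode { MODE_NATIVE, MODE_DELIVER, MODE_DAEMON, MODE_SMTP_STDIN,
            MODE_PRINT_QUEUE, MODE_RUN_QUEUE, MODE_REBUILD_ALIASES,
            MODE_UNSUPPORTED };

struct request {
    enum mode mode;
    int recipients_from_headers;   /* -t */
    int ignore_dots;               /* -i or -oi */
    int queue_run;                 /* -q or -q<interval> */
    const char *sender;            /* -f addr or -faddr */
    int first_recipient;           /* index into argv; argc if none */
};

/* Strip the directory part: "/usr/lib/sendmail" -> "sendmail". */
static const char *base_name(const char *path)
{
    const char *slash = strrchr(path, '/');
    return slash ? slash + 1 : path;
}

/* Pick a personality from the invoked name, then parse sendmail-style
 * options. Unknown options fail closed instead of being guessed at. */
struct request parse_invocation(int argc, char **argv)
{
    struct request r = { MODE_NATIVE, 0, 0, 0, NULL, argc };
    const char *name = (argc > 0 && argv[0]) ? base_name(argv[0]) : "";
    int i;

    if (strcmp(name, "mailq") == 0) { r.mode = MODE_PRINT_QUEUE; return r; }
    if (strcmp(name, "newaliases") == 0) { r.mode = MODE_REBUILD_ALIASES; return r; }
    if (strcmp(name, "sendmail") != 0) return r;  /* own native interface */

    r.mode = MODE_DELIVER;
    for (i = 1; i < argc; i++) {
        const char *a = argv[i];
        if (a[0] != '-') break;                    /* first recipient */
        if (strcmp(a, "--") == 0) { i++; break; }  /* end of options */
        if (strcmp(a, "-t") == 0) r.recipients_from_headers = 1;
        else if (strcmp(a, "-i") == 0 || strcmp(a, "-oi") == 0) r.ignore_dots = 1;
        else if (strcmp(a, "-bm") == 0) r.mode = MODE_DELIVER;
        else if (strcmp(a, "-bd") == 0) r.mode = MODE_DAEMON;
        else if (strcmp(a, "-bs") == 0) r.mode = MODE_SMTP_STDIN;
        else if (strcmp(a, "-bp") == 0) r.mode = MODE_PRINT_QUEUE;
        else if (strcmp(a, "-bi") == 0) r.mode = MODE_REBUILD_ALIASES;
        else if (strncmp(a, "-q", 2) == 0) r.queue_run = 1;
        else if (strncmp(a, "-f", 2) == 0) {
            if (a[2] != '\0') r.sender = a + 2;
            else if (i + 1 < argc) r.sender = argv[++i];
            else { r.mode = MODE_UNSUPPORTED; return r; }
        } else { r.mode = MODE_UNSUPPORTED; return r; }
    }
    /* A bare -q means "process the queue"; with -bd it only sets the
     * daemon's queue interval, so the daemon mode is kept. */
    if (r.queue_run && r.mode == MODE_DELIVER) r.mode = MODE_RUN_QUEUE;
    r.first_recipient = i;
    return r;
}

int main(int argc, char **argv)
{
    static const char *label[] = { "native", "deliver", "daemon",
        "smtp-on-stdin", "print-queue", "run-queue", "rebuild-aliases",
        "unsupported" };
    struct request r = parse_invocation(argc, argv);

    printf("invoked as %s -> %s\n",
           argc > 0 ? base_name(argv[0]) : "?", label[r.mode]);
    return r.mode == MODE_UNSUPPORTED ? 64 : 0;  /* 64 = EX_USAGE */
}
```

Because the personality is chosen from the invoked name, the file name alone does not say which mailer is installed; resolving the link behind the sendmail path does.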
  13. Maintain Obscurity!! by tacocat · · Score: 5, Interesting

    The one thing I didn't like about this article was the idea that this kind of process should be followed by everyone. This is what I saw as the process:

    1. Find a bug
    2. Tell only the owner.
    3. Keep it a secret until the owner comes back with a fix
    4. Now go tell everybody about the bug and the fix at the same time

    Here's the flaw(s) in this process:

    1. There is no interim action. While you wait for me to fix the bug, everyone in the world is vulnerable without the option of shutting down that service or taking additional safeguards against the bug. This could be days to months of insecurity. What makes you think DHS is always going to be the first to discover an exploit?
    2. I don't see how a Government Department is going to succeed where Public Voice has failed.
      • Microsoft has some huge security flaws in their browser that they have admitted will not be fixed in the near future. This is public knowledge. Public Voice has failed
      • Microsoft, as another example, has managed to avoid doing a lot of things it's supposed to by litigation. This can cause great delays in progressing a security notification.
      • Past practices by some companies is to sue the disclosures of bugs with a gag order. How will this be different? The government gets sued (and bought) all the time
    3. How is this process going to be handled when there is no Company supporting the code? I'm uncertain that this will be supportive in the OpenSource Model.

    I guess the biggest thing that I don't like about this is that idea that this model will support the Closed Source software model because of the arguments of:

    • What you can't see won't hurt you.
    • There's a great big company to yell at.
    • We (Govt and Corp) can talk in private. You open sources are all a bunch of security risks
    • If anybody tells of a bug early, they must be a terrorist.
  14. Timeline? by Marty200 · · Score: 3, Interesting
    FYI, this flaw was actually found in December [msnbc.com] and just reported yesterday, roughly two months later

    It would be interesting to see the time line on this... Did it take this long for the patch to be created or did it get left on someone's desk for periods of time before someone spent an hour making the patch?

    MG

    --

    Randomly distributing Karma whenever possible.

  15. Delete it, dumbass by metamatic · · Score: 2, Interesting

    No competent sysadmin runs sendmail. It's a huge pile of bug-filled crap that's nightmarish to configure.

    Install one of the many far-superior free alternatives that provide the same functionality. Exim, for example. Your applications that call /usr/lib/sendmail won't even notice.

    Well, unless they rely on broken header rewriting and slow delivery...

    --
    GCHQ Quantum Insert installed. If only our tongues were made of glass, how much more careful we would be when we speak
  16. getting into the "tarist" snitch business by zogger · · Score: 3, Interesting

    --CERT has been running this "survey" about "internal threats" that companies might have observed between two specific dates. Not from such and such a date until the survey is taken by any respondents, but between two exact dates. I looked, maybe I missed it, but I haven't seen a reason for picking the end date. I can speculate why that might be, but I'll let someone else do that.

    begin more generic rant

    Don't know about anyone else, but with patriot act 2 coming into law soon, where the government can just call someone a "terrorist" on their say-so, and with the definition just vague enough to apply to-just about anyone it appears- and that means they are now not under any civil protection or rights, I am wondering if they are starting to set up even more infrastructure to add to "the lists".

    Anyone who don't take the "lists" serious is someday gonna be waving bye bye from the back of a truck heading..someplace.

    When I was growing up, the stuff the US government is doing right now was something we were taught only "bad" places like East Germany did. And those bad places had a complete blend of bureaucracy, large corporations, and then the military and police. Everyone snitched on each other. Government had all the rights, you had none, even if some word drivel was printed on paper someplace, government ignored it. That's exactly what those bad places were.

    We were taught that was definitely "wrong".

    Now it's "patriotic".

    Yes, we have a need for some sort of law enforcement effort on the net, and it's there and quite frankly it's more than enough to function, the net is part of society, but what we are seeing now goes WAY beyond it. And now all these other weird things? Model toy rocket permits now but leave the border just wide open, millions of illegals a year free to just walk across? Huh? They are going to regulate or ban model airplanes, while they have been spraying HUGE amounts of weird crap over America for several years now and outright lying about it? Huh?? We have a MAJOR goon run CIA front company called "wackenhut security" running private prisons, running for-profit manufacturing efforts using prisoners, running some mental institutions, and now RUNNING ROADBLOCKS on the public highway? This just broke a few days ago, private security org manning roadblocks. Just THINK on this one. We have "secret" Total Informational Awareness efforts codified into law? Is there something about the word "total" that isn't understood? Forced collection of DNA samples at roadblocks? Taking hair and blood samples and you aren't going to be able to say NO? Collation of all purchase records? High level officials who just blatantly WARN YOU that if you are NOT 100% behind their efforts that YOU ARE A TERRORIST? And now they are taking over these internet efforts when it comes to security, telling people what they can and can't do, and this "they" guy will tell you when an exploit gets noted and "official" patches released? Huh? What's to stop them from eventually making little cute distinctions between what they release and what they don't, suppose "they" decide they would like a little pre-patch hacking so they can get into machines THEMSELVES. Maybe they JUST DID THAT, hmmm?

    sweet deal for them.

    I am against non disclosure of exploits in a timely manner. Waiting months is not timely. Anyone writing code now can review it before release. Anyone NOT knowing about "security" in general needs to stop and step back away from the keyboard and stop writing code until they "get it" on security, because GUARANTEED if this constant release of buggy code continues, and if people who maintain what are historical examples of just dismal exploitable code that should just be chucked out as lame don't voluntarily just admit it's buggy and pull it off the distribution mirrors, this government will start regulating all releases themselves, after a "review". They don't do it now, but they sure as heck could make it a law tomorrow. In my opinion, it's better to be able to not give them any more excuses. If that's what everyone wants, because known sloppy stuff keeps being used and released, this is what's going to happen. You are going to see licenses, you are going to see full governmental review of code, probably fees attached, stuff like that, I tell you, the internet is going to turn into an electronic "highway" whoops they call it that, so that means that this highway is going to be full of smokey the bears and roadblocks and regulations. And I am NOT kidding on that. We saw them just hijacking sites last week. I can see them starting to do that on a much larger scale. And if sites get hosted overseas, you know what, government will have no problems dealing with that, if anyone cares to notice, they have no problems going over stomping on other nations, they can control some wires if they choose to. Host at home, you are going to outfox them? Not when they can just call up your isp and have you dropped, then they send over some goons to pick you up once you are on the "suspicious" list. And they'll do some of these efforts from major backbones or routers if they have to, I am not so convinced that carnivore and such-like efforts only have the capability to just sniff.
/rant

  17. In this case, obscurity was best. by siskbc · · Score: 2, Interesting
    I agree, ignorance isn't always best, but here it worked. A few things about this "bug"

    It was old - years old - and to knowledge, never used as an exploit.

    It was found by a white hat - so this isn't a case of "the criminals having all the guns."

    Therefore, what are the chances that, though no one found the bug in five years, that both a black hat and a white hat will find the same exploit within 2 months of each other? Pretty much nil.

    As usual, the chances of an exploit coming out are higher if disclosed. So, in terms of a damage perspective, we have to compare two things: greater chance of attack if disclosed, or greater damage per attack if not disclosed from people not being prepared.

    In this case, since the chance of double discovery of this bug was VERY low, the chance of total damage was greater if it was disclosed, giving black hats a head start. So I agree with what they did, and given the scope of the project (patching all flavors of sendmail), two months ain't all that bad.

    Ultimately, the government doesn't really care about any RMS-style "info wants to be free" crap. They just want the fewest exploited boxes possible. In this case, their actions were pretty well correct. I don't think this will always be the correct action, so we'll have to watch them on other issues, including how they interact with OSS groups, should the need arise.

    --

    -Looking for a job as a materials chemist or multivariat

  18. Re:An Impressive Debut by Anonymous Coward · · Score: 1, Interesting

    You think this was about two weeks from discovery to release?
    How do you explain this:
    gpg --verify sendmail.8.12.8.tar.gz.sig sendmail.8.12.8.tar.gz
    Signature made Tue 11 Feb 2003 11:25:07 AM PST using RSA key ID 396F0789
    The code was fixed packaged and signed three weeks ago.
    It's one thing to hold off on release of the vulnerability
    until a patch is made, but it takes a special kind of group to wait
    three more weeks. I just built up a new mail server. I downloaded the code after the 11th
    of Feb. I never trust that the code I'm using is secure, but I require that I can trust the makers
    of that code to tell me the truth when they say this is secure to the best of their knowledge.
    I'll install this patch and then go look for some other MTA.

  19. Why FreeBSD is not dead by Anonymous Coward · · Score: 1, Interesting

    I run sendmail on a well connected server, and I'm patching my system of course, but I'm in no real panic to do so.

    Why? Because aside from hosing my sendmail, a hacker can't easily touch my box, even if they manage root access via this exploit.

    On my FreeBSD server, all services (web, ftp, mail, database, game servers, etc) are run in their own FreeBSD "jails" bound to aliased loopback IPs (127.0.0.200, etc) routed from the real world via nat and bandwidth restricted via dynamically weighted pipes. Hack my sendmail jail all you like, but at the end of the day you can only receive and send on mail ports and that's about it. So you got r00t; I care why, exactly? You can't do anything with it.

    My point here is that the old model of running all services in the host environment is the real problem IMHO. The alternative that most places seem to use is a service per-box, which adds its own set of problems. FreeBSD's jail system and similar change the game from, "OMG they hacked my server!", to, "Oh bother, they hacked my sendmail.".

    Ever since I've redesigned my server environment to be jail-centric, I've slept much better knowing I don't have to jump so fast every time some security issue comes up with one of the dozen or so services hosted on my server. "Oh, a sendmail exploit, how cute. I'll fix it this weekend, maybe next".

    AFAIK, this is something Linux can't match with any efficiency. -The closest I know of is User Mode Linux, which is overkill, resource hvy, and I'm not sure how safe it really is (I hand FreeBSD jail root accounts out without much fear).

  20. If you're not the US, this is bad by lpontiac · · Score: 2, Interesting

    Think about it, the Department of Homeland Security (and by proxy, the entire US Government) is getting a heads up on potential exploits.

    The US spies on its allies. If you're the Germans, then the NSA are the blackhats. Nobody but the US government themselves should feel more comfortable knowing that they're being informed first.

  21. Re:As if Ridge and by Anonymous Coward · · Score: 3, Interesting

    Umm... they did in fact have everything to
    do with this.

    The Homeland department contracted out the
    NCIP coordination to ISS, allowing them to
    hire programmers to do code review. As
    part of the NCIP review, this bug was found,
    and kept quiet for over a month while the
    government and industry got first crack at
    updates and patches.

    OK, it wasn't a government employee who found
    the bug, but it was a private contractor
    doing work for the government. (You don't
    really expect republicans to hire gov't workers
    when they can just contract out to industry
    do you?)

    And by the way, it wasn't Ridge that started
    this whole process. The Critical Infrastructure
    protection process started under Clinton.
    After 9/11, it all got moved under Homeland
    to coordinate with other agencies. (E.g.,
    the Department of Defense has known about
    this bug in Iraqi mail servers since last
    year....) Now THAT'S coordination.

  22. Re:Kind of laughable, really by anthony_dipierro · · Score: 2, Interesting

    They helped participate in the coverup though, didn't they?

    When the government comes to you and tells you to cooperate or face charges for aiding terrorism, what would you say?

  23. Conspiracy by Anonymous Coward · · Score: 1, Interesting

    Here is the problem with the Gov having first knowledge of security flaws in software. In an earlier post it was reported this flaw was found two months ago. Now the Gov knew about this flaw and had two months of time to create an exploit of their own and hack into Iraq's computer systems(If they use sendmail), or into some other russian civilians homes who are suspected of hacking themselves.

    This in no way is a good thing that the Government knows about these problems first.

    I WANT TO KNOW of these Problems first so I can protect myself from that self serving Government that I like so much!!!!

  24. non-american voice by warren69 · · Score: 2, Interesting

    That's great, do I really want a piece of software which has its security releases based on what is "co-ordinated" by the American government. Hello!?! Global community here. If companies like RedHat, yada yada want me to use their software I'd much rather an impartial international organization (RE: UN) to handle it.

    Furthermore, if I ever felt that the country I belong to were to ever be on opposite sides with the great USA, I might never buy the software for fear of having my support cut off, or, worse, I can definitely imagine; "hey we won't release this information until we take down all our enemies' networks!"

    So regardless of whether or not I belong to a country which is an enemy of the states, I can see that security releases would be delayed for the benefit of America, putting my network, and possibly government at more risk (assuming your government does not share this information with mine).

    So to the bit bucket Sendmail goes! Goodbye, and good riddance to your buggy American agenda software! (Luckily it isn't software I paid for.)

    --
    =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=
    Daniel
    http://people.cinn.ca/daniel/
  25. Re:Wow by Rasputin · · Score: 2, Interesting
    And it's taken them this long to set up a system like this. I'm glad Bush got his act together...

    What did they do that was valuable? What did they do that the existing services couldn't? The only thing they did right was they didn't pull an Ashcroft (ham-fisted intervention)...

    --
    "I once preached peaceful coexistence with Windows. You may laugh at my expense - I deserve it." Be's Jean-Louis Gass
  26. Differing Agendas by ColaMan · · Score: 2, Interesting

    As this has been mentioned a little bit in other people's posts, I'll ask the question too :

    Why should I (an Australian) have to rely on the "Department of Homeland Security" of another country for information regarding a sendmail patch?
    What if someone found a root exploit affecting 75% of say, Iraq's servers and reported it to the "Department of Homeland Security"?
    I wonder how long it would take for them to issue a release about that one? As far as I'm concerned , the body that looks after this sort of thing should be international and not have any majority government control, as otherwise they start acting in their own interests, and not the greater interests of the other technically competent people on the planet.

    (And "Department of Homeland Security" always has a weird , 1984-ish sound to me, hence the quotes)

    --

    You are in a twisty maze of processor lines, all alike.
    There is a lot of hype here.