A Taste Of Computer Security
andrew_ps writes "Amit Singh has published on his KernelThread.com a paper (mini book really) on computer security. A Taste of Computer Security is a VERY comprehensive paper in what it covers, but is remarkably easy to read. This is not some list of "sploits" though! Topics covered include popular notions about security, types of malware, viruses & worms, memory attacks/defences, intrusion, sandboxing, a review of Solaris 10 security and plenty of others. Most notably it includes probably one of the most fair and intelligent analyses of the Unix-Vs-Windows security issue that I have ever seen."
For example, the bottom of this page shows a list of games that require Administrator authority to play. Why should administrator authority need to be granted to play a game? And to suggest granting Administrator access to people just so they can play them?
I have found no more powerful example of Microsoft's lack of commitment to security than this. I think this philosophy more than anything else contributes to the proliferation of destructive worms and viruses.
John
Windows enables things by default that enable exploits. This is done for ease of use. Users can make Windows secure.
*NIX disables things by default. This is done for security. Users could make *NIX insecure.
The number of different *NIXs makes it tedious to create viable exploits.
In spite of what the guy says, I think most of us already knew this stuff. Have I missed anything?
> Ok, so his thesis seems to be that Windows is insecure because it's too hard? Is
> this guy on crack?
> This isn't a fair analysis, it's just more "MS is teh gay linucks is
> awwwwsome!!!!!11!" tripe.
His thesis is actually more along the lines of (and I'm quoting from the Win v Unix section of the article):
"Current Windows systems have some of the highest security ratings (as compared to other systems)... However, the number of documented security issues and the real-life rampant insecurity of Windows are not speculations either! The problems are real, both for Microsoft, and for Windows users."
Nowhere here is he saying that MS sucks, or that linux r0x0rs. Again, from the same part of the article:
"We stated earlier that UNIX was not even designed with security in mind. Several technologies that originated on Unix, such as NFS and the X Window System, were woefully inadequate in their security."
The argument that explains the paradox is along the lines of what many of us already know - that MS is more prevalent, has a wider spectrum of users (inexperienced to experienced) and exists in a wider range of vulnerable environments - not just cozy, isolated research labs.
So while your arguments are valid, they don't really go against the overall opinion of the article.
These evaluations are evaluations on procedures in handling data. They are not evaluations on system breakability and security against unauthorized break-in as such. They are evaluations on suitability of a system to handle confidential data according to some predefined requirements.
Basically an EAL or Orange Book certified system will not allow casual transfer of data from a higher security level to a lower security level. That is the core of the qualification concept. All the stuff about admin roles, etc. is just fluff oriented towards managing the concept and the granularity to which it is managed.
After the wave of buffer overrun hacks that followed the publishing of Aleph1's paper "Smashing the Stack for Fun and Profit" in 1996 I had a conversation with the head of security of a bank-to-bank transfer house. We were discussing what we could do about intrusions like this. His first suggestion was to raise the security level to B1 or higher. At which point I had to point out to him that all intrusions were circumventing the security mechanisms, not breaking through a problem in them, so the Orange Book level of security did not bloody matter at all.
On a similar note, old SCO OpenServer 3.x, which had C2 certification, was quite hard to hack in its normal mode of operation. Raising the system to C2 and enabling the roles required to do so made the system a walkthrough. It took me around 5 minutes to get root on it by doing casual operations, no real hacking involved.
Baker's Law: Misery no longer loves company. Nowadays it insists on it
http://www.sigsegv.cx/
The problem is deeper than that, don't ask a RHCE to tighten down a Slackware or Gentoo box. Linux distros can be worlds apart. For instance, Slackware doesn't have /etc/init.d, it uses rc.d scripts, etc.
They store config files in different places, with different names (ldap.conf vs nss_ldap.conf, etc). They install apps to different places, and so on and so on. Now we can deal with XFree vs X.org (migrating to X.org on Gentoo also broke, well, almost freakin everything I use, and I still don't know how to properly configure the new font paths for tightvnc)
For that matter, don't ask a guy whose RHCE is a year old to secure a RedHat box, because for all you know, he doesn't know shit about, as an example, Samba 3.0's new config options or iptables (since he was taught ipchains). The OSS world likes to completely reinvent apps between revisions, for some reason.
Whereas, one XP box is pretty much the same as the next, and not far removed from Win2k.
I've had the same problems with both. I installed PuTTY in Windows as Administrator, tried to run it as a user, oops.. No user rights.. This is when you find out what kind of user you are. Do you switch to Administrator, screw around with permissions, and test until it works and you feel it's secure, or do you just go "fuck it" and add your username to the Administrators group so you don't have to deal with that kind of shit every day.
I'm not ashamed to admit I'd put myself in the latter category. Screwing around with filesystem ACLs and group memberships isn't what I like to spend my time doing. My firewall/router is about the only "secured" box on my home LAN, which is fine, since I lock the doors when I leave so the likelihood of a script kiddie sitting down at one of my machines is low.
There is a point to be made, and it's that it's nearly impossible to have the best of both worlds. It's either simple and painless to use (desktops), or super-hardcore secure (servers). Both OSes can function in both roles.
I don't need no instructions to know how to rock!!!!
There are too many "knobs." The exposed interfaces are either too complicated, even with documentation, or too weak and limited. Security on Windows is hard to configure correctly (try setting up IPSEC).
This guy can't seriously expect me to buy his argument that properly configuring a unix box is "easier", can he?
You are purposefully misunderstanding his point. He was not stating that Windows is "harder" than unix to secure, merely that the "average" unix user will generally have a deeper understanding of how the underlying OS works as opposed to an "average" Windows user. Think about it.
Unix has a larger barrier of entry in terms of learning the OS and understanding how it works until you get to a point where it is "usable". Windows, on the other hand, has a much lower barrier of entry, and a deep understanding of the underlying actions of the OS is not required in order to utilize the system. As a result, securing unix systems is not as complex to the average unix user, since they have already overcome that initial large barrier, whereas Windows is more complex to the average Windows user because they are faced with a magnitude of complexity they normally do not see.
I do agree with you that Windows can be locked down thoroughly and be just as secure as a unix machine.
Do not taunt Happy-Fun Ball
In the "Unix .vs. MS Windows" part, all I saw was a re-hashing of common misconceptions, little substantive or interesting info, and some revealing logic stumbles.
"Windows is supposed to be an easy-to-use platform, while Unix is supposed to be cryptic and hard-to-use." - good grief. An ad-hoc conclusion like this pretty much points to a lack of actual logical analysis.
"Microsoft's success, as reflected in their incredible market share, amplifies their security problems". So, giving an email client the ability to infect a system has nothing to do with it? The article seems to gloss over MS's efforts to graft its applications into its OS as part of the problem. By this logic, killing turkeys causes winter.
"A potentially relevant issue is the phenomenal amount of resentment against Microsoft and Microsoft products that is seen in many circles." So, Microsoft's security issues are because people hate them. Get my violin.
"'Security' is hard to formalize, hard to design (and design for), hard to implement, hard to verify, hard to configure, and hard to use. It is particularly hard to use on a platform such as Windows, which is evolving, security-wise, along with its representative user-base." ! He seems to be saying that Windows security is evolving and its users are also 'security-evolving', and as a result, Windows security is getting worse. Well, wait a minute. Maybe he's right on that one...
"We are all geniuses when we dream"
- E.M. Cioran
the simple answer to your question is to dump McAfee in favor of an AV solution that uses profile based heuristic scanning in conjunction with the signature based scanning that most AV scanners use... that way, it will not only recognize the 'named' viruses, but the ones that match characteristics with it as well..
there is truthfully very little innovation in the virus community, outside of a few examples, so a scanner configured to look for known viruses and those that look similar to known viruses is going to catch almost everything...
in short, don't blame MS because McAfee and Symantec refuse to innovate.. just find a company that does...
In this context, a rule-of-thumb definition of security is often cited: a system is considered secure if its "secure-time" is greater than its "insecure-time." Secure time is simply the time during which a system is protected, that is, free of "incidents". Insecure time is the sum of the time it takes to detect an incident and the time it takes to react to the incident (summed over all incidents in a given interval):
I've never heard such a naive definition of security. Apparently, regardless of how many security holes my system has, or how many times I get hacked, I can call it secure as long as it can be recovered quickly.
So, by this definition, my system is still secure even when:
- A hacker exploits IIS and downloads all my customer names and CC numbers.
- A hacker destroys all of my data from the last backup; as long as I can recover it quickly, data loss doesn't matter, right?
- A hacker DDOS' our server and we lose several days worth of business. Our system is still up, so obviously it's not secure.
- A hacker installs a rootkit on our server. You see, it doesn't matter if the box is owned, as long as its up and running, right?
- A hacker zombies the machine and uses it to send SPAM, or worse, host illegal content.
Need I go on?
I don't think I could come up with a better explanation of why Microsoft will never design secure software than this one: their definition of what constitutes a secure system is simply out of touch with the requirements of running a business.
The society for a thought-free internet welcomes you.
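The "secure-time" rule of thumb quoted from the article, worked through on a constructed incident timeline. This is an added example, not code from the article or from any commenter; the incident names, timestamps and the 30-day window are all constructed. It also handles a case the one-sentence definition glosses over: incidents that overlap in time are merged before computing secure time, so a shared stretch is not subtracted twice, while insecure time is summed per incident exactly as the article defines it.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Incident:
    name: str
    started: datetime    # when the compromise actually began
    detected: datetime   # when it was noticed (end of "time to detect")
    resolved: datetime   # when reaction/recovery finished (end of "time to react")


def insecure_time(incidents):
    """Insecure time as the article defines it: the sum over incidents of
    time-to-detect plus time-to-react."""
    total = timedelta()
    for i in incidents:
        total += (i.detected - i.started) + (i.resolved - i.detected)
    return total


def secure_time(window_start, window_end, incidents):
    """Time inside the window during which no incident is open. Incident
    spans are clipped to the window and merged so overlaps count once."""
    spans = sorted((max(i.started, window_start), min(i.resolved, window_end))
                   for i in incidents)
    covered = timedelta()
    merged_end = None
    for s, e in spans:
        if e <= s:
            continue                      # incident lies entirely outside the window
        if merged_end is None or s >= merged_end:
            covered += e - s              # disjoint from everything merged so far
            merged_end = e
        elif e > merged_end:
            covered += e - merged_end     # only the part extending the merged span
            merged_end = e
    return (window_end - window_start) - covered


def secure_by_rule_of_thumb(window_start, window_end, incidents):
    """The article's test: secure if secure-time exceeds insecure-time."""
    return secure_time(window_start, window_end, incidents) > insecure_time(incidents)


# Constructed sample: one month, three incidents of the kind the commenter lists.
# The data theft is "resolved" in four hours; the metric records the four hours
# and nothing about what left the server in that time, which is the critique.
T0 = datetime(2005, 6, 1)
WINDOW = (T0, T0 + timedelta(days=30))
INCIDENTS = [
    Incident("rootkit on web server", T0 + timedelta(days=3), T0 + timedelta(days=4, hours=12), T0 + timedelta(days=5)),
    Incident("IIS exploit, customer DB copied", T0 + timedelta(days=10), T0 + timedelta(days=10, hours=1), T0 + timedelta(days=10, hours=4)),
    Incident("DDoS on storefront", T0 + timedelta(days=20), T0 + timedelta(days=20, minutes=5), T0 + timedelta(days=23)),
]
```

With this sample the month comes out as "secure" (about 24.8 days secure against 5.2 days insecure) even though customer data was copied on day 10; the metric measures availability and response speed, not impact.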