Linux Getting Harder To Crack

AlanS2002 points out today's article from Iain Thomson on vnu.net, which says that "Linux systems are getting tougher for hackers to crack, security experts have reported today," summarizing "A study conducted by the Honeynet Project has found that it takes about 3 months before a unpatched Linux machine will be owned, compared with about 72 hours in the past. According to a report on the study default installations are now more secure with less services enabled by default, added to this is newer versions of software such as OpenSSH being more secure. Interestingly Solaris 8 and 9 did not fare so well."

Slashdot Getting Easier to Dupe

[CajunArson]

Yes this story has already been posted. But don't worry! Since there is no link to Netcraft it will be duped again when there is official confirmation!

Re:Slashdot Getting Easier to Dupe

[CajunArson]

In case you want some facts to backup my previous troll: check it out yall It even links the same website.

Re:Slashdot Getting Easier to Dupe

[Allnighterking]

How about this for facts ... I'm the one who submitted the original *grin*...

Re:Slashdot Getting Easier to Dupe

[mscnln]

Let them dupe all they want, I wont believe it until Brian Hook confirms it.

Re:Slashdot Getting Easier to Dupe

[Klingensor]

I like your sig. Agreed.

Re:Slashdot Getting Easier to Dupe

Nice sig...fuckstick.

cracked

[bryan986]

I cracked a linux box in 30 seconds... ...with a hammer

Re:cracked

[thej1nx]

It is ok. I have patched it now ... with glue.

Re:cracked

Get a bigger hammer.....

Re:cracked

[dodobh]

Be a real geek! Duct tape forever!

Re:cracked

[DMUTPeregrine]

Yeah! I can crack one in less than 2 seconds with a hammer. Really, 30 is quite slow. And the one I did this on had a steel case (I cracked the motherboard through the case...) Windows boxes often have plastic cases. Much easier to crack.

Owned?

[Klar]

it takes about 3 months before a unpatched Linux machine will be owned
Maybe I'm wrong, but shouldn't it be pwnd or 0wned or 0wn3d or 0\/\/|/|3|) or some variation on that instead of owned

Re:Owned?

The person who wrote it is probably old and not up to date.

You know how oldder people say that you have a nintendo when for real you have a playstation 2? It's same thing with owned.

Somebody older than you might understand what the meaning of owned is in the way we use it but if you just say pwnt or pwnz0red, he'll be like "huh?".

They will eventually know..

Re:Owned?

or in this case, postpwn3d

Re:Owned?

The 3 is not a typo, cockbite. The p is a typo.

Re:Owned?

Again, a commonly accepted and blatantly intentional typo.

Re:Owned?

[koreaman]

Important information on this subject

Re:Owned?

Did you even read what I wrote? God damn, some people are dense. I never said Lord Kano typed the 'p' accidentally.

Re:Owned?

[eclectro]

Maybe I'm wrong, but shouldn't it be pwnd or 0wned or 0wn3d or 0\/\/|/|3|) or some variation on that instead of owned

Yes, you are correct. The problem is Slashdot doesn't have spell-check yet.

Re:Owned?

[sevensharpnine]

You are absolutely correct. I have no idea why you are (currently) modded "funny". It's common to adopt the l33t spelling in the security community as a way of poking fun at the script kiddies.

Re:Owned?

[stor]

Obviously the article poster is not as hip and happening as us two, Daddy-O.

Cheers
Stor

Re:Owned?

[Master+of+Transhuman]

How about "pawned"?

Since none of the /. nerd-boys can afford to actually BUY a computer since they're spending too much time on /. instead of working for a living...

(I can't wait for the "What's YOUR excuse?" responses...)

Re:Owned?

[darthdavid]

It's not a typo if it's on purpose you stupid cockgoblin.

Re:Owned?

[tepples]

they're spending too much time on /. instead of working for a living...

What's your suggestion for getting around "Sorry, we picked another candidate" in a period of jobless growth in the United States?

Re:Owned?

[Technician]

it takes about 3 months before a unpatched Linux machine will be owned

Nope, that's about right. As a newbie I put Slackware on a machine and it took about that long to get X to work with my AGP video card. Until I got a GUI, I didn't feel like I was in control. ;-)

Re:Owned?

[halowolf]

Until this day I had never heard of a cockgoblin. You have made me laugh.

Re:Owned?

The 3 is not a typo, cockbite. The p is a typo.

Yes, you did.

Re:Owned?

[sydolta]

um..

STALLOWN3D!1

(it is work safe)

Re:Owned?

[mboverload]

You can surf Slahdot on a 386. I have one right here, got it out of my high school's dumpster.

Re:Owned?

[Tony+Hoyle]

Move.

So you're expecting someone with no income to emigrate to *another country* just because there's an economic downturn.

That's about the lamest thing I've ever heard. If you're unemployed you're going to have trouble getting bus fare let alone buying a new house in a foreign country.

Re:Owned?

[BlackHawk-666]

You must be new here if that's the lamest thing you've ever heard. I tend to agree with the other poster in any case (having just seen that edutainment mockomentary Roger and Me). If there are no jobs where you are, move elsewhere *whilst* you still have a job and some cash stashed away. It doesn't have to be to a new country, just a town with better oportunities. If you can't get a job in your field then you are most likely crap at your job and should cross-train to a different career.

Re:Owned?

you filthy dirty tramp

Re:Owned?

Why? is that what you saw on your defaced website?

Re:Owned?

[JPelorat]

It shares the same genus as the assgoblin. And both are distantly related to the sphincterweasel.

Re:Owned?

[EDSdrone]

In India, the job finds you.

Re:Owned?

[vasqzr]

When did you go to high school? 1993?

Re:Owned?

How about, oh, I don't know...WORKING? You sound like a whiney brat who grew up in a period of unprecedented growth and are just sitting around waiting for someone to do something for you.
-old guy

Re:Owned?

[jmodule]

Actually that is quite common in third world countries (Mexicans in the USA, people from Ecuador in Spain, etc.) and I'm sure they have less money than most unemployed programmers in the USA. But I guess they're used to not requiring a new house when they arrive in another country. :-/

Re:Owned?

[tepples]

If you can't get a job in your field then you are most likely crap at your job and should cross-train to a different career.

I'm already thousands of dollars deep in student loan debt from getting a B.S. in computer science from a respected school, and even if I can convince the government or a bank to lend me even more money, I'll still have no paid work experience in anything I train for.

Re:Owned?

[Master+of+Transhuman]

Self-employment. That's my solution.

Fuck the corporations. Make them pay you to get something done, rather than working for them for peanuts and getting no respect in the process.

As long as we have "peons", we'll have corporations. Do away with being a peon, and the corporations will be forced to change.

Despite all the so-called "tech support" outsourcing, and despite all the hype about "remote access", most computer problems (and new development) require somebody on the ground at the site - or at least be able to speak English to the people involved for alonger period of time than three minutes. Outsourcing is just the usual corporate attempt to deliver no value at less cost to their bottom line. Typical management.

Fine - let them fuck up. The rest of us will take up the slack - for a nice piece of change.

Fuck "jobs". Work for yourself.

Re:Owned?

[tepples]

How about, oh, I don't know...WORKING?

When the only jobs that will take me are volunteer jobs (such as one at the local VA hospital) that by definition pay zip, I don't see how that would help.

Re:Owned?

[tepples]

Move.

And where do I get the money to learn a new language and do that? Most developed English-speaking countries seem to have the same dilemma. Or is there another English-speaking country that has offered to import a lot of foreign workers right now? Besides, given that I currently live with my parents, how would I get around my parents' objections?

Why do people generally choose not to give helpful suggestions as to how I can become no longer a bum?

Re:Owned?

If you are serious about working in your career field, you might have to move to a (gasp) smaller town and accept a (bigger gasp) smaller salary.

Re:Owned?

[tepples]

you might have to move to a (gasp) smaller town

Sure, there are lots of towns in northeast Indiana that are smaller than Fort Wayne (pop. 200,000), but I don't have family in any of them except possibly Bluffton. How can I get enough money to move out of the reach of family?

Re:Owned?

[BlackHawk-666]

Yep, you're probably in the worst position at present. With big loans already and no industry experience you will find it difficult to get a position while the industry is still attempting to recover from the dotcom boom bust. You can try what I did to break into contracting. Even though I was well overqualified I took a position doing backfill for the helpdesks of several big financials (through an agency, get an agency first thing!). I worked hard, and managed to get coding for the financials - crap stuff first, then onto really decent projects as they saw my potential. Two years later I was getting 100 grand a year (AUS) and was considered a highly valued contractor. I used that experience to leverage new bank positions in the UK where I am working my way through to working with derivatives valuation.

Now, I didn't have nig debts to start with but I did start from a position of zero dollars in the bank, and I had to pay rent on a flat during this time. It's possible, but it takes determination, a positive attitude, a little blagging and effort.

Big town, small town, go wherever you can get that first position and take it from there - once you have momentum it's hard to stop.

Re:Owned?

owned (pronounced pwnd, 0wned 0wn3d or 0W|\|3|)) is the original form of the word in the (now archahic) english language.

English was a language used by people or persons of European (specifically British) decent. It's usage dates back to well before 1000 AD, and was used until as recently as 1997 AD. It is rumored that in some corners of the world it is still used, though these reports are unconfirmed and have been widly regarded as n00bs attepmting to gain 733T status, and should be taken as such.

Re:Owned?

Yes, the reason you work for yourself is your attittude - who would want to employ a fouled mouth punk? Whether you realize it or not you are now a individual corporate ass. rather than a corporate ass.

Re:Owned?

Today's lesson on learning to read:

(I don't know how to type this slower so you can comprehend it, I'm just going to have to suggest you read slower and try to ignore your moron gene)

FUCKING. TYPO. ACCEPTED. AS. SPELLING.

The first dumb piece of shit to type "pwn3d" was just a monkey who couldn't type. Now half the people who use it don't even know it's a goddamn typo because they're a bunch of know-nothing kids trying to fit in. So, in summary, I hope everyone perpetuating this dipshit typo dies a horrible death with their parents watching.

Re:Owned?

[Curtman]

If you're unemployed you're going to have trouble getting bus fare let alone buying a new house in a foreign country.

You're right, stay there, remain broke and just bitch about it on Slashdot. That's a much better solution.

Re:Owned?

How is that flamebait? He asked.

Re:Owned?

If you go volunteer you can put it on your resume.

This is useful for two reasons:
A) Potential employers will probably want to see experience. Any kind of experience is good, but experience in something to do with your career is probably better.
B) They'll like to know if they drop from a heart attack you know _something_ about medicine :P

Re:Owned?

[jo42]

All you need to do is to spread the word that it is "ghey" to spell and type like that, and no sooner that it takes you to decipher such gibberish, it will cease forthwith.

Re:Owned?

[darthdavid]

STFU Dumbass. pwn3d works because p has the circle in it like o. So it looks similar. So go die n00b.

Re:Owned?

You're right, which is surprising for a moron. See, he's more likely to get a job in his chosen field by staying where he is than by moving to a country where he has no frinds, contacts, or work history. Especially since moving to another country would take a rather large sum of money that may or may not be available. Saying that he neeed to buy a house was a bit extreme, but renting is fucking expensive.

Imagine, now, going to another country without a guaranteed income. Imagine, if you will, needing to pay for food, clothing, and a roof over your head. Imagine having to go into further debt just to get there.

You're right, it's a MUCH better option to fuck off, without the facilities to support such a move.

"Let them eat cake," indeed.

Re:Owned?

[Curtman]

See, he's more likely to get a job in his chosen field by staying where he is than by moving to a country ...

Which post did I say he should move to another country?

.. where he has no frinds, contacts, or work history.

You and the rest of the people who get caught up in blaming their circumstances rather than examining their options don't get any sympathy from me. I moved 2,000 kilometers from home after school to find decent work. By far the best thing I got out it was finding new friends, contacts and actually having a job history in my field.

interesting

[tuxter]

"A study conducted by the Honeynet Project has found that it takes about 3 months before a unpatched Linux machine will be owned, compared with about 72 hours in the past."

"A study conducted by the Honeynet Project has found that it takes about 3 minutes before a unpatched Windows SP2 machine to be owned, compared with about 72 seconds in the past.

Re:interesting

[tuxter]

The patch is installing Linux.

Re:interesting

" Last time we checked, SP2 was a patch. I'd like to see this unpatched patched machine of which you speak."

maybe you're trying to be witty(and failing miserably), or maybe you're just plain dumb.

While it is true that SP2 is a patch, an unpatched system is one which does not have all of the latest patches.

Re:interesting

[NanoGator]

"The patch is installing Linux."

Tell the millions of gamers out there about it.

Re:interesting

[mad+flyer]

Did you run windows update lately ?

can't blame you, me neither... tired of reinstalling my gaming PC... (and too lazy to make a ghost disk image)

Re:interesting

[atriusofbricia]

I better tell my friend to stop playing CS:Source and BF1942 then. Granted, that is with cedega, but still.

Re:interesting

that's ok, we've got tux racer! what more could anyone want???

Re:interesting

[NanoGator]

Two down. Several thousand more to go.

Re:interesting

[NoMoreNicksLeft]

Yes, tell the millions of sports fans that. You know, the ones who drive East German Trebants because the stadium owners only allow Trebant owners to attend sports events.

I'd rather give up the superbowl and drive my Ferrari, thank you. Besides, sooner or later, all the Trebant owners will die when their engine block explodes, and the stadium owners will be forced to accept me as a customer...

Re:interesting

[stor]

that's ok, we've got tux racer! what more could anyone want???

Tux Racer 2? Tux Racer Forever?

Cheers
Stor

p.s. Yeah I'm in a bloody stupid mood today

Re:interesting

Last week, my friend made the mistake of trying to reinstall a friend's XP machine with the LAN cable connected. By the time we had IE running sufficiently to access Windows Update, the machine was already infected.

To save a bunch of posts:
- No it was not the very latest printing of the CD. It was the one that came with the computer.
- No, he did not use slipstream, jumpstart, SMS, MOM, POP or anything else that needed a CD prepped in advance.
- No, he did not have a router (*).

I'm not saying this is the ideal Windows installation environment but it is the default enviroment of the average schmoe. What really boggles me is how many people there must be out there who just accept that. People who's PCs are nearly unusable but are conditioned to expect such poor quality that they just accept it.

(*) Router Rant: This is the one thing that p***ed me off. IF YOU DONT OWN A DEDICATED FIREWALL, GET ONE! Not once, not one single time, have I had someone come back and say that they wish they hadn't spent $30 on a hardware firewall. It'll make your system faster, simplify configuration, allow you to network if you can't, reduce traffic if you can AND it's cheap g****** insurance. Buy the stupid thing!

Re:interesting

[stor]

Two down. Several thousand more to go.

There's still plenty of work in this area but the situation *is* gradually improving.

Besides, obviously we don't need every single PeeCee game to work on Linux for a successful gaming platform: most people will only care about the games they personally run.

Cheers
Stor

Re:interesting

[Lord+Kano]

Last time we checked, SP2 was a patch. I'd like to see this unpatched patched machine of which you speak.

If you slipstreamed SP2 into your install and burned a new CD would any machine that you install onto be unpatched?

After all, if you didn't run any "patches" on the machine in question, one could call that unpatched.

LK

Re:interesting

[tuba_dude]

Hell no. Tux Racer Underground is where it's at. You can trick out Tux with cool new shades, wing spoilers, ground effects and even decals!

Re:interesting

[lpret]

Why not tell them about Cedega?

5 bucks a month is pretty cheap for outstanding features.

Re:interesting

[odano]

Well lets perform a little deduction here.

Chances are high that any PC game that is sold is bought by at least a few people.

Chances are high that if a group of people buy a game, at least one person will run it on a regular basis.

Most people only care about the games they personally run.

Therefore: Chances are high that *all* games need to be ported to Linux to make most people happy.

So I am going to revise your statement from:
obviously we don't need every single PeeCee game to work on Linux for a successful gaming platform

to

the most important thing to make linux a successful gaming platform is to make sure the most popular PC games work to cover the most users

Re:interesting

[Technician]

Tell the millions of gamers out there about it.


Certianly as soon as all their Win games run with no issues.. OOPS, they haven't done that with Windows yet!

Re:interesting

Tux Racer Underground is where it's at. You can trick out Tux with cool new shades, wing spoilers, ground effects and even decals!

You've just described the as-yet-secret title, Tux Ricer.

Re:interesting

[slobbargoat]

no, tell the game developers out there about it.

Re:interesting

"The patch is installing Linux."

Tell the millions of gamers out there about it.

They already know about XBox.

Re:interesting

[NanoGator]

"no, tell the game developers out there about it."

Hey Developers!! There's a small handful of people that want you to make games for their underdog OS!!! You could literally make hundreds of dollars!!

Re:interesting

Sorry, you can't reach the ticket booth from down there.

Re:interesting

[stor]

the most important thing to make linux a successful gaming platform is to make sure the most popular PC games work to cover the most users

Cool, I can't argue with that.

Cheers
Stor

Re:interesting

The firewall in XP is disabled by default (before SP2 that is). I bet that if you had enabled it, you'd gotten away trouble-free? This doesn't of course doesn't change the fact that 'the average schmoe' isn't aware of this more than you. The fact still remains: you had a freaking firewall there, but didn't use it, right?

I must agree with you on the router thing. Everyone should have one, especially the average schmoes, who don't have a clue. There's good money in fixing / re-installing peoples computers though. :)

Re:interesting

[Taladar]

Perhaps you could be a little more specific about what your jobs are. Perhaps someone could then point out a way to do them in Linux (or someone gets the idea to develop a matching program). If you don't tell anyone what you need don't rant when you don't get it.

Re:interesting

[randallpowell]

Is that with or without a firewall? (Fuck RTFA).

Did they usea router or NAT? Did they download all the lastest patches? What kind of attcks were made? Which type of attacks failed for each OS?

It's more than OS, it's intelligent design of the network. But since Linux doesn't have ActiveX, open ports, and a need for endless patches, it may do better.

Re:interesting

[Omniscientist]

It is impressive that they have somewhat emulated DX, however I fail to see the features Cedega provides as being outstanding. I followed all the documentation, everything was set up correctly, and only one game ran, and it lagged terribly. This game that was lagging terrible is a game that will run perfectly at 1280x1024 resolution, with 8xS anti-aliasing, 16x anistropic filtering, and all other options set to max while running many other applications in the background in windows.

Linux itself really doesn't need that much added to it, its the game developers themselves who need to change over to making more OpenGL games so the game can run fine on both platforms.

Re:interesting

[Curtman]

most people will only care about the games they personally run.

Exactly.. And our solitaire is waaaaaaaay better.

Re:interesting

[Curtman]

5 bucks a month is pretty cheap for outstanding features.

Or just use standard wine. I have no problem with cracking a game that I paid for, rather than pay $5 to enable their copy protection with proprietary BS. Open source cracks, thats what we need.

Re:interesting

[slobbargoat]

still :/ thats hundreds of dollars more than they would have had.

Re:interesting

Well, I get the sense you aren't going to change the linux landscape without a killer app, so let me tell you what that killer app is: windows emulation for Linux.

That alone would change the face of the OS wars forever.

Re:interesting

[NanoGator]

"Well, I get the sense you aren't going to change the linux landscape without a killer app, so let me tell you what that killer app is: windows emulation for Linux."

WINE, though not really an emulator, has made Linux a lot easier to adopt. However, Linux still has a long way to go. Don't get me wrong, it has made IMPRESSIVE strides, but these things take time.

Re:interesting

[Tony+Hoyle]

Doesn't really work... I installed an SP2 machine from scratch (from the MSDN CD) and it still got virused before I'd even finished downloading the video card drivers. And that's behind a tight firewall too...

Re:interesting

[BlackHawk-666]

Over a year it would most likely have been cheaper to buy a copy of Windows than pay that game tax each month. Linux is not going to be a good gaming platform any time soon, it's all compromises, slower framerates, less stability, and less tools. Just dual boot, it won't kill you to run Windows occasionally - it's not a virus like Linux is ;-)

Re:interesting

[BlackHawk-666]

Minus the hundreds of thousands it cost to actually make the game for two OSes - that leaves a total profit of -$999,800...not bad, better than Enron.

Re:interesting

when the millions of gamers use linux no doubt they will run their insecure game as root and play the buggy game over the internet....

This article means win family are targeted more it just isn't worth it for nix condisidering:

- the vulnerable userbase (% successful scans)
- the likely time a box would be owned for.

the goal being numbers of boxes owned of course not something specific.

Re:interesting

[slobbargoat]

err, thats pretty narrow minded. If everyone had that train of thought then we wouldnt be able to communicate to people in different languages, or use cross-platform software like java.

The effort has to come from somewhere, and the sooner it happens the better. If not from the game developers, who then?

Re:interesting

It's trabant you insensitive clod!

Re:interesting

[jaavaaguru]

Either it's not that tight, or you were using a bad broswer that allows software (viruses) to install itself. Bad boy. It's a matter of common sense now. www.getfirefox.com

Re:interesting

[Fred_A]

You mean DoomIII is writen in Java ?

Re:interesting

[BlackHawk-666]

It's not narrow minded, it's accounting. Businesses exist to make a profit and they can't make a profit out of the marginal group of Linux users out there. Sure, we now outnumber the Mac-o-philes, but we're still too small a market to care about. When there is more like 25% market penetration, then the games will come.

Re:interesting

You've just described the as-yet-secret title, Tux Ricer. ... only for gentoo

Re:interesting

[node+3]

Tell the millions of gamers out there about it.

What? Isn't Unreal good enough for you? There's also Doom III, and, um, Free Cell, and Super Free Cell, and that pong game with Tux.

(hint: think "funny", not "troll". I know there are other games for linux, like that one where you squash bill gates as he tries to install Windows all over the place, and there's also neko, and vi...)

Re:interesting

Open source cracks

You are retarded on many different and interesting levels.

Re:interesting

[Jerry+Smith]

>No it was not the very latest printing of the CD. It was the one that came with the computer.
Dell, according to vicious rumours, ships their computers with cd's with builtin spyware. and their tecksupport is not allowed to advise you how to get rid of it (legal reasons). And did Belkin not ship one of their routers a bit... erm... different?

http://www.spywareinfo.com/newsletter/archives/1 103/11.php

Re:interesting

[yRabbit]

And Neverwinter Nights, and Quake 3..
Um.... though, you need Cedega to run NWN's editor. Yeah..

Re:interesting

[ultranova]

hint: think "funny", not "troll"

How about "kobold" ? A bit trollish, but not really quite at the same class.

Not every lizard is a red dragon, after all.

I know there are other games for linux, like that one where you squash bill gates as he tries to install Windows all over the place, and there's also neko, and vi...

...Neverwinter Nights, Alpha Centauri, Majesty Gold...

Funny how these slipped your mind. And vi isn't a game, it's a self-torture implement.

Re:interesting

How about Tux Racer 2005? How else can we know if our games are outdated?

Re:interesting

[mvdwege]

Even if the firewall were enabled, this is a pre-SP2 box he was talking about. That still leaves a short window of vulnerability, as Windows XP will bring up the firewall after the networking is set up.

Mart

Re:interesting

Besides, sooner or later, all the Trebant owners will die when their engine block explodes...

Hey!!! I'm a Trebant owner and my engine block never eve*BOOOOOOMMMMM!!!!!!!!!!!*

Re:interesting

tux racer undreground 2 you race with BAM and cut things up old-skool.

nothing like sliding for fish while causing destruction...

although I still have no idea what tux does when you trigger a freak out. it looks like he just stands there shivvering and glaring.

it rocks! I can not wait for version 3 with even more of the same!

Re:interesting

[Tim+C]

Oh, I'm not ranting about not being able to do what I want to under Linux, I'm ranting at the persistent "Linux will solve all your problems!" meme that permeates most sites like this.

Contrary to popular slashdot belief, Linux is not the solution to all computing woes, and blindly promoting it as such is not helpful. There's no point telling someone to install Linux without first knowing what it is that they actually use their PC for. If they can't do what they want with it (or work out how to), not only will they go back to Windows, they'll be that much more reluctant to try it again in the future.

Re:interesting

"killer app is: windows emulation for Linux"

Umm, no. Emulation is never a killer app. Emulation does nothing to sway developers to develop native apps. Native apps are the only thing that will change the "linux landscape", otherwise you have a perfectly ok landscape, cluttered up by windoze.

Case in point, OS/2. OS/2 had perfectly good emulation (when it wasn't chasing a moving target), and that was one of it's biggest downfalls. People did not want to write software for it because they could just write windows software instead and it would run. Been there, done that, got the t-shirt.

Re:interesting

[KilobyteKnight]

When there is more like 25% market penetration, then the games will come.

Or when the major game companies realize they can write for a Knoppix-like CD and have it run on everything.

It's kind of a chicken-and-egg thing I know, but I believe the market share will come when the games do.

Re:interesting

[TheFifthHorseMan]

How on earth did an unpatched winbox last that long without Pwnership ?

Re:interesting

[petecarlson]

I just installed three XP Pro boxes from Dell for a client of mine and am now in the position of having to bill them an hour for spyware removal on their new boxes. What the hell is Dell thinking?

CP

Re:interesting

By definition, an unpatched system has no patches. SP2 is a patch. Therefore, an SP2 system is not unpatched. There have been updates issued since the release of SP2; if they are not installed, then the system is less than optimally patched, but certainly not unpatched.

Re:interesting

[fitten]

Any links to the rumors about Dell's installed spyware? I just got a Dell laptop and need to check it.

Re:interesting

[Fatchap]

Well said old man. There is nothing that gets on my goat more than "x will solve all your problems!", whether it is a Mac, Linux or anthing else.

Re:interesting

He asked you what your jobs are, so he and others can try to make linux fit the role, hopefully improving linux all that much more. You answer with that? The poster does exactly what you say in your little rant, trying to find out what you use your computer for, and not only do you not answer him, you blast away with meaningless drivel. Are/were you trolling? It really seems like it.

Re:interesting

[Fatchap]

You must have been doing something wrong. I just installed Windows, from scratched, patched the system and was working within 4 hours.

The system had been running for over a year without crashing, without BSOD and without problems. Until last week when I got a bit overzealous on regedit and knackered the boot sequence so badly I had to start again!

Re:interesting

[4of12]

I just installed three XP Pro boxes from Dell for a client of mine and am now in the position of having to bill them an hour for spyware removal on their new boxes. What the hell is Dell thinking?

That you'll recommend Windows XP on Dell to your future customers because of the extra business it throws your way after the initial setup?

Re:interesting

i
vi is my life, you insensitive clod!ESC:wq

Re:interesting

[SirTalon42]

RTFA

Re:interesting

[SirTalon42]

The computer was completely unplugged from all electrical circuts.

Re:interesting

[n00i3]

that's how i scam most of my dates ;o

if you are reading this, stop and go fix chicks' pcs :)

Re:interesting

[Jerry+Smith]

Why yes:

http://yro.slashdot.org/article.pl?sid=03/12/03/02 57238

It's on /. so it must be true.

Re:interesting

OS/2 was free, right? OS/2 had better security than Windows?

You are comparing two different particulars. The only thing that will cause developers to write native apps for Linux is if a bunch of people adopt Linux. Here I am, waiting to go, except I want my previously aquired software to come with me.

Emulation is never going to be perfect. If enough people adopt Linux, it is easier to write a native app than to have a windows native app emulated.

I mean, Linux is a better OS, it is cheaper, and comes in enough different flavors to satisfy everyone from newbie to 133t.

So you have to ask yourself, why isn't being used?

Witness the furor surround the idea of CherryOS and tell me again emulation isn't the killer app.

Re:interesting

[JCWDenton]

I am always recommending people to switch to Linux yet I never do. I installed Open Office and export my documents to word format yet at college they end up in a mess. to put it plainly so I have yet to revert back to M$ Office. M$ their education monopoly strategy paying off.
Dual boot isn't a lot of use as Windows still requires all the maintenance [2 nights ago I had to do a complete reinstall of XP as it got hit by a virus or some other malicious code project and after "checking" the services settings it failed to work.]
I don't update as it will helpl my OS to crash every 5 min anyway and service packs refuse to install. I rely on Norton Internet Security for to protect me from all malicious intent but am seriously considering purchasing a hardware firewall or getting a linux machine to protect me.
I would permanently switch to linux if:
I can play my games smoothly
Get my office work done [i know - a superior alternative to Windows the combination of OP]
Develop [currently using VS studio and Sharp develop]

I can't wait for the day Windows is required to run a linux emulator.

[/rant]

Re:interesting

[MrHanky]

I am always recommending people to switch to Linux yet I never do. I installed Open Office and export my documents to word format yet at college they end up in a mess.

I have a feeling you don't use your word processor properly. I've written lots of documents in OO Writer, and never had significant problems with Word .doc export or import. But you're not alone -- I've seen several people ending each line by pressing the enter key, and that would certainly mess up formatting between office suites. I recommend this article as an introduction to proper use of a word processor.

Of course, if you don't need anyone editing you documents, you can export to PDF instead.

Re:interesting

[The+Patient]

Quotage: If you slipstreamed SP2 into your install and burned a new CD would any machine that you install onto be unpatched?

That's a debatable point. So here we go:

I recently redid the whole fershchlugginer schmear and reinstalled Windows XP using said slipstreamed SP2 CD. After that, I installed the 8 track UMixit application from Aerosmith's new You Gotta Move CD, which allows me to futz around with one of their songs and remix it.

Then, for a bit of coin, I upgraded to the 16 track version just for shites and giggles.

The 16 track upgrade file won't execute, and when I try to acquire the 16 track license, that doesn't work either. From what I've read, there is a very good probability that my problems are being caused by SP2.

So, I'm about to engage in a (no doubt) lengthy dialog with Cakewalk tech support. If the tech asks "Do you have any Windows XP patches on your system?", should I say "No, my system is unpatched."?

Re:interesting

[NuclearDog]

Bad, bad idea.

What happens if the game doesn't support my sound card? video card? ?

What happens in a year when I try to run this game but it wont run because all my hardware was released after the game was?

How do I save games? You're just opening yourself up to lawsuits if you allow the game to touch the HD (it may destroy some piece of important data or another).

Why go back to the old days of DOS gaming where every game had to support every sound card, etc if we don't have to?

ND

Re:interesting

[NuclearDog]

Also, (sorry for replying to myself):

What about the network settings? What about all the other configuration?

Most users wouldn't know an IP address if it was printed on the side of their computer with a permenant marker with 'IP ADDRESS:' written above it.

Even so, do you really think anyone would want to have to enter their configuration information:
A) For each game (assuming you find a suitable way to save stuff).
B) Everytime they run a game.

ND

Re:interesting

[bbtom]

Still useless if your video card doesn't work (and I speak from experience of having used both GeForce and Radeon cards with no success - and there's no fricking way I'm buying a Matrox either).

Re:interesting

[bbtom]

Unless of course, your video card isn't supported...

As a Linux User...

[agraupe]

I am happy to hear this, as I run a linux box. These reports are mostly moot, however, because a router will deter all but hackers with a reason to pwn your box, and there is little reason to do so to a home computer. My unfirewalled SP1 Windows XP box has faired similarly to my linux box, with just a bit of spyware.

Re:As a Linux User...

[huber]

wow linux user with a linux box!!1

Re:As a Linux User...

[eln]

because a router will deter all but hackers with a reason to pwn your box, and there is little reason to do so to a home computer.

To create a zombie for a DDoS attack, to host child pornography or warez, to use as a spam relay. All of these and more are reasons home computers are attacked. All they want are more systems in their arsenal, to make them more resilient and more effective. It doesn't make much difference if it's a home PC or a workstation in some office somewhere.

Re:As a Linux User...

[Le+Marteau]

My unfirewalled SP1 Windows XP box has faired similarly to my linux box, with just a bit of spyware.

As far as you know. Gone are the days of random vandalism, where if your box was cracked you knew about it the next day. Today's box is owned not to trash it, but to use it. If your Windows box is owned, you won't always know about it, until it is sold called into use to serve its new master.

Re:As a Linux User...

[jbplou]

well thats not completely true. A workstation in some office is more likely to have a static ip and be on 24 - 7. Of course it is more likly to be admistered by someone who knows what they are doing then someone who refers to their computer as the hard drive and the monitor as the computer.

Re:As a Linux User...

[gid13]

His point was that nobody's going to bother going through a router to do that when there are innumerable completely unprotected boxes out there.

Re:As a Linux User...

[fimbulvetr]

I don't think it's very wise to consider yourself safe, even if you have a router (or a firewall, which I presume is what you meant). If you still want to...feel free to, but don't come crying to me if it's not all you thought it would be.

Re:As a Linux User...

[NanoGator]

" Today's box is owned not to trash it, but to use it. If your Windows box is owned, you won't always know about it, until it is sold called into use to serve its new master."

That's true of any OS, not just Windows.

Re:As a Linux User...

most workstations in an office shouldn't have a static IP, they should be NATed, or even not have direct external network access. Only the necessary servers if it is that type of office, or router should have a static IP.

Re:As a Linux User...

[Aurix]

It doesn't matter necessarily that the office workstatations are NAT'ed. Just firewall that subnet from the outside world. They can still have their own public IP, but still have restricted incoming connections set by the border router...

Re:As a Linux User...

They prefer University computers for those purposes actually.

Re:As a Linux User...

Tell that to the millions of gamers out there.

Re:As a Linux User...

[thrillseeker]

My unfirewalled SP1 Windows XP box has faired similarly to my linux box, with just a bit of spyware.

Being infected with "just a bit of spyware" is like being just a little bit pregnant.

Re:As a Linux User...

[Ubi_NL]

If the software is installed via social engineering, the zombie can just 'phone home' and the router wil happily pass the traffic.

Re:As a Linux User...

[BlackHawk-666]

Let me make this quite clear for those who haven't any networking knowledge, and yet seem to want to post on slashdot like they do: a router does NOTHING to stop you being hacked, in fact, it makes it possible. Without a router you aren't connected to the internet, period, you need to route packets to the net and that takes a router of some kind. A firewall filters the packets incoming and outgoing and helps you stop people doing things like typing \\youripaddress\ and reading your Windows file system straight across the internet, try it, it's funny.

Hackers don't care if your box is on 24/7 or has good bandwidth, they are after zombies armies and these are made up massively of ignorant home users windows/linux PCs that they haven't secured. They don't attack you personnally, they sweep entire IP ranges and perform automated scans/attacks on each device in that range (nmap, nessus). If you connect a box to the internet without a firewall, patches, and a generally well secured setup then you may as well send your PC out with a program like this running on it:

10 PRINT "Brains"
20 GOTO 10

Re:As a Linux User...

haha, finally a reply that fucktard deserves!

Re:As a Linux User...

Being infected with "just a bit of spyware" is like being just a little bit pregnant.

That is more true than ever nowadays. Many spyware products include features that allow the downloading and installation of arbitrary software (for instance, search on Hotbar). Black hats have learned how to use these to install their own software.

If your unfirewalled SP1 Windows XP box has just a bit of spyware, then it probably also has keyloggers, SPAM relays and password sniffers. You are most likely owned!

Re:As a Linux User...

Actually a computer directly connected to the Internet (usually home pc's) is a more attractive target rather than an office pc. However any router than can run an uploaded program is a better target than both.
P.S. Hackers don't do child porn or DDoS attack. Those would be crackers. But since no one seems to be able to tell the difference because obviousle "h" looks so much like "cr" and the keys are right next to each other, I will start calling crackers "nuns". So please protect your computers from the nuns cauz we've had enough of those nuns distributing pre18 port!

Re:As a Linux User...

[fbjon]

That should be the assumption, but it also depends what your ISP or net admin does. And there's also a random element, just because a windows box can be rooted within minutes of connecting it, doesn't mean it will happen. I have actually connected an XP box, downloaded sp2, patched it (and subsequently counted myself lucky). No infections. Of course, this was only due to laziness, as I would've pushed away any trojans/crap afterwards, had they come.

Grammer

with less services enabled by default

That should read "with _fewer_ services".

Re:Grammer

Thanks, Kelsey.

Re:Grammer

Wonderful, a Grammar post with a spelling mistake in the title! Snicker.

Re:Grammer

Hopefully, that was the joke.

Solaris 10

[purduephotog]

We support all versions of Solaris for some software but it's honestly started to bug everyone that some places are running pre-5.

Solaris 10 is supposed to be much 'safer'. We'll see.

Re:Solaris 10

If they're running Solaris 2.4 or earlier it's pretty sure that they have an EOL'd product from Sun, upgrade to 2.5.1 and you will have patches for a little while longer. Nobody in their right mind runs an open ancient box of that kind.

Re:Solaris 10

Why not? If it ain't broke...

Re:Solaris 10

[pknoll]

Solaris 10 still ships with a lot of services running by default, most notably the following Old Favorites:

online Jan_07 svc:/network/telnet:default
online Jan_07 svc:/network/ftp:default
online Jan_07 svc:/network/finger:default
online Jan_07 svc:/network/login:rlogin
online Jan_07 svc:/network/rpc/rstat:default
online Jan_07 svc:/network/rpc/rusers:default
online Jan_07 svc:/network/shell:default

I don't know about you, but if I'm setting up a "modern" UNIX O/S, I expect all that stuff to be OFF be default. This is on SunOS 5.10 s10_72, so not a release build, but you'd think if they had really rethought their approach to security these things wouldn't be running.

well something that gets progressivly easier

[0xdeaddead]

Would be windows. And that sucks. If anything its a sliding windows of vulnerabilities... I mean how many people run telnet? And yet since everyone is so busy banging away at ssh telnet is probably way safer...Bottom line, nothing is secure, its what is en vogue...

Im now going to switch to OS/2! nobody uses that so it ought to be super secure!

Re:well something that gets progressivly easier

I always get this feeling that when I patch a windows machine against 10 current vulnerabilites, I am also opening up 50 more holes in that machines future.

Re:well something that gets progressivly easier

[Everleet]

Telnet has always been safer as an exposed service, if for no other reason than its simplicity. SSH has a lot more code in it, maintains way too much control over the system, does complex internal processing on all data sent to it, has a nastier protocol...while telnet just sets up a virtual terminal and sends you on to system's login prompt. Apparently the creators thought "secure" only has to mean "encrypted"; it obviously doesn't say anything about the program's design.

Re:well something that gets progressivly easier

Apache is used a lot, yet it's more secure than IIS and has fewer bugs.

INSECURITY IS NOT JUST CAUSED BY POPULARITY.

Re:well something that gets progressivly easier

[Klingensor]

I'm writing from Linux, but I also use OS/2, running my entire intranet. A proper configuration of the built-in (but not documented) AIX firewall in OS/2 precludes any shenanigans. And, yes, it's a bit obscure....

Re:well something that gets progressivly easier

Telnet doesn't have to be cracked because everything is transmitted in cleartext including passwords.

Why bother cracking Telnet when the desired secret info is handed over on a silver platter?

Re:well something that gets progressivly easier

[wirelessbuzzers]

SSH is not so weak as you suggest. It is certainly more complex, but it uses stack canaries and privilege separation to reduce its vulnerabilities. While its protocol is nastier, some level of nastiness is necessary to securely encrypt things.

OpenBSD ships SSH open by default, and has only had one root hole in what, 8 years? Any reasonably exploitable SSH root hole would count (although holes which are exploitable on Linux might not be on OpenBSD). And there have been buffer overflows in telnetd, too...

Re:well something that gets progressivly easier

[amorsen]

Telnet has always been safer as an exposed service, if for no other reason than its simplicity.

You should read the RFC. Telnet is a very bloated protocol. And yes, there has been at least one remote root vulnerability in telnetd -- the exploit happens before telnetd gets as far as displaying the prompt.

Telnet obviously could have been a very simple protocol just setting up a virtual terminal as you say. That is however not what it is in practice.

Re:well something that gets progressivly easier

[fr0dicus]

But that still requires physical access or an existing logon on either client or server, or route inbetween. Not as deadly as a remote exploit.

SCO

SCO is the easiest to crack judging from all of the smoking going on there....

RedHat comes with a pretty good iptables setup

[PornMaster]

My day job's in a big hosting facility, and it was a surprise when setting up RHEL 3.0 that it had by default quite the restrictive iptables ruleset which let very little besides SSH through, and pam_tally was set up in the install, so 5 login failures locked out the account.

Quite refreshing to see, since I was doing the install for a customer who'd decided to go for a reimaging because their machine had been compromised.

Re:RedHat comes with a pretty good iptables setup

[changelingyahoo.com]

To my knowledge pam_tally is not part of the standard RHEL v3 installation. Was this some type of custom installation?

Re:RedHat comes with a pretty good iptables setup

[PornMaster]

May have been a post-install config done through kickstart. I was using an SOE image done up by the product guys. I may not have looked carefully enough through what they customize. It would be nice if it were default, though.

Re:RedHat comes with a pretty good iptables setup

pam_tally was set up in the install, so 5 login failures locked out the account.

So attackers can remotely DoS your accounts so you can't log in? Wonderful.

Wouldn't it be better to block the IPs from which the bad logins are coming for x hours and log something?

Re:RedHat comes with a pretty good iptables setup

[bluGill]

Re-image because of a little thing like the box being owned? I worked for one place that let some SunOS (not Solaris) machines go after being compromised because our sites were working, and the sysadmin didn't know what they did. (At least these machines didn't processes credit cards)

This was before I worked there, and when the current sysadmin started he bought some linux (or BSD, I'm not sure) servers and moved over to something more secure. Hasn't had a problem yet.

Re:RedHat comes with a pretty good iptables setup

[wobblie]

Why? Locking out accounts is fucking retarded and is the easiest way to DOS someone.

Re:RedHat comes with a pretty good iptables setup

[maelstrom]

Just have to be careful with this as someone can DoS your accounts pretty easy.

Re:RedHat comes with a pretty good iptables setup

Yes that is true. But since you have mentioned RHEL 3.0, I have a question.. Are there any major changes between RHEL 3.0 and RedHat Ver 9.0 ?
--
Linux Help - a very good help site for linux.
Indomitable Thoughts

Re:RedHat comes with a pretty good iptables setup

[jmkrtyuio]

Whats better? To lose access for a bit until corrective measures can be taken or have that not so super random and long account password be brute forced overnight?

Doing this by host ip may be more granular however.

Re:RedHat comes with a pretty good iptables setup

[bill_mcgonigle]

So attackers can remotely DoS your accounts so you can't log in? Wonderful.

Wouldn't it be better to block the IPs from which the bad logins are coming for x hours and log something?

Anybody have a solution for this? I'd like to iptables the wankers who are ssh-scanning all my boxes.

how is that "interesting"?

Comparing new and revised Linux installs to old and decrepit Solaris 8 & 9 installs. Distros release new versions at least once a year while Solaris 9 was released... when? A couple years ago? A default install with patches from the last 6 months versus a default install that is 2 years or so stale. Which one wins?

DUH!

Re:how is that "interesting"?

[SunFan]

Solaris installs a number of services for enterprise environments, because Sun knows what hand feeds them. These environments are always behind firewalls and IDS. With minimal effort (well documented, BTW), Solaris can be hardened quite effectively for web-facing roles.

Re:how is that "interesting"?

Specifically, download and harden using the Sun supplied JASS tool.

Download from:

http://www.sun.com/software/security/jass/

In Case it get's /.ed

[spac3manspiff]

Here's a summary:
(Ranked from most crackable to least crackable)
Linux>Solaris>Glass>Windows

Re:In Case it get's /.ed

You forgot the comedy "PC in cement block" option.

Re:In Case it get's /.ed

[rritterson]

what?

is this a joke, or did you reverse your 's? Either way, you just made Linux much easier to crack than glass...

Re:In Case it get's /.ed

[desplesda]

That's it, I'll build my house entirely out of windows! It will be indestructible!

Re:In Case it get's /.ed

[spac3manspiff]

Lol I meant, "Least to Most"
Really messed that post up.

Re:In Case it get's /.ed

[Allnighterking]

Heck... it worked for Gates Y not you?

Re:In Case it get's /.ed

[ppanon]

I still wouldn't go throwing stones if I were you.

Re:In Case it get's /.ed

[HanB]

He sells them. His computers surely are not secure, but boy did he make a lot of money.

And that's what it's all about.

Re:In Case it get's /.ed

[coma_bug]

It would be interesting to see a real vulnerability analysis comparison with operating systems designed to be more secure, like these ones:

• Plan 9
• Inferno
• EROS

In Lunix and other access control list operating systems the exploit path is well known: (1) remote exploit to an unprivileged account; (2) local exploit to a privileged account. The operating systems referenced above have no privileged accounts so this exploit path is not possible and especially so in the case of EROS, a capability based system that has no accounts (in the Lunix sense) at all!

Re:In Case it get's /.ed

[SteeldrivingJon]

I think you mean:

(Ranked from most crackable to least crackable)
Linux>Solaris> "Sugar Glass">Windows

Sugar glass being the fake glass used for special effects. It breaks easy, and is less likely to cut the poor sod who has to jump through it.

Sugar glass doesn't last long (warps or goes sticky) so make it close to the time when you plan to use it.
Keep it out of moist areas and direct sun. The same as a lolipop it will melt or go gooey.
The sugar can attract ants and other bugs so keep it packaged in plastic, etc. until you use it.
Though only sugar, the glass can have sharp edges/points when broken, so be careful when handling

(From: here)

Well, reading that, sugar glass really is pretty close to Windows. Best keep it in the plastic, so as not to run into any bugs.

Re:In Case it get's /.ed

[gstoddart]

Either way, you just made Linux much easier to crack than glass...

Oh. He must have been referring to an independant study funded by Microsoft. :-P

I'm sure it's coming soon.

Re:In Case it get's /.ed

Sorry. I guess the poster meant 'mainstream' OS alternatives. I mean, now that 'Lunix' is mainstream... (it ain't 1996 anymore...)
BTW, how many business apps (databases, userland progs, etc.), run on the highly secure OS platforms that you have proffered?
Thx for playing, next..........

Re:In Case it get's /.ed

[DrSkwid]

Perhaps he meant "internet facing machines"

If one is a serious player, why have your database server internet facing ?

Re:In Case it get's /.ed

Mod parent up you humorless dullards!

when will it reach vms standards?

De John Wisniewski - a memorial

The game began at 10 a.m. on Friday. The VMS machine on the Green team was configured with Apache web server. As we are aware, VMS is an extremely secure operating system. While many of the other boxes in the room, mostly Unix, linux, and forms of windows, and even a Macintosh, were compromised and subsequently attended to by their masters, the VMS system remained intact. Here is where a real security issue comes into play.

We were very confident of the VMS box, and a lot of interest was generated by it. In the spirit of spreading the good word and educating the people about VMS, we ended up answering a lot of questions about VMS, and showing how the machine automagically added user accounts, and demonstrated the various terminal games and web pages which had been created. We were also aware that, in this crowd of 5000+ hackers, someone might be able to weasel their way into the machine if any security measures were taken lightly.

As events would have it, we had an issue, which we did not understand, with the operation of the serial port used as the operators' console. At 2:00 a.m. Saturday morning the system manager decided to telnet to the box in order to do some routine checks. Using Telnet in an environment with 5000 hackers on your network is an insecure method of administering a computer system. A lot of people were fascinated by the VMS system, and had asked many questions about it, shoulder-surfing the console operator, who of course answered their questions in this friendly game of an environment.

One of the hackers who had been showing a lot of interest in the VMS box happened to be sniffing packets from the system manager's PC. He discovered the password to the account, a simple procedure any 13 year old kid can pull off with ease after a little social engineering. The hacker logged in, and placed a couple text files (his mark for points) in the manager's user directory, and then notified the system manager in order to claim the points. There were no points for hacking the machine because the files were placed in a user directory instead of the `root' VMS directory. He was awarded 10 points for social engineering.

Was this an instance of VMS being hacked? No, it was just a circumstance where a privileged login session was passed in plaintext over a network with 5000 mechanics, social engineers, and hackers on it. By using a telnet session on an open network, the system managers' login information was freely made available to any who cared to record it. Giving away your login info in this way to a hacker who subsequently uses it does not constitute being hacked, it constitutes an error in security procedure. The thought of improved security, such as some level of encryption for telnet on VMS, immediately comes to mind. Be very afraid.

The Alpha was disconnected from the haxor network, the serial port issue (our fault alone) was fixed, and the network was reconnected. The incident did not repeat, nor did any hack whatsoever of the VMS system take place during the event. The hackers bombarded the box with telnets and ftp attempts to every bizarre port number imaginable, obscure ports in the 40,000 range and more. The word of the early-morning incident had spread, and those seeking glory and a reputation besieged the box.

Another kind of social engineering, involving a clever lie intended to trap those who would think it cool to hack the NOC was presented in this way: People came by, with an IP address, saying, "here is the IP address for the NOC, have fun". It was really an outside IP address, and this was a ruse to make those who listened loose points for attacking sites outside the defcon network. Hacking outside the CTF network was forbidden.

As the game progressed, the goons announced that there were not enough hackers (huh? The tables were *full* of people). To make it more enticing, the point award for placing your mark in the root directory of a server

Re:when will it reach vms standards?

[Rares+Marian]

Hard to hack a box that has no root.

Re:when will it reach vms standards?

[Nailer]

Was this an instance of VMS being hacked? No, it was just a circumstance where a privileged login session was passed in plaintext over a network with 5000 mechanics, social engineers, and hackers on it.

Which never, ever should be allowed in the default install of any OS at all.

PS, real men make their own names rather than using degrees as prefixes ;^).

Re:when will it reach vms standards?

[eraserewind]

Was this an instance of VMS being hacked? No, it was just a circumstance where a privileged login session was passed in plaintext over a network with 5000 mechanics, social engineers, and hackers on it.

Sure it is.

If the tool for administration (which requires a similarly insecure server running on the box) sends your password across the network in plaintext, most people would consider it as a security vulnerability.

Re:when will it reach vms standards?

[zcat_NZ]

Nitpick; using plaintext authentication on an insecure network _IS_ a security flaw. If the password got sniffed and subsequently used, you're just as 0wned as via any other kind of hack.

I'm a bit sore on this point; I recently had someone try to set up a BNC on my home PC after they managed to hack another box I have a shell on and brute-forced the shadow file. Fact is I ignored the important security precaution of using a unique password on every box, and it cost me a weekend rebuilding and making sure that any other passwords they may have had access to were changed as soon as possible.

Re:when will it reach vms standards?

to the best hackers the world has to offer",
Nobody knows who THEY are.

Re:when will it reach vms standards?

[xmp_phrack]

there is very little interest in VMS among DefCon attendees. one needs relative familiarity with an OS to effectively attack it. and even if someone had a decent zero day, they are not going to waste it at a con. it would be either published for fame, or traded in the underground. nevertheless, VMS is a strong OS. whole classes of buffer overflows don't even work. anyone interested in this OS should check out the Deathrow Cluster (featured on Slashdot) which invites non-malicious hack attempts.

Re:when will it reach vms standards?

[demachina]

The big questions, is VMS more secure or are today's hackers just increasingly ignorant of it, and study it less, so they are less likely to know its weaknesses or where to begin to try to exploit it. Linux, Mac and Windows all have hackers who know every angle and known vulnerability, I doubt VMS has that kind of dubious following.

Re:when will it reach vms standards?

[Graphyx]

The system engineers did great. The kernel hackers left no module unturned. However some intern who set up the root system left the root password as default. Fortunately no one expected this serious of a machine to have that password so no one got it. (Well not really, but I can only imagine that happening somewhere out there...)

Re:when will it reach vms standards?

[Opcom]

Sure VMS has a root. There might be some discussion over what it is, maybe DKA0:[000000] which could be a top level directory on the system disk, or maybe the logical sys$manager or sys$system which are a level down, I suppose any would do, but there's no way into those places unless the system manager says so. The user stays put in its own place and is not free to peruse, or at least to change things.

Opcom was there, along with Cedric Zool from Belgium. It is true. all boxes were hacked except the vms box, and one system made of 3 sun boxes with one acting as 'the box', one logging everything, and one as a console for the team of 2 guys who were continuously on duty babysitting it and fending off attacks (does that count? -if you have to expend that much energy, what's the impact on cost of operation?). We set up the VMS box and left it alone while we debauched and got drunk. heh. VMS$RULES.

Not even remotely scientific

[QuantumG]

The number of variables in this study are not even remotely controlled. There are no sensible conclusions you can draw from this, except that an unpatched systems are susceptible to attack and that there are still people out there who are attacking susceptible systems. For all we know an increase in the cost of beef in Tokyo is encouraging the russian mafia to hire more hackers to fake livestock reports and therefore there's less hackers available to attack the useless machines involved in these tests.

Re:Not even remotely scientific

[j0217995]

Ah but that doesn't matter here. As long as it is pro linux and anti microsoft its good news :)

Re:Not even remotely scientific

[QuantumG]

It's such a bullshit comparison. Windows XP gets owned in 3 minutes after starting up. Linux takes 3 weeks. Wooo! Linux must be harder to own! No, there's just more losers out there trying to break into random Windows XP boxes than there are losers out there trying to break into random Linux boxes. If you actually went and asked a representative sample of script kiddies which OS they found easier to attack and why you might get some valuable information, but it's more fun to "catch" hackers in your "honeypot". About the only good thing that could ever come out of The Honeypot Project is previously unknown attack methods. For example, if someone got root using some local exploit no-one had seen before we could reverse engineer the script they used and fix the bug. But this has never happened. Why? Cause no-one who has zero day exploits goes around using them on random machines. They use their zero day exploits to attack specific machines for a specific purpose, because they know that every time they use the exploit the run the risk of it being discovered.

Re:Not even remotely scientific

[idlake]

The number of variables in this study are not even remotely controlled. There are no sensible conclusions you can draw from this,

Scientific experiments don't "control the number of variables", they control the number of variables that actually vary between experimental conditions.

For all we know an increase in the cost of beef in Tokyo is encouraging the russian mafia to hire more hackers to fake livestock reports and therefore there's less hackers available to attack the useless machines involved in these tests.

That's a random variable that affects all experimental conditions equally. Those kinds of random variables exist in most experimental settings. Their existence doesn't make an experiment "unscientific". One doesn't "eliminate them", one discloses all the ones one knows about and deals with them statistically if possible.

They could have improved the experiment by including an old version of Linux as a control experiment, to see whether the rate of break-ins is roughly the same this year as it was last year. But such controls are often not feasible in the sciences because of cost or other constraints.

Re:Not even remotely scientific

[ComputerSlicer23]

You are approaching that all incorrectly. I haven't read the study, but from a general understanding of honeypot theory it is "scientific".

They have an experiment they run, and they measure the outcomes. The measurements over time have changed. They compared the measurements.

That's pretty much the textbook definition of "scientific" and "statistics".

No, this "study", might be an anecdote (I'm unaware of how many machines they have). However, it is a "fact", N months that putting an unpatched Linux system on the Internet used to on average last X minutes. A more recent measurement shows that it now lasts M * X minutes before being compromised. I'm fairly sure these people have several measurements at several points in time (I've read similar measurments like this from the same people a number of times).

That's a controlled experiment (technically speaking, the old measurement is the "baseline"). It's an interesting fact. It doesn't mean "Linux is getting more Secure". It means that on average it appears that a Linux machine without security patches lasts longer before being compromised. That could be because of the cost of beef in Tokyo. It could be because Linux is more secure. It could be because Linux is a low priority target for blackhats. It could be because the IP ranges used this time are known honeypot addresses by the blackhats (which is one of the few causes of problems that would make this "fact" useless to me).

It's not a measurement of causation. It's not a measurement of security. It's a scientific measurement of a length of time. Just like measuring the length of daylight outside. You can measure that scientifically. It won't explain seasonality. It won't explain the tilt of the earth. It won't explain the nature of quantum mechanics. However, it will be an accurate measurement of what it is: "How long the sun was up". Sure it's not the worlds most fact that Linux machines are lasting longer before being successfully attacked, but it is novel for those of us who have Linux machines on the Internet. However, it's lack of being the end all be all theory of Linux security, that doesn't mean it isn't a well defined measure.

Kirby

Re:Not even remotely scientific

[juicyfruit]

Yes, it's a "scientific" measurement, but the implication (and the explicit statement in the /. blurb) is that Linux is getting more secure because the survival time of an unpatched system is getting longer. That just ain't a valid conclusion.

As a counter-example, perhaps there are getting to be more and more unpatched windows boxes, so windows exploits become that much more attractive to zombie-network maintainers. That doesn't make Linux "more secure," in the sense of a native attribute of the O/S; it just means people are less interested in writing exploits or there are fewer unpatched machines to propagate them.

Re:Not even remotely scientific

[QuantumG]

By your own admission, the conditions under which the "experiment" is being repeated are not the same, therefore it is not a measurement of anything. If I note that it takes 3 minutes to boil water on my stove and then repeat the experiment 3 months later on your stove I have not measured anything about the rate of boiling water. I've changed more than one variable at a time, therefore I am unable to make any sensible conclusion from my experiment. Either your stove is has a different boiling water efficiency to mine or the rate of boiling water at different times of year is not a constant. If you add in a million other variables, such as the tempature in your kitchen vs mine, whether or not you have a stove fan, the quality of water in your district vs mine, the iron content of your cookware, etc, you get an experiment that is so wildly useless that you can't honestly call it scientific. That's what The Honeynet Project is, a big boiling pot of useless variables.

Re:Not even remotely scientific

[QuantumG]

or the number of women who find blackhat linux geeks sexy has increased in the last 3 months and they were all out on dates instead of hacking stupid Honeynet Project machines. It could be anything. Because it could be anything it's not a scientific measurement, it's not even a measurement, it's a useless observation of how long that particular set of linux boxes took to be owned.

Re:Not even remotely scientific

[ComputerSlicer23]

I'd venture to say that no science experiment ever conducted has ever been under "the same conditions". It's merely a matter of how close the conditions are, and why everything else doesn't matter. You figure that out by starting by making measurements and when you can't explain something, guess why, and form a model. Then try and setup a situation to measure if you guess is correct. Any number of "Scientific" measurements aren't repeatable (the analysis of any number of astronomical events are unique to our lifetimes and are irrepeatable in the sense you are using).

You can only draw those conclusions about water because someone has done all the scientific measurements before you.

We didn't figure out gravity all at once. Some guy started dropping balls and measuring time. Some guys started measuring the time it took to roll down planks. Eventually they made lots of measurements that were "big boiling pot of useless variables", and figured out that air resistance makes a difference. That if you measure incredibly accurately, that the latitude and longitude (more specifically your distance from the center of the earth) matter. Even more accurately, what time of year does matter (our distance from the sun changes). They sorted out the patterns in the data. What they are doing is called "basic science". It isn't sexy, and it isn't useful right away. However to start something that a is a "science", you have to start by making measurements and then explaining them. Explain to me roughly speaking, how one makes "Scientific" measurements on the internet where you have control groups? How precisely does one setup a second world wide interent that is identical in all ways except one has an extra Linux machine on it? Maybe if they continue to make such measurements, they might figure what the variables are.

That's precisely what they are doing. I'd have to read the actual statement they made to see how well they are lying with statistics. My guess is the statement they made was accurate and accurately captured what it was they measured.

Also, I'm going to guess they used the same RedHat distributions (or at least had all of the old ones, and some new ones), and they used all the same old IP's (or at least used all the old ranges, and some new ranges). So I'd further venture to guess that your "boiling water" analogy is incorrect. I've read about these guys quite often. They are fairly "scientific" about what they do, and how they do it. The biggest problem they have is man power to setup and analyze the machines and attacks. Which is really a function of their other big problem, a serious lack of financial resources. What they are doing on a large scale would result in really useful measurements. Sure what they are doing is on the level of "Grade School Science Projects" in terms of the scale and quality of science. However, that doesn't make it any less "scientific".

As to this:

get an experiment that is so wildly useless that you can't honestly call it scientific

Useful science, is called "Engineering". Useless science is all over the place. Science is about forming a hypothesis, setting up a way of measuring your hypothesis, then analyzing the data after the fact. This sure seems to fit the bill. Useless Science, is how all science started. Next you'll tell me Linux isn't at all like Unix, because it started out life as a useless terminal program.

Kirby

Re:Not even remotely scientific

[ComputerSlicer23]

For example, if someone got root using some local exploit no-one had seen before we could reverse engineer the script they used and fix the bug. But this has never happened

You really should read up on the honeynet project sometime before saying silly things like this.

For starters, they have in fact found previously unknown exploits (at least one, but possibly several). I forget the exact details off hand, but in "Honeypots" (A pretty decent book), it is covered. They cover it in the section about different types of honeypots and what they are good for. They discovered a hole in a network service that was previously unknown on Linux machines several years ago when the project first started. I can cite it tomorrow if you really don't believe me (the book is at home, I'm not). A lot of blackhats give out zero days as a way of gaining credibility. While it wans't a zero day, a honeypot was one of the first things to figure out how one of the Major worms worked (Code Red I think, but it might have been one of the others).

Also, black hats need a platform to mount their attack from that they can easily own without worry. So they attach home networks knowing that they can complete own a box and wipe the logs. Meanwhile, they can mount attacks from those machines onto others that are important. They need the intermediate machines to be anonymous. They might want to attack "American Express", or "Amazon.com". Anyone with any brains doesn't attack those from the IP's known to be in their basement. They find other machines that will have no logging, or logging that can be completely compromised to use as a base of attack. Then the trail to find them dies at these random machines on the interent.

Besides that, any one wanting to implement a "Andy Worhal Worm", needs to find a set of machines that have an exploit available. In order to find those, one has to start attacking random machines on the internet. The honeypot project could accomplish that (I don't know that they have, but it would be a very good use of it).

Finally, I don't have any important machines, so information about random machines on the internet fits me to a "T". I am more interested in what the script kiddies are doing, and what sorts of attacks they are making. The honeynet project does provide details about what JRandom guy with an IP on the internet can expect to be hit with.

Kirby

Re:Not even remotely scientific

[QuantumG]

Although blackhats do indeed attack machines simply to use them as intermediate hosts, they don't use their zero-day exploits to do it. They keep them in reserve for when they can't get into a well secured machine. Intermediate hosts are deliberately chosen for their poor security so they need not use zero-day exploits. Now at this point you might be thinking that a honeypot is still useful cause if a blackhat uses it as an intermediate host then the scripts they use to do this zero-day exploit will have to pass through the intermediate host. Well 1) Honeypots are deliberately designed so that blackhats can't use them as intermediate hosts, and 2) blackhats never use intermediate hosts that they are not 100% aware of what the machine is used for. No-one except a script kiddie gets into a honeypot and doesn't know it is a honeypot for more than 15 minutes. It's simply too easy to tell a machine that has a purpose from a machine that is a deliberate trap.

Re:Not even remotely scientific

[maxpublic]

All true, but the number of real hackers out in the wild is tiny. The overwhelming majority of 'hackers' are just script kiddies using someone else's code to attack unsecured machines. Protect yourself from them and you protect yourself from 99.9% of the people who want to seize your machine for their own use. The odds of your machine coming to the attention of a real hacker are vanishingly small, unless you've got something the hacker wants.

Max

Re:Not even remotely scientific

[DrSkwid]

fyi you can write "T" as tee

Re:Not even remotely scientific

[QuantumG]

around and around we go. Honeypots in no way help you secure your machine against known attacks. They may be good for finding out about unknown attacks but seeing as blackhats never use their zero-day exploits on Honeypots and know when they're on a Honeypot, so they never use them as intemediate hosts, Honeypots are good for nothing. Unless you consider watching script kiddies go about being script kiddies productive. In which case you should slap yourself firmly in the head and go back to securing your machine.

Re:Not even remotely scientific

My house is extremely secure. I haven't had a break-in since I moved here 20 or so years ago. Neither have my neighbors.

Odd since I haven't locked the doors in that time.

The first best way in the real world to remain secure is to avoid bad neighborhoods, bad areas. Linux use avoids a bad neighborhood. How long that will remain, I don't know. The second best way is to have someone near you that is more vulnerable than you.

The end result, scientific or not, are less problems. While the windows admins were running around patching and closing the huge windows (sic) of insecurity, the linux admins were able to fine tune their security strategies.

Derek (don't think that this area is an easy hit for crime. A regular noise in these parts is gunfire then a backhoe starting up.)

Re:Not even remotely scientific

[QuantumG]

Yep, and FireFox is immune to spyware too.

Re:Not even remotely scientific

[Oddly_Drac]

"No, there's just more losers out there trying to break into random Windows XP boxes than there are losers out there trying to break into random Linux boxes."

Steve Ballmar said much the same thing, but I'm currently capturing more attacks against my BSD server than I am my windows box. Do you have anything to base your claim on?

Conversely, there are thousands of *nix servers out there carrying web content that represent a fairly easy target for 'crackers'. You might be mistaking the horrendous security profile of windows in daft social engineering attacks (click here to see nude girls) rather than cracking per se.

"If you actually went and asked a representative sample of script kiddies"

Or read what they put on their BBS'. A lot of fun sometimes because the majority have no clue, but it's important to watch the talented ones.

"About the only good thing that could ever come out of The Honeypot Project is previously unknown attack methods."

And IP addresses of the attackers. Sure, some will be proxies, but a nasty email from the ISP would start the cleansing process. I reported five IP addresses last night that belonged to ISPs with my log files.

"They use their zero day exploits to attack specific machines for a specific purpose, because they know that every time they use the exploit the run the risk of it being discovered."

I've never seen a 'zero day' exploit hitting anything but the security sites for Kudos and a method of expanding your CV, but I bow to your greater knowledge of the subject. Incidentally, a local exploit to get root would mean that you weren't jailing users, and you'd be unlikely to ever see the original script that created the rootkit.

Re:Not even remotely scientific

[Oddly_Drac]

"Honeypots in no way help you secure your machine against known attacks."

Fusion toroids don't change the price of gasoline, but they're still regarded as a fairly valid research project; likewise honeypot projects are interesting research that is being applied all over the place.

The real question is why you're so vociferously opposed to them. False sense of security?

When all the linux boxen get owned, you can have that warm fuzzy glow that people fell for the 'honeypot scam', but until then, people like myself will take any scraps of information that we can get from security sites, script kiddies and honeypots to keep this lovely arms race rolling and spend an inordinate amount of time explaining hygiene to people with windows boxes.

"Honeypots are good for nothing. Unless..."

Unless? Unless is information. Ignore it at your peril.

Re:Not even remotely scientific

[pedrop357]

"Linux use avoids a bad neighborhood. How long that will remain, I don't know. The second best way is to have someone near you that is more vulnerable than you."

I agree, in part. Linux is the "new" more upscale (compared to existing) neighborhood. As time goes by, it will become "worse".

I live in Las Vegas, and have seen what was the "new" area in 1993ish become less "upscale" with more crime, etc. Compare an area like Smoke Ranch and Rainbow today to what it was 10 years ago.

As Linux becomes more popular, more people will go that neighborhood to check it out. More and more will stay and will bring with them all their bad habits. We know these people. Every article that discusses spyware involves them.

As the linux userbase grows, the bad will come with the good and companies will find it profitable to port their cheesy apps to Linux.
Insecure apps ported to linux by companies wishing to (continue) appease(ing) joe user will bring a lot of the current windows problems to Linux.

Picture a bunch of Linux boxes with joe user running as "root" because he doesn't know better, it's easier, he hates typing in the root password for privileged functions, and/or he "knows what he's doing". He's the type that gets ahold of some POS app like bargain buddy or weatherbug or somethingly intentionally harmful and runs it. There are going to be others like him, running as root with net happy spypware running on his linux box looking for other linux boxes in similar fashion.

Even if the linux code was 100%, the various apps run by ignorant (in the polite context) users won't be.

I know the argument is tired, but as more and more people visit linux, more and more criminals will come to victimize those tourists and new residents.

Re:Not even remotely scientific

[pedrop357]

Sorry,

"Even if the linux code was 100%, the various apps run by ignorant (in the polite context) users won't be."

Should be
"Even if the linux code was 100% secure, the various apps run by ignorant (in the polite context) users won't be."

Re:Not even remotely scientific

[Taladar]

The difference being e.g. that in Linux some apps just don't run as root (most IRC-clients e.g.) while in windows lots of apps don't run unless you are root (Admin). So lazy people will get problems with Linux running as root that are bigger than having to type the root password a few times and will start running as user.

Re:Not even remotely scientific

[ComputerSlicer23]

You keep stating that like it's a fact, despite counter evidence. Honeypots have discovered previously unknown attacks in the wild. Full stop (unless you have a different definition of "zero-day exploit" then I do, that'd be a counter example to "Honeypots can't possibly capture a zero-day exploit"). Who used them, and how they discovered them is unknown.

I'm not saying they have discovered them all, but they do discover them. Any number of honeypots are intentionally put into the middle of existing production networks by people do have valuable data, specifically so a blackhat will attack it with all it's best tools so they can be aware. What are dead giveaways to blackhats would be avoided in those situations.

The Honeynet Project does do somethings to make it fairly obvious that you are being captured. However, don't fall into the trap of believing that blackhats are all knowing, ominscient gods of computing. Some of them, are very, very good at what they do. Any number of master criminals get caught because they've been lured into doing something silly in both the real world, and in the computer crime world.

Kirby

Re:Not even remotely scientific

[QuantumG]

Why do I have to keep repeating myself? Catching a script kiddie doesn't tell you any valuable information! You already know that the machine you set up was unpatched. I'm not talking to you anymore.

Re:Not even remotely scientific

[ComputerSlicer23]

For starters, that's the first time you said it only catches script kiddies (that might be true). I can't argue that for sure or not (I don't know that any of the Honeypots has ever given out personal information about the people they catch, several of the logs have shown them to be script kiddies, but that's not conclusive evidence). You claim that no one but a script kiddie wouldn't know after 15 minutes. Well, they've already given up the goat in the first 15 minutes. You now have successfully logged how they go there. On unpatched machines that might be less interesting. So setup a completely up-to-date one. It's not complex.

Prior to the previous post, you have said, "It can't catch zero day exploits", which it can, and has in the past. I've pointed that out, and offered to cite a source on it (It's "Honeypots" by Lance Spitzer, I don't have a page reference right off hand).

Second, you might not find that valuable data, however "valuable" is in the eye of the beholder.

So setup a completely patched honeypot, watch that one. Christ, they haven't, but that doesn't mean it can't be done or isn't interesting. One of the more interesting things, if you track down the original paper and read it, is that 2 of the cracks didn't get cracked via binary flaws, they were brute force password attacks (which in and of itself is interesting to me at least). Plenty of people do could setup production. I'll bet google does. I'll bet Yahoo does. I'll be American Express does. They have machines that are there to be attacked, and serve no other purpose.

I'll bet they have machines setup in the middle of their internal network that are specially logged via a transparent bridge (I've set one of these up before), that sits and captures all packets that cross the interface (make sure it doesn't munge the MAC addr is about the only trick). It's in the DNS server. It's fully operational just like the 10 other machines just like it. It just sits there in the middle of any number of other machines. When traffic crosses that bridge that isn't arp traffic, bells and whistles go off.

The reason they use unpatched machines is to keep the deterance factor low. So people will easily be successful in the attack. My guess is that Amazon, AmEx, Yahoo, Google and any number of others, have machines they want to get attacked with the full security setup. Specifically so they have machines that are safe to pull off line once they realize a hack is being attempted. I wouldn't be shocked to see that they have a network of such machines that communicate with each other. That way the entire system looks busy enough to be a live system to not give up the goat to quickly to the hacker. So data is flowing thru the system, but just not data you really care about. It wouldn't be too incredibly hard to just replay data from yesterday thru the system. In a well designed message passing system, that's all you have to do. Treat it just like every other machine, make sure it has load that is passing thru it. Log all the packets via transparent bridges that have not TCP/IP configured. Just plain jane Ethernet 802.3 repeaters (use a Linux box it's trivial). Put in scads of harddrive space that writes really fast. Spool it to tape with a big tape drive. Production honeypot on a production system, that is indistinguisable to a blackhat from the production system until after he has broken in to a larger number of machines. Honeypots are left easy to break into, specifically so they will succeed first. So have an easy set, and a hard set. Geez.

This point of data is interesting to me, as it clues me in that I can't just update a Windows machine every over the internet from a fresh install. I'll have to have the security patches, or I'm screwed. However, it appears with a Linux box, assuming I shutdown enough services, it appears I can feel relatively save updating it via the network even from a scratch install (generally I never ever do an install off known media, but it's a warm fuzzy to that I have less and less to worry about a hack being available and me not having the update immediatly).

Kirby

Re:Not even remotely scientific

[QuantumG]

Sounds like a lot of great ideas, that may very well have some useful applications, but none of that is done by the Honeynet project. It's just a bunch of geeks sitting around watching script kiddies attack unpatched boxes for the voyeuristic pleasure of it. There's nothing to be learned, it's just masterbation. Running snort on a box connected to the broadcast port of your router is a thousand times more effective at ringing alarm bells.

Groovy

RE:A study conducted by the Honeynet Project has found that it takes about 3 months before a unpatched Linux machine will be owned.

that an unpatched box they tested, i bet a patched, and locked down & firewalled Linux box is nearly impossible to crack...

good news for Linux :^)

Windows is down to 4 minutes...

[Bucket+Truck]

I just read an article at the Register (linking to an old article on http://www.usatoday.com/money/industries/technolog y/2004-11-29-honeypot_x.htm about un-patched XP sp1 machines only surviving for 4 minutes when connected to a broadband connection. Within 10 hours the hackers had an IRC channel running on the machines.

Re:Windows is down to 4 minutes...

[open_source_dweeb]

I've been running XP SP1 for almost a year without any problems. I only bothered to upgrade to SP2 last week. I run the box behind a NAT router (no port forwarding, except for the few times I forward port 6881 for BitTorrent) and I also use a non-admin user for normal everyday use. I only log in as admin to install software or make configuration changes. Other than turning Symantec auto-updates, I don't bother with the security of this box too often.

The point is, doing a few simple things can keep a not-so-updated version of Windows XP safe. I even use IE to browse pr0n sites and malicious ActiveX's won't even install. The only thing that I pick up is the occasional spyware cookie, which I doesn't really bother me.

Re:Windows is down to 4 minutes...

This could lead to a usefull honeypot. Put an un-patched XP sp1 machine on a broadband connection. Wait for hackers to arrive. After they put their crap on it, monitor the connections. You now own the hackers.

XP SP 2?

The article doesn't say whether the Windows boxes were running XP Service Pack 2, which implements a bunch of lock down policies in addition to patching the usual assortment of buffer overflow vulnerabilities. It's well known that XP's security was abysmal before SP2 so I'd be more interested in seeing the results with the lockdowns.

FreeBSD?

[SubTexel]

Well they list it in the list but give no data on it what so ever. So one is to assume FreeBSD was never hacked from the data presented (or lack thereof). Way to go BSD!

not again (the partisanship)

[jonastullus]

i have said it before and i will say it again: only because more and more people stand up to state how superior and ultra-safe linux is, won't necessarily make it so!

if it is indeed true what this study claims then i am the first to applaude the kernel guys and the distribution makers.

but there are facts that won't change:

- software monoculture is BAD (no matter what the monoculture consists of)
- linux is NOT the safest alternative out there (compare *BSD, VMS, ...)
- there have been an alarming number of exploits as well for the kernel itself (local root exploits, anybody) as also many exploits for user land applications (mplayer, mpeg123, mozilla, ...). therefore it is as questionable a time to glorify linux as it will ever be.

SECURITY IS A PROCESS NOT A STATE!

please, dear media (and also dear slashdot), make an effort to educate people in security matters instead of putting some solution on the "security pedestal". don't make claims about the absolute security of any alternative.

the complete solution is what makes and breaks security, not the components, and without adequate, highly trained and proficient personell it will always be near impossible to achieve truly secure (whatever THAT means) solutions.

well, at least the uprising unices make it easier for the proficient and maybe even raise the security bar for the amateurs, but alas this is not an end to itself!

jethr0

Re:not again (the partisanship)

[davidu]

well, at least the uprising unices make it easier for the proficient and maybe even raise the security bar for the amateurs, but alas this is not an end to itself!

I would argue that by raising the bar of those qualified to attack your systems you are actually decreasing the security of your systems.

And yes, I've been here a long time...
davidu

Re:not again (the partisanship)

- linux is NOT the safest alternative out there (compare *BSD, VMS, ...)

What about a Lisp machine? ;)

Lisp does dynamic buffer allocation (since the '50s) so there are no buffer overflows.

Re:not again (the partisanship)

[jdreed1024]

SECURITY IS A PROCESS NOT A STATE!

please, dear media (and also dear slashdot), make an effort to educate people in security matters instead of putting some solution on the "security pedestal". don't make claims about the absolute security of any alternative.

Very true. Only this time, it's solely Slashdot ath's responsible for putting the solution on the pedestal. The article merely mentions that default install settings on most Linux distributions have gotten better, which is a fair statement. The article was comparing default installations of Solaris, Window, and Linux, and mentioned that Linux has improved recently. This says nothing about Linux security, but says everything about judgements made by vendors/distributors. This shouldn't be taken as saying Linux itself is more secure. That's not to say that it is or it isn't, merely that this article contains no data on that.

Re:not again (the partisanship)

[egarland]

SECURITY IS A PROCESS NOT A STATE!

Wrong. Security is a state. Securing is a proces. Look them up, they're in the dictionary.

I usually hear that quote from people who want to make a living out of implementing security. The fact is, with the current state of systems, a lot of time needs to go in to creating a secure system and keeping it secure. This is not inevitable however. As time goes on, computer systems and networks will simply be more secure by default, especially thanks to all the hackers out there that find the holes and let us know about them (often times via the always funny "I infected you with a virus" method.

software monoculture is BAD

There are huge powerful upsides to a monoculture. Sure there are downsides too but I think in the end we will have one and it will be a huge benefit, even to security.

... without adequate, highly trained and proficient personell it will always be near impossible to achieve truly secure (whatever THAT means) solutions.

And 640K should be enough for anyone.

If you really think that it is impossible for security to happen automatically, ask your self exactly what is it that a security professional can do that it is theoretically impossible to automate.

Re:not again (the partisanship)

Linux is hardly a monoculture; I can't install binaries (or even source sometimes) that're intended for a specific distro onto another distro. Binary compatibility isn't in the forseeable future for ANY linux release, so even if there was a virus/trojan/whatever it wouldn't run on more than 10% of the linux population regardless. When you consider that even among Red Hat users, there are still 2.2 boxes and 2.4 and now 2.6, all incompatible kernels with different (incompatible) libraries and totally different in how they operate. Any virus or malware would have to be magic to run in a shitty atmosphere like that.
That's the true secret of Linux 'security' - obscurity, lack of standards, and you can't rely on anything being present on all those machines.
good luck with your cracking.

Re:not again (the partisanship)

[reverius]

"As time goes on, computer systems and networks will simply be more secure by default"

Actually, what you really meant to say was "as time goes on, existing computer systems and networks will simply be more secure by default", and your hacker-hole-finder explanation is consistent with that.

However, we'll always be using brand-spankin' new software, not the old stuff that we've already found the holes in. As time goes on, new software comes out, and hackers spend X amount of time finding the holes in -that-. That's why there are still insecure pieces of software. I bet right now, we know how to make, oh, MS-DOS secure. But that's completely useless.

20 years from now, we'll have found all of the holes in Apache 2. Guess who will still be using Apache 2?

Re:not again (the partisanship)

[DrSkwid]

However, we'll always be using brand-spankin' new software, not the old stuff

wrong

Guess who will still be using Apache 2?

people use it now ?

Re:not again (the partisanship)

[shic]

I feel I have to reply - while your heart seems to be in the right place, your facts appear to be elsewhere!

Re: Security is a state. Securing is a process.

Wrong again! Secure is a state; Securing is the activity of improving security and security is the perpetuation of a secure state.

Re: If you really think that it is impossible for security to happen automatically, ask your self exactly what is it that a security professional can do that it is theoretically impossible to automate.

"Theoretically impossible to automate" is far stronger a constraint than is necessary to justify human involvement. These aspects of security which are extraordinarily difficult to automate relate to the following security tasks - for example:

• Explaining to people the importance and relevance of the security measures.
  
• Taking decisions to mitigate risk where tradeoffs must be made between productivity and security.
  
• Identifying real-world business practices which can enhance security without negative effects on legitimate interaction.
  

Re:not again (the partisanship)

[1lus10n]

No. You make to many assumptions in your post. What you are saying is somewhat akin to claiming humanity will someday reach a point where violence is non-existant.

If the security gets better (just like it has over the past 40 years) its because the good guys are usually behind by a few steps, if they weren't behind they wouldnt know what to secure, or why. Even given the assumption that security somehow catches up with what the people attacking the systems are doing your also assuming that the people doing the attacking wont be able to adapt and break the new security.

Any security made by a person and implemented on a computer can be broken by a person with a computer.

"There are huge powerful upsides to a monoculture."

Not when it comes to security there aint. In the "oooh shiney" world of point-and-click userland sure its helpful, but anything beneficial from this aspect can also be gained from using open standards and open formats.

"ask your self exactly what is it that a security professional can do that it is theoretically impossible to automate."

Adapt, interact in an intelligent way, grow. Last I checked we still hadnt created a sentient intelligence yet, and in order to compete with sentient intelligence we have to use sentient intelligence. Once we create true AI ... then the bad guys will have it too. So the story goes on.

Re:not again (the partisanship)

[Taladar]

Actually this is the only thing you can hope for. You will never eliminate all security holes (given that the system is in active development and gets new drivers,...). The only think you can hope for is making compromising the system as hard as possible.

Re:not again (the partisanship)

[egarland]

Any security made by a person and implemented on a computer can be broken by a person with a computer.

It sure does seem that way these days but this is completely incorrect. The situation we have now results from bugs and design flaws in rapidly chaning and expanding software. Software without bugs and design flaws is possible. Software with no secuirty holes is possible. Security systems will always be able to be defeated, but one without holes can only be defeated by satisfying the requirements designed into the system.

Re:not again (the partisanship)

[davidu]

You didn't read my post did you?

My point was that by raising the bar, you make your system less secure.

-david

Re:not again (the partisanship)

[groomed]

Wrong. Security is a state. Securing is a proces. Look them up, they're in the dictionary.

Security means that you have procedures and mechanisms to prevent and deal with escalations as they occur.

Security means training your staff never to give out passwords, to use PGP, and to close the door behind them. Security means performing unannounced regular tests to see how well these guidelines are being followed.

Security means knowing when your security has been breached and knowing how to grade the severity of the breach. It means having an escalation protocol in place by which you notify your customers, associates and affiliates. It means testing this protocol every so often and evaluating how it can be improved.

Security is about monitoring and controlling the flow of classified information. Since humans are ultimately the only ones who can distinguish between classified information and unclassified information, this will always be a human job.

This is why security always means there needs to be a person in the loop. It's a lot easier to fool a login prompt than to fool a security guard.

Re:not again (the partisanship)

[egarland]

It's a lot easier to fool a login prompt than to fool a security guard.

You really think so?

Re:not again (the partisanship)

[groomed]

Absolutely. To fool a login prompt into thinking I am John all I need is John's username and password. To fool a guard into thinking I am John requires drastic plastic surgery.

Re:not again (the partisanship)

[egarland]

Ok. You're probably right about the grammar breakdown but you get my point.

"Theoretically impossible to automate" is far stronger a constraint than is necessary to justify human involvement.

Absolutely, and that was intentional. Many people view security professionals as impossible to do without (this view seems to be especially popular among security professionals). That may be true now, but it will be less so in the future. The reason I pull out the big guns of "theoretically impossible" is because humans suck at doing things like security. If the computers can do it for us, someone will figure out a way to make them and odds are it will do a better job for less.

• Explaining to people the importance and relevance of the security measures.
  
  If there is no way around the security measures then why do they need to know why they are doing them? They are doing them to get their work done.
  
  
• Taking decisions to mitigate risk where tradeoffs must be made between productivity and security.
  
  What if the options are wildly easy to understand and come pre-implemented. Think: car alarms. Fifteen years ago, someone could convince you to spend a lot of money on auto security and it was a complicated business. Today, while the president's limo has upgraded security most of us live with what comes with our cars because it's good enough.
  
  
• Identifying real-world business practices which can enhance security without negative effects on legitimate interaction.
  
  Again, you are assuming that this is a complicated thing. Managers don't have security professionals to help them decide who to give keys to the front door of the building. Computer security is a giant mess right now. It won't stay that way.
  

The risk in hiring a computer security person is that they will cost more than the problems they solve. As software bugs get worked out and security is more automated and automatic, that risk increases.

For the same reason you don't see armed guards x-raying everyone going in and out of a Walmart you will see fewer computer security people at companies. At some point, it's cheaper to deal with the issue than hire security people to lessen it.

Re:not again (the partisanship)

[egarland]

But security guards aren't in charge of identity, they are in charge of who get's in to a building. To fool a guard into letting you in a building, you usually just need a piece of plastic with a picture of you and a company logo. It's a hell of a lot easier to get past a security guard than it is to get past a login prompt. Riskier, yes, but definitely easier and it requires much less knowledge.

Re:not again (the partisanship)

[shic]

I feel you are replying cross-purposes.

I still claim that Secutity is an ongoing process and not something which can be bought off the shelf and forgotten about - I remain steadfast in that opinion. You are right that the weak link in any system is typically the human - however you can't take the human out of the equation. Security has far more to do with understanding risks and managing people than it will ever be about cryptography or algorithmic techniques. Security will only become straightforward and automated when the risk profile is such that extremely basic precautions are sufficient.

Your argument that users do not need to understand security measures if these measures can not be circumvented is nonsense for two reasons. First: every security measure can be circumvented given sufficient determination and resources. Second: Even if the security measures could not be bypassed it would still be important for users to be aware of the level of protection the systems afford. Only in trivial situations will the implications for the security be obvious. In the realm of software there are even curious paradoxes - for example digital signatures can be deemed to either increase or decrease security depending upon perspective. In some circumstances I want my documents to be verifiably tamper-proof - in others I may wish to conceal my identity in order to avoid giving a competitor better intelligence about my company's business plans. Addressing this kind of issue requires a thorough understanding of the problem domain as well as a good grounding in the technical strategies which may be employed.

Your example of car security is interesting. When a yob threw a brick through the rear window of my car (among several other acts of vandalism) last year my car alarm was no use. Until that point I'd assumed that the standard alarm would be sufficient to protect my car on a bustling business park - but the risk profile had been wrongly assessed. CCTV might have prevented this problem... but if it was dark - maybe it would need to be an infra-red night-vision CCTV system. Does there need to be a security guard? Many guards? Patrols with dogs? Prior arrangements with car hire companies to avoid down-time during repairs? At the time I felt it would have been a good idea to have thousand-strong teams of brutal vigilantes... but on reflection I admit that would likely have proved overkill (pardon the pun!). The car alarm does not solve the security problem for cars - far from it! Security for cars requires an ongoing assessment of risk and selection of appropriate mechanisms to mitigate that risk.

You take issue asserting that I claim that "this is a complicated thing" - well I suppose it depends what you think "this" to be. You claim that managers do not have security professionals to decide upon who should be given keys to the door - but that misses the point entirely. A diligent manager will get professional help to secure the building - particularly if it is located in an area where crime is a problem - advice will likely be taken on everything from the type of locks; deadbolts; toughened glass; retractable bollards; security fencing; alarm systems and business cover either from a security firm and/or the police to name but a few - and there is likely a rota for call out in the event of a break in or other emergency... and this will need to be actively managed to ensure cover in spite of sick leave and holidays. Securing an office is also an ongoing process - simply buying some locks is, I'm sad to say, rarely sufficient.

At the risk of you accusing me of being pedantic - no risk increases as a result of bugs and security loopholes being closed in software... all other factors remaining constant (which, rarely they do) risk will only be reduced. You appear to be complaining that your costs are not reduced as you continue to pay for a full time security consultant. The issue here is one of ongoing risk assessment. When risk falls it is prude

Re:not again (the partisanship)

[groomed]

But security guards aren't in charge of identity, they are in charge of who get's in to a building.

That's a non-starter, because the guard uses (some token of) identity to determine who gets into the building.

The situation where an unverified piece of plastic provides sufficient proof of identity is comparable to the situation where an account has username "administrator" and an empty password. It's just lousy security.

No matter how cryptic usernames and passwords are, they don't make it impossible for an attacker to impersonate someone else. If a security guard has to be able to identify you personally, impersonation is virtually impossible.

Penetration is of course still possible. You can shoot the guard and/or find ways around him. But these are both different issues. If you take the guard out by force you are certain to invite countermeasures. And if you can evade him, then the system is just as broken as a login service with a buffer overflow. With the crucial difference that by evading the guard you still haven't managed to impersonate someone: you have just bypassed the need for identification.

Re:not again (the partisanship)

[egarland]

Only in trivial situations will the implications for the security be obvious.

I'd argue that 90% of standard business employees will fall under this category of "trivial" situations. Most of the rest fall under SEC or military requirements where the security repercussions are obvious to those involved and the option to not have dedicated security personell doesn't really exist.

Security for cars requires an ongoing assessment of risk and selection of appropriate mechanisms to mitigate that risk.

"Could benefit from" is not the same as "requires". There are lots of things you could do to better secure your car. Should you? Probably not because the 3,000 multi-camera recording system/gps tracking unit you could install still wouldn't stop the window from breaking and you'd be out 3K plus the cost of reparing your window.

I can sympathise with what I see is your frustration: self-appointed "security professionals" using fear and misinformation to encourage inappropriate risk assessment to bolster their own positions. I feel this (prevalent) practice is despicable - but this does not mean the ongoing nature of security can be ignored - either in the real world or in the rarefied realm of software.

I'm not trying to ignore the nature of computer security, I'm trying to de-spin it. It is currently something that needs constant attention but the issues we have now are not inevitable. The software we use is insecure and broken. The right answer is to fix the insecure and broken software and that will happen in time. Eventually, security will be simple and more or less happen by default.

Re:not again (the partisanship)

[shic]

I'd be willing to believe that 90% of the time security considerations are trivial, though I hold the opinion that it is difficult to determine, without appropriate consideration, if a particular scenario is in the remaining 10% or not. I'd also contend that it is a bad idea to assume that having considered a security requirement under one set of assumptions that the matter will never benefit from review. In order to perform this periodic review, at least a basic understanding of the currently provisions is essential - and for the limits of a system to be clearly understood and heeded.

I agree that there is a distinction between required provision and beneficial provision. Using the car analogy - yes there are many things I could do which would improve the security of a car... and not all of them are appropriate - that is exactly my point. It is for exactly this reason I contend that security is an ongoing concern and not something for which it is sensible to simply buy a solution and forget the issue. Provision for security needs to be re-assessed whenever the base assumptions change. In some environments it is appropriate to leave a car unlocked for convenience - in others it is worth paying for attended parking or a secure garage. Only by regularly assessing the risks can an acceptable compromise be found.

I think trying to dampen the spin on computer security is a good idea - I just feel that this is an area in which extreme care must be taken with wording. I do not believe that the grotesque flaws we put up with in today's software are inevitable - but I do believe that security risks which accompany the widespread use of ad-hoc software are. I hope that in future the industry is better equipped to supply quality software (which would undoubtedly simplify security) though I'm sorry I don't share your optimism that security problems will be eliminated any time soon. While I realise that this is mere conjecture - aren't we already in the situation where the majority of substantial individual losses as a result of computer security breaches were attributable to social engineering rather than the exploitation of bugs?

Re:not again (the partisanship)

Yo, e.e. cummings, it's called a 'shift key'. No wam sayin?

Re:not again (the partisanship)

[1lus10n]

"esults from bugs and design flaws in rapidly chaning and expanding software." What in the 3000 (or so) year recorded history of humanity makes you think any of this is going to stop anytime soon ?

We should be able to build a fire-proof home by now. Safe cars (not safer.), safe drugs etc etc All of these things have been around longer than security in computers. Yet these problems have not been solved. Nor have real world security issues.

Don't plan on a utopian society or computer industry anytime soon (soon == in our lifetime). You'll only be greatly dissapointed.

Re:not again (the partisanship)

You had me right up until you misspelled "unixes" as "unices".

Nice try, though.

Re:not again (the partisanship)

20 years from now, we'll have found all of the holes in Apache 2. Guess who will still be using Apache 2?

debian stable?

*ragadish*

They aren't after your data - just your connection

[khasim]

These reports are mostly moot, however, because a router will deter all but hackers with a reason to pwn your box, and there is little reason to do so to a home computer.

What do you mean by "router"? There are probably several routers between your computer and any other computer on the Internet.

And most of the spam I see is from home machines that have been cracked (zombies).

Not to mention the DDoS zombies out there.

They'd be happy to get your credit card info off of your home machine, but they attack to turn you into a zombie with bandwidth.

However:

[reality-bytes]

Solaris 9 (while we wait for the 'open-source' 10) is in current use in 'enterprise' situations.

So presumably any compromises of Solaris production system may mean big-trouble for it's operating companies.

This, I would suggest is the reason for the comparison.

Re:However:

Solaris 9 (while we wait for the 'open-source' 10) is in current use in 'enterprise' situations.

Never use odd-numbered Solaris releases. ;)

Re:However:

[1lus10n]

right. But how many enterprise's dont have an IT staff with the patches right on hand ? How many of them are not behind a corporate firewall ?

I see your point and all ... just dont think its that simple.

133t...

[bender647]

But there was bad news for Solaris users, with three out of the four honeypots running Solaris 8 or 9 hacked within three weeks. However, a fourth has been online for six months without being compromised.

Stop nagging, I'll get to it.

Re:133t...

[StikyPad]

But there was bad news for Solaris users, with three out of the four honeypots running Solaris 8 or 9 hacked within three weeks. However, a fourth has been online for six months without being compromised.

Stop nagging, I'll get to it.

It's not that all 4 weren't compromised, it's just that they didn't notice me. I guess you're the one they caught on the first 3? It's okay, keep practicing. ;)

Re:133t...

So you're the admin who put unpatched Solaris servers on the net? Patch them already!

just buy a mac ;-)

Way to go Apple !!!

Re:just buy a mac ;-)

[SubTexel]

One could assume that as well =) Oh well, maybe they will include more data next time.

Re:just buy a mac ;-)

Just buy it for me, idiot. You keep posting this all over; if you're such a fanatic, buying one for me shouldn't pose much of a problem for you.

Re:just buy a mac ;-)

Me too.

I often wonder

If users don't care about being penetrated because deep down they have homosexual tendencies which override common sense.........SHUT UP!

For the love of $diety, please mod parent troll

BULLSHIT

Apple apologists are one thing, but did you go out of your way to ignore every single security patch that has been inssued in the last several years?! There are tons of exploits

Seeing as you (unbelievably) can't even spell "OS X" properly, I'm not even sure you've ever USED a Mac

Re:OS/X BSD Unix

[I+kan+Spl]

Sorry to feed the troll here but:
What about Apple's OS/X ?
No know exploits. Uncrackable.

**NOTHING** is "uncrackable" A machine may be less crackable, or diffucult to crack but as long as it's connected to a network it is crackable. It may take longer than the lifetime of the universe to do it, but it is possible.

I suppose in the same sense, even things that arn't connected to the network are crackable, but that requires mission impossible like stunts.

Fairwell, English grammer

[MerryGoByeBye]

Parding is such suite sorrough...

Solaris default install

[SunFan]

Solaris' default install is geared more toward internal datacenter environments. A small amount of hardening effort (e.g., paring /etc/rc directories) can make Solaris extremely secure. BTW, Solaris 10 now has the same codebase between the Trusted and regular versions.

Re:Solaris default install

[DanteLysin]

A Solaris default install shouldn't have to be secure. There are too many "self proclaimed" system administrators out there not worth the time to interview.

Making a server OS secure OOTB makes it too easy on the SA.

Hardening Linux works!

This is just another example of how hardening keeps your servers from getting compromised. Red Hat and SuSE Linux systems now ship with every remote service in xinetd deactivated and most have a default firewall active at installation. This partly reflects the lessons we've learned with Bastille Linux, a hardening program for SuSE, Debian, Fedora, RHEL, HP-UX, and OS X. What's interesting is that while new releases of HP-UX are shipping with Bastille pre-loaded and runnable at installation, giving the user easy hardening at install time, Sun's still been releasing servers with 50+ network ports listening, including deprecated services like tnamed (Trivial named). The Linux vendors have been leading the older Unix vendors, mostly because users influence them more. But hardening is becoming a more popular practice in all operating systems now... - Jay Beale

Re:Hardening Linux works!

What about CIS security scan/benchmark ? Not only does it harden your system, but it educates as well. It is a great complement to Bastille.

Re:Hardening Linux works!

[jjb]

The CIS benchmarks are excellent. The Linux benchmark is based strongly on the Solaris benchmark, edited by SANS's Hal Pomeranz and collaborated on by a number of great people in industry and government. Bastille and the CIS Benchmarks/Auditing Tools are pretty complementary.

Anyway, Bastille is also educational -- it was the first hardening program to interactively educate the user as it hardened the system. It educates to allow the user to make more informed decisions in how their system is hardened.

Re:of course

I meant, Windows discontents.

I am still right bahahaha

Linux failed it. It was a good idea, too bad it sucked.

Unpatched?

[Brandybuck]

Why even bother testing unpatched Solaris when Sun specifically tells you to patch your boxes? It's like never changing your car's oil and then complaining that it breaks down too often. It's almost, but not quite, as stupid as complaining your burrito is frozen because you didn't read the microwave directions.

Re:Unpatched?

[TrancePhreak]

"Why even bother testing unpatched Windows when Microsoft specifically tells you to patch your boxes?"

My thoughts exactly....

Re:Unpatched?

[AlanS2002]

That doesn't address the problem of 0 day exploits. Further I know people who have done a fresh install of Windoze XP and connected to the internet to get all the patches available from WindowsUpdate only to be infected within 5 seconds of connecting.

Re:Unpatched?

Do you know of any Solaris 8 or 9 exploits that couldn't be avoided by disabling services before connecting to the network? Or by using a patched Linux, Solaris, or Windows machine to download the latest patch cluster? Unlike Microsoft, Sun makes it easy to download and save patches for installation later, even from another OS.

Also, three months should be enough time to download critical patches even on the slowest of connections.

Re:Unpatched?

[miffo.swe]

Well it is interesting because it shows how well hardened the box is at first boot. You do want to have a chance to patch the box before it gets 0wn3d right? I havent seen any other OS vendor not telling their users to patch but i have seen plenty of unpatched systems in my days.

Re:Unpatched?

[weenis]

lol, your burrito analogy made my day :-)
.

Re:Unpatched?

[Bronster]

Why even bother testing unpatched Solaris when Sun specifically tells you to patch your boxes? It's like never changing your car's oil and then complaining that it breaks down too often.

That would be the same reason that people don't upgrade to Microsoft's latest security patches on a whole range of embedded systems or machines with a piece of shitware from $CRAP_VENDOR which is only certified to work on a paricular service pack level (if you're lucky it might even work with the security patches installed, but your up shit creek if it doesn't)

And if you're lucky, your crapware vendor might release an updated version which works with the latest patches from your OS vendor from 6 months ago... if you're lucky.

Re:Unpatched?

[o'reor]

I second this entirely. At my current workplace, we rae refraining from upgrading to Windows XP Service Pack 2, because a number of the other software vendors we work with are still in the process of upgrading their software to make sure it works with that new release of WinXP. Altera, for instance, has just released an update for its Quartus CAD software.

Yet SP2 has been released for a few months now, and a number of critical security faults have already been found. Will the othe vendors catch up, and will we be able to upgrade to SP2 before the next major service pack is released ? That's a question that keeps our sysadmin sleepless at night...

Re:Unpatched?

[Brandybuck]

On the other hand, Solaris 8 is considerably older than many of known exploits. Most of the Linux boxes tested were much newer. To make another stupid analogy, it's like comparing old and new bread to see which is moldier.

Re:Unpatched?

[Brandybuck]

That doesn't address the problem of 0 day exploits.

No it doesn't, but ordinary common sense does prevent it. Just grab the patches from a different system. Don't have another Solaris system that's been patched? Use *anything* else to download it. Hell, burn yourself a copy of Knoppix. Or if even that is too much for you, plug in a damned $50 consumer grade firewall router for the twenty minutes it takes to download the patches.

Really, sometimes I think you guys whine just to hear yourselves whine.

Re:Unpatched?

[4of12]

It's like never changing your car's oil and then complaining that it breaks down too often.

As bad a practice as that is, running a car non-stop without changing the oil until it just stops, for whatever the reason, would be a very interesting durability metric for cars.

Likewise for computers and OS: while no one here in secure 31337 /. land would run their machines with the default configurations or without verifying the digital signatures on the install media, the time to 0\/\/n3r5h1p for a fall-of-the-log, quick, default install is still a very interesting security metric for computers.

I know, lies, damn lies, statistics and benchmarks. As long as we all know it's not the only figure of merit for evaluating computer security, it's still useful.

Re:OS/X BSD Unix

It may take longer than the lifetime of the universe to do it, but it is possible.

Well, you better hurry up and get started then.

Maybes

[Rie+Beam]

Erm, maybe it has something to do with the fact most of the worms / exploits out there are just tried-and-true for Windows, and that Linux isn't neccisarily more secure in this sense, but rather, harder to put a finger on the default configuration and thus exploit?

Re:Maybes

[Rie+Beam]

Shouldn't have posted that..gonna get buggered outta existence..

Re:Maybes

So, then, you're saying, it's more secure.

In other news...

[Spy+der+Mann]

It's been discovered that it takes about 3 months before an owned Windows machine will be patched.

Re:In other news...

[Neo-Rio-101]

L.I.N.U.X - Linux Is Not UniX

Re:In other news...

[StikyPad]

T.I.N.A.R.T. - This Is Not A Recursive Tinart

Re:In other news...

[maxwell+demon]

The Absolutely Longest Recursive Acronym You Likely Have Ever Seen In Your Whole Life Is TALRAYLHESIYWLIT.

Re:In other news...

you betcha and we are PROUD of that fact.

unencombered by worthless UNIX patents!

thanks for being a great advocate!

Re:In other news...

Hilarious, well done.

Re:In other news...

[tomhudson]

The Absolutely Longest Recursive Acronym You Likely Have Ever Seen In Your Whole Life Is TALRAYLHESIYWLIT.

No. Acronyms belonging to the "AAITAILTTALRAYLHESIYWL" (Any Acronym Including This Acronym Is Longer Than The Absolutely Longest Recursive Acronym You Are Likely Have Ever Seen In Your Whole Life) family are longer...

There's:

"AAIAAITAILTTALRAYLHESIYWL" (Any Acronym Including AAITAILTTALRAYLHESIYWL)
"AAIAAIAAITAILTTALRAYLHES IYWL" (Any Acronym Including Any Acronym Including AAITAILTTALRAYLHESIYWL)
"AAIAAIAAIAAITAILTTALRAYL HESIYWL" ...
"AAIAAIAAIAAIAAITAILTTALRAYLHESIYWL" ...
"AAIAAIAAIAAIAAIAAITAILTTALRAYLHESIYWL" ...
... until ...

* agghrr - maximum nested calls exceeded - stack overflow *

(oh, the distractions I run into while meta-modding :-)

A router routes packets.

[khasim]

His point was that nobody's going to bother going through a router to do that when there are innumerable completely unprotected boxes out there.

Every home machine that's been cracked has been cracked through a router.

Did he mean "firewall" instead of "router"?

I don't think he did because he refered to his "unfirewalled SP1 Windows XP box".

Unless he refers to a NAT'ing device as a "router".

Re:A router routes packets.

[bogie]

"Every home machine that's been cracked has been cracked through a router"

No it hasn't. Beyond the false assumption that every machine ever cracked was directly beyond a router(aka cheapo linksys), many/most zombies come from people plugged directly into to the Net with no buffer. How do you think all of those worms spread so fast when all they do is simple port scans to find hosts to propagate with? Scans that a router running NAT would block. The real threat comes from users plugged directly into their cable modem or dumb dsl modem with pppoe etc which is what that person was reffering to. These people have no firewall/NAT to block outside attacks and thus join the legions of zombies out there every time a new worm comes out.

Re:A router routes packets.

[Rosonowski]

You're thinking of router in the "linksys little blue box" sense of the word.

How do you think your traffic gets from point A to point B on the net, though? Routers.

Re:A router routes packets.

[mad+flyer]

Technically it's more PAT (port address translation) rather than NAT (network address translation).

On cisco it's also the "nat overload".

NAT leave you somewhat vulnerable it's a mapping address for address (many to many). Don't feel secure with NAT without firewalling.

PAT is much more closed (many to one).

It's also true that everyone say NAT when they do PAT.

Re:A router routes packets.

[mabinogi]

Before you post another word on this topic, please demonstrate that you have the slightest idea what your talking about by defining the following words for us:

1. Hub
2. Switch
3. Router
4. Firewall
5. NAT
6. Proxy
7. Modem

Next, explain to us how packets from computer A with ISP X on one side of the world, can possibly attack computer B with ISP Y on the other side of the world without going through at least two routers.

Re:A router routes packets.

Did he mean "firewall" instead of "router"?

No, he meant that little blue Linksys box near the modem. It'll be the one labelled "Router".

Re:A router routes packets.

[Rosonowski]

I'm not saying that routers should be banned, that'd be stupid. I'm just backing up the post that claimed that all attacks have come through routers. They were undoubtly making the point that people think of those little blue boxes as the only routers out there.

Re:A router routes packets.

That's not obtuse, that's encouraging correct use of terminology.

It's not the router that protects them, it's the firewall that comes with it - whether that just be simple NAT, or a full stateful firewall.

Encouraging correct use of terminology is always a good thing, and even more so when the topic is technology.

Re:A router routes packets.

[Dimensio]

Next, explain to us how packets from computer A with ISP X on one side of the world, can possibly attack computer B with ISP Y on the other side of the world without going through at least two routers.

http://www.ietf.org/rfc/rfc1149.txt?number=1149

Re:A router routes packets.

Speaking of terminology, NAT has nothing to do with firewalling, even though your NAT router has a built-in firewall.

A NAT router is nothing but the device that forwards packets by translating internet addresses to lan addresses (and vice versa), thus preventing the machines on the lan to be directly plugged into the net. If no rule matches a packet, and granted that it doesn't result of a communication previously established by one of the LAN hosts, the packet doesn't go any further than the router. What the router does with this packet is then up to her (and, generally, her built-in firewall will take care of it).

Re:A router routes packets.

[OneSmartFellow]

Ahh, the old 'IP over carrier pigeon' link, somehow I knew it was coming

Re:A router routes packets.

[jaavaaguru]

The device at your ISP's end of the phone line is a router. Looks like you're talking about a NAT device. Different thing. Try getting a dumbass sales assistant in PC world to understand that though. It's good for a laugh.

Re:A router routes packets.

[FireFury03]

Scans that a router running NAT would block.

Argh! Why does everyone keep talking about how wonderfully secure NAT is? NAT is just as secure as a connection tracking firewall, and far more troublesome. Hopefully when IPv6 eventually gets rolled out it will change people's views since NAT won't be needed (or wanted) anymore.

Re:A router routes packets.

[jaavaaguru]

Damn. I knew why that was funny without even clicking the link. Suspecting I might be a geek.

Re:A router routes packets.

[Fred_A]

Wouldn't each pigeon qualify as a self contained router ?

Re:A router routes packets.

[Sique]

Also a NATting box is a router (in this special case it's a bridge, connecting exactly two networks). Everything that gets data, analyses the address information of the data and according to the address information and a list of rules forwards it to other nodes is a router. The fact that all nodes in one network are mapped to a single node in the other network doesn't change that.
Some of those little devices are capable to route between several networks. Often one or several DMZ networks can be addressed, making it a fairly flexible router.
No. A router doesn't need to implement BGP or OSPF to be called a router.

Re:A router routes packets.

[1lus10n]

Correction. NAT is not as secure as any firewall. Period. NAT is not a security feature, its a convinience feature. NAT != Firewall.

I don't know about you ... but I am not going to stop NAT'ing and/or PAT'ing my internal network off of the rest of the net no matter what verion of ipv they want to implement. I only need 1 real world IP. I only WANT 1 real world IP.

Re:A router routes packets.

[AKnightCowboy]

Next, explain to us how packets from computer A with ISP X on one side of the world, can possibly attack computer B with ISP Y on the other side of the world without going through at least two routers.

Computer A dials up with a modem and connects to ISP Y. ISP Y, being very small, uses a single Linux box as it's router and PPP dialup server, therefore you're only going through one router. pwn3d!

Re:A router routes packets.

[FireFury03]

Correction. NAT is not as secure as any firewall. Period. NAT is not a security feature, its a convinience feature. NAT != Firewall.

Correct - using NAT as security involves relying on hardware you don't control doing something that's reasonably undefined. Specifically: if you have a windows machine on 192.168.0.1 behind a NATting router and the ISP decides to route traffic for 192.168.0.1 to your router, you router will quite happilly forward it on. (Unlikely to happen, but IMHO relying on an ISP to do what you preceive as "the right thing" is bad security).

I don't know about you ... but I am not going to stop NAT'ing and/or PAT'ing my internal network off of the rest of the net no matter what verion of ipv they want to implement. I only need 1 real world IP. I only WANT 1 real world IP.

Why? The *only* reason for using NAT/PAT is to relieve the IP address shortage. Under IPv6 this will nolonger be needed so it is far more sensible to give every machine a real address and control access with a firewall. Indeed, ip6tables doesn't even support NAT because it is not required, nor usually wanted. (Ever tried to run H.323 over a NAT?)

And in answer to your question - I already use IPv6, all my machines have real world IPv6 addresses and I do no NAT on IPv6 traffic. I do, obviously, have an IPv6 firewall to control access. Of course, even now, everyone with an IPv4 address automatically has a /48 IPv6 subnet on the 6-to-4 system if they bother to turn it on. (By far the best way to roll out IPv6 support would probably be for MS to do this by default on Windows since then you would end up with millions of machines which have just defaulted to using it). Of course a big problem for the IPv6 roll out is that almost no consumer-grade DSL routers natively support it, so at least the PC to ISP part has to be tunnelled over IPv4, even if the ISP were to natively support IPv6.

Re:A router routes packets.

[mabinogi]

No good - the ISPs will each have their own network block, so you still need a router at each end so the packets know which interface the pidgeon is attatched to.

Re:A router routes packets.

[mabinogi]

Using that logic, if ISP X was also very small, then there'd be no routers at all.

But each ISP will have their own network block, and you can't route packets from one network to another without a router involved.

Each ISP will have a router between them and the internet. The two router case pretty much _is_ the scenario you've described - with the PPP server using proxy ARP to map the dialed in users directly into their network.

Re:A router routes packets.

[upside]

[pedant_mode]
Hmmh. I see the point that "network address translation" kind of implies a one to one relation between external and internal addresses.

However, to me "port address translation" sounds worse because the *network address* is still the key thing that gets changed in a many to one situation. The fact that the router assigns a new client port for outbound connections is just a side effect. The server and client still use the same ports, regardless the router does in between.

"PAT" sounds more logical when describing a port forwarding situation where the router is listening to port x but forwards it to a different port y on an internal server.
[/pedant_mode]

Re:A router routes packets.

[Kjella]

PAT is much more closed (many to one).

It's also true that everyone say NAT when they do PAT.

So... when I route my internal network through one IP, and route ports back to multiple IPs, is that NAT or PAT? The Internet is many. My network is many (well, not as many as the Internet ;). So it's a many-many mapping.

Kjella

Re:A router routes packets.

[ultranova]

Next, explain to us how packets from computer A with ISP X on one side of the world, can possibly attack computer B with ISP Y on the other side of the world without going through at least two routers.

Simple.

Computer A is set to capture its outgoing packets and print them into a piece of paper. This paper is then given to a ninja, who leaps to the other side of the world, types in the packet into machine B, and sends it through the loopback device. 0wn3d !

Moral: firewalls are no defense against ninjas ! In fact, don't have a firewall, because if you do, a ninja will come and 0wn your computer, then flip out right there ! You wouldn't want a ninja to flip out in your house while you're asleep, now would you ?

Re:A router routes packets.

[upside]

I think "many to one" describes mapping many internal IPs to one external IP (the public interface on the router).

I'd say you have NAT with port forwarding. Apparently for purists it's PAT. For the moderates it's probably both since they'd see PAT as a special case of NAT (only one external address). :p

Re:A router routes packets.

[supertsaar]

"Next, explain to us how packets from computer A with ISP X on one side of the world, can possibly attack computer B with ISP Y on the other side of the world without going through at least two routers."

Easy: VPN :)

Re:A router routes packets.

[Pozac]

So... when I route my internal network through one IP, and route ports back to multiple IPs, is that NAT or PAT? The Internet is many. My network is many (well, not as many as the Internet ;). So it's a many-many mapping.

Your network, to the Internet, is just the one IP. If you were to use NAT, you need an IP per machine.

ALL ports to one IP = NAT. (So you can use an external IP through a router)
ONE OR MORE ports from one IP to another IP = PAT

Re:A router routes packets.

[agraupe]

1. Hub - A device which accepts the packets from multiple network connections, and distributes them to each other connection. 2. Switch - Like a hub, except it detects (via MAC address I think) which connection should receive the data. 3. Router - A device which handles the routing of packets to the correct place on a network. 4. Firewall - A piece of software, sometimes running on a dedicated piece of hardware, designed to keep your system safe from hackers, usually via closing ports. This does not count any backdoors or spyware you may download, which, usually unless custom restrictions are in effect, will be able to "phone home" without any interference from the firewall. I believe ZoneAlarm, for one, has a warning if this ocurrs. 5. NAT - Short for Network Address Translation, a system by which computers on a private LAN are able to access the Internet via a device set up to perform NAT. The NAT/Router takes the request of a computer on the LAN, and routes it to the proper destination using its own public IP address. When the response comes back, it then routes it to the proper computer. In many cases, specific ports may be forwarded to the necessary boxes on the LAN, so you don't need one box providing routing, NAT, webserver, etc... This may be added to the functionality of a router, provided that the router in question would require NAT. 6. Proxy - A bit fuzzy on this one. This is quite similar to NAT (described above), except that it is done over a WAN, usually the Internet, and is usually done for the purpose of using an IP address other than your own, for anonymity reasons (to avoid a ban, or content filtering restrictions). 7. Modem - A device that may be internal or external, designed to convert various methods of transport (cable, phone line, etc) into a usable network for a computer (PPP or Ethernet). All happy now?

Re:A router routes packets.

[Srin+Tuar]

Haha, you cant just make up your own name for it, unless you really dont like being understood.

nice try though.

Re:A router routes packets.

Oh me! me!
Stand back.

1. Hub....where I got stuck in Atlanta.
2. Switch...China-made knockoff swatch.
3. Router....Employee of roto rooter.
4. Firewall....New Dodge Van.
5. NAT....old banana tenant.
6. Proxy....Parenting by leaving kids a daycare.
7. Modem....modulator that demodulates when there's
nothing better to do.

Re:A router routes packets.

I just had a real sense of technical superiority when I instantly knew the contents of an RFC only by its number. After that, I was profoundly disturbed.

Re:A router routes packets.

[o'reor]

Good old 'IP over carrier pigeon protocol'.

In related news, Remington has announced that it will invest in IT, specializing in Internet security systems. They have already released a number of RFC-1149 compliant firewall appliances.

Re:A router routes packets.

[harrkev]

NAT is secure, for what it does. It stops EVERYTHING on the outside from getting in (assuming that it is configured properly). The ONLY WAY for traffic to get in is for you to request it. NAT = firewall without application control.

So it does not protect against stupid users and/or browsers. It will not stop spyware. But it will stop a random script kiddie or a worm.

So they are not the end-all and be-all of security. But they are useful. You can install XP and then fetch the drivers and patches that you need unmolested (as long as you only browse trusted sites, like Windows Update, nVidia, etc.)

I also use a software firewall. I would not feel safe without one. But there may also be flaws in my firewall software (it has happened). And every packet that is denied at the NAT box is one less packet that has to waste CPU cycles in the software firewall.

Re:A router routes packets.

[harrkev]

The *only* reason for using NAT/PAT is to relieve the IP address shortage. Under IPv6 this will nolonger be needed so it is far more sensible to give every machine a real address and control access with a firewall.

Almost, but not quite. For home users, NAT will always have a place, as long as ISPs only include one IP address, and want to charge $$$ for a second or third IP.

This was the rationale behind the first NAT boxen, with the firewall being a happy side-effect.

What you say is true for business users who get a block of addresses, though.

Re:A router routes packets.

[FireFury03]

Almost, but not quite. For home users, NAT will always have a place, as long as ISPs only include one IP address, and want to charge $$$ for a second or third IP.

They shouldn't be doing this under IPv6 - everyone will be getting a reasonable sized subnet. And besides, if your ISP is doing this under IPv4 you need to change ISP - I have a normal home user account from PlusNet and they are quite happy to hand out small IP subnets (4, 8 or 16 addresses) for free so long as you can provide justification for their requirement. Most reasonable UK ISPs will do this for DSL connections on their standard accounts, if this isn't the case in the US then I think you're being horrendously ripped off.

This was the rationale behind the first NAT boxen, with the firewall being a happy side-effect.

NAT was designed to aleviate the IP address space shortage, period. There is no reliable security in doing NAT - you're relying on your ISP's routers to "do the right thing". If you want that kind of security you need a connection tracking firewall.

What you say is true for business users who get a block of addresses, though.

As I said above, so long as you can provide justification for the need, most decent UK ISPs will give you a small subnet for free, even on home accounts. However, this wasn't the original arguement: The original arguement was that you do not need NAT for security (a connection tracking firewall does the job properly and without all the nasty side effects) and that once the IP address space problem is removed (e.g. through IPv6 roll out) you will neither need nor want NAT. NAT is a kludge that works for the short term but causes many problems - the sooner we can ditch it the better.

Re:A router routes packets.

[jonadab]

> > "Every home machine that's been cracked has been cracked through a router"
> No it hasn't.

Almost 100% of the attacks have to go through multiple routers. The only
other way is for the hacker to physically go to the machine's location.

A router does not protect you in any way from being cracked, unless it is
more than just a router (e.g., if it also has NAT or firewalling features).

Re:A router routes packets.

[jonadab]

> NAT leave you somewhat vulnerable it's a mapping address for address

Is anyone still using many-to-many NAT? I was under the impression most NAT
these days is one-to-many, which does provide some protection. (Among other
things, incoming ports are pretty much a non-issue unless you forward them
explicitely. There is also, at least potentially, protection from malformed
packets. Of course, it's still no substitute for safe computing practices.)

Re:A router routes packets.

[harrkev]

NAT was designed to aleviate the IP address space shortage, period. There is no reliable security in doing NAT - you're relying on your ISP's routers to "do the right thing". If you want that kind of security you need a connection tracking firewall.

Ummmmm. Some random script kiddie at some random IP address sends a packet my way. My NAT box ignores the packet, and my PC never even sees it. I find some value in this. This is not 100% security, but it sure helps. Traffic cannot find its way in unless my PC first opens a port to that specific IP.

Please explain how this is not useful.

Also, I would rather doubt that ISPs in America will start handing out blocks of addresses without wanting some money. At one time, my cable modem provider wanted $10 per month for an additional IP. v6 will make them more plentiful, but why would they want to turn down a free revenue stream? I admit that I could be wrong, but I am used to being charged for everything, especially with cable providers:

As a service to our customers, we are adding new channels. The Lithuanian news channel, the 'watching paint dry' channel, and the 'swahili lesson' channel. Your monthly bill will only increase by $10 for these exciting new channels.

Re:A router routes packets.

[FireFury03]

Ummmmm. Some random script kiddie at some random IP address sends a packet my way. My NAT box ignores the packet, and my PC never even sees it. I find some value in this. This is not 100% security, but it sure helps. Traffic cannot find its way in unless my PC first opens a port to that specific IP.

Wrong, if your PC is on 192.168.0.1 (for example) and some random script kiddie sends a packet to that address which somehow gets routed to you (maybe your ISP's router is misconfigured) then your NAT router will route it to your PC with no problem at all. So as I said, you are relying on the behaviour of the ISP's router's being "correct".

Doing NAT requires the router to do some kind of connection tracking. However the router doesn't block based on that connection tracking. Compare with a connection tracking firewall which will do all the connection tracking and actually block packets based on that without doing NAT - you get better security (i.e. the same amount of security you get if you combine NAT with a properly configured ISP, but without actually having to rely on the ISP to be configured correctly), plus you don't get any of the many problems that NAT causes.

Assuming there is no IP address shortage, where is the advantage of using NAT instead of a connection tracking firewall? There is none. There are however big disadvantages with doing NAT.

Also, I would rather doubt that ISPs in America will start handing out blocks of addresses without wanting some money. At one time, my cable modem provider wanted $10 per month for an additional IP. v6 will make them more plentiful, but why would they want to turn down a free revenue stream? I admit that I could be wrong, but I am used to being charged for everything, especially with cable providers

I think you're being completely ripped off - I would never use an ISP that took this kind of attitude (and as I've already said, in the UK it's exceptionally easy to get small subnets for free if you can justify the use, even on cheapo home DSL accounts).

The whole point of IPv6 is to make IP addresses so plentiful that everyone has practically as many as they need without the use of NAT (e.g. you could have lots of IP-enabled appliances in your home). The concept of ISPs only giving you a single IPv6 address compeltely undermines the concept. Remember that the internet was _never_ designed to be a client/server model, it was always designed to be peer-to-peer, and that's a concept that NAT destroys.

Imagine being able to log into your central heating system and turn on the heating remotely when you're returning from holiday, etc. Yes, there are obviously security considerations but it's that kind of useful stuff that you can do if you have massive amounts of address space.

(Not to mention the fact that having 128bit address space probably makes network scanning by worms reasonably unfeasable).

Re:A router routes packets.

[harrkev]

Let's assume that the script kiddie in question is across the country. They send a packet to 192.168.0.1. How does this get to me? Answer: it wouldn't. This is a non-issue. You cannot route this packet, as the address does not go anywhere.

The ONLY chance would be if the particular script kiddie was in my neighborhood. Then, what you say may be true. But in this case, my NET box has blocked 99.99% of all script kiddies. Good enough. I also run a software firewall.

And a NAT box IS based on a connection. Look up how it works. I open a page at slashdot.org. The NAT box stores my real IP address (and port number) in a table along with the slashdot IP address (and port number). When traffic comes in, the only thing that will be allowed through is traffic from slashdot.org, coming from the right port, going to the right port. Simple. If a packet does not match the data in the table, it is blocked. So the only way for ANYTHING to get through is if MY PC initiates it.

I would never use an ISP that took this kind of attitude

Then we would not be having this discussion, except maybe by snail-mail. You simply would not be likely to have a broadband connection.

Re:A router routes packets.

[FireFury03]

Let's assume that the script kiddie in question is across the country. They send a packet to 192.168.0.1. How does this get to me? Answer: it wouldn't. This is a non-issue. You cannot route this packet, as the address does not go anywhere.

Your assumption is invalid - the script kiddie could be on the same ISP as you, connected to the same ISP-side router.

If a packet does not match the data in the table, it is blocked.

If the packet is destined for the router's address then yes it's blocked. If it's destined for a machine behind the router then it won't be blocked (I know of no consumer grade DSL router which blocks such packets by default). My whole arguement is that you are in part relying on the ISP not to actually route certain packets to you. Admittedly the chance of them doing so is small but IMHO relying on their configuration at all is inherently bad security.

You still haven't explained where the _security_ advantage is in using NAT over a connection tracking firewall.

Then we would not be having this discussion, except maybe by snail-mail. You simply would not be likely to have a broadband connection.

Err, huh? Explain how you came to this conclusion?

Re:A router routes packets.

[msh104]

I think you forgot about the V part of vpn.
all packets are still routed through the routers.

Re:A router routes packets.

[harrkev]

It is clear that you do not know now NAT works.

Every NAT box has a table. Each entry in the table has the following data:

1) Source IP address (usually 192.168.?.?)
2) Source port (usually over 32K)
3) Destination IP address (could be anything)
4) Destination port (usually 80 for web access).
5) Re-numbered source port (some routers have this, some don't - we will assume that ours doesn't, just to simplify things).

My computer, 192.168.1.69 port 40,000 (random port) sends a request to 1.2.3.4 port 80 (http request).

The NAT box takes the packet, removes 192.168.1.69 and replaces it with the ISP-assigned IP address (let's assume 9.8.7.6). It also fills in an entry in the table.

1.2.3.4 port 80 gets the data and returns the web page to 9.8.7.6 port 40,000.

NAT gets data from 1.2.3.4, port 80. It is addressed to 9.8.7.6 port 40,000. That matches an entry in the table, so the 9.8.7.6 is replaced with 192.168.1.69, and sent to the LAN.

My computer gets what it wants, and is happy.

Mr Joe Cracker sends ANY sort of traffic to 9.8.7.6. This can be either a portscan, or a deliberate cracking attempt. My NAT box gets it. Mr Cracer's source IP address is not in the table. Packet dropped. In order for Mr. Cracker to get ANY traffic in, he must spoof his address as being from 1.2.3.4, AND know the destination port on my PC. In short, the only way that Mr. Cracker can send ANYTHING to my PC is to snoop on my conversation to 1.2.3.4. So, people who can sniff passing traffic might stand a shot of getting something in., but he could only do this by inserting data into an existing stream. But Mr. Cracker could NOT attack an arbitrary port, such as what you would need for worms.

The table is the key for NAT. If you have two computers sharing one IP address, and both go to google for a query, how does the NAT know which computer gets which response? The answer is that the outgoing port numbers are randomized. So it is a combination of source port and destination port and IP address that determines where the packet goes. If a packet comes in that does not match, the NAT does not have any idea which computer gets is. So it is dropped.

This is useful.

And as to my comment that you questioned, it is simply that you would find it difficult to find an ISP over here that would give you a block of IP addresses for free. You get one address included. More addresses = more money.

Re:A router routes packets.

[msh104]

any good guide on how to set this up?
it sounds interesting to me, because I suffer from the H.323 thingy you mentioned.

Re:A router routes packets.

[FireFury03]

It is clear that you do not know now NAT works.

I know exactly how NAT works. If someone connects to one of your *INTERNAL* addresses from the outside world (not the router's address) then the router *WILL* allow the traffic through - all consumer grade DSL routers I've come across do this in their default configuration. since the traffic is directly addressed to the internal network it will bypass the NAT system completely. (Trust me - I've seen it happen several times on misconfigured customer's routers).

Compare to a connection tracking firewall, which does connection tracking in the same way as a NAT system does, except it actually does firewalling based on it.

In any case, my original arguement wasn't to discount the security that you inherently get from a NAT system, it was to say that you get at least the same security from a connection tracking firewall without many of the inherent problems you get from NAT, so in the case where you don't need NAT it would be better to avoid it. (From a technical perspective).

And as to my comment that you questioned, it is simply that you would find it difficult to find an ISP over here that would give you a block of IP addresses for free.

So your original comment that *I* wouldn't get an ISP account is completely wrong, you meant that *YOU* wouldn't be able to get a suitable account. As I said, in the UK it is very easy to get small IP subnets for free from any reasonable DSL provider if you need them. It seems that people in the US are being royally screwed then by being charged for something which is free.

Re:A router routes packets.

[SirTalon42]

"since the traffic is directly addressed to the internal network it will bypass the NAT system completely."

Since home routers use private network addresses (such as 192.168.x.y), if anyone on the internet sends out a packet your internal IP address it will be dropped by the first router it encounters because it will be unroutable. An ISP's router would have to be grossly misconfigured to allow it to move about (plus statistically very unlikely that it would ever happy, so unlikely that it can be ignored completely).

Re:A router routes packets.

[Ciaran_H]

Yes, but since computer B is logging into ISP Y, they must have at least one router too. Therefore your packet from computer A to computer B goes through at least two routers - ISP X's and ISP Y's.

Of course, you generally won't have such a direct connection as that, and as such you'll probably have any number of routers in the middle - check the output of traceroute to a site of your choice to see what I mean.

Re:A router routes packets.

[Ciaran_H]

Just reread your answer, and it mangles the question. He said from ISP X to ISP Y, not ISP Y to ISP Y. I think the parent was well aware that it would be possible for one ISP to have one router which both users are logged into otherwise he wouldn't have explicitly stated the two different ISPs.

Re:A router routes packets.

[FireFury03]

Since home routers use private network addresses (such as 192.168.x.y), if anyone on the internet sends out a packet your internal IP address it will be dropped by the first router it encounters because it will be unroutable.

*sigh* you haven't read what I said - Yes, it is unlikely but it seems like bad security to me for your security to rely on hardware you don't have access to to be configured correctly when there is a better way.

so unlikely that it can be ignored completely

I'd hate to have you doing security programming. "Oh yes, they could overrun that buffer and get root access, but it's statistically so unlikely that I'll ignore it... oops, they just did".

A big chunk of security work is thinking up unlikely things which could happen and closing those holes.

Re:A router routes packets.

[mabinogi]

I bow before your l33t n1nj4 networking sk1llz!

Re:A router routes packets.

[supertsaar]

Yes, but the packet _itself_ is unaware of this.... as far as _it_ knows its on a flat LAN....

Re:A router routes packets.

If the packet is destined for the router's address then yes it's blocked. If it's destined for a machine behind the router then it won't be blocked (I know of no consumer grade DSL router which blocks such packets by default).

I'm running a BEFSR41 (pretty much the most common consumer grade router out there) and, as far as I can tell short of recabling and load testing it does block 192.168.x.x traffic from the WAN. Specifically, I am on cable so the router is being constantly beaten with every kind of traffic you can imagine (including misconfigured local subnet traffic). All of the software I have monitoring the local zone indicates that those packets are not showing up there.

You still haven't explained where the _security_ advantage is in using NAT over a connection tracking firewall.

Securing a system is always a balance of cost, convenience and risk. If you can set up something that provides the security and convenience of a Linksys router for $30 total including hardware and labour, I'm listening. Even then, I would suggest that the cost benefit equation suggests having BOTH the router + whatever additional security you deem appropriate. I myself run the Linksys, Zone Alarm, a daily AV scan and some Linux packet scanning. If I could only keep one of those, I would stick with the Linksys since all the other tools are basically there just to dectect anything that gets past the router and, to date, nothing has.

Re:A router routes packets.

[1lus10n]

NAT is not a device. Its a feature. I dont know about the UK but here in the USA most every end-user router comes with a firewall and NAT has features. Using NAT has a stand alone security feature is retarded. That being said it can be used in combination with other things to assist in making a setup more secure.

You claim that NAT is a kludge. How so ? It provides a usefull feature and the ability to have a stand alone internal network with a single access point. One of the main things you do with security is limit access. Gaurding every box on a network singularly is a PITA and far FAR beyond what the average person or corporation wants to do. That doesnt mean the turtle theory is good (hard on the outside, soft and gooey on the inside) but the most reasonable level of expectation is somewhere in-between.

In reality NAT provides a level of obscurity. Although it can easily be worked around (or through) it is helpful in preventing or limiting the amount of malicious traffic that hits internal boxes.

Re:A router routes packets.

[mabinogi]

> A big chunk of security work is thinking up unlikely things which could happen and closing those holes.

Yes but so is addressing the most likely instances first, and not wasting time on the 1 in 10^100 instances until everything else is sorted out.
A lot of security concepts are based on "So unlikely that it can be ignored completely". Encryption is a good example of that, and most authorisation systems.

However, you're right that trusting a third party to do something right is never a good idea.
But NAT as implemented by home DSL routers is still a hell of a lot better than nothing, and protects you against everyting except a deliberate act from within your ISP.

You trust your money to no more than that with a bank.

Re:A router routes packets.

IGNORE THIS . . .

Re:A router routes packets.

[Jouser]

Sorry but the RFC does state the following:

This specification is primarily
useful in Metropolitan Area Networks.

and the other gentleman's statement mentioned going from one side of the world to another. What's this avian networks? A new player in the game against cisco?

Re:A router routes packets.

[FireFury03]

You claim that NAT is a kludge. How so ? It provides a usefull feature and the ability to have a stand alone internal network with a single access point.

It is a kludge to work around the lack of IP address space. If there were enough addresses to give one to every machine (see IPv6) then you wouldn't need it - you can still have an internal network with a single access point, but every machine on that network would have a real IP address.

Gaurding every box on a network singularly is a PITA and far FAR beyond what the average person or corporation wants to do.

Why do you need to guard every box singularly? Just tell the firewall between your network and the internet to not allow incoming connections for your subnet. You do not require NAT to do this.

My point was not that NAT does not have security benefits, it was that you do not need NAT to get the same (better) security just as easilly (easier infact since you avoid the problems associated with translating addresses).

Re:A router routes packets.

[NuclearDog]

"Mr Joe Cracker sends ANY sort of traffic to 9.8.7.6."

You assume that IP addresses are the only way packets are routed.

So Joe Random Cracker on the same router/switch at the ISP as you sends a packet destined for your NAT/router's ethernet address but the IP headers say it is destined for your computer's internal address?

Packet gets sent to router, router looks at the IP headers to see where to send it next and sees it's destined for your internal computer ("Hey! I know that guy!") and sends it to you.

Assuming, of course, that my understanding of ethernet and ip are correct.

ND

Re:A router routes packets.

NAT is not a security feature, its a convinience feature.

Besides the fact that you don't know the difference betweeen a packet filter and a firewall, your assersion is provably false.

All modern packet filters do *stateful inspection* - why? Because it's *MORE SECURE*.

By necessity, one-to-many NAT requires stateful inspection (because it wouldn't work otherwise. If an inbound connection is not part of session, it gets dropped.) In fact, stateful inspection packet filtering grew out of NAT.

Therefore, NAT *IS* a security feature, because it does stateful inspection of the traffic.

Re:Better interpretation of the results:

[ScrewMaster]

Would you care to be more specific as to those "obvious reasons"?

export $deity="Steve Jobs"

Can you cite an "OS X" exploit?

Just buy a mac :-)

Re:export $deity="Steve Jobs"

I'll bite:

http://secunia.com/product/96/

Granted, Apple is much faster (generally 1-3 weeks) at patching known bugs than Microsoft, but new issues are discovered every month and a couple weeks is plenty of time for a nasty worm to spread.

Re:export $deity="Steve Jobs"

Actually, I've had a Mac for a few years, now.

There's a pretty vibrant (fanatical) Mac community at my university; I tend to avoid them due to the simple fact that they completely lack social skills of any kind.

In all seriousness, the computer is just a tool. If it helps you get your work done, good for you. If it's not for you, move on and try something else. And for chrissakes, move out of your parents' basement, work on your hygeine, and get a life; there's quite a big world outside your lickable interfaces...

Better colours

http://shit.slashdot.org/article.pl?sid=05/01/18/0 218242

Re:Better colours

Interesting that this also works : http://slashdotislameihateslashdotmicrosoftiskings coisemperor.slashdot.org/article.pl?sid=05/01/18/0 218242

Re:Spelling

[NanoGator]

"Ahem, journalistic professionals, it should read, "...Solaris did not _fare_ so well.""

Oh CRAP!! I totally misunderstood that sentence!

Re:Spelling

[brilinux]

Actually, that was referring to the carnival last week in which some Sun representatives were kicked out after yelling "Linux sucks, use Solaris, Java r0x0rs!". Apparently, then, all the workers for the Sun attaction left, and it was taken over by some script kiddies and used to serve cotton candy.

Doesn't this say more about open source than linux

[neonfreon]

Most of the default services that run on common Linux distributions aren't specific to Linux itself, i.e. you can run apache, openssh, sendmail, etc on a BSD system just as easily as you can on a Linux system.

Granted, the underlying operating system can and does affect the exploitability of bugs that exist in these services, but the system comprimise is more of a direct result of the daemon than it is the underlying operating system.

In fact, the hardware of the system can and does have just as much or more influence over the exploitability of many daemon bugs as the operating system does, yet I see no mention of what architecture these honeypot boxes were running on in Honeypot Project's report.

Fare/Fair

[lousyd]

Interestingly Solaris 8 and 9 did not fair so well.

"Fare," god damn it. Not "fair".

Re:Fare/Fair

[stormi]

Indeed. *nods approvingly*

Re:Fare/Fair

"God", God damn it. Not "god".

cause an defect relationship?

[museumpeace]

of course solaris 8 and 9 didn't fare as well as Linux: you have to wait for Solaris 10 to get the magic open source effect on security;-)

Re:cause an defect relationship?

Yes, you do have to wait.

Solaris 10 copied a number of kernel ideas from Linux. Hopefully, they picked up better security

Re:cause an defect relationship?

> Solaris 10 copied a number of kernel ideas from Linux. Hopefully, they picked up better security Care to list them?

Or did you make this up?

Re:Better interpretation of the results:

Poor quality control (look at 2.6! G-d! Every kernel release is a roll of the dice)
Inconsistent standards
Amateur software engineering
Evolution instead of planned growth - Linux has a lot of appendixes
Reliance on corporate donations for anything good
Buggy drivers

Need I go on?

Re:OS/X BSD Unix

If my "mission impossible stunts" you mean walking over and plugging a network cable in ;)

More data

The honeynet project had just 4 data points.
I've had five Mac OS9 boxes online for longer,
and they have not been hacked. Therefore,
Macs are very secure.

Aren't statistics fun? All you need is a few
data points, and you can make fantastic
causal arguments. Wheeee!

Half Truth

[aoptik]

Gene Spafford was interviewed by linuxplanet couple of years ago. He says why linux isn't completely secure, even though it is a outdated interview, I will like to say most of his ideas do make sense even today.

Even if those honeypots are harder to penetrate that does not mean drivers, or individual applications that many people use are designed with security in mind first. Hackers are always going to be around all this means is that script kiddies are going to be able to do less and less to break into a linux but but more sophisticated hackers are going to want to try harder and within time. You will have the same problems just like in real life a ADT system can make your home safer does not mean you still will not get broken into. Plus, within this article you should be asking who are the security experts?

All in all I would hope people read this article in hopes that linux is their solution too security out of the box. In other words if you believe in security do not rely on the distro. to be 80% secure even if you locked the system up tight like your suppose too you still have a good chance of getting hacked. This article is just showing business people in the IT world that they can setup linux and not need a administartor with good experise to be hired instead of that person they can pay half as much with little experence to manage the network because linux is so secure. See where I am going with this article?

Re:Half Truth

[Taladar]

He says why linux isn't completely secure,

Might have something to do with "complete security" being impossible.

Hardening systems works!

[jjb]

The question is entirely one of pre-install system hardening. Solaris 9 barely improved anything hardening-wise over Solaris 8. It still ships with over 60 TCP ports open, a large number of UDP ports open, and some default-listening network services that have been deprecated for over five years, like tnamed. tnamed is the Trivial name daemon and pre-dates DNS!

Red Hat, on the other hand, has moved to both turning no remotely-accessible inetd/xinetd services on by default and offers an easy install-time firewall that works transparently on workstations and very simple servers. The difference in exposure of vulnerabilities to attackers is tremendous. The vulnerabilities may still be there, but the attacker often can't get to them or can't get the same level of privilege out of them. For instance, running OpenSSH in privilege-separated mode the way most Linux distros do now means that some exploits don't work, while others only grant the attacker non-root access.

Linux vendors/creators have led the commercial Unix world in pre-install hardening - I like to think this is due in part to the success of Bastille Linux, a hardening program for SuSE, Red Hat/Fedora, Debian, and Mandrake Linux, as well as HP-UX and Mac OS X. Bastille ships on recent HP-UX O/S's, is available from both Debian and SuSE as a vendor-supplied package.

Re:Hardening systems works!

Stop griping. Solaris 8 & 9 come with around 15 TCP & UDP ports open; even less if you don't install X (which you wouldn't on a real server, anyways). tnamed is not even enabled in a default install. Almost all those services can be disabled by editing the inetd configuration file. Stop spreading ignorance.

Re:Hardening systems works!

[neonfreon]

I wouldn't say that Linux Vendors hardening their system by default has anything to do at all with Bastille Linux. For the most part, Bastille just covers up for shortcomings in distribution desgin, which are bound to be corrected over time anyway. In my opinion, Bastille's utility depends on how poorly the system was designed for a security standpoint to begin with, and isn't due to any extra value added features that Bastille provides. Having said that, there will continue to be a need for hardening systems such as Bastille as long as vendors continue to ship with things that provide an additional security risk to everyone who uses the distro while only being of utility to a small portion of the people that use a distro (like isdn utilities being set to SUID as default, don't even try to tell me that most people use ISDN). Hopefully in the future vendors will take a more role based approach to securing systems, and only things that are explicity selected as required functionality will be enabled, eliminating extra nextwork services and unnecessarily SUID/SGID binaries.

Re:Hardening systems works!

Then use the vendor supplied tool on Solaris that is equivalent to Bastille:

http://www.sun.com/software/security/jass/

The Solaris Security Toolkit.

Re:Hardening systems works!

There are several Linux hardening projects around. Interestingly enough, they are somewhat orthogonal to each other, and tend to complement one another.

Here's a basic roundup of useful links:

• GRsecurity
• CIS Scan
• Openwall Project
• Bastille
• RSBAC
• SELinux

Re:Hardening systems works!

It would be nice to see the results of a similar honeypot project, except where the honeypot machines are installed by competent admins, and maybe another set where they are also maintained by competent admins. As is, these results hold little direct relevance to me; I guess i can present them to my boss and tell him that's his survivability if he didn't have me and my co-workers, or someone as competent.

Re:Hardening systems works!

[Nailer]

Also, note Linux generally runs services as their own account. Apache HTTPD runs as apache, VSFTPd as ftp, BIND runs as named, OpenLDAP runs as ldap.

In Solaris, most services share the 'nobody' account. When means when you break nobody, you have a lot more access to the system.

Re:Hardening systems works!

[thogard]

Brand new V100 out of the box from sun. Put on a network and given an public ip address and while other things were done. Soon it started probing every machine on the test network.

That should not happen. With my production sun boxes, I purge everything rpc related and comment out all kinds of crud in inetd.conf. The base install is just wrong.

Re:Hardening systems works!

[SunFan]

Or download Solaris and get them all in one bundle.

Re:Hardening systems works!

[SunFan]

Are you saying that Solaris remained uncompromised for as long as it did even with that many ports open?

Re:Hardening systems works!

You shouldn't be putting a machine on the network without hardening it first. Sun provides a great tool for this called the Solaris Security Toolkit (http://www.sun.com/software/security/jass/). Its like bastille for linux only better IMO. Its easier to customize and run it repeatedly (like after patches have been installed) and it can be setup to run as a finish script in a jumpstart install.

Re:Hardening systems works!

[jjb]

I think projects like Bastille, and to a greater extent the Center for Internet Security's work, both illustrate to vendors what improvements they could make and create a sysadmin awareness of and experience with hardening measures. Creating that awareness and experience then creates demand on the sysadmin's part that their vendor give them systems in better default configurations and comfort in the vendors' minds that the sysadmins can handle the hardening measures.
Finally, these kinds of projects demonstrate the effect of hardening to sysadmins when their hardened systems fare better than their stock systems in the face of an attack.

The effect of easing the hardening of systems is to produce far more hardened systems, which has the macroscopic effect of making the Best Practice into a Standard Practice. Take the example of telnet on by default. Bastille and programs like it had been turning off telnet for years and educating sysadmins about SSH as a replacement before vendors became comfortable turning it off.

Here's another example, more complicated. Most Linux vendors chroot their DNS servers, for instance -- they didn't do this for the first two years that Bastille was around until the Lion worm changed their minds. Chroot'ed DNS servers fared much better, it had been best practice to chroot for a while, and projects like Bastille created a larger base of admins comfortable with the practice. When vendors' packagers decide whether to do this by default, they feel more comfortable with the idea if they've seen it done a great deal in the field. They feel even more comfortable if they've seen it done successfully programmatically.

Re:Hardening systems works!

[jjb]

First, Solaris 9 comes with 61 listening ports, as shown in the analysis here. I did the netstat on my VMware image of a completely virgin Solaris 9 system. I thought it was 60+ for TCP alone, but this is still over 10 times what Red Hat 9 was shipping with. Solaris 8 was worse, so Sun is improving.

Next, tnamed is still active on Solaris 9. From the same box:

# grep tnamed /etc/inetd.conf name dgram udp wait root /usr/sbin/in.tnamed in.tnamed

Finally, as another poster pointed out, Sun's got a great tool in JASS, a vendor-supplied tool. And we all owe a debt to Titan, the first majorly popular Sun hardening program. YASSPis also out there for Sun.

Re:Hardening systems works!

[sad_]

Ofcourse you can disable the services, but that is not the point here. We are talking about default installation security. Which is just horrible on solaris (but just so on hpux i might add).

There are still security settings to change on both systems after install, i just know that on linux (red hat) there will less left to close.

If you do not acknowledge this fact, then it is you who is ignorant.

Re:Hardening systems works!

[thogard]

BS. I buy a system from sub because of its reputation. If that reputation isn't correct, the box gets owned and I never buy their junk again. If they can't provide a simple command line tool to keep their systems from being owned, its junk. And I don't buy junk.

Re:Hardening systems works!

Solaris 10 has been available on beta for a good while now, and is quite secure by default. It's going gold soon. Just pointing this out before the usual /. zealots get on their anti-Sun rave (which still don't understand). See below (from Sun.com):

One of the key security enhancements to the Solaris 10 OS is the ability for system administrators to install the system with no default network services enabled, creating a secure building block for a customized system. Enhanced security profiles are due in a future update of the Solaris 10 OS, which will install with minimized, protected network services and protective firewall services enabled. These features can save many hours of configuration and training costs.

One area of concern is stack buffer overflows, which enable many types of common attacks. The Solaris 10 OS defends the entire system from these attacks with system-wide and new per-application stack buffer overflow protection that prevents malicious code from executing. Per-application stack buffer overflow provides more flexibility for application compatibility; developers can link to designated libraries for stack overflow protection.

Solaris Process Rights Management limits and selectively enables applications to gain access to just enough system resources to perform their function. This capability dramatically reduces the possibility of attack from a poorly written application by eliminating inappropriate access to the system. Even if a hacker gains access to an application server, they are unable to increase operating privileges, thus limiting the opportunity to inject malicious code or otherwise damage data.

The Solaris 10 OS also includes file integrity checking, which verifies the integrity of a file through a unique digital signature, making it easy to validate that system resources are not modified without knowledge.

http://www.sun.com/software/solaris/10/ds/securi ty .jsp

wrong definition.

Security is a process AND a state, albeit a state with many degrees and a process with many steps.

Security

[Per+Wigren]

I think that the most secure OS is the one easiest to keep up-to-date because the most common reason for hacking is uninstalled patches.

The worst OS I've ever had the displeasure to patch is Solaris (8 - maybe it's better now). 35 patches. Had to calculate patch dependancies and install them one by one. 5 of them needed "immediate reboot", another 15 or so needed to be installed in single user mode. A Solaris server take a LONG time to boot. That's a lot of unwanted downtime.. I'm not surprised that most Solaris systems out there (even very critical ones) are waaay behind security patch schedule..

Compare that to "apt-get update && apt-get upgrade". Rarely even needs a reboot..

Luckily I'm not forced to use Solaris anymore. :)

Re:Security

This is the reason people don't like Solaris - idiots like you spreading this garbage Take a look at PatchPro. You were obviously an incompetent Solaris administrator.

Re:Security

Did you run Patch Manager or download the Recommended and Security Patch Cluster, rather than indivudal patches?

These contain a role up of all the patches for a Solaris release.

Re:Security

[segfaultcoredump]

Two issues with your solaris admin experience:

1) Even way back in solaris 2.5 (and probably before that, but that is when I started), you could just download the latest patch cluster, run 'install_cluster', and then reboot when you were done (if required... see below). That was it. No muss, no fuss... A new cluster was generated every 2 weeks for the lazy admin who wanted to stay up to date with patches yet not actually read the patch notes

2) Nowadays, its even easier... All you have to do is install the latest patchpro. Then you can do several things. For the brave/stupid, you can run smpatch (the main patchpro command) out of cron and have it automatically fetch and install the latest `non reboot` pathes and install them. For those of us who have to run under a change control system that requires notifying others of changes, there is `smpatch analyze`, `smpatch download` and `smpatch add`.

You can use the analyze command to generate a list of patches in order of dependencies and then feed that list into your change control system for tracking what you applied. The use the 'download' and 'add' commands then take that list and download them to the system and then add them to the system. (the 'add' command will also perform the download if you dont want to stage them ahead of time.)

If you made any 'major changes' like an updated kernel, you'll want to reboot. If you didnt apply any patches that require a reboot, then no problem, dont reboot. Some patches may say that they require a reboot, but a savvy admin (or a daring one ) can get around those 'recommendations' reloading the impacted kernel modules (sun even has a way to hot patch the kernel for those customers that absolutely can not bring the system down anytime soon)

Even 'apt-get update' needs a reboot when you change big things like kernels or major libraries (or at least restarting all apps/services/whatever that use those libraries, at which point you may as well just suck it up and reboot since the service is going down. You didnt think that those running apps would get all of those libc.so updates without restarting did ya?)

And as an extra added bonus, smpatch only downloads signed patches and verifies the signature before installing.

Re:Security

[Ramadog]

If you use the right tools, patching solaris is a lot easier than what you did. I have found patching solaris machines quite easy.

Download the latest patch cluster, maybe drop to single user mode and run the cluster. It does all the work for you.

There is a tool that will look at your system and determine what patches you need and do the work for you.

Re:Security

[Per+Wigren]

Yes, I'm not a Solaris administrator at all and I never pretended to be, this was something I was forced to do. I looked at PatchPro but never tried it because it still seemed a lot kludgier than it should be and the PatchPro webpage hints that it requires Netscape 4.7 with Java, WTF?
Patch-management for a few servers shouldn't require a full-time job..

Sorry for spreading FUD, I was just a little bitter.. :)

Re:Security

isn't smpatch one of the tools that let the hackers into sun boxes?

Re:Security

well, I was unlucky enough to install win2k3 server today.. 31 critical patches!

Re:Security

[sad_]

Even 'apt-get update' needs a reboot when you change big things like kernels or major libraries

this has got nothing to do with apt, you can patch your linux system with rpm without rebooting even if it is a kernel, library or some daemon update. it has nothing to do with your package manager
ok, now that we have that out of the way, the reason why daemons are restarted or why it is good to reboot after these updates is because ... you don't want to leave the insecure kernel/daemon/etc running ...otherwise you could just as well not patch or wait until you get to your outage window.

Re:Security

[segfaultcoredump]

that was my point, it does not matter if you are using rpm, apt, patchadd or tar.

And there may be another reason why you want to reboot: in the case of libraries, you may have shared memory apps (like oracle) running w/ one libc trying to talk to each other with different versions of the systems libs.... it could introduce subtle bugs that cause big problems. It is best to just shut it down and reboot.

The same is true on solaris... I dont necessarily _have_ to reboot, but it is higly suggested that i do for the reasons that we have outlined above.

Re:Security

[Wiz]

1) Even way back in solaris 2.5 (and probably before that, but that is when I started), you could just download the latest patch cluster, run 'install_cluster', and then reboot when you were done (if required... see below). That was it. No muss, no fuss... A new cluster was generated every 2 weeks for the lazy admin who wanted to stay up to date with patches yet not actually read the patch notes

I can't comment on smpatch, but I can comment on this. It is terrible.

Ok, sure, it does get all the patches applied. The problem is that it tries to re-apply patches that you've already got, on even on our fastest systems it still takes a long time for each patch to fail. On our desktop Ultra 5, it caused way too much trashing for each patch to fail. As least Redhat, Debian, etc etc only apply patches that are required.

Re:Security

[segfaultcoredump]

It did not re-apply old patches. It just takes so long that one thinks that it is re-applying them. (i know, same result)

The solaris patch mechanism is rather paranoid and does a dozen checks for each patch. The main one is that it runs 'showrev -p' for each patch and then parses the output. On a slow system (the ultra5 has both a slow cpu and a slow disk), this can take a while... a long while. If it sees that the patch is already installed, it will exit out and go onto the next patch (and run showrev -p again).

To make the patch process even slower, solaris then backs up each file, makes sure that there is enough space to do the patch by doing a 'dry run', and then finally appliess the patch.

It does this for each and every patch. To make things even worse, the 'patchadd' script is just that, a huge ksh script that is slow. With each invocation it checks things over and over again. (what packages does this patch patch? are they installed? what patches rely on this one? what patches does this patch rely on? are the dependencies met? can i apply this patch without running out of disk space?, etc, etc)

Sun has speed things up starting w/ a patch to patchadd in solaris 8, but it still takes a while. The only advantage is that the patchadd script will not screw up a system (the patch itself may, but patchadd wont) and you can always back out unless you specify -d.

Re:Security

[segfaultcoredump]

smpatch can run in two modes: Local and Remote.

Remote uses the WebEM management framework (or whatever they are calling it today). This is one of the first things that i disable when setting up a new system. Like Webmin, it is ok for operation on a trusted network, but is a bit too new for me to trust till it has been put through the full test. (aparently, it failed) Besides, I dont like running things that serve no real purpose and yet open the system up to full 'remote management' (i'll stick w/ ssh keys for now)

Local mode is just that, smpatch can only run on the local system by root (or somebody with the correct privs now that solaris 9 and newer have made root obsolete for those willing to take the plunge).

Thus, I doubt that smpatch was the problem. The management framework, however.... that has 'hack me' written all over it :-)

Re:Security

[Rod.Dorman]

>I think that the most secure OS is the one easiest to keep up-to-date because the most common reason for hacking is uninstalled patches.

I'd have to disagree with this. MS-Windows has a fairly easy update mechanism but there's no way I would call it a secure OS :-)

Making it easy to apply patches certainly contributes to keeping it secure but you need to start with the underlying architecture being secure first.

Re:They aren't after your data - just your connect

[agraupe]

I do mean NAT/hardware firewall/router thingy. And, yeah, my point was that there are enough unprotected boxes out there that it doesn't make sense to hack through said NAT/firewall device, unless there was sure to be something tempting on the other side, in much the same way that having a deadbolt will protect you from most home breakins.

bad analogy

Don't change your oil and your car breaks down /once/.

Security is a strong concept of safeness

[Peter+Cooper]

When we rolled in Linux to automate our internal business systems, security was at the top of the flag pole for us. Our old systems (AIX) had suffered from numerous repetitive flaws particularly in areas of allowing certain connections and not allowing others, which posed a significant problem when it came to securing the entire network from outside abuse.

We analyzed the various systems available to us at the time we were making the rearchitecture decision, some six months ago or so, and quite rapidly we reached a decision based on the data. That is.. Linux would be more secure in our company because we already have the technical people using Linux outside of work who would be able to already understand the system and be able to fix specific and non-specific security issues themselves rather than having us rely on an outside contractor or vendor. This meant we could buy vanilla beige boxes and install Linux, set up all of our business processes, all without having to go to one of those vendors such as RedHat, Sun, or one of the other many vendors in the Linux field.

So, security is a strong concept of safeness for us, and we're glad we're running Linux.

mine took 3 weeks

[IASmaster]

It's true, I had mine unpatched for about 3 weeks before i "knew" it was hacked. I know I deserved it, but someone didn't have to over-write 60 important system commands with "ps"

Jerk

Re:Spelling

How about the "less services" gaff? :) Good thing I'm not a writer. My grammar and spelling suck.

How about testing against NAT/routers?

[slashname3]

Interesting study, not all that surprising.

How about a study like this against the varous NAT/routers being used out there? How easy is it to own systems sitting behind those? This appears to be the standard anymore for the millions of cable/dsl connections.

Re:How about testing against NAT/routers?

[woah]

Interesting study, not all that surprising. How about a study like this against the varous NAT/routers being used out there? How easy is it to own systems sitting behind those?

... also, how easy is it to own the routers themselves?

I think this is a real issue with all those cheap broadband routers.

Re:LEADING ANALYSTS CONFIRM IT...

[Veamon]

Whatever, its all about knowing which security holes to exploit. Someone would have a better chance hacking a Linux box than my PC...just because 'tard with a PC is too dumb to patch their system, everyone thinks "Windows sucks, Windows sucks"...put the same 'tard with a Linux machine, and the same thing would happen. Blame the user, not the equipment.

Client Side Attacks

[neonfreon]

What about client side attacks, such as attacks against web browsers and email clients? These kind of security problems comprise a large portion of attacks against Windows based machines, and with the rising popularity of cheap routers that provide good protection to home users via firewall and NAT rules that will prevent direct attacks against daemons, client side attacks will be rising in popularity over the next few years, and cheaply available firewalls won't do anything to help.

Of course, this kind of analysis would require a more involved approach to testing O/S security, rather than just installing an O/S, throwing it on the internet and sitting back and waiting for whatever randomly happens to it to happen, which doesn't really seem to be the way honeynet likes to operate.

Keep in mind that Honeypots were originally intended to track the behavior of so called blackhats, not to analyze the security of operating systems, and they probbably aren't the best choice for the job.

Re:Client Side Attacks

simple. block ActiveX and java at the firewall as well as site specific blocking at the firewall.

we do this at work, it's great when the NOC is already ahead of the game.

and yes, some users whine about the java and ActiveX blocking, but it never is on a website that is important to company business, only "fun sites", and they always shut up when they are told, "and what does this site have to do with company business?"

-5 wrong

you know, it's amazing that when the parent says you don't know what the meaning of 'router' is, and you prove him right, that you get modded up. i don't know who belongs on a tard-farm more: you or the moderators.

EXCELLENT ANALYSIS!

[Futurepower(R)]

MOD PARENT UP!!!! That is an excellent analysis.

Quote: "... no-one who has zero day exploits goes around using them on random machines."

FYI -- "Pwned"

It's "pwned", or the variant "pwn3d!!/11", now.

If you're still using "0wned", you're a geezer; over the hill, above the speed limit. Go to the back of the bus with all the other people who've used a PDP-11 in their lifetime.

Re:FYI -- "Pwned"

[TapeCutter]

It's childish and boring, kind of like pig latin.
I would rant on (like only an old fart's or a teenage girl can) but the handset keeps falling off my modem....

Re:LEADING ANALYSTS CONFIRM IT...

[techno-vampire]

That's not what the article said. It tested unpatched boxes in all cases. The Linux, Solaris and Windows boxen were all default installations, with no security patches or add-ons.

Is there an end-point to patches?

[Tzarius]

I wanted to make the title "Is there an end-point to security" but the answer to that is obvious.

Rather, I'm asking whether, given a system to which no new features will be added, will the process of patching the vulnerabilities (buffer overflows, whathaveyou) eventually make it impossible to enter the system by exploiting the software it is runnning? (ignoring other avenues such as social engineering for the moment).

Interesting.

[jd]

Personally, I'd have set the scoring up on a sliding scale, so that easier-to-hack boxes scored fewer and fewer points, the more they were broken into. If a system isn't getting any harder, then it damn well shouldn't be worth anything. Likewise, if a box was surviving all-out assaults, it should be gaining in value.

(The idea being to discourage people from playing at skript-kiddie, but concentrating on the real challenges. Using the above logic, if a box was "practically uncrackable", the incentive should be so great that it becomes almost the sole focus.)

As for Linux, a correctly-configured hardened box should come close to VMS in security. The sorts of things that you could configure to do this are as follows:

• Configure iptables to block ports that should not be visible from the outside. Either that, or get it to return spurious data, to confuse scanners.
  
• Use one (or preferably two) of SE-Linux, GRSecurity and RSBAC, to make it hard to actually use any exploits that are found.
  
• Disable insecure protocols where possible. If you have to use them, run them over IPSec.
  
• If a server isn't time-sensitive, then use a bounds-checker such as ElectricFence to reduce the risks.
  
• Use a pro-active NIDS to block suspicious traffic (usually an indicator of a scan).
  
• Verify file permissions with a utility such as TARA, although that one might be a little old these days.
  
• Scan for weaknesses with the latest Nessus and -at least- one other independent security scanner.
  

The reason for so many steps is that Linux is flexible. Flexibility, if used well, can make for an extremely tough system. If used badly, it can make for a highly vulnerable system. Mistakes are not always easy to catch, so it's better to have enough independent redundancy that a failure isn't catastrophic.

VMS had flaws, too, and could be easily mis-configured. (Being able to put DCL scripts in mail subject lines was plain stupid.) But, again, if set up well, was virtually bullet-proof.

Re:Interesting.

Finally, Actually pay attention to your sshd configuration. almost EVERY linux distro comes with sshd set up to allow root login.. this is INSANE. disable root login and enable the password security functions.

i also strongly suggest grepping the logs for sshd and sending the result to yourself in email form twice daily and LOOKING though it.

you would be suprised the number of ssh attempts you take on.

i just wish there was a secure way to open up sshd and add in those accounts they are trying with the passwords they want but redirecting to a 30 second timeout and then logoff that was secure enough to not break out.

that would keep a script kiddie busy for weeks trying to figure out that sucessful login that goes nowhere and then disconnects.

hell, ask for a username and password again, with no possible sucessful combination.. lety them try and bang on that for a few weeks.

Re:Interesting.

[dpilot]

You've really just described another sort of honeypot. How about adding the MOTD:
"Welcome to WOPR. Do you want to play Global Thermonuclear War?"

Re:Interesting.

using su is plain dangerous!

if someone comprimises your account its not all that difficult for them to monitor everything you do with your account. If they can do that then they can capture the password you use to su.

despite the dangers of su for some reaon people still seem to forwn on direct logins to root remotely.

Re:Interesting.

[fizbin]

i just wish there was a secure way to open up sshd and add in those accounts they are trying with the passwords they want but redirecting to a 30 second timeout and then logoff that was secure enough to not break out.

There is. All you have to do is set them up with an ultra-restrictive shell, and with a home directory that no one but root can write to.

For example, you could write a simple C program that prints some specified string, sits and waits for some amount of time, then prints some other string and exits. Add some stuff to syslog along the way for fun (for example, log the arguments to see if they're trying sftp). Maybe you could even go a small tiny bit further and have an actual miniature shell, though that'd be too risky for my tastes.

Then, compile it statically - it shouldn't be an issue if you've got the home directory locked down, but I don't always trust that the attackers won't be able to sneak some harmful environmental variable in there somehow. Put it in /usr/bin and enter it as a valid shell in /etc/shells, then add these accounts they're trying to use to your system, with the home directory set to some root-owned directory. Sit back and watch.

What I suspect you'll see is that you won't actually end up slowing these people down much; as the fake shell doesn't handle the "-c" option, they'll see the same result from:
ssh yourhost.com echo I got in
as they do from:
ssh yourhost.com
and then it's pretty obvious that this isn't a real compromised account.

Re:Interesting.

[Opcom]

It is a little more than odd that thereafter, the rules were changed in a manner that disallowed VMS (and most other o/s's) and required a game-standardized defcon-supplied operating system and application set. Too much heat in the kitchen I suppose. We were going to take VMS back again, and offer even more services to attack, but with the rule change we did not get the chance.

Here's a counter to that.

[khasim]

http://www.techweb.com/wire/security/54201306

The attacks are scripted to do port scans to find open ports that correspond to the attacks the zombies are launching.

If you don't have the ports open, then they don't attack the services commonly using those ports.

There was another, better article that stated that Linux boxes had Linux-app-specific attacks against them either twice an hour or once every 2 hours (I don't remember which).

The point is, if you are vulnerable, you WILL be attacked.

How many Windows machines there are out there does NOT matter.

How few Linux machines there are out there does NOT matter.

The attacks are automated and run 24/7/52. Your machine will be found.

That doesn't make Linux "more secure," in the sense of a native attribute of the O/S; it just means people are less interested in writing exploits or there are fewer unpatched machines to propagate them.

Read more articles. See how most Linux distributions have things like Apache running in a more secured state (non-root and/or in a chroot'ed environment).

Security is all about limiting the avenues of attack.

Re:Better interpretation of the results:

[Klingensor]

No. Go eat dirt. Oh, you're already doing that.

The Way to a 100% Secure System

[one_n_only_wildcat]

There is a way to a 100% secure system..

http://www.worleybuggerflyco.com/flytyingtools/arr ow_diagram.jpg

Re:The Way to a 100% Secure System

Yeah, it works even even better if that is the power cord, (instead of the network cable) !!

Re:The Way to a 100% Secure System

"The only system that is truly secure is one that is switched off and unplugged, locked in a titanium safe, buried in a concrete vault on the bottom of the sea and surrounded by very highly paid armed guards," says Eugene H. Spafford, director of the Purdue Center for Education and Research in Information Assurance and Security. "Even then I wouldn't bet on it."

Mod parent up, please.

[khasim]

Nice explanation of "PAT" vs "NAT". Thanks for correcting me.

You might want to toss in "IP Masquerading", too. A term familiar to many of us from the days of the 2.0 kernel.

Also, it is possible to have both PAT and NAT on one firewall. This is commonly seen where you have one firewall providing PAT/firewalling for the users, and NAT for the servers in the DMZ.

tired and read this article wrong...

I thought it said "linux, like a plumber on the Atkins diet, is harder to crack..."

Re:LEADING ANALYSTS CONFIRM IT...

[tonsofpcs]

Actually, if you read it, it says that some of the linux systems had ADDITIONAL SERVICES enabled, not default installs.

It's all about choices, baby.

[khasim]

Tell the millions of gamers out there about it.

Okay, listen up you all.

"A big hello to all intelligent lifeforms everywhere...and to everyone else out there, the secret is to bang the rocks together, guys."

But seriously, run whatever you want to. Just remember that your machine can be taken over and used to spew spam and DDoS attacks. Let's all act responsibly with whatever we choose to run and make sure we're keeping the scumwads off of our machines.

Re:It's all about choices, baby.

come over here and say that

Re:Work hard for the Linus Force!

Someone donating their time and expertise bothers you that much, huh.

Perhaps you have too much time and too little expertise.

We've been through this before.

[khasim]

If I want to verify that my Debian box is 100% clean, I just boot with a Knoppix disk, chroot the box and use dpkg to list the installed packages and again to validate all of the files against the installed packages.

Any files that are not identified that way should only be in the /home/~* directory. If you find something somewhere else ...

Validating a Debian box is easy. I'm sure that validating most other Linux boxes is just as easy. Any advice from Red Hat/Fedora or SuSE or others?

I like Debian.

Re:We've been through this before.

You shouldn't do that from within the chroot.

If there were a rootkit installed on the system, it would include a modified dpkg binary (amongst other things) if it were any good.

Verify your verification tools from outside the chroot.

But still, the Fedora and SuSE users I know would have installed too many non-distro RPMs. Having a smaller package library IS a liability when you need to pull in packages from umpteen different projects and sources. It is a liability because you no longer have a single, definitive source you can look to in order to verify your system

Re:We've been through this before.

[Erik+Hensema]

rpm -qa | while read package ; do rpm -V $package ; done

Re:We've been through this before.

[Sunspire]

Simply "rpm -Va" will do, as in Validate All.

Re:We've been through this before.

[1lus10n]

but scripting is funner and informative.

/end_re-inventing_wheel_syndrome

Re:We've been through this before.

How would that help if the malware is in your BIOS, or your cdrom/hard drive/video card firmware? A compromised machine can't be trusted at all, not even booting from a clean knoppix cd is enough anymore. See "Reflections on Trusting Trust" for more information.

Mod parent as "Informative"

[zooblethorpe]

http://slashdot.org/comments.pl?sid=136414&cid=113 92284/

Re:Leading analysts confirm it...

Actually, I recommend using some elder kernel and elder software (Becuase most of the market uses Win98 -- let's be fair here and put Linux on the same slate). And running all services as root (becuase anytime a service update or any program says it can't do something withtout root access, they *will* give it the password -- they don't care).

Use your fucking head moron, it's all social engineering one way or another.

Any machine truely capable of being infect in 4 minutes is behind a NAT router/firewall, becuase they use a broadband service. Heck, I wouldn't trust my Gentoo box (hardened) without it being behind my NAT firewall... I can't keep up with all those updates, I have a life... oh wait... this is slashdot... you probably don't and *like* updating hundreds of lines of config files just to get %01 more secure. No thanks, I like windows configuring for me. I'm running clean with no problems (and yes, I have looked at my network traffic -- nothing abnormal).

In other words, you morons only read these and believe them -- you never do the dirty work yourselves. Bling faith in security is worse than knowing your insecure -- becuase at least one you can do something about it.

Welcome to the biased slashdot community... filled with Linux zealots of hell...

Oh yes, and please fucking turn caps off when putting a subject in.

Statistically Insignificant

[hallucination]

Anyone who has even done basic high school statistics can tell you that the numbers in these reports are absolutely statistically insignificant. They don't mean a thing.

Re:Statistically Insignificant

In South Korea, only old people learn statistics in high school.

Re:Statistically Insignificant

[xmp_phrack]

i agree they are relatively insignificant, but interesting nevertheless. in the case of Honeynet Project, the sample size is too low. the probability of an attack will also vary with IP address allocation, perceived box worth, and other factors. nevertheless an unpatched linux box is a bit safer than an unpatched windows box. with windows, you'll get nailed by DCOM, LSASS, or others via worms and autorooters. with linux, you will probably have a semi-manual attacker where there's a script kiddie at the keyboard enumerating and rooting the system. the problem is one of time and money. a home user just can't be bothered to patch and harden his box. a net admin is already extremely busy. the hackers have time on their side, and by hiding behind enough zombies, they are relatively safe from prosecution. in rare cases, you'll have a skilled attacker who can bypass stackguards, chroot, IDS, and other safeguards. you can kiss you ass goodbye in those cases. fortunately the more skilled attackers are often stealthy and inconspicious and at least have a set of ethics to which they adhere. the main problem today is the DDOS zombies, spam zombies and skript kiddies. this is one argument for partial or non disclosure of exploits.

Solaris 8

[terryfunk]

I have run Solaris on Sun architecture since 1997.

Out of the box Solaris 5,6,7 and 8 are VERY insecure if left unpatched. Even when patched they can be rather insecure and crackable with ease. Though more secure than Windows servers, Solaris is MUST be patched and basically run with RPCs all shutdown, if the server is running outside your intranet. Placing it in a DMZ is also a must.

Re:Solaris 8

FUD. The point of a server is normally to provide some service, impossible if you shut down all services. Patch the machines and you'll be fine.

Re:Solaris 8

[kellererik]

Upgrade to Solaris 9, activate the supplied firewall (needs some configuration, though) and you are golden.
Only Traffic supposed to reach the machine will reach it. I used this as an example in my book, if you are willing to invest 30 minutes reading documentation, getting the firewall up and running is a no-brainer; it will rat every IP trying to access it out to you as a bonus.

my 2 cents
Erik

no, not even.

[twitter]

It's such a bullshit comparison. Windows XP gets owned in 3 minutes after starting up. Linux takes 3 weeks. Wooo! Linux must be harder to own! No, there's just more losers out there trying to break into random Windows XP boxes than there are losers out there trying to break into random Linux boxes.

So, is this a good reason to use Windoze or something? What's your point? Most of us here are running "random" machines and would rather not be owned before we can update our way out of harm's way. Even if you were right in your reasoning, the result is still in favor of using Linux over the alternatives, Windoze and Solaris.

Do you have a better method to determine system performance than the one used? All your theorizing is so much BS when actual computers are put onto the web in normal configurations. Put it up.

If anything, the Windoze boxes had it easy. I doubt they configured the thing to surf with IE or read email with OE, which are both filled with holes. Surfing with Konqueror/Mozilla/Dillo/Galeon/whatever is a world safer as is reading your email with Evolution/Kmail/MozillaMail/Balsa/mutt/whatever. We can be sure the results would be worse for Windoze if all the machines were set to get mail every 5 minutes. Many would not survive the first shot.

Re:They aren't after your data - just your connect

[maxpublic]

The "little blue box" is usually both a router AND a hub, and uses NAT (not much good to Joe HomeUser otherwise, since he probably bought it to link up his computers in a home network and connect them all to the net through a single i.p. address). This is enough to deter the script kiddies, unless you've gone and left all your services running without restriction or simply port-forwarded everything under the sun to a computer on your home network without thinking about it.

Combine the little blue box with a firewall, however (e.g., ZoneAlarm) and you've just defeated 99.9% of the so-called 'hackers' out there. Because when all is said and done they're nothing more than little brats who've jacked someone else's code and used it, and they themselves have no friggin' clue how any of this works, much less how to write code themselves. In fact, I'm willing to bet if you asked most of these 'hackers' whether the little blue box was a router or hub or both, they'd just stare at you blankly.

All you need to do from this point on is a) DON'T user IE, and b) don't friggin' download crap from an untrusted source! I admit I rarely use my Windows partition (mostly for gaming, or after gaming when I'm too lazy to reboot or haul my ass to one of my other machines, like right now) but I've never had a successful hack of my system despite the fact that nowadays it's almost constantly being scanned for vulnerabilities.

Max

Re:LEADING ANALYSTS CONFIRM IT...

[aichpvee]

Only a windows user would be enough of a "'tard" to say PC when they mean windows and fail to understand that Linux was developed FOR PC. Though obviously it runs on just about anything these days.

OS/2

[TapeCutter]

Maybe that's the same reason some ATM's use OS/2. Nah, that would be "security through obscurity" and bank's know better than to...never mind.

Not Unix.

[TapeCutter]

I'm I keep getting stack overflows trying to work out what GNU stands for.

SELinux

[Sunspire]

I'm personally wondering how a relatively new system like SELinux combined with Exec-Shield are keeping machines from being rooted. Let's say a cracker a compromises your Apache server through a bug in the server itself or a flaw you've introduced yourself through either a CGI or PHP script. He is simply not breaking out of the kernel security context set by the SELinux policy, so what's a hacker to do these days? Would a local root exploit allow you to bypass SELinux? What if there's no root on the system anymore, which is entirely possible. Doesn't that completely mess up the hacker's plans?

Do people still get rooted running something like Fedora Core 3 with SELinux? I can imagine they do, you just don't really hear about it anymore. Perhaps the system is still too new to tell either way. If every daemon is locked down with a targeted SELinux policy in the future, and I see no reason why you wouldn't want this once someone has done the work of writing the policy, perhaps we'll see a dramatic reduction in compromised systems.

BUT I LIKE CAPS, FAG

Yeah, you go ahead and trust Windows. I'll just stay here and wait for the explosion.

Re:Spelling

At least you can spell "grammar" correctly, so you're better than 90% of all "grammer" nazis.

Obviously...

You've never used SE Linux, or any MAC/DTE/RBAC environment I'd wager. *grin*

Silly really

Anyone connecting an unpatched server to the Internet is looking for trouble. This study is pretty pointless. Anyone with a clue would have patched their servers. It's like doing a study to find out which freeway is the safest to let your kids play on.

Yup Solaris 10 is the one to wait for, don't see how open source will make a huge impact though. Just look and Java and .NET VM implementations. The open source implementations aren't even in the same performance league as the commercial implementations from Sun, IBM, BEA and Microsoft and probably never will be.

Re:of course

Will you teach me to see the future too?

Or if you don't, will you teach me to be a dumbass just like you?

Nonsense!

Let's see, looks like some typical slashdot logic.
Linux is a UNIX clone. Solaris is the leading Linux. Rather obvious where the ideas came from isn't it.

Solaris 10 is FAR more advanced than any Linux implementation. To claim that it is stealing ideas from Linux is just silly.

As for security Linux could learn a lot from Solaris 10's military grade security. You must be delusional if you think a study of the security of UNPATCHED servers is of any relevance to a serious data center.

Old article,

[TapeCutter]

Yes it is an "old" article and so is my Win98 install. Five plus years now connected to either cable or DSL. Two reasons why my install is stable enough to browse porn with IE.

1. I'm an old fart.
2. The kids moved out and took all thier teenage mates with them.

Please don't take this to mean I want everyone to use Win98 or that my box is "unbreakable". I like it because "it works for me", when it doesn't I will go to the hassle of replacing it.

Forgot to mention :

If no rule matches an incoming packet from the internet ...

Rolls Royce Help Desk, Workaround #13.

[TapeCutter]

1. Remove packaging and read engine EULA.
2. Erase any existing traces of engine from engine bay and clean with pressure hose.
3. Format engine bay with new engine mounts.
4. RTFM and install new engine.
5. Install patches, ..I mean parts, oil filter, oil, water, spark plugs.
6. Tune engine.
Note: If at any stage you find that you can not proceed to the next step then refer to Workaround #1 ( Keys locked in car).

Desktop security

[Halcyon-X]

Wrong. Security is a state. Securing is a proces.

Right, and it's my experience that securing Linux is not only a lot easier because there is more information readily available to allow you to determine exactly what you're running and the flexibility in configuring it, but because there are distributions that address these concerns on the desktop with easy to use interfaces such as Redhat's Firewall configuration tool, Services configuration tool, SuSE's YaST 2 configuration tool, so that it's more accessible to the new user.

On OS X and on Windows, applications are categorized in a Extensions Folder and Control Panel, that allows an obvious method of accessing tools that configure the important functions of your system. It is much less daunting than a command line to the new user, as the most important tools and settings are presented in a way that prevents having to collect as much information as is required to accomplish the same tasks on the command line.

In desktop Linux distributions this is happening as well, and often this leads to a greater understanding of the command line. The curious user will notice the relation between the GUI applications and the commands they invoke, and as many tasks still require using the command line, the user will not be totally lost having already been familiar with a more accessible representation of the same tools.

Hopefully more GUI applications will be written to cover a larger scope of command line tools, making them more accessible. A lot of users now have grown up on the GUI, having been the preferred method of interacting with the majority of PC users now since they have become much more affordable and accessible. It's beneficial to provide an interface that caters to that group because it allows more people to get familiar with the OS in a familiar way!

Worms Against Nuclear Killers 1989 attack

[billstewart]

Phrack article on the WANK worm that cracked lots of NASA VMS machines. Yes, it was 1989 or so, but this is VMS, so that's a reasonable timeframe :-)

Login = "System", Password = "Manager"

[billstewart]

Some kinds of cracking methods are timeless and relatively system-independent. The DEC standard logins to the VMS administrative accounts used login name "System" and password "manager", or "Field" and "Service" so that field circus could get access to a machine, and too many sysadmins didn't bother changing either or both of these passwords. I'm posting this separately from the Worms Against Nuclear Killers comment to make the point that VMS _does_ have administrative accounts, and that they were at least at the time an obvious cracking method. (Of course, so was popping off the removable disk pack with the VMS operating system installed and popping on your own copy, so you could go look at the data on the other disk, but you needed physical access to do that one :-)

Re:Login = "System", Password = "Manager"

Anyone remember 'Sambar' yes with r at end.
default password is nothing as in zero nada.

Re:Login = "System", Password = "Manager"

[Rares+Marian]

But attacking a VMS binary does not give you root access.

Re:crack n hacks !!

[TapeCutter]

My eyes hurt...

RedHat 6 vs. Win98 - Windows was safer

[billstewart]

A few years ago I got a DSL line for my lab (back when that was still new and cool :-) and some of the boxes we were using were doorstop Pentium-60 and Pentium-133 machines that had become surplus when their users got newer machines. The P133 was running Win98 or maybe Win95, with all the MSOffice apps that a secretary had used (initially set up by our IT department), plus some Netscape and a shareware web server and such that I'd added. The P60 was running RedHat 6, installed right out of the box with minimal configuration effort, and one of the P60s spent most of its time running tcpdump to monitor what was on the LAN.

Nobody ever bothered the Windows box, not that there was much you could do with it.

On the other hand, the Linux box got cracked pretty rapidly, sometimes with Staecheldraht DDOS clients, sometimes with an attacker who appeared to have logged in by hand and installed things once he'd cracked it. After 3-4 rounds of the machine being brutally and senselessly attacked every week, I renamed the box "Kenny"... Sometimes I discovered the crack by looking at the tcpdump ("why is my box pinging a university in Sweden???") and sometimes by running commands like "find" in root's home directory which found files that looked suspicious ("ls" had been replaced with a version that didn't show the cracker's files, and "ps" didn't show his processes, but "ls /proc" showed his processes just fine :-)

As an old Unix hacker, this annoyed me. One major target for the crackers was the WU-FTPD ftp server, so it was somewhat ironic that my machine once attacked or was attacked by machines at Washington University (I forget which - I think my machine was cracking them.) It looked for a while like I was getting attacked by somebody at MIT, but it turns out that the culprit was really in Japan, and had the byte order backwards for the response packets...

Re:RedHat 6 vs. Win98 - Windows was safer

[cnelzie]

A few years old? RedHat 6 was released late 98 early 99. That's about 6 years ago, which is practically the dark ages of computing, when compared to today.

What's your point? That back at the end of the 90's RedHat 6 was worse then Windows 98? How does that really have any bearing on the article this whole thread is about?

As an old UNIX Hacker, your annoyance should have meant that you were going to actually lock down that machine, instead of letting it get cracked everytime you turned around. ...or are you just being a troll?

NAT firewall boxes help immensely

[billstewart]

NAT's a really lame approach to firewalling. But it's usually good enough to let you plug in a newly installed Windows machine behind your NAT box on your DSL/cablemodem so you can download all the necessary Windows updates to make the machine slightly less vulnerable, as opposed to having it 0wned before SP2 is even downloads :-)

Re:NAT firewall boxes help immensely

[Azghoul]

Can you explain why NAT is "really lame"? I'm genuinely curious. It occurs to me that hiding everything behind a NAT firewall is a pretty good solution, all things considered.

Re:NAT firewall boxes help immensely

[Taladar]

A better way would be real routing with firewall. That way we probably had IPv6 today already. NAT has a bad name for delaying a real solution for the address-space problem while the pain of changing will be even greater for every month and year we wait (due to more hosts having to change).

Re:NAT firewall boxes help immensely

[Azghoul]

That's probably true, but let's say my network has nothing you should ever see... but I want my network to be able to get out. I don't need my workstation to have a public IP address, ever.

Is there a better solution than NAT? Why would IPv6 be such a great thing? I mean, imagining back to the world when every machine was addressable directly is fun, but might not be what people desire any more...

Re:They aren't after your data - just your connect

[BlackHawk-666]

Please stop posting until you have a clue. You are misleading other clueless readers here judging by your moderation.

Re:LEADING ANALYSTS CONFIRM IT...

[maxwell+demon]

I've now read the linked article several times, but couldn't find that statement.
But anyway, enabling more services tends to make a box less secure.

Naaah!

[iyliki]

I did that two years ago. That is, left windows on another partition when I had migrated almost completely to linux.

Since my linux did most of the work for me I didn't boot to windows during a couple of mounths, but then , for unknown reasons today, I had to do something in windows. And BAM! My network connection was cut after a couple of minutes (university network) because of a worm who got into my system.

I deleted the partition. Told my netadmin about it. Got my network connection back and NEVER looked back at windows again.

Now the question is:
Would it be wise to buy windows, so that I need to buy a "dedicated firewall" to protect it, so that I can buy alot of modern hardware so that I can buy games to play in windows, which I have to reboot twice a day and reinstall every now and then?

Or should I just stick to linux?

Re:Naaah!

[ultranova]

Would it be wise to buy windows, so that I need to buy a "dedicated firewall" to protect it, so that I can buy alot of modern hardware so that I can buy games to play in windows, which I have to reboot twice a day and reinstall every now and then?

No, of course not. If you want new games, buy a console - it's cheaper and never needs to have anything reinstalled.

If you want old games, use DOSEMU under Linux. Everything I've tried that way has worked fine - but, unfortunately, DOSEMU doesn't have image zoom/filter functions, so the window is postmark-sized :(. And I haven't tried any action games, just strategy games like Master of Magic and Princess Maker 2, so I can't say how fast the graphics system is.

Or, if you are truly desperate, try Wine; in my experience, most programs almost work under it. Keyword being "almost" here...

Re:Naaah!

[ggy]

No, of course not. If you want new games, buy a console - it's cheaper and never needs to have anything reinstalled.
Just a scary thought I just had, given that most next-gen gamingconsoles will be delivered with a ethernet port, how long do you think it'll take the crackers to start taking advantage of it?
How long until you have to have a dedicated firewall to dare plug in your xbox 2, ps3 or revolution?

Re:Naaah!

[ultranova]

Forever, since I don't like multiplayer games and thus don't have any reason to connect anything to that ethernet port.

Unless, of course, someone gets the great idea of requiring games to phone home through the Internet, to ensure that they are'n pirated - nah, people would never stand for such inconvenience, not even in proton's half-life's time times two.

Or, they could start distributing console games as buggy as all other games, and require you to download patches before you start playing...

Better yet, show the consumer commercials on the top of the screen while he plays ! And if someone complains, tell him that games take a lot of money to develop, and part comes from commercials, and only an amoral communist pirate hippie would try to filter them out ! It worker for television and movies, so why not for games ? You could even tailor the commercials shown to the scenes in the game - if you're buying healing potions in an RPG, show a Viagra commercial; if you're talking to a female character, show "dating" service commercial.

Alternatively, have commercial breaks, and use an infrared camera to ensure that the people really sit them through. If they leave, the break pauses untill they comes back. You could even demand that the player gets two other people to watch the break with him. Naturally, you'd need to make circumventing these methods a federal crime, punishable by at least 10 years of imprisonment, but the RIAA is already working on that, isn't it ? The camera is, after all, an access control method, used to prevent anyone who doesn't watch the commercials from playing the game... Hmm. On second thought, you'd need to track eye movements too, to ensure that the consumers really watch the commercials, instead of sitting there reading or speaking to someone else - yep, better include a microphone too, and a mini-game after the break where you need to answer questions about the commercials you just saw to continue the game - feel free to watch them again if you fail the first time around. BTW, with DRM, you could do this with PC as well - you want to edit your documents ? Watch these commercials and answer these questions first !

Re:They aren't after your data - just your connect

[1lus10n]

"this is enough to deter the script kiddies"

Yes.

"Combine the little blue box with a firewall, however (e.g., ZoneAlarm) and you've just defeated 99.9% of the so-called 'hackers' out there."

I don't want to argue about the terms your choosing to use. I do however want to point out that the bad guys are always one step ahead of the good guys, and assuming that any security you have is good enough to stop practically anyone is the first step towards becoming owned. Not just your machine .... your information. Which is worth far far more money than the 2 hours it takes you to wipe the machine and restore your data.

Anyone who really wants in can get in, it will take them time and patients. Thats one thing the good guys have going for them, most of the bad guys are script kiddies who just run a scan and move on. Eventually we will get to the point where breaking through firewalls and any other security device is as simple as clicking "ok". We are still some ways away from the kiddies having to learn all of that though since there are many many more unprotected systems out there .... but the day will come.

Very true

[Kludge]

Our VMS administrator still uses telnet to do administration, thinking that it's secure enough. Personally I use ssh. However, in order to change our passwords once they expires, we have to use telnet. SSH stops working.
Just because the bozo in the above story didn't know what to do once in was in the box, doesn't mean that other bozos won't be more ambitious or do more sniffing.

Re:Very true

[router]

Which ssh? Some of them allow changing expired passwords....

andy

or.

[Fuzzums]

"it takes about 3 months before a unpatched Linux machine will be owned, compared with about 72 hours in the past" could mean most kiddies moved to M$ to crack.

There is a solution for dupes

[master_p]

When a story is posted, the previous stories are searched for similarities. If more than, let's say, 80% similarity is found, then the story is a dupe and it is rejected (or the reviewers are notified that the story might be a dupe). It can be automated with a few lines of code.

Re:There is a solution for dupes

[Master+Bait]

That would save the editors from the trouble of having to actually read the website.

Re:There is a solution for dupes

[fbjon]

But dupes aren't necessarily bad either. Not all people read slashdot 24/7/356. Some people even leave their computers for a while. Thus, an interesting story can be repeated. The best solution would be to have a separate category for known dupes, a database of who has read what story, and an option to display missed articles.

Time to 0wn != difficulty to crack

The fact that the machine gets 0wned at all proves that it's not 100% secure. The only issue now is how long it'll take someone to crack the box. The time to do this is mostly dependent on how easy it is to crack other boxes, NOT on how hard it is to crack this one.

Think about it. If some script kiddie is launching a 5-year-old attack on boxes that still tends to work, he'll keep doing it. If the Honeynet boxes don't fall prey to this, because they're properly configured and people care about keeping them up-to-date, other Linux systems will. If other Linux systems weren't prey to this, the kiddies would find exploits that worked (we've proven they exist already).

This is a measure of how the variety of Linuxes in the wild mean that an up-to-date box will be hacked less quickly, which is certainly a useful data point. But it doesn't mean Linux is "more secure" than in the past, only that the holes in Linux now are less well known that the holes in the past, and those holes are still rife in the wild.

Newer things are, for this reason, always "more secure". For a while.

harden the services

[xmp_phrack]

disable unneeded crap in inetd.conf. add "--nolisten tcp" to X server args. for Windows, disable any unneeded services via start/run/services.msc. firewalling, decent passwords, and patches are obviously good too. i wish more home users would take the time to do this.

link to article please!

[dioscaido]

I'm sorry for being daft but on the honeypot site I can't find the specific article everyone is talking about. I'd comment more on their study if I knew what they were running. Is the unpatched linux distribution as old as the unpatched XP SP1 they are using, and Solaris?

I'd like to see benchmarks of fully patched systems. I would also like to see server systems (OSX server, win2k3, etc...) being tested.

But more importantly, I'd like to see the number of attempts on each box. If there were 10 to 1 attempts on the XP box vs Linux box, while its performance was deplorable, the measurements would have a bit more context. I was especially surprised with Solaris, because I'll assume the box wasn't targeted nearly as often as the linux and XP boxes.

The article goes to show that it's important to have at least a router between you and the 'live' internet connection. Copies of XP bought after SP2 was released come with SP2, but still for those with older systems, they need a fighting chance to patch.

NAT is not really safe

[tomofumi]

NAT is only safe if you are the only user (PC) on the local network...You will still get infect by other PCs if they share the same subnet with you. (Our newly installed XPSP1 PC learn this lesson in our office)

Re:Answers (disregard the nonspaced one)

[agraupe]

1. Hub - A device which accepts the packets from multiple network connections, and distributes them to each other connection.

2. Switch - Like a hub, except it detects (via MAC address I think) which connection should receive the data.

3. Router - A device which handles the routing of packets to the correct place on a network.

4. Firewall - A piece of software, sometimes running on a dedicated piece of hardware, designed to keep your system safe from hackers, usually via closing ports. This does not count any backdoors or spyware you may download, which, usually unless custom restrictions are in effect, will be able to "phone home" without any interference from the firewall. I believe ZoneAlarm, for one, has a warning if this ocurrs.

5. NAT - Short for Network Address Translation, a system by which computers on a private LAN are able to access the Internet via a device set up to perform NAT. The NAT/Router takes the request of a computer on the LAN, and routes it to the proper destination using its own public IP address. When the response comes back, it then routes it to the proper computer. In many cases, specific ports may be forwarded to the necessary boxes on the LAN, so you don't need one box providing routing, NAT, webserver, etc... This may be added to the functionality of a router, provided that the router in question would require NAT.

6. Proxy - A bit fuzzy on this one. This is quite similar to NAT (described above), except that it is done over a WAN, usually the Internet, and is usually done for the purpose of using an IP address other than your own, for anonymity reasons (to avoid a ban, or content filtering restrictions).

7. Modem - A device that may be internal or external, designed to convert various methods of transport (cable, phone line, etc) into a usable network for a computer (PPP or Ethernet).

For any given TCP or UDP connection, yes, I know that it must travel through several routers. I mistakenly said router when I meant something else. Each router uses a series of routing tables to figure out where the packet must go. This is repeated until the packet finds the correct destination (where it then might be NAT'd if the destination is on a private LAN).

All happy now?

win

[BaronGanut]

haha eat that windows suckers!!

MOD PARENT DOWN

[WillerZ]

-1, buzzword-infested-middle-manager.

Re:LEADING ANALYSTS CONFIRM IT...

[RyuuzakiTetsuya]

Except exploits are uniquely available to be guaranteed to be on most Windows installs by default as far as IIS goes. Apache with Linux distributions tends to be updated to whatever version the distributor thinks is safe. Which tends to be tried and true apache installs.

Re:They aren't after your data - just your connect

so to paraphrase
it is inevitabellely, inevitabbb, inevitable!

Summary?

[Laebshade]

I think you mean "Ranked from least crackable to most crackable"

Unless you're some Jew who thinks he's reading Hebrew (read right to left), but then you'd have to change the text:

Linux<Solaris<Glass<Windows

But of course!

[hugo_pt]

With so many root holes on Linux, it's natural the amount of bugs keep getting down as more and more are published.

BSD Testing

[nurb432]

would have been nice to add some BSD machines to the list..

That and customized 'router' flavors of linux..

I have no idea how to run a profitable business

[tepples]

Self-employment. That's my solution.

When I'm already tens of thousands of dollars deep in student loan debt, how in the world would I get the money to go back to school for business administration training? Do people normally go from a B.Sc. in a technical field to self-employment? If so, how do they learn about how to run a business?

Re:I have no idea how to run a profitable business

[Master+of+Transhuman]

By reading the tons of available texts on that subject (in the library if you can't afford to buy them) and by experimenting - which is the way most small businesess get started. Almost nobody starting a small business has business administration training.

In the case of PC tech support, you print up some business cards, some flyers, maybe a small brochure, and start handing them out. I put out maybe thirty flyers one Sunday over two hours (it was hot that day, so I called it a day early) - and got about 15 calls, out of which I got a half dozen clients - one or two of which have been repeat clients. EVERYBODY needs PC tech support - because, as Woody Allen put it years ago, "Nothing works and nobody cares." I may never get rich at this job, but I expect once I start pushing my marketing more, I'll at least pay my rent and expenses.

What else are you going to do? Move to India?

Re:They aren't after your data - just your connect

[plasticsquirrel]

I do mean NAT/hardware firewall/router thingy. And, yeah, my point was that there are enough unprotected boxes out there that it doesn't make sense to hack through said NAT/firewall device, unless there was sure to be something tempting on the other side, in much the same way that having a deadbolt will protect you from most home breakins.

Yes, but those "thingies" are usually bought by clueless users who have never even changed the default admin password. I would estimate that at least 50% of all home hardware routers out there are running 100% default settings. How's that for secure?

According to Bruce Schneier...

[ChoyLeeFut]

In his Jan. 15 2005 CRYPTO-GRAM, Bruce Schneier comments on this. Go here:

CRYPTO-GRAM News

Then search for The Honeynet Project. Something to think about.

Morale to this story... use a FFW

From an article on USA Today...

While attempted break-ins never ceased, successful compromises were limited to nine instances on the minimally protected Windows XP computer and a single break-in of the Windows Small Business Server. There were no successful compromises of the Macintosh, the Linspire or the two Windows XPs using firewalls.

Junk Science

Who gives an f about unpatched machines?

This is like comparing a baby and a puppy. Put the two together in a locked room and the puppy will kill the baby. Does that really say anything?

On slashdot the headline would be something like "Dogs smarter than Humans".

And easy updates

[bill_mcgonigle]

Whether it's up2date, yum or apt, distros make it easy to keep up to date with patches.

I yum update all my machines every night and judging by the logs it has to be making a difference.

Thanks to the yum guys, dag, et. al., you're making a great difference. DHS should give you some funding.

From Dell's Website

[WD_40]

clicky

"NOTE: Dell does not ship any product with spyware included or installed."

But I'm sure they're lying. *rolleyes*

Interesting

It's about time. Soon Linux will catch up to and be as secure as Windows 95 was.

Re:Answers (disregard the nonspaced one)

[mabinogi]

Perfectly happy!

Although I liked the ninja answer someone else gave better ;)

Re:They aren't after your data - just your connect

[Shotgun]

Yeah! What makes you think my God died just because he was nailed to a tree?

Shhhh! don't mention Trusted Solaris

Do you really want to talk about out of the box security? And, on OS's meant for general purpose uses? Here's a hacker's nightmare...

If you want real security don't play with Linus' toy, get Trusted.

Its the next best thing to disconnecting from the net.

Re:LEADING ANALYSTS CONFIRM IT...

And yet, the linux boxes were still the most secure....