Slashdot Mirror


Linux Getting Harder To Crack

AlanS2002 points out today's article from Iain Thomson on vnu.net, which says that "Linux systems are getting tougher for hackers to crack, security experts have reported today," summarizing "A study conducted by the Honeynet Project has found that it takes about 3 months before an unpatched Linux machine will be owned, compared with about 72 hours in the past. According to a report on the study, default installations are now more secure, with fewer services enabled by default; added to this, newer versions of software such as OpenSSH are more secure. Interestingly, Solaris 8 and 9 did not fare so well."

93 of 553 comments

  1. Slashdot Getting Easier to Dupe by CajunArson · · Score: 5, Funny

    Yes this story has already been posted. But don't worry! Since there is no link to Netcraft it will be duped again when there is official confirmation!

    --
    AntiFA: An abbreviation for Anti First Amendment.
    1. Re:Slashdot Getting Easier to Dupe by CajunArson · · Score: 3, Informative

      In case you want some facts to back up my previous troll: check it out, y'all. It even links the same website.

      --
      AntiFA: An abbreviation for Anti First Amendment.
  2. cracked by bryan986 · · Score: 4, Funny

    I cracked a linux box in 30 seconds... ...with a hammer

    --
    There is no sig
    1. Re:cracked by thej1nx · · Score: 2, Funny

      It is ok. I have patched it now ... with glue.

  3. Owned? by Klar · · Score: 5, Funny

    it takes about 3 months before an unpatched Linux machine will be owned
    Maybe I'm wrong, but shouldn't it be pwnd or 0wned or 0wn3d or 0\/\/|/|3|) or some variation on that instead of owned?

    1. Re:Owned? by Anonymous Coward · · Score: 5, Funny

      or in this case, postpwn3d

    2. Re:Owned? by eclectro · · Score: 5, Funny

      Maybe I'm wrong, but shouldn't it be pwnd or 0wned or 0wn3d or 0\/\/|/|3|) or some variation on that instead of owned?

      Yes, you are correct. The problem is Slashdot doesn't have spell-check yet.

      --
      Take the cheese to sickbay, the doctor should see it as soon as possible - B'Elanna Torres, "Learning Curve"
    3. Re:Owned? by Master+of+Transhuman · · Score: 3, Funny

      How about "pawned"?

      Since none of the /. nerd-boys can afford to actually BUY a computer since they're spending too much time on /. instead of working for a living...

      (I can't wait for the "What's YOUR excuse?" responses...)

      --
      Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!
    4. Re:Owned? by Technician · · Score: 2, Funny

      it takes about 3 months before an unpatched Linux machine will be owned

      Nope, that's about right. As a newbie I put Slackware on a machine and it took about that long to get X to work with my AGP video card. Until I got a GUI, I didn't feel like I was in control. ;-)

      --
      The truth shall set you free!
    5. Re:Owned? by Tony+Hoyle · · Score: 3, Insightful

      Move.

      So you're expecting someone with no income to emigrate to *another country* just because there's an economic downturn.

      That's about the lamest thing I've ever heard. If you're unemployed you're going to have trouble getting bus fare let alone buying a new house in a foreign country.

  4. interesting by tuxter · · Score: 5, Funny

    "A study conducted by the Honeynet Project has found that it takes about 3 months before an unpatched Linux machine will be owned, compared with about 72 hours in the past."

    "A study conducted by the Honeynet Project has found that it takes about 3 minutes before an unpatched Windows SP2 machine will be owned, compared with about 72 seconds in the past."

    1. Re:interesting by tuxter · · Score: 2, Funny

      The patch is installing Linux.

    2. Re:interesting by NanoGator · · Score: 5, Insightful

      "The patch is installing Linux."

      Tell the millions of gamers out there about it.

      --
      "Derp de derp."
    3. Re:interesting by atriusofbricia · · Score: 2, Insightful

      I better tell my friend to stop playing CS:Source and BF1942 then. Granted, that is with cedega, but still.

      --
      I was raised on the command line, bitch

      "Nemo me impune lacesset"

    4. Re:interesting by NanoGator · · Score: 2, Insightful

      Two down. Several thousand more to go.

      --
      "Derp de derp."
    5. Re:interesting by Anonymous Coward · · Score: 2, Interesting

      Last week, my friend made the mistake of trying to reinstall a friend's XP machine with the LAN cable connected. By the time we had IE running sufficiently to access Windows Update, the machine was already infected.

      To save a bunch of posts:
      - No it was not the very latest printing of the CD. It was the one that came with the computer.
      - No, he did not use slipstream, jumpstart, SMS, MOM, POP or anything else that needed a CD prepped in advance.
      - No, he did not have a router (*).

      I'm not saying this is the ideal Windows installation environment, but it is the default environment of the average schmoe. What really boggles me is how many people there must be out there who just accept that. People whose PCs are nearly unusable but are conditioned to expect such poor quality that they just accept it.

      (*) Router Rant: This is the one thing that p***ed me off. IF YOU DON'T OWN A DEDICATED FIREWALL, GET ONE! Not once, not one single time, have I had someone come back and say that they wish they hadn't spent $30 on a hardware firewall. It'll make your system faster, simplify configuration, allow you to network if you can't, reduce traffic if you can AND it's cheap g****** insurance. Buy the stupid thing!

    6. Re:interesting by Lord+Kano · · Score: 2, Insightful

      Last time we checked, SP2 was a patch. I'd like to see this unpatched patched machine of which you speak.

      If you slipstreamed SP2 into your install and burned a new CD would any machine that you install onto be unpatched?

      After all, if you didn't run any "patches" on the machine in question, one could call that unpatched.

      LK

      --
      "Hi. This is my friend, Jack Shit, and you don't know him." - Lord Kano
    7. Re:interesting by tuba_dude · · Score: 4, Funny

      Hell no. Tux Racer Underground is where it's at. You can trick out Tux with cool new shades, wing spoilers, ground effects and even decals!

      --
      "The government of the United States is not, in any sense, founded on the Christian religion."
    8. Re:interesting by Technician · · Score: 2, Insightful

      Tell the millions of gamers out there about it.

      Certainly, as soon as all their Win games run with no issues.. OOPS, they haven't done that with Windows yet!

      --
      The truth shall set you free!
    9. Re:interesting by slobbargoat · · Score: 4, Insightful

      no, tell the game developers out there about it.

    10. Re:interesting by Omniscientist · · Score: 2, Insightful

      It is impressive that they have somewhat emulated DX; however, I fail to see the features Cedega provides as being outstanding. I followed all the documentation, everything was set up correctly, and only one game ran, and it lagged terribly. This game that was lagging terribly is a game that will run perfectly at 1280x1024 resolution, with 8xS anti-aliasing, 16x anisotropic filtering, and all other options set to max while running many other applications in the background in Windows.

      Linux itself really doesn't need that much added to it; it's the game developers themselves who need to change over to making more OpenGL games so the game can run fine on both platforms.

    11. Re:interesting by mvdwege · · Score: 3, Interesting

      Even if the firewall were enabled, this is a pre-SP2 box he was talking about. That still leaves a short window of vulnerability, as Windows XP will bring up the firewall after the networking is set up.

      Mart
      --
      "I know I will be modded down for this": where's the option '-1, Asking for it'?
  5. As a Linux User... by agraupe · · Score: 3, Interesting

    I am happy to hear this, as I run a linux box. These reports are mostly moot, however, because a router will deter all but hackers with a reason to pwn your box, and there is little reason to do so to a home computer. My unfirewalled SP1 Windows XP box has fared similarly to my linux box, with just a bit of spyware.

    1. Re:As a Linux User... by huber · · Score: 2, Funny

      wow linux user with a linux box!!1

    2. Re:As a Linux User... by eln · · Score: 5, Informative

      because a router will deter all but hackers with a reason to pwn your box, and there is little reason to do so to a home computer.

      To create a zombie for a DDoS attack, to host child pornography or warez, to use as a spam relay. All of these and more are reasons home computers are attacked. All they want are more systems in their arsenal, to make them more resilient and more effective. It doesn't make much difference if it's a home PC or a workstation in some office somewhere.

    3. Re:As a Linux User... by Le+Marteau · · Score: 4, Interesting

      My unfirewalled SP1 Windows XP box has fared similarly to my linux box, with just a bit of spyware.

      As far as you know. Gone are the days of random vandalism, where if your box was cracked you knew about it the next day. Today's box is owned not to trash it, but to use it. If your Windows box is owned, you won't always know about it until it is sold or called into use to serve its new master.

      --
      Mod down people who tell people how to mod in their sigs
    4. Re:As a Linux User... by gid13 · · Score: 4, Insightful

      His point was that nobody's going to bother going through a router to do that when there are innumerable completely unprotected boxes out there.

    5. Re:As a Linux User... by Aurix · · Score: 2, Informative

      It doesn't matter necessarily that the office workstations are NAT'ed. Just firewall that subnet from the outside world. They can still have their own public IP, but still have restricted incoming connections set by the border router...

    6. Re:As a Linux User... by thrillseeker · · Score: 4, Funny

      My unfirewalled SP1 Windows XP box has fared similarly to my linux box, with just a bit of spyware.

      Being infected with "just a bit of spyware" is like being just a little bit pregnant.

    7. Re:As a Linux User... by Ubi_NL · · Score: 2, Insightful

      If the software is installed via social engineering, the zombie can just 'phone home' and the router will happily pass the traffic.

      --
      If an experiment works, something has gone wrong.
  6. SCO by Anonymous Coward · · Score: 3, Funny

    SCO is the easiest to crack judging from all of the smoking going on there....

  7. RedHat comes with a pretty good iptables setup by PornMaster · · Score: 4, Interesting

    My day job's in a big hosting facility, and it was a surprise when setting up RHEL 3.0 that it had by default quite the restrictive iptables ruleset which let very little besides SSH through, and pam_tally was set up in the install, so 5 login failures locked out the account.

    Quite refreshing to see, since I was doing the install for a customer who'd decided to go for a reimaging because their machine had been compromised.

    1. Re:RedHat comes with a pretty good iptables setup by wobblie · · Score: 2, Interesting

      Why? Locking out accounts is fucking retarded and is the easiest way to DoS someone.

    2. Re:RedHat comes with a pretty good iptables setup by maelstrom · · Score: 2, Insightful

      Just have to be careful with this as someone can DoS your accounts pretty easy.

      --
      The more you know, the less you understand.
  8. how is that "interesting"? by Anonymous Coward · · Score: 2, Insightful

    Comparing new and revised Linux installs to old and decrepit Solaris 8 & 9 installs. Distros release new versions at least once a year while Solaris 9 was released... when? A couple years ago? A default install with patches from the last 6 months versus a default install that is 2 years or so stale. Which one wins?

    DUH!

  9. In Case it gets /.ed by spac3manspiff · · Score: 4, Funny

    Here's a summary:
    (Ranked from most crackable to least crackable)
    Linux>Solaris>Glass>Windows

    1. Re:In Case it gets /.ed by rritterson · · Score: 2, Interesting

      what?

      is this a joke, or did you reverse your >'s? Either way, you just made Linux much easier to crack than glass...

      --
      -Ryan
      AUWYHSTOT (Acronyms are Useless When You Have to Spell Them Out Too)
    2. Re:In Case it gets /.ed by spac3manspiff · · Score: 3, Informative

      Lol I meant, "Least to Most"
      Really messed that post up.

    3. Re:In Case it gets /.ed by SteeldrivingJon · · Score: 2, Funny

      I think you mean:

      (Ranked from most crackable to least crackable)
      Linux>Solaris> "Sugar Glass">Windows

      Sugar glass being the fake glass used for special effects. It breaks easily, and is less likely to cut the poor sod who has to jump through it.

      Sugar glass doesn't last long (warps or goes sticky), so make it close to the time when you plan to use it.
      Keep it out of moist areas and direct sun. The same as a lollipop, it will melt or go gooey.
      The sugar can attract ants and other bugs, so keep it packaged in plastic, etc. until you use it.
      Though only sugar, the glass can have sharp edges/points when broken, so be careful when handling.

      (From: here)

      Well, reading that, sugar glass really is pretty close to Windows. Best keep it in the plastic, so as not to run into any bugs.

      --
      September 2011: Looking for Cocoa/iOS work in Boston area Cocoa Programmer Quincy, MA
    4. Re:In Case it gets /.ed by gstoddart · · Score: 2, Funny

      Either way, you just made Linux much easier to crack than glass...

      Oh. He must have been referring to an independent study funded by Microsoft. :-P

      I'm sure it's coming soon.

      --
      Lost at C:>. Found at C.
  10. when will it reach vms standards? by Anonymous Coward · · Score: 5, Interesting

    De John Wisniewski - a memorial

    The game began at 10 a.m. on Friday. The VMS machine on the Green team was configured with Apache web server. As we are aware, VMS is an extremely secure operating system. While many of the other boxes in the room, mostly Unix, linux, and forms of windows, and even a Macintosh, were compromised and subsequently attended to by their masters, the VMS system remained intact. Here is where a real security issue comes into play.

    We were very confident of the VMS box, and a lot of interest was generated by it. In the spirit of spreading the good word and educating the people about VMS, we ended up answering a lot of questions about VMS, and showing how the machine automagically added user accounts, and demonstrated the various terminal games and web pages which had been created. We were also aware that, in this crowd of 5000+ hackers, someone might be able to weasel their way into the machine if any security measures were taken lightly.

    As events would have it, we had an issue, which we did not understand, with the operation of the serial port used as the operators' console. At 2:00 a.m. Saturday morning the system manager decided to telnet to the box in order to do some routine checks. Using Telnet in an environment with 5000 hackers on your network is an insecure method of administering a computer system. A lot of people were fascinated by the VMS system, and had asked many questions about it, shoulder-surfing the console operator, who of course answered their questions in this friendly game of an environment.

    One of the hackers who had been showing a lot of interest in the VMS box happened to be sniffing packets from the system manager's PC. He discovered the password to the account, a simple procedure any 13 year old kid can pull off with ease after a little social engineering. The hacker logged in, and placed a couple text files (his mark for points) in the manager's user directory, and then notified the system manager in order to claim the points. There were no points for hacking the machine because the files were placed in a user directory instead of the `root' VMS directory. He was awarded 10 points for social engineering.

    Was this an instance of VMS being hacked? No, it was just a circumstance where a privileged login session was passed in plaintext over a network with 5000 mechanics, social engineers, and hackers on it. By using a telnet session on an open network, the system manager's login information was freely made available to any who cared to record it. Giving away your login info in this way to a hacker who subsequently uses it does not constitute being hacked; it constitutes an error in security procedure. The thought of improved security, such as some level of encryption for telnet on VMS, immediately comes to mind. Be very afraid.

    The Alpha was disconnected from the haxor network, the serial port issue (our fault alone) was fixed, and the network was reconnected. The incident did not repeat, nor did any hack whatsoever of the VMS system take place during the event. The hackers bombarded the box with telnets and ftp attempts to every bizarre port number imaginable, obscure ports in the 40,000 range and more. The word of the early-morning incident had spread, and those seeking glory and a reputation besieged the box.

    Another kind of social engineering, involving a clever lie intended to trap those who would think it cool to hack the NOC, was presented in this way: People came by, with an IP address, saying, "here is the IP address for the NOC, have fun". It was really an outside IP address, and this was a ruse to make those who listened lose points for attacking sites outside the defcon network. Hacking outside the CTF network was forbidden.

    As the game progressed, the goons announced that there were not enough hackers (huh? The tables were *full* of people). To make it more enticing, the point award for placing your mark in the root directory of a server

    1. Re:when will it reach vms standards? by zcat_NZ · · Score: 2, Interesting

      Nitpick; using plaintext authentication on an insecure network _IS_ a security flaw. If the password got sniffed and subsequently used, you're just as 0wned as via any other kind of hack.

      I'm a bit sore on this point; I recently had someone try to set up a BNC on my home PC after they managed to hack another box I have a shell on and brute-forced the shadow file. Fact is I ignored the important security precaution of using a unique password on every box, and it cost me a weekend rebuilding and making sure that any other passwords they may have had access to were changed as soon as possible.

      --
      455fe10422ca29c4933f95052b792ab2
  11. Windows is down to 4 minutes... by Bucket+Truck · · Score: 5, Informative

    I just read an article at the Register (linking to an old article on http://www.usatoday.com/money/industries/technology/2004-11-29-honeypot_x.htm) about un-patched XP SP1 machines only surviving for 4 minutes when connected to a broadband connection. Within 10 hours the hackers had an IRC channel running on the machines.

    --
    Tongue: A variety of meat, rarely served because it crosses the line between a cut of beef and a piece of dead cow.
  12. FreeBSD? by SubTexel · · Score: 4, Interesting

    Well, they list it in the list but give no data on it whatsoever. So one is to assume FreeBSD was never hacked from the data presented (or lack thereof). Way to go BSD!

  13. not again (the partisanship) by jonastullus · · Score: 5, Interesting

    i have said it before and i will say it again: only because more and more people stand up to state how superior and ultra-safe linux is, won't necessarily make it so!

    if it is indeed true what this study claims then i am the first to applaud the kernel guys and the distribution makers.

    but there are facts that won't change:

    - software monoculture is BAD (no matter what the monoculture consists of)
    - linux is NOT the safest alternative out there (compare *BSD, VMS, ...)
    - there have been an alarming number of exploits as well for the kernel itself (local root exploits, anybody?) as also many exploits for user land applications (mplayer, mpeg123, mozilla, ...). therefore it is as questionable a time to glorify linux as it will ever be.

    SECURITY IS A PROCESS NOT A STATE!

    please, dear media (and also dear slashdot), make an effort to educate people in security matters instead of putting some solution on the "security pedestal". don't make claims about the absolute security of any alternative.

    the complete solution is what makes and breaks security, not the components, and without adequate, highly trained and proficient personnel it will always be near impossible to achieve truly secure (whatever THAT means) solutions.

    well, at least the uprising unices make it easier for the proficient and maybe even raise the security bar for the amateurs, but alas this is not an end to itself!

    jethr0

    1. Re:not again (the partisanship) by egarland · · Score: 3, Insightful

      SECURITY IS A PROCESS NOT A STATE!

      Wrong. Security is a state. Securing is a process. Look them up, they're in the dictionary.

      I usually hear that quote from people who want to make a living out of implementing security. The fact is, with the current state of systems, a lot of time needs to go into creating a secure system and keeping it secure. This is not inevitable, however. As time goes on, computer systems and networks will simply be more secure by default, especially thanks to all the hackers out there that find the holes and let us know about them (oftentimes via the always funny "I infected you with a virus" method).

      software monoculture is BAD

      There are huge powerful upsides to a monoculture. Sure there are downsides too but I think in the end we will have one and it will be a huge benefit, even to security.

      ... without adequate, highly trained and proficient personell it will always be near impossible to achieve truly secure (whatever THAT means) solutions.

      And 640K should be enough for anyone.

      If you really think that it is impossible for security to happen automatically, ask yourself exactly what it is that a security professional can do that is theoretically impossible to automate.

      --
      set softtabstop=4 shiftwidth=4 expandtab nocp worlddomination
    2. Re:not again (the partisanship) by 1lus10n · · Score: 2, Informative

      No. You make too many assumptions in your post. What you are saying is somewhat akin to claiming humanity will someday reach a point where violence is non-existent.

      If the security gets better (just like it has over the past 40 years) it's because the good guys are usually behind by a few steps; if they weren't behind they wouldn't know what to secure, or why. Even given the assumption that security somehow catches up with what the people attacking the systems are doing, you're also assuming that the people doing the attacking won't be able to adapt and break the new security.

      Any security made by a person and implemented on a computer can be broken by a person with a computer.

      "There are huge powerful upsides to a monoculture."

      Not when it comes to security there ain't. In the "oooh shiny" world of point-and-click userland, sure, it's helpful, but anything beneficial from this aspect can also be gained from using open standards and open formats.

      "ask your self exactly what is it that a security professional can do that it is theoretically impossible to automate."

      Adapt, interact in an intelligent way, grow. Last I checked we still hadn't created a sentient intelligence yet, and in order to compete with sentient intelligence we have to use sentient intelligence. Once we create true AI ... then the bad guys will have it too. So the story goes on.

      --
      "Two things are infinite: the universe and human stupidity; and I'm not sure about the universe." --Albert Einstein
    3. Re:not again (the partisanship) by egarland · · Score: 2, Insightful

      But security guards aren't in charge of identity, they are in charge of who gets into a building. To fool a guard into letting you into a building, you usually just need a piece of plastic with a picture of you and a company logo. It's a hell of a lot easier to get past a security guard than it is to get past a login prompt. Riskier, yes, but definitely easier, and it requires much less knowledge.

      --
      set softtabstop=4 shiftwidth=4 expandtab nocp worlddomination
  14. They aren't after your data - just your connection by khasim · · Score: 4, Insightful

    These reports are mostly moot, however, because a router will deter all but hackers with a reason to pwn your box, and there is little reason to do so to a home computer.

    What do you mean by "router"? There are probably several routers between your computer and any other computer on the Internet.

    And most of the spam I see is from home machines that have been cracked (zombies).

    Not to mention the DDoS zombies out there.

    They'd be happy to get your credit card info off of your home machine, but they attack to turn you into a zombie with bandwidth.
  15. 133t... by bender647 · · Score: 5, Funny

    But there was bad news for Solaris users, with three out of the four honeypots running Solaris 8 or 9 hacked within three weeks. However, a fourth has been online for six months without being compromised.

    Stop nagging, I'll get to it.

    1. Re:133t... by StikyPad · · Score: 4, Funny

      But there was bad news for Solaris users, with three out of the four honeypots running Solaris 8 or 9 hacked within three weeks. However, a fourth has been online for six months without being compromised.

      Stop nagging, I'll get to it.

      It's not that all 4 weren't compromised, it's just that they didn't notice me. I guess you're the one they caught on the first 3? It's okay, keep practicing. ;)

  16. Re:Not even remotely scientific by QuantumG · · Score: 2, Insightful

    It's such a bullshit comparison. Windows XP gets owned in 3 minutes after starting up. Linux takes 3 weeks. Wooo! Linux must be harder to own! No, there's just more losers out there trying to break into random Windows XP boxes than there are losers out there trying to break into random Linux boxes. If you actually went and asked a representative sample of script kiddies which OS they found easier to attack and why, you might get some valuable information, but it's more fun to "catch" hackers in your "honeypot". About the only good thing that could ever come out of The Honeypot Project is previously unknown attack methods. For example, if someone got root using some local exploit no-one had seen before, we could reverse engineer the script they used and fix the bug. But this has never happened. Why? 'Cause no-one who has zero day exploits goes around using them on random machines. They use their zero day exploits to attack specific machines for a specific purpose, because they know that every time they use the exploit they run the risk of it being discovered.

    --
    How we know is more important than what we know.
  17. Fairwell, English grammer by MerryGoByeBye · · Score: 4, Funny

    Parding is such suite sorrough...

  18. Hardening Linux works! by Anonymous Coward · · Score: 2, Informative

    This is just another example of how hardening keeps your servers from getting compromised. Red Hat and SuSE Linux systems now ship with every remote service in xinetd deactivated and most have a default firewall active at installation. This partly reflects the lessons we've learned with Bastille Linux, a hardening program for SuSE, Debian, Fedora, RHEL, HP-UX, and OS X. What's interesting is that while new releases of HP-UX are shipping with Bastille pre-loaded and runnable at installation, giving the user easy hardening at install time, Sun's still been releasing servers with 50+ network ports listening, including deprecated services like tnamed (Trivial named). The Linux vendors have been leading the older Unix vendors, mostly because users influence them more. But hardening is becoming a more popular practice in all operating systems now... - Jay Beale

  19. Unpatched? by Brandybuck · · Score: 4, Insightful

    Why even bother testing unpatched Solaris when Sun specifically tells you to patch your boxes? It's like never changing your car's oil and then complaining that it breaks down too often. It's almost, but not quite, as stupid as complaining your burrito is frozen because you didn't read the microwave directions.

    --
    Don't blame me, I didn't vote for either of them!
  20. In other news... by Spy+der+Mann · · Score: 4, Funny

    It's been discovered that it takes about 3 months before an owned Windows machine will be patched.

    1. Re:In other news... by Neo-Rio-101 · · Score: 3, Insightful

      L.I.N.U.X - Linux Is Not UniX

      --
      READY.
      PRINT ""+-0
    2. Re:In other news... by StikyPad · · Score: 3, Funny

      T.I.N.A.R.T. - This Is Not A Recursive Tinart

  21. Re:Not even remotely scientific by ComputerSlicer23 · · Score: 2, Interesting

    You are approaching that all incorrectly. I haven't read the study, but from a general understanding of honeypot theory it is "scientific".

    They have an experiment they run, and they measure the outcomes. The measurements over time have changed. They compared the measurements.

    That's pretty much the textbook definition of "scientific" and "statistics".

    No, this "study" might be an anecdote (I'm unaware of how many machines they have). However, it is a "fact" that, N months ago, putting an unpatched Linux system on the Internet used to, on average, last X minutes. A more recent measurement shows that it now lasts M * X minutes before being compromised. I'm fairly sure these people have several measurements at several points in time (I've read similar measurements like this from the same people a number of times).

    That's a controlled experiment (technically speaking, the old measurement is the "baseline"). It's an interesting fact. It doesn't mean "Linux is getting more Secure". It means that on average it appears that a Linux machine without security patches lasts longer before being compromised. That could be because of the cost of beef in Tokyo. It could be because Linux is more secure. It could be because Linux is a low priority target for blackhats. It could be because the IP ranges used this time are known honeypot addresses by the blackhats (which is one of the few causes of problems that would make this "fact" useless to me).

    It's not a measurement of causation. It's not a measurement of security. It's a scientific measurement of a length of time. Just like measuring the length of daylight outside. You can measure that scientifically. It won't explain seasonality. It won't explain the tilt of the earth. It won't explain the nature of quantum mechanics. However, it will be an accurate measurement of what it is: "How long the sun was up". Sure, it's not the world's most fact that Linux machines are lasting longer before being successfully attacked, but it is novel for those of us who have Linux machines on the Internet. However, its lack of being the end-all, be-all theory of Linux security doesn't mean it isn't a well-defined measure.

    Kirby

  22. Re:A router routes packets. by bogie · · Score: 2, Insightful

    "Every home machine that's been cracked has been cracked through a router"

    No it hasn't. Beyond the false assumption that every machine ever cracked was directly behind a router (aka cheapo Linksys), many/most zombies come from people plugged directly into the Net with no buffer. How do you think all of those worms spread so fast when all they do is simple port scans to find hosts to propagate with? Scans that a router running NAT would block. The real threat comes from users plugged directly into their cable modem or dumb DSL modem with PPPoE etc., which is what that person was referring to. These people have no firewall/NAT to block outside attacks and thus join the legions of zombies out there every time a new worm comes out.

    --
    If you wanna get rich, you know that payback is a bitch
  23. Half Truth by aoptik · · Score: 5, Insightful

    Gene Spafford was interviewed by LinuxPlanet a couple of years ago. He says why Linux isn't completely secure; even though it is an outdated interview, I would like to say most of his ideas do make sense even today.

    Even if those honeypots are harder to penetrate, that does not mean drivers or individual applications that many people use are designed with security in mind first. Hackers are always going to be around; all this means is that script kiddies are going to be able to do less and less to break into a Linux box, but more sophisticated hackers are going to want to try harder, and within time you will have the same problems. Just like in real life, an ADT system can make your home safer, but that does not mean you still will not get broken into. Plus, within this article you should be asking who are the security experts?

    All in all, I would hope people read this article in hopes that Linux is their solution to security out of the box. In other words, if you believe in security do not rely on the distro to be 80% secure; even if you locked the system up tight like you're supposed to, you still have a good chance of getting hacked. This article is just showing business people in the IT world that they can set up Linux and not need an administrator with good expertise to be hired; instead of that person they can pay half as much with little experience to manage the network because Linux is so secure. See where I am going with this article?

  24. Hardening systems works! by jjb · · Score: 5, Informative
    The question is entirely one of pre-install system hardening. Solaris 9 barely improved anything hardening-wise over Solaris 8. It still ships with over 60 TCP ports open, a large number of UDP ports open, and some default-listening network services that have been deprecated for over five years, like tnamed. tnamed is the Trivial name daemon and pre-dates DNS!

    Red Hat, on the other hand, has moved to both turning no remotely-accessible inetd/xinetd services on by default and offers an easy install-time firewall that works transparently on workstations and very simple servers. The difference in exposure of vulnerabilities to attackers is tremendous. The vulnerabilities may still be there, but the attacker often can't get to them or can't get the same level of privilege out of them. For instance, running OpenSSH in privilege-separated mode the way most Linux distros do now means that some exploits don't work, while others only grant the attacker non-root access.

    Linux vendors/creators have led the commercial Unix world in pre-install hardening - I like to think this is due in part to the success of Bastille Linux, a hardening program for SuSE, Red Hat/Fedora, Debian, and Mandrake Linux, as well as HP-UX and Mac OS X. Bastille ships on recent HP-UX O/S's and is available from both Debian and SuSE as a vendor-supplied package.
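    The exposure the post describes (inetd services listening by default, legacy daemons such as tnamed, OpenSSH with or without privilege separation) is the kind of thing an admin would check with a small audit script. The following is an added example, not code from the post, from Bastille or from any vendor: it parses inetd.conf and sshd_config text, reports which inetd services are actually enabled, flags the pre-SSH-era ones, and checks whether sshd runs privilege-separated. Both config samples are constructed for the example, and the legacy-service and legacy-daemon lists are this example's own assumption rather than a vendor list.

```python
"""Added example, not from the post or from Bastille: audit inetd.conf and
sshd_config text for the exposure the post describes. The config samples are
constructed; the legacy-service lists are an assumption of this example."""

import os

# Assumed list of legacy services worth flagging: cleartext logins, the
# r-commands, tftp, the "small servers", and tnamed (the pre-DNS name daemon
# the post mentions), matched either by service name or by daemon binary.
LEGACY_SERVICES = {"telnet", "shell", "login", "exec", "finger", "tftp",
                   "echo", "chargen", "discard", "daytime", "name"}
LEGACY_DAEMONS = {"in.telnetd", "in.rshd", "in.rlogind", "in.rexecd",
                  "in.fingerd", "in.tftpd", "in.tnamed"}

# Constructed stock-looking inetd.conf: '#' lines are disabled services.
SAMPLE_INETD_CONF = """\
# <service> <socket_type> <proto> <flags> <user> <server_pathname> <args>
ftp     stream  tcp  nowait  root    /usr/sbin/in.ftpd     in.ftpd
telnet  stream  tcp  nowait  root    /usr/sbin/in.telnetd  in.telnetd
#shell  stream  tcp  nowait  root    /usr/sbin/in.rshd     in.rshd
login   stream  tcp  nowait  root    /usr/sbin/in.rlogind  in.rlogind
name    dgram   udp  wait    root    /usr/sbin/in.tnamed   in.tnamed
finger  stream  tcp  nowait  nobody  /usr/sbin/in.fingerd  in.fingerd
"""

# The same file after hardening: every service line commented out.
HARDENED_INETD_CONF = "\n".join(
    "#" + line if line and not line.startswith("#") else line
    for line in SAMPLE_INETD_CONF.splitlines()) + "\n"

SAMPLE_SSHD_CONFIG = """\
# constructed sshd_config excerpt
Port 22
Protocol 2
PermitRootLogin no
UsePrivilegeSeparation yes
Subsystem sftp /usr/libexec/sftp-server
"""


def parse_inetd(text):
    """Return the enabled entries as dicts; comments and blanks are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 6:
            continue                      # malformed line, ignore it
        entries.append({"service": fields[0], "socket": fields[1],
                        "proto": fields[2], "wait": fields[3],
                        "user": fields[4], "program": fields[5]})
    return entries


def enabled_services(text):
    """(service, proto) for every service inetd would actually start."""
    return [(e["service"], e["proto"]) for e in parse_inetd(text)]


def legacy_enabled(text):
    """Enabled services matched by name or by the daemon they launch."""
    hits = {e["service"] for e in parse_inetd(text)
            if e["service"] in LEGACY_SERVICES
            or os.path.basename(e["program"]) in LEGACY_DAEMONS}
    return sorted(hits)


def parse_sshd_config(text):
    """Keyword -> first value, keys lower-cased. sshd honours the first
    occurrence of a keyword; conditional Match blocks are not modelled, so
    parsing stops at the first Match line."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break
        conf.setdefault(key, value)
    return conf


def sshd_privsep(text):
    """True unless UsePrivilegeSeparation is explicitly 'no'. OpenSSH has
    defaulted to privsep since 3.3 ('sandbox' counts as on), and the option
    was removed in 7.5 because it is always on."""
    value = parse_sshd_config(text).get("useprivilegeseparation", "yes")
    return value.lower() != "no"


def exposure_report(inetd_text, sshd_text):
    return {"inetd_enabled": len(enabled_services(inetd_text)),
            "legacy": legacy_enabled(inetd_text),
            "sshd_privsep": sshd_privsep(sshd_text)}


if __name__ == "__main__":
    print("stock:   ", exposure_report(SAMPLE_INETD_CONF, SAMPLE_SSHD_CONFIG))
    print("hardened:", exposure_report(HARDENED_INETD_CONF, SAMPLE_SSHD_CONFIG))
```

    On the constructed stock file the report shows five listening inetd services, four of them legacy (the commented-out rsh line is correctly ignored, and tnamed is caught by its daemon name even though the service is registered as "name"); on the hardened file it shows none. Run against real files it only tells you what inetd would start; standalone daemons and xinetd's per-service `disable = yes` files need their own checks.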

    1. Re:Hardening systems works! by Anonymous Coward · · Score: 2, Informative
      There are several Linux hardening projects around. Interestingly enough, they are somewhat orthogonal to each other, and tend to complement one another.

      Here's a basic roundup of useful links:

    2. Re:Hardening systems works! by thogard · · Score: 2, Informative

      Brand new V100 out of the box from Sun. Put on a network and given a public IP address while other things were done. Soon it started probing every machine on the test network.

      That should not happen. With my production sun boxes, I purge everything rpc related and comment out all kinds of crud in inetd.conf. The base install is just wrong.

    3. Re:Hardening systems works! by jjb · · Score: 2, Interesting
      I think projects like Bastille, and to a greater extent the Center for Internet Security's work, both illustrate to vendors what improvements they could make and create a sysadmin awareness of and experience with hardening measures. Creating that awareness and experience then creates demand on the sysadmin's part that their vendor give them systems in better default configurations and comfort in the vendors' minds that the sysadmins can handle the hardening measures.
      Finally, these kinds of projects demonstrate the effect of hardening to sysadmins when their hardened systems fare better than their stock systems in the face of an attack.


      The effect of easing the hardening of systems is to produce far more hardened systems, which has the macroscopic effect of making the Best Practice into a Standard Practice. Take the example of telnet on by default. Bastille and programs like it had been turning off telnet for years and educating sysadmins about SSH as a replacement before vendors became comfortable turning it off.


      Here's another example, more complicated. Most Linux vendors chroot their DNS servers, for instance -- they didn't do this for the first two years that Bastille was around, until the Lion worm changed their minds. Chroot'ed DNS servers fared much better; it had been best practice to chroot for a while, and projects like Bastille created a larger base of admins comfortable with the practice. When vendors' packagers decide whether to do this by default, they feel more comfortable with the idea if they've seen it done a great deal in the field. They feel even more comfortable if they've seen it done successfully programmatically.

  25. Re:They aren't after your data - just your connect by agraupe · · Score: 3, Informative

    I do mean NAT/hardware firewall/router thingy. And, yeah, my point was that there are enough unprotected boxes out there that it doesn't make sense to hack through said NAT/firewall device, unless there was sure to be something tempting on the other side, in much the same way that having a deadbolt will protect you from most home breakins.

  26. Security is a strong concept of safeness by Peter+Cooper · · Score: 4, Interesting

    When we rolled in Linux to automate our internal business systems, security was at the top of the flag pole for us. Our old systems (AIX) had suffered from numerous repetitive flaws particularly in areas of allowing certain connections and not allowing others, which posed a significant problem when it came to securing the entire network from outside abuse.

    We analyzed the various systems available to us at the time we were making the rearchitecture decision, some six months ago or so, and quite rapidly we reached a decision based on the data. That is.. Linux would be more secure in our company because we already have the technical people using Linux outside of work who would be able to already understand the system and be able to fix specific and non-specific security issues themselves rather than having us rely on an outside contractor or vendor. This meant we could buy vanilla beige boxes and install Linux, set up all of our business processes, all without having to go to one of those vendors such as RedHat, Sun, or one of the other many vendors in the Linux field.

    So, security is a strong concept of safeness for us, and we're glad we're running Linux.

  27. Re:A router routes packets. by Rosonowski · · Score: 4, Informative

    You're thinking of router in the "linksys little blue box" sense of the word.

    How do you think your traffic gets from point A to point B on the net, though? Routers.

    --
    01101001 01100001 01101101 01101110 01101111 01110100 01100001 01101100 01100001 01110111 01111001 01100101 01110010
  28. Re:A router routes packets. by mad+flyer · · Score: 5, Informative

    Technically it's more PAT (port address translation) than NAT (network address translation).

    On Cisco it's also the "nat overload".

    NAT leaves you somewhat vulnerable; it's a mapping of address to address (many to many). Don't feel secure with NAT without firewalling.

    PAT is much more closed (many to one).

    It's also true that everyone says NAT when they do PAT.
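    The distinction the post draws is easiest to see with a translation table in front of you. The following is an added example, not code from the post or from any router vendor: a toy model of static address-for-address NAT beside many-to-one PAT (NAPT, Cisco's "overload"). It shows why an unsolicited packet to the public address reaches the inside host under 1:1 NAT but is dropped under PAT, and how a port forward reopens that hole. All addresses (from the RFC 5737 documentation ranges), ports and packets are constructed; the model has no firewall, no TCP state tracking and no entry timeouts.

```python
"""Added example, not from the post: toy 1:1 NAT versus many-to-one PAT.
Addresses, ports and packets are constructed; there is no firewall, no TCP
state tracking and no entry timeout in this model."""

from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class OneToOneNat:
    """Static NAT: each inside host is bound to its own public address, so
    the translation exists before any traffic flows, in both directions."""

    def __init__(self, mapping):                 # {inside_ip: public_ip}
        self.to_public = dict(mapping)
        self.to_inside = {pub: ins for ins, pub in mapping.items()}

    def outbound(self, pkt):
        return Packet(self.to_public[pkt.src], pkt.sport, pkt.dst, pkt.dport)

    def inbound(self, pkt):
        inside = self.to_inside.get(pkt.dst)
        if inside is None:
            return None                          # not one of our addresses
        # Solicited or not, it is rewritten and delivered to the inside host.
        return Packet(pkt.src, pkt.sport, inside, pkt.dport)


class Pat:
    """Many-to-one PAT: one public address; a translation entry exists only
    for flows an inside host started, plus any explicit port forwards."""

    def __init__(self, public_ip, forwards=None, first_port=40000):
        self.public_ip = public_ip
        self.next_port = first_port
        # public port -> (inside_ip, inside_port, remote_ip, remote_port)
        self.table = {}
        # public port -> (inside_ip, inside_port), the "port forwarding" page
        self.forwards = dict(forwards or {})

    def outbound(self, pkt):
        flow = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        for pub_port, entry in self.table.items():
            if entry == flow:
                break                            # reuse the existing entry
        else:
            pub_port, self.next_port = self.next_port, self.next_port + 1
            self.table[pub_port] = flow
        return Packet(self.public_ip, pub_port, pkt.dst, pkt.dport)

    def inbound(self, pkt):
        if pkt.dst != self.public_ip:
            return None
        entry = self.table.get(pkt.dport)
        # This model only accepts a reply from the remote endpoint the inside
        # host talked to (address-and-port-dependent filtering in RFC 4787
        # terms); real devices vary, some accept any source on a mapped port.
        if entry is not None and entry[2:] == (pkt.src, pkt.sport):
            return Packet(pkt.src, pkt.sport, entry[0], entry[1])
        if pkt.dport in self.forwards:
            inside_ip, inside_port = self.forwards[pkt.dport]
            return Packet(pkt.src, pkt.sport, inside_ip, inside_port)
        return None                              # unsolicited: dropped


def scan_result(translator, public_ip, port):
    """What an outside scanner sending to public_ip:port ends up hitting."""
    return translator.inbound(Packet("198.51.100.7", 55555, public_ip, port))


if __name__ == "__main__":
    nat = OneToOneNat({"192.168.1.10": "203.0.113.10"})
    print("1:1 NAT, telnet scan ->", scan_result(nat, "203.0.113.10", 23))
    pat = Pat("203.0.113.1")
    print("PAT,     telnet scan ->", scan_result(pat, "203.0.113.1", 23))
    out = pat.outbound(Packet("192.168.1.10", 51000, "192.0.2.80", 80))
    print("PAT,     outbound    ->", out)
    print("PAT,     reply       ->",
          pat.inbound(Packet("192.0.2.80", 80, "203.0.113.1", out.sport)))
    fwd = Pat("203.0.113.1", forwards={23: ("192.168.1.10", 23)})
    print("PAT+fwd, telnet scan ->", scan_result(fwd, "203.0.113.1", 23))
```

    The "closedness" of PAT here comes entirely from the translation table doubling as a crude stateful filter: with no entry and no forward, the device has nowhere to send the packet. That is also why the advice to firewall a 1:1 NAT stands, and why a port forward gives the scanner exactly the same reach a static mapping would.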

  29. How about testing against NAT/routers? by slashname3 · · Score: 4, Interesting

    Interesting study, not all that surprising.

    How about a study like this against the various NAT/routers being used out there? How easy is it to own systems sitting behind those? This appears to be the standard anymore for the millions of cable/DSL connections.

  30. Client Side Attacks by neonfreon · · Score: 5, Interesting

    What about client side attacks, such as attacks against web browsers and email clients? These kinds of security problems comprise a large portion of attacks against Windows based machines, and with the rising popularity of cheap routers that provide good protection to home users via firewall and NAT rules that will prevent direct attacks against daemons, client side attacks will be rising in popularity over the next few years, and cheaply available firewalls won't do anything to help.

    Of course, this kind of analysis would require a more involved approach to testing O/S security, rather than just installing an O/S, throwing it on the internet and sitting back and waiting for whatever randomly happens to it to happen, which doesn't really seem to be the way honeynet likes to operate.

    Keep in mind that honeypots were originally intended to track the behavior of so called blackhats, not to analyze the security of operating systems, and they probably aren't the best choice for the job.

  31. Re:Security by segfaultcoredump · · Score: 5, Informative

    Two issues with your solaris admin experience:

    1) Even way back in Solaris 2.5 (and probably before that, but that is when I started), you could just download the latest patch cluster, run 'install_cluster', and then reboot when you were done (if required... see below). That was it. No muss, no fuss... A new cluster was generated every 2 weeks for the lazy admin who wanted to stay up to date with patches yet not actually read the patch notes.

    2) Nowadays, it's even easier... All you have to do is install the latest PatchPro. Then you can do several things. For the brave/stupid, you can run smpatch (the main PatchPro command) out of cron and have it automatically fetch and install the latest `non reboot` patches. For those of us who have to run under a change control system that requires notifying others of changes, there are `smpatch analyze`, `smpatch download` and `smpatch add`.

    You can use the analyze command to generate a list of patches in order of dependencies and then feed that list into your change control system for tracking what you applied. Then use the 'download' and 'add' commands to take that list, download the patches to the system and then add them to the system. (The 'add' command will also perform the download if you don't want to stage them ahead of time.)

    If you made any 'major changes' like an updated kernel, you'll want to reboot. If you didn't apply any patches that require a reboot, then no problem, don't reboot. Some patches may say that they require a reboot, but a savvy admin (or a daring one) can get around those 'recommendations' by reloading the impacted kernel modules (Sun even has a way to hot patch the kernel for those customers that absolutely can not bring the system down anytime soon).

    Even 'apt-get update' needs a reboot when you change big things like kernels or major libraries (or at least restarting all apps/services/whatever that use those libraries, at which point you may as well just suck it up and reboot since the service is going down. You didn't think that those running apps would get all of those libc.so updates without restarting, did ya?)

    And as an extra added bonus, smpatch only downloads signed patches and verifies the signature before installing.

  32. Re:Not even remotely scientific by ComputerSlicer23 · · Score: 4, Insightful
    I'd venture to say that no science experiment ever conducted has ever been under "the same conditions". It's merely a matter of how close the conditions are, and why everything else doesn't matter. You figure that out by starting by making measurements and, when you can't explain something, guessing why and forming a model. Then try and set up a situation to measure if your guess is correct. Any number of "scientific" measurements aren't repeatable (the analyses of any number of astronomical events are unique to our lifetimes and are irrepeatable in the sense you are using).

    You can only draw those conclusions about water because someone has done all the scientific measurements before you.

    We didn't figure out gravity all at once. Some guy started dropping balls and measuring time. Some guys started measuring the time it took to roll down planks. Eventually they made lots of measurements that were a "big boiling pot of useless variables", and figured out that air resistance makes a difference. That if you measure incredibly accurately, the latitude and longitude (more specifically your distance from the center of the earth) matter. Even more accurately, what time of year does matter (our distance from the sun changes). They sorted out the patterns in the data. What they are doing is called "basic science". It isn't sexy, and it isn't useful right away. However, to start something that is a "science", you have to start by making measurements and then explaining them. Explain to me, roughly speaking, how one makes "scientific" measurements on the internet where you have control groups? How precisely does one set up a second world wide internet that is identical in all ways except one has an extra Linux machine on it? Maybe if they continue to make such measurements, they might figure out what the variables are.

    That's precisely what they are doing. I'd have to read the actual statement they made to see how well they are lying with statistics. My guess is the statement they made was accurate and accurately captured what it was they measured.

    Also, I'm going to guess they used the same RedHat distributions (or at least had all of the old ones, and some new ones), and they used all the same old IP's (or at least used all the old ranges, and some new ranges). So I'd further venture to guess that your "boiling water" analogy is incorrect. I've read about these guys quite often. They are fairly "scientific" about what they do, and how they do it. The biggest problem they have is man power to setup and analyze the machines and attacks. Which is really a function of their other big problem, a serious lack of financial resources. What they are doing on a large scale would result in really useful measurements. Sure what they are doing is on the level of "Grade School Science Projects" in terms of the scale and quality of science. However, that doesn't make it any less "scientific".

    As to this:

    get an experiment that is so wildly useless that you can't honestly call it scientific

    Useful science is called "Engineering". Useless science is all over the place. Science is about forming a hypothesis, setting up a way of measuring your hypothesis, then analyzing the data after the fact. This sure seems to fit the bill. Useless science is how all science started. Next you'll tell me Linux isn't at all like Unix, because it started out life as a useless terminal program.

    Kirby

  33. Re:LEADING ANALYSTS CONFIRM IT... by techno-vampire · · Score: 3, Informative

    That's not what the article said. It tested unpatched boxes in all cases. The Linux, Solaris and Windows boxen were all default installations, with no security patches or add-ons.

    --
    Good, inexpensive web hosting
  34. Re:A router routes packets. by mabinogi · · Score: 5, Insightful

    Before you post another word on this topic, please demonstrate that you have the slightest idea what you're talking about by defining the following words for us:

    1. Hub
    2. Switch
    3. Router
    4. Firewall
    5. NAT
    6. Proxy
    7. Modem

    Next, explain to us how packets from computer A with ISP X on one side of the world, can possibly attack computer B with ISP Y on the other side of the world without going through at least two routers.

    --
    Advanced users are users too!
  35. Interesting. by jd · · Score: 4, Interesting
    Personally, I'd have set the scoring up on a sliding scale, so that easier-to-hack boxes scored fewer and fewer points, the more they were broken into. If a system isn't getting any harder, then it damn well shouldn't be worth anything. Likewise, if a box was surviving all-out assaults, it should be gaining in value.


    (The idea being to discourage people from playing at skript-kiddie, but concentrating on the real challenges. Using the above logic, if a box was "practically uncrackable", the incentive should be so great that it becomes almost the sole focus.)


    As for Linux, a correctly-configured hardened box should come close to VMS in security. The sorts of things that you could configure to do this are as follows:


    • Configure iptables to block ports that should not be visible from the outside. Either that, or get it to return spurious data, to confuse scanners.
    • Use one (or preferably two) of SE-Linux, GRSecurity and RSBAC, to make it hard to actually use any exploits that are found.
    • Disable insecure protocols where possible. If you have to use them, run them over IPSec.
    • If a server isn't time-sensitive, then use a bounds-checker such as ElectricFence to reduce the risks.
    • Use a pro-active NIDS to block suspicious traffic (usually an indicator of a scan).
    • Verify file permissions with a utility such as TARA, although that one might be a little old these days.
    • Scan for weaknesses with the latest Nessus and -at least- one other independent security scanner.


    The reason for so many steps is that Linux is flexible. Flexibility, if used well, can make for an extremely tough system. If used badly, it can make for a highly vulnerable system. Mistakes are not always easy to catch, so it's better to have enough independent redundancy that a failure isn't catastrophic.


    VMS had flaws, too, and could be easily mis-configured. (Being able to put DCL scripts in mail subject lines was plain stupid.) But, again, if set up well, was virtually bullet-proof.

    --
    It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
  36. The Way to a 100% Secure System by one_n_only_wildcat · · Score: 4, Funny
    --
    "Something unknown is doing we don't know what." - Sir Arthur Eddington
  37. Re:Not even remotely scientific by ComputerSlicer23 · · Score: 4, Insightful
    For example, if someone got root using some local exploit no-one had seen before we could reverse engineer the script they used and fix the bug. But this has never happened

    You really should read up on the honeynet project sometime before saying silly things like this.

    For starters, they have in fact found previously unknown exploits (at least one, but possibly several). I forget the exact details off hand, but in "Honeypots" (a pretty decent book) it is covered. They cover it in the section about different types of honeypots and what they are good for. They discovered a hole in a network service that was previously unknown on Linux machines several years ago when the project first started. I can cite it tomorrow if you really don't believe me (the book is at home, I'm not). A lot of blackhats give out zero days as a way of gaining credibility. While it wasn't a zero day, a honeypot was one of the first things to figure out how one of the major worms worked (Code Red I think, but it might have been one of the others).

    Also, black hats need a platform to mount their attack from that they can easily own without worry. So they attack home networks knowing that they can completely own a box and wipe the logs. Meanwhile, they can mount attacks from those machines onto others that are important. They need the intermediate machines to be anonymous. They might want to attack "American Express", or "Amazon.com". Anyone with any brains doesn't attack those from the IPs known to be in their basement. They find other machines that will have no logging, or logging that can be completely compromised, to use as a base of attack. Then the trail to find them dies at these random machines on the internet.

    Besides that, anyone wanting to implement an "Andy Warhol worm" needs to find a set of machines that have an exploit available. In order to find those, one has to start attacking random machines on the internet. The honeypot project could accomplish that (I don't know that they have, but it would be a very good use of it).

    Finally, I don't have any important machines, so information about random machines on the internet fits me to a "T". I am more interested in what the script kiddies are doing, and what sorts of attacks they are making. The honeynet project does provide details about what JRandom guy with an IP on the internet can expect to be hit with.

    Kirby

  38. Re:A router routes packets. by Rosonowski · · Score: 4, Informative

    I'm not saying that routers should be banned, that'd be stupid. I'm just backing up the post that claimed that all attacks have come through routers. They were undoubtedly making the point that people think of those little blue boxes as the only routers out there.

    --
    01101001 01100001 01101101 01101110 01101111 01110100 01100001 01101100 01100001 01110111 01111001 01100101 01110010
  39. Re:A router routes packets. by Anonymous Coward · · Score: 2, Insightful

    That's not obtuse, that's encouraging correct use of terminology.

    It's not the router that protects them, it's the firewall that comes with it - whether that just be simple NAT, or a full stateful firewall.

    Encouraging correct use of terminology is always a good thing, and even more so when the topic is technology.

  40. Re:A router routes packets. by Dimensio · · Score: 5, Funny

    Next, explain to us how packets from computer A with ISP X on one side of the world, can possibly attack computer B with ISP Y on the other side of the world without going through at least two routers.

    http://www.ietf.org/rfc/rfc1149.txt?number=1149

  41. Statistically Insignificant by hallucination · · Score: 4, Informative

    Anyone who has even done basic high school statistics can tell you that the numbers in these reports are absolutely statistically insignificant. They don't mean a thing.

  42. Re:They aren't after your data - just your connect by maxpublic · · Score: 2, Informative

    The "little blue box" is usually both a router AND a hub, and uses NAT (not much good to Joe HomeUser otherwise, since he probably bought it to link up his computers in a home network and connect them all to the net through a single IP address). This is enough to deter the script kiddies, unless you've gone and left all your services running without restriction or simply port-forwarded everything under the sun to a computer on your home network without thinking about it.

    Combine the little blue box with a firewall, however (e.g., ZoneAlarm) and you've just defeated 99.9% of the so-called 'hackers' out there. Because when all is said and done they're nothing more than little brats who've jacked someone else's code and used it, and they themselves have no friggin' clue how any of this works, much less how to write code themselves. In fact, I'm willing to bet if you asked most of these 'hackers' whether the little blue box was a router or hub or both, they'd just stare at you blankly.

    All you need to do from this point on is a) DON'T use IE, and b) don't friggin' download crap from an untrusted source! I admit I rarely use my Windows partition (mostly for gaming, or after gaming when I'm too lazy to reboot or haul my ass to one of my other machines, like right now) but I've never had a successful hack of my system despite the fact that nowadays it's almost constantly being scanned for vulnerabilities.

    Max

    --
    My god carries a hammer. Your god died nailed to a tree. Any questions?
  43. Re:well something that gets progressivly easier by wirelessbuzzers · · Score: 2, Interesting

    SSH is not so weak as you suggest. It is certainly more complex, but it uses stack canaries and privilege separation to reduce its vulnerabilities. While its protocol is nastier, some level of nastiness is necessary to securely encrypt things.

    OpenBSD ships SSH open by default, and has only had one root hole in what, 8 years? Any reasonably exploitable SSH root hole would count (although holes which are exploitable on Linux might not be on OpenBSD). And there have been buffer overflows in telnetd, too...

    --
    I hereby place the above post in the public domain.
  44. Re:Not even remotely scientific by maxpublic · · Score: 2, Insightful

    All true, but the number of real hackers out in the wild is tiny. The overwhelming majority of 'hackers' are just script kiddies using someone else's code to attack unsecured machines. Protect yourself from them and you protect yourself from 99.9% of the people who want to seize your machine for their own use. The odds of your machine coming to the attention of a real hacker are vanishingly small, unless you've got something the hacker wants.

    Max

    --
    My god carries a hammer. Your god died nailed to a tree. Any questions?
  45. SELinux by Sunspire · · Score: 2, Interesting

    I'm personally wondering how a relatively new system like SELinux combined with Exec-Shield is keeping machines from being rooted. Let's say a cracker compromises your Apache server through a bug in the server itself or a flaw you've introduced yourself through either a CGI or PHP script. He is simply not breaking out of the kernel security context set by the SELinux policy, so what's a hacker to do these days? Would a local root exploit allow you to bypass SELinux? What if there's no root on the system anymore, which is entirely possible. Doesn't that completely mess up the hacker's plans?

    Do people still get rooted running something like Fedora Core 3 with SELinux? I can imagine they do, you just don't really hear about it anymore. Perhaps the system is still too new to tell either way. If every daemon is locked down with a targeted SELinux policy in the future, and I see no reason why you wouldn't want this once someone has done the work of writing the policy, perhaps we'll see a dramatic reduction in compromised systems.

    --
    It's like deja vu all over again.
  46. RedHat 6 vs. Win98 - Windows was safer by billstewart · · Score: 2, Interesting
    A few years ago I got a DSL line for my lab (back when that was still new and cool :-) and some of the boxes we were using were doorstop Pentium-60 and Pentium-133 machines that had become surplus when their users got newer machines. The P133 was running Win98 or maybe Win95, with all the MSOffice apps that a secretary had used (initially set up by our IT department), plus some Netscape and a shareware web server and such that I'd added. The P60 was running RedHat 6, installed right out of the box with minimal configuration effort, and one of the P60s spent most of its time running tcpdump to monitor what was on the LAN.

    Nobody ever bothered the Windows box, not that there was much you could do with it.

    On the other hand, the Linux box got cracked pretty rapidly, sometimes with Stacheldraht DDoS clients, sometimes with an attacker who appeared to have logged in by hand and installed things once he'd cracked it. After 3-4 rounds of the machine being brutally and senselessly attacked every week, I renamed the box "Kenny"... Sometimes I discovered the crack by looking at the tcpdump ("why is my box pinging a university in Sweden???") and sometimes by running commands like "find" in root's home directory which found files that looked suspicious ("ls" had been replaced with a version that didn't show the cracker's files, and "ps" didn't show his processes, but "ls /proc" showed his processes just fine :-)

    As an old Unix hacker, this annoyed me. One major target for the crackers was the WU-FTPD ftp server, so it was somewhat ironic that my machine once attacked or was attacked by machines at Washington University (I forget which - I think my machine was cracking them.) It looked for a while like I was getting attacked by somebody at MIT, but it turns out that the culprit was really in Japan, and had the byte order backwards for the response packets...

    --

    Bill Stewart
    New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
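    The cross-check in the post above (a trojaned "ps" hides processes, but listing /proc still shows them; likewise a trojaned "ls" against the raw directory contents) can be scripted. The following is an added example, not code from the post: it compares what the ps and ls binaries report with what the raw system calls return, and lists anything the tools left out. The comparison functions take plain collections so they can be run on constructed data; check_live() runs them against the real ps and ls and assumes Linux (/proc) with procps/coreutils option syntax.

```python
"""Added example, not from the post: find processes and files that ps/ls do
not report but /proc and the directory itself do. check_live() assumes Linux
and procps/coreutils; the other functions work on any collections."""

import os
import subprocess


def proc_pids():
    """PIDs from listing /proc directly, bypassing the ps binary."""
    return {int(name) for name in os.listdir("/proc") if name.isdigit()}


def ps_pids(ps_output):
    """PIDs parsed from `ps -e -o pid=` output (one number per line)."""
    return {int(tok) for tok in ps_output.split() if tok.isdigit()}


def hidden_pids(raw_pids, tool_pids, ignore=()):
    """Processes /proc knows about that ps did not report. A process that
    exited between the two reads is a benign one-off, so re-run before
    believing a hit; the caller may pass its own pid in ignore."""
    return sorted(set(raw_pids) - set(tool_pids) - set(ignore))


def ls_names(ls_output):
    """Names from `ls -a1` output, one per line (no quoting when piped)."""
    return {line for line in ls_output.splitlines() if line}


def hidden_files(raw_names, tool_names):
    """Directory entries os.listdir returned but ls did not print."""
    return sorted(set(raw_names) - set(tool_names) - {".", ".."})


def check_live(directory="/"):
    """Compare the live system's ps and ls against the raw views."""
    raw_pids = proc_pids()
    ps = subprocess.run(["ps", "-e", "-o", "pid="],
                        capture_output=True, text=True, check=True)
    pid_hits = hidden_pids(raw_pids, ps_pids(ps.stdout), ignore={os.getpid()})

    raw_names = set(os.listdir(directory))
    ls = subprocess.run(["ls", "-a1", directory],
                        capture_output=True, text=True, check=True)
    file_hits = hidden_files(raw_names, ls_names(ls.stdout))
    return {"hidden_pids": pid_hits, "hidden_files": file_hits}


if __name__ == "__main__":
    result = check_live("/")
    print("pids in /proc but not in ps:", result["hidden_pids"] or "none")
    print("files in / but not in ls:   ", result["hidden_files"] or "none")
```

    This catches the situation in the post, replaced binaries, and nothing more: an LD_PRELOAD rootkit hooks the same libc readdir() that os.listdir uses, and a kernel-module rootkit filters /proc for every reader, so a hit proves a problem while a clean result proves little. Run the comparison twice before acting on a single PID, since a process that exited between the /proc listing and the ps run will show up once.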
  47. Very true by Kludge · · Score: 2, Informative

    Our VMS administrator still uses telnet to do administration, thinking that it's secure enough. Personally I use ssh. However, in order to change our passwords once they expire, we have to use telnet. SSH stops working.
    Just because the bozo in the above story didn't know what to do once he was in the box doesn't mean that other bozos won't be more ambitious or do more sniffing.

  48. Re:A router routes packets. by upside · · Score: 2, Insightful

    [pedant_mode]
    Hmmh. I see the point that "network address translation" kind of implies a one to one relation between external and internal addresses.

    However, to me "port address translation" sounds worse because the *network address* is still the key thing that gets changed in a many-to-one situation. The fact that the router assigns a new client port for outbound connections is just a side effect. The server and client still use the same ports, regardless of what the router does in between.

    "PAT" sounds more logical when describing a port forwarding situation where the router is listening to port x but forwards it to a different port y on an internal server.
    [/pedant_mode]

    --
    I'm sorry if I haven't offended anyone
  49. Re:A router routes packets. by ultranova · · Score: 4, Funny

    Next, explain to us how packets from computer A with ISP X on one side of the world, can possibly attack computer B with ISP Y on the other side of the world without going through at least two routers.

    Simple.

    Computer A is set to capture its outgoing packets and print them onto a piece of paper. This paper is then given to a ninja, who leaps to the other side of the world, types the packet into machine B, and sends it through the loopback device. 0wn3d !

    Moral: firewalls are no defense against ninjas ! In fact, don't have a firewall, because if you do, a ninja will come and 0wn your computer, then flip out right there ! You wouldn't want a ninja to flip out in your house while you're asleep, now would you ?

    --

    Forget magic. Any technology distinguishable from divine power is insufficiently advanced.

  50. Re:A router routes packets. by upside · · Score: 2, Informative

    I think "many to one" describes mapping many internal IPs to one external IP (the public interface on the router).

    I'd say you have NAT with port forwarding. Apparently for purists it's PAT. For the moderates it's probably both since they'd see PAT as a special case of NAT (only one external address). :p

    --
    I'm sorry if I haven't offended anyone
  51. Re:A router routes packets. by o'reor · · Score: 2, Funny
    Good old 'IP over carrier pigeon protocol'.

    In related news, Remington has announced that it will invest in IT, specializing in Internet security systems. They have already released a number of RFC-1149 compliant firewall appliances.

    --
    In Soviet Russia, our new overlords are belong to all your base.
  52. Re:There is a solution for dupes by Master+Bait · · Score: 2, Funny

    That would save the editors from the trouble of having to actually read the website.

    --
    "Only in their dreams can men truly be free 'twas always thus, and always thus will be."
    --Tom Schulman